|
Problem description:
2 weeks ago I had bridge mode turned on on my Comcast modem/router. It essentially turns off the wireless network on it and kills the DHCP that it runs. It turns it into a modem only. I have a Netgear 750 Dual Band that I run my internetwork on. I hadn't had this issue before then, so I figure it might be worth mentioning. Every machine in my house has been getting adware spammed on it now: my iPhone 5s, my main gaming Win 7 rig, my Win 7 Surface Pro 2. On the gaming rig I get a screen that pops up saying that my Adobe Reader needs to be updated. It pops up another window (even with pop-ups disabled); I close that one out by hitting X. That one actually pops a second window which is more of a Windows notification (Press OK to continue or Cancel to exit type of notification), and a pop-up window behind that. The ads come only when I'm browsing with IE, and it doesn't matter where I click on the browser window (even non-clickable text), it will pop that up. Doesn't happen with every click; it's pretty random. When I'm surfing on my iPhone in Safari it will pop up another tab in Safari and do a notification-like message. This happens when I follow links inside of the Facebook app itself.

Attempted fixes:
First, on my gaming rig I just tried a format and reinstall. I normally do this every 6 months anyway. After drivers were installed and Windows was updated, I went to the Final Fantasy 14 website to start the download of the client. This is the first page I surfed to, and I got the ad pop-up. I have my iPhone with me today at work, and when I surf here at work I don't get these ads, but when I surfed at home 1 hour earlier I was getting pop-ups. On my gaming rig I ran Adware, Microsoft's Malware tool, Spybot, Malwarebytes, and all of them turned up nothing.

Recent changes:
Since this is on multiple systems with different OSes, I don't think stating system changes will help much. I did convert my Comcast router to "bridge mode". I formatted my gaming/primary machine. I haven't tried any troubleshooting or changes on my Surface Pro 2 or iPhone 5s.

--

Operating system: Windows 7 x64, iOS 8.0.1

System specs:
Gaming rig: personal build. Intel i5-750 processor - 12GB of RAM G-Skill - Samsung 850 Pro Series MZ-7KE128BW 2.5 128GB - second HDD that I was given by a friend so I don't know the model - MOBO Asus P7P55D LGA 1156.
Router might be relevant here: Netgear N750 Wireless Dual Band Gigabit Router WNDR4000

Location: USA

I have Googled and read the FAQ: Yes - Google couldn't turn up results on what I'm looking for. It gave options to troubleshoot one machine, which didn't work. I think this is some kind of a "man in the middle" ad/attack thing. I don't see anything that has taken over my DHCP settings on the router, and I wouldn't know how to check if it's using bad DNS servers.

Adding this just in case it helps. This is from my gaming/primary machine.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 7:19:47 AM, on 10/29/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17344)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\sebastian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOG1L0LN\HijackThis.exe
C:\Users\sebastian\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Samsung Magician.lnk = ?
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Splashtop® Remote Service (SplashtopRemoteService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Splashtop Software Updater Service (SSUService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

-- End of file - 6153 bytes
|
# ? Oct 29, 2014 15:27 |
|
Checking the DNS settings on my router shows this:

Domain Name Server (DNS) Address
[ ] Get Automatically from ISP
[x] Use These DNS Servers
Primary DNS: 104.131.91.209
Secondary DNS: 162.243.214.177

I know I personally didn't add those.
|
# ? Oct 29, 2014 15:31 |
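The first post asks how to tell whether a machine is using bad DNS servers, and the follow-up shows the two addresses found in the router's DNS page. The script below is an added example written for this thread, not anything the poster or the router vendor shipped. It pulls the resolver list out of English `ipconfig /all` output (Windows) or `/etc/resolv.conf` (macOS/Linux), converts the router UI's four octet boxes to dotted form, and labels each address against an allowlist. The allowlist contents, the LAN addresses and both sample outputs are constructed assumptions for the example; the two public addresses are the ones the router was found to contain.

```python
import ipaddress
import re

# Resolvers this network is supposed to use. Assumed values for the example:
# the router's own LAN address (the normal DHCP-handed resolver behind a home
# NAT) plus a public resolver the owner might have set deliberately.
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample of English `ipconfig /all` output. The two DNS servers are
# the addresses the thread's router was found to contain.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 104.131.91.209
                                       162.243.214.177
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample /etc/resolv.conf (macOS/Linux).
SAMPLE_RESOLV_CONF = """\
search home.example
nameserver 192.168.1.1
nameserver 162.243.214.177
"""


def parse_ipconfig(text):
    """Return the DNS servers listed in `ipconfig /all` output, in order.

    Windows prints the first server on the 'DNS Servers' label line and any
    further servers on their own indented lines, so we keep collecting
    single-token lines until the next labelled field appears.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            collecting = True
            continue
        more = re.fullmatch(r"\s+(\S+)\s*", line) if collecting else None
        if more:
            servers.append(more.group(1))
        else:
            collecting = False
    return servers


def parse_resolv_conf(text):
    """Return the nameserver entries from a resolv.conf, in order."""
    return [
        line.split()[1]
        for line in text.splitlines()
        if line.strip().startswith("nameserver") and len(line.split()) > 1
    ]


def normalize_octets(field):
    """Turn the router UI's octet boxes ('104 - 131 - 91 - 209') into dotted form."""
    return ".".join(part.strip() for part in field.split("-"))


def classify(server):
    """Label one resolver address.

    'trusted'     - explicitly on the allowlist
    'private'     - RFC 1918 / link-local, i.e. something on the LAN (usually the
                    router); fine on a client, but then the router's own upstream
                    DNS setting is the thing to check next
    'unexpected'  - a public address nobody on this network chose
    'unparseable' - not an IP address at all
    """
    if server in TRUSTED_RESOLVERS:
        return "trusted"
    try:
        ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone index
    except ValueError:
        return "unparseable"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "unexpected"


def unexpected_resolvers(servers):
    """Return the resolvers that should be investigated."""
    return [s for s in servers if classify(s) == "unexpected"]


if __name__ == "__main__":
    for name, servers in (("ipconfig /all", parse_ipconfig(SAMPLE_IPCONFIG)),
                          ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF))):
        print(f"{name}:")
        for s in servers:
            print(f"  {s:<20} {classify(s)}")
```

Run it as-is to see the two sample inputs scored, or feed the functions the real output of `ipconfig /all` or the contents of `/etc/resolv.conf`. A client that only reports "private" is the case to watch: when the router hands itself out as the resolver over DHCP and then forwards to the rogue upstream servers, every machine on the LAN looks clean from the inside, which is why the router's own DNS page (the "Use These DNS Servers" fields above) has to be checked separately and why per-machine malware scans and a reinstall changed nothing.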
|
Perform a factory reset via the button on the router, update to the latest firmware, then reset it to factory again.
|
# ? Oct 29, 2014 19:08 |
|
Also, some Comcast cable modems (not sure if it's specific brands) have outward-facing telnet ports wide open with default login/password. Be sure to change the defaults after a reset.
|
# ? Oct 29, 2014 21:34 |