
Good Morning Guys and Gals,

 

Hopefully a fresh pair of eyes is what I need for this, as I am stumped. At my office we seem to have some kind of virus that has spread across multiple devices on the network, both Windows- and iOS-based.

On desktop devices we are getting a pop-up that says the following:

[attached screenshot of the pop-up]

5/7 computers in our office appear to be getting the message. Since coming in today it also appears that my iPhone and iPad are now having a similar issue; however, instead of the flash pop-up they are re-directing to random pages on the App Store.

For reference, below is a list of the sites that trigger the pop-up.

http://www.kaspersky.com/ (PC only)
http://www.theverge.com/ (PC and iOS)
http://imgur.com/ (PC and iOS)
http://avg.com/ (PC only)
http://speedtest.net/ (PC only)

AVG and Malwarebytes have both come back clear; I have reset all browsers and gone through my installed programs and not found anything.

Any help or advice that you can offer would be greatly appreciated!

Dan

You could give ADW Cleaner a try. That's a tool to check for browser hijacks. http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

If you are familiar with how to check for services, then run Process Explorer and see if you find something suspicious: https://technet.microsoft.com/de-at/sysinternals/bb896653.aspx

Edit: fixed link

It seems the ADW Cleaner site is also affected. I forgot to add that when the pop-up appears you are unable to click off it, and it re-directs you to a download after ~15 seconds.

I'll take a look at services now and report back.

See if you can reboot into safe mode with networking. To do so, you will need to hold Shift and click Restart to reboot into the recovery menu. Then choose safe mode with networking. This seems to be a network-level virus if it is on both your PC and iOS device. Try to connect your iOS device to a different network and see if it still pops up.

It seems the ADW Cleaner site is also affected. I forgot to add that when the pop-up appears you are unable to click off it, and it re-directs you to a download after ~15 seconds.

I'll take a look at services now and report back.

Does it block Google Drive as well? Uploaded the installer to Google Drive: https://drive.google.com/file/d/0BylNB1vw7DCXOXZSeUpOazRsSVU/view?usp=sharing

See if you can reboot into safe mode with networking. To do so, you will need to hold Shift and click Restart to reboot into the recovery menu. Then choose safe mode with networking. This seems to be a network-level virus if it is on both your PC and iOS device. Try to connect your iOS device to a different network and see if it still pops up.

Tried safe mode just before you mentioned it - sadly there's no difference. I disconnected my phone from the network and had the same problem on LTE.

The issue started on the PCs yesterday but not until today on iOS devices. While at home I was able to browse all of the problem sites on my phone.

ADW Cleaner Log:

# AdwCleaner v4.112 - Logfile created 17/03/2015 at 13:44:32
# Updated 09/03/2015 by Xplode
# Database : 2015-03-15.1 [server]
# Operating system : Windows 8.1  (x64)
# Username : Dan - DAN-LAPTOP
# Running from : C:\Users\Dan\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : DptfParticipantProcessorService
Service Found : DptfPolicyConfigTDPService
Service Found : DptfPolicyLpmService

***** [ Files / Folders ] *****

File Found : C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage
File Found : C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage-journal
File Found : C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage
File Found : C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
File Found : C:\WINDOWS\System32\DptfParticipantProcessorService.exe
File Found : C:\WINDOWS\System32\DptfPolicyConfigTDPService.exe
File Found : C:\WINDOWS\System32\DptfPolicyLpmService.exe
Folder Found : C:\Program Files (x86)\Amazon\ABB
Folder Found : C:\Users\Dan\AppData\Roaming\download Manager

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\anchorfree
Key Found : [x64] HKCU\Software\anchorfree
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

-\\ Google Chrome v41.0.2272.89

[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [search Provider] : hxxp://en.softonic.com/s/{searchTerms}
*************************

AdwCleaner[R0].txt - [2106 bytes] - [17/03/2015 13:44:32]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2165 bytes] ##########


Should have fixed it. But that seems to be your major culprit

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

Seems your DNS got redirected over a proxy. So check your firewall settings and global internet settings in system settings. Percentage is quite low but your router settings could also be changed. If you have access to the interface over 192.168.1.1 reset it to defaults too. There should be a switch for that.

Router default login is:

User: admin

Password: admin

Should have fixed it. But that seems to be your major culprit

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

Seems your DNS got redirected over a proxy. So check your firewall settings and global internet settings in system settings. Percentage is quite low but your router settings could also be changed. If you have access to the interface over 192.168.1.1 reset it to defaults too. There should be a switch for that.

Router default login is:

User: admin

Password: admin

So I cleared this and checked all my local settings - no joy there.

On the router I have changed from our default DNS to Google's DNS (for testing) and oddly enough it's fixed it - I also had to clear cached sites.

Should have fixed it. But that seems to be your major culprit

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

Seems your DNS got redirected over a proxy. So check your firewall settings and global internet settings in system settings. Percentage is quite low but your router settings could also be changed. If you have access to the interface over 192.168.1.1 reset it to defaults too. There should be a switch for that.

Router default login is:

User: admin

Password: admin

*.local is normal on Windows Active Directory if your domain is *****.local; there are no public sites at this domain. This setting is automatically done to make sure internal sites are accessed directly rather than through your proxy (ProxyOverride means don't use normal proxy settings for these sites).

If it's also affecting your phone even on LTE then my first guess would be your DNS resolver cache has been poisoned. Check your DNS is DHCP assigned and go to a command prompt and type ipconfig /flushdns

If this is an office network, do you use a proxy server? You may need to run these steps on it if you do.

*.local is normal on Windows Active Directory if your domain is *****.local; there are no public sites at this domain. This setting is automatically done to make sure internal sites are accessed directly rather than through your proxy (ProxyOverride means don't use normal proxy settings for these sites).

If it's also affecting your phone even on LTE then my first guess would be your DNS resolver cache has been poisoned. Check your DNS is DHCP assigned and go to a command prompt and type ipconfig /flushdns

If this is an office network, do you use a proxy server? You may need to run these steps on it if you do.

So it turns out that one of my colleagues had been doing some 'training' on the router and somehow managed to enter the wrong DNS servers. Since changing them back the issue has been fine (after clearing the cache/flushing DNS).

Thanks guys for your help!
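The root cause in this thread was the router handing out wrong DNS servers, and the earlier replies suggest two checks for exactly that: confirm which resolvers DHCP actually assigned, and see whether the answers they give match a resolver you trust. The Python script below is an added example that is not code from the thread or from any tool mentioned in it. It parses the text that `ipconfig /all` prints, flags any DNS server that is not on an allowlist, and diffs per-name A records from the configured resolver against a trusted one. The `ipconfig` text, the `EXPECTED_DNS` allowlist, and every address in `LOCAL_ANSWERS` and `TRUSTED_ANSWERS` are constructed (documentation-range IPs), so run it against real `ipconfig /all` and `nslookup` output to use it for real.

```python
"""Check a Windows client's DNS set-up for the failure mode in this thread:
resolvers handed out by the router/DHCP that nobody expects, and answers that
disagree with a trusted resolver. Added example; all data below is constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed `ipconfig /all` output, not the poster's real output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       198.51.100.24
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Resolvers clients are supposed to use: hypothetical allowlist holding the
# router and an internal AD DNS server.
EXPECTED_DNS: Set[str] = {"192.168.1.1", "192.168.1.10"}

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")            # "Ethernet adapter Ethernet:"
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_RE = re.compile(r"^\s+([0-9A-Fa-f.:%]+)\s*$")  # further servers, one per line


def parse_dns_servers(ipconfig_text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig lists for it."""
    servers: Dict[str, List[str]] = {}
    adapter, in_dns_block = None, False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:                                   # new adapter section
            adapter, in_dns_block = m.group(1), False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:           # first server sits on the label line
            servers.setdefault(adapter, []).append(m.group(1))
            in_dns_block = True
            continue
        m = CONT_RE.match(line) if in_dns_block else None
        if m:                                   # continuation line with another server
            servers[adapter].append(m.group(1))
            continue
        in_dns_block = False                    # any other line ends the list
    return servers


def unexpected_dns_servers(servers: Dict[str, List[str]],
                           expected: Set[str]) -> Dict[str, List[str]]:
    """Adapters using at least one resolver outside the allowlist."""
    return {adapter: [a for a in addrs if a not in expected]
            for adapter, addrs in servers.items()
            if any(a not in expected for a in addrs)}


# Constructed A records for sites from the thread. In practice `local` comes
# from nslookup against the configured server, `trusted` from a resolver you trust.
LOCAL_ANSWERS: Dict[str, Set[str]] = {
    "www.theverge.com": {"203.0.113.9"},
    "imgur.com": {"203.0.113.9"},
    "www.kaspersky.com": {"198.51.100.7"},
}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.theverge.com": {"192.0.2.20", "192.0.2.21"},
    "imgur.com": {"192.0.2.30"},
    "www.kaspersky.com": {"198.51.100.7"},
}


def compare_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]
                    ) -> Dict[str, Tuple[List[str], List[str]]]:
    """Names whose locally returned address set differs from the trusted one.
    Unrelated sites all landing on one address is the classic rewriting-resolver sign."""
    return {name: (sorted(local.get(name, set())), sorted(good))
            for name, good in trusted.items()
            if local.get(name, set()) != good}


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for adapter, rogue in unexpected_dns_servers(found, EXPECTED_DNS).items():
        print(f"{adapter}: unexpected DNS server(s) {rogue}")
    for name, (seen, good) in compare_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"{name}: local resolver says {seen}, trusted resolver says {good}")
```

On the constructed sample the Ethernet adapter is flagged for both `198.51.100.x` servers, and `www.theverge.com` and `imgur.com` both resolve to the same address locally while the trusted resolver returns distinct ones; a site the rogue resolver leaves alone (`www.kaspersky.com` here) produces no diff. Running the allowlist check from a clean machine on another network, as the poster did with LTE, is what separates a poisoned client cache (fixed by `ipconfig /flushdns`) from bad resolvers configured on the router itself.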
