
Inactive [InActive] Possible malware preventing downloads

Discussion in 'Malware and Virus Removal Archive' started by DoubleJ, 2008/12/26.

  1. 2009/01/07
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    It says the connection with the update server has failed. Please follow these steps:
    -Make sure your internet connection is active, please try to open the www.avg.com website.
    -Try to run the update later or schedule an automatic update for another time
    -Make sure the update parameters are set properly.

    I just tried and I downloaded the update files manually (I got a page load error previously) and was able to update. I am still being redirected on that dnscheck link though. I am not sure why.
     
  2. 2009/01/07
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0


  4. 2009/01/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see if there's something hiding from us. Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries
     
  5. 2009/01/07
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    "Drives/Partition other than Systemdrive (typically C:\) "

    Does this mean I leave C:\ checked or unchecked?
     
  6. 2009/01/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Leave C:\ checked
     
    DoubleJ likes this.
  7. 2009/01/08
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-01-08 08:01:42
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.14 ----
     
  8. 2009/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    ipconfig /all >peek.txt
    start notepad peek.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and peek.txt will open. Post its contents here.
     
  9. 2009/01/08
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    Windows IP Configuration

    Host Name . . . . . . . . . . . . : jacob
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
    Physical Address. . . . . . . . . : 00-0D-56-6B-E3-F1

    Ethernet adapter Wireless Network Connection 9:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Belkin 54Mbps Wireless USB Network Adapter #9
    Physical Address. . . . . . . . . : 00-11-50-89-14-66
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.115
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 85.255.112.124
                                        85.255.112.12
                                        1.2.3.4
    Lease Obtained. . . . . . . . . . : Thursday, January 08, 2009 4:00:53 PM
    Lease Expires . . . . . . . . . . : Friday, January 09, 2009 4:00:53 PM
     
  10. 2009/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your router has been hijacked.

    DNS Servers . . . . . . . . . . . : 85.255.112.124
                                        85.255.112.12

    You either need to log in to the router control panel and reset the DNS servers to use OpenDNS servers, or press the reset button on the back of the router for a minimum of 10 seconds to reset it to factory defaults.
    Either way, it is important that you change the password on the router.

    Note - if using wireless security, you will be required to reconfigure those settings after resetting the router, most likely via a wired connection.
     
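As an added example (not from the thread or from noahdfear), a small Python script that applies the check made in the post above: it parses `ipconfig /all` output, including the bare-IP continuation lines under "DNS Servers", and flags any DHCP-assigned DNS server that is neither on the local subnet (the router itself) nor on an allowlist. The sample output is constructed from the values posted in this thread; the OpenDNS allowlist addresses are an assumption for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig /all output posted in this thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Wireless Network Connection 9:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.115
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 85.255.112.124
                                       85.255.112.12
                                       1.2.3.4
"""

# Resolvers the administrator expects to see (assumed: OpenDNS, as recommended in the thread).
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")
IPV4_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # bare-IP continuation line

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; bare-IP lines extend the previous field."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current, last_field = adapters.setdefault(m.group(1), {}), None
        elif current is None:
            continue  # global header lines above the first adapter
        elif m := FIELD_RE.match(line):
            last_field = m.group(1).strip()
            values = current.setdefault(last_field, [])
            if m.group(2):
                values.append(m.group(2).strip())
        elif (m := IPV4_RE.match(line)) and last_field:
            current[last_field].append(m.group(1))
    return adapters

def rogue_dns_servers(adapters, trusted=TRUSTED_RESOLVERS):
    """Flag DHCP-assigned DNS servers that are neither on the local subnet nor trusted."""
    findings = []
    for name, fields in adapters.items():
        if (fields.get("Dhcp Enabled") or [""])[0] != "Yes":
            continue  # static or disconnected adapter: the router handed out nothing
        ip = (fields.get("IP Address") or [None])[0]
        mask = (fields.get("Subnet Mask") or [None])[0]
        if not ip or not mask:
            continue
        local_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for dns in fields.get("DNS Servers", []):
            if dns not in trusted and ipaddress.ip_address(dns) not in local_net:
                findings.append((name, dns))
    return findings

if __name__ == "__main__":
    for adapter, dns in rogue_dns_servers(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: DNS server {dns} is outside the LAN and not trusted")
```

To check a real machine, feed it the saved peek.txt instead of the constructed sample.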
  11. 2009/01/10
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    I should still be able to connect to the internet after this without having to do anything correct? Will this cause any other problems?
     
  12. 2009/01/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, you will be able to connect. As mentioned, the only problem might be with wireless connections. Some routers do not have wireless connections enabled by default, which would require using a wired connection to access the router and enable wireless. Then, if using wireless encryption, it would need to be reconfigured in the router, and if a different encryption key is assigned, the PC using wireless would need that same key applied to the connection.
     
  13. 2009/01/10
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    OK, I did the OpenDNS. I did the steps you told me to do before you said it was hijacked. This is what I get.

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : jacob
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
    Physical Address. . . . . . . . . : 00-0D-56-6B-E3-F1

    Ethernet adapter Wireless Network Connection 9:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Belkin 54Mbps Wireless USB Network Adapter #9
    Physical Address. . . . . . . . . : 00-11-50-89-14-66
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.115
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 85.255.112.124
                                        85.255.112.12
                                        1.2.3.4
    Lease Obtained. . . . . . . . . . : Saturday, January 10, 2009 3:17:46 PM
    Lease Expires . . . . . . . . . . : Sunday, January 11, 2009 3:17:46 PM

    Any better?
     
  14. 2009/01/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I think you're going to have to do the reset. It's still showing your connection is hijacked.

    DNS Servers . . . . . . . . . . . : 85.255.112.124
                                        85.255.112.12

    See the instructions here for MBAM.
    Download it, install it and update it.
    Disconnect from your router, physically if it's a wired connection.
    Run a full scan with MBAM and allow it to remove whatever it finds.
    Do the reset on the router, then reconnect your computer and post the MBAM log here.
    Let me know if you're still being redirected.
     
  15. 2009/01/10
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    I did it twice because I forgot to update.

    Malwarebytes' Anti-Malware 1.32
    Database version: 1638
    Windows 5.1.2600 Service Pack 2

    1/10/2009 7:28:01 PM
    mbam-log-2009-01-10 (19-28-01).txt

    Scan type: Quick Scan
    Objects scanned: 15842
    Time elapsed: 2 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\doggyme (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mimi11.bho (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{275de758-ae97-4be3-bef1-107a376c66e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Log 2

    Malwarebytes' Anti-Malware 1.32
    Database version: 1640
    Windows 5.1.2600 Service Pack 2

    1/10/2009 7:35:33 PM
    mbam-log-2009-01-10 (19-35-33).txt

    Scan type: Quick Scan
    Objects scanned: 37979
    Time elapsed: 3 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{32b835ad-a896-4cf2-a05d-20320d33a01d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.124 85.255.112.12 1.2.3.4 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  16. 2009/01/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    And are you still being redirected?
     
  17. 2009/01/11
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    Sorry, I thought I had already answered that in my last post but it slipped my mind. I am no longer being redirected. Everything seems to be working correctly. Thank you so much for your help through this entire thing. What do you think the problem was exactly?
     
  18. 2009/01/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good news. :)

    The problem was an infection that hijacked your router settings. It was able to do that because the username and password for the router were still set to the factory-delivered settings. The infection tests known default settings when it detects a router and, if able, gains access.

    Are there any other computers connected? If so, I recommend physically disconnecting them and running MBAM scans on them as well.

    Let's see if we can get a Kaspersky scan now. Do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.



    Post the Kaspersky log here.
     
  19. 2009/01/12
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Invalid file signature]

    I got farther than I did before though. It was updating, then abruptly ended.
     
  20. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmmm ........ let's try Panda.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, it will begin scanning your computer
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HijackThis log.

    Note - it's best to disable realtime protections whilst scanning
     
  21. 2009/01/14
    DoubleJ

    DoubleJ Inactive Thread Starter

    Joined:
    2008/12/26
    Messages:
    23
    Likes Received:
    0
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-01-13 22:27:09
    PROTECTIONS: 1
    MALWARE: 10
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee Internet Security Suite 2007 9.0 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{9F60C5C7-E64F-4CFB-90A4-F1DC153F4E28}\RP196\A0037110.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{9F60C5C7-E64F-4CFB-90A4-F1DC153F4E28}\RP196\A0037096.sys
    03587590 Adware/Yassist Adware No 0 No No C:\Documents and Settings\Owner\Desktop\DivXInstaller.exe[²Ã‡Ã‡\y_toolbar.exe][²Ã¨Ã‡]
    03587590 Adware/Yassist Adware No 0 No No D:\RECYCLER\S-1-5-21-117609710-115176313-682003330-1003\Dd3.exe[²Ã‡Ã‡\y_toolbar.exe][²Ã¨Ã‡]
    03587590 Adware/Yassist Adware No 0 No No D:\RECYCLER\S-1-5-21-117609710-115176313-682003330-1003\Dd4.exe[²Ã‡Ã‡\y_toolbar.exe][²Ã¨Ã‡]
    04534966 Generic Trojan Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{9F60C5C7-E64F-4CFB-90A4-F1DC153F4E28}\RP195\A0037046.exe
    04555951 Generic Trojan Virus/Trojan No 0 Yes Yes C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location Ma
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description Ma
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
