cannot delete keeps coming back

Markbo,

I think we are beating a dead horse here; as many times as we remove those entries, they're going to come back.

http://www.atheros.com/pt/AR5007EG.htm

Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 85.255.112.130
DNS Server Search Order: 85.255.112.170
DNS Server Search Order: 1.2.3.4


This infection has infected your wireless adapter. I need to look into this, but I believe that the CMOS chip on the adapter is infected. Not really sure how to proceed, will be back soon with more info.
 
Can you give me some more information? What's going on here is becoming more common; the infection has most likely attacked your router.

85.255.112.130

This is where this IP address is taking you
krTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine


1. How is your system set up, what router do you use and did it come from your ISP or did you purchase it yourself?






Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
 
gmer scan

This just happened. I have a desktop and a laptop.
I am using a Linksys wrt45g. I did read that article; found it trying to fix the problem. I am going to disconnect the internet from all PCs, reset the router, then scan the PCs with everything you send me.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-20 17:09:26
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
 
Hello,

What I would do is to reset the router back to the default settings like you just said, then run Malwarebytes and post the log. Do this just on the one we are working on at the moment.

Then hook up your computers and run Malwarebytes again on the same computer, and let's see if those entries come back.
 
Markbo,

Forgot to point out that after you reset the router (make sure that you set a new password and network name also), you should run the scans disconnected from the router, as you will take a chance of reinfecting the router if the infection is not cleaned and is still present. Malwarebytes should remove it.
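
To check whether the entries come back after the router reset, the adapter report quoted earlier in the thread can be parsed and compared against the resolvers the network is supposed to use. This is an added example, not part of any post or of any tool mentioned here; `EXPECTED_RESOLVERS`, the second adapter and the function names are assumptions, and the sample report is constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed sample in the "Description / DNS Server Search Order" layout quoted in the thread.
SAMPLE_REPORT = """\
Description: Atheros AR5007EG Wireless Network Adapter
DNS Server Search Order: 85.255.112.130
DNS Server Search Order: 85.255.112.170
DNS Server Search Order: 1.2.3.4

Description: Example Wired Adapter (constructed)
DNS Server Search Order: 192.168.1.1
"""

# Assumption: the only resolver this network should hand out is the router's LAN address.
EXPECTED_RESOLVERS = {"192.168.1.1"}

LINE_RE = re.compile(
    r"^[ \t]*(Description|DNS Server Search Order)[ \t]*:[ \t]*(.+?)[ \t\r]*$", re.M)

def parse_report(text):
    """Return {adapter description: [DNS servers in the order listed]}."""
    adapters, current = {}, None
    for key, value in LINE_RE.findall(text):
        if key == "Description":
            current = value
            adapters.setdefault(current, [])
        elif current is not None:  # ignore DNS lines that precede any adapter
            adapters[current].append(value)
    return adapters

def unexpected_dns(adapters, expected=EXPECTED_RESOLVERS):
    """Return (adapter, server, reason) for every server outside the expected set."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for adapter, servers in adapters.items():
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((adapter, server, "not an IP address"))
                continue
            if addr not in allowed:
                findings.append((adapter, server, "not an expected resolver"))
    return findings

if __name__ == "__main__":
    for adapter, server, reason in unexpected_dns(parse_report(SAMPLE_REPORT)):
        print(f"{adapter}: {server} ({reason})")
```

Run it on a report saved before the reset and again after reconnecting; an empty result the second time means the adapter is no longer being handed the unexpected servers.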
 