Pumpkin08

@comcast.net

Problems with WiFi and computers on network

downloadscu - log fi···0913.txt 112,782 bytes
Log Files
Hello,

I'm trying to help a friend.
Someone is getting into their WiFi network,
and using their computers.
Also, at night, when their computers are off (powered down),
the WiFi indicator light on the router flashes constantly.
This has been happening for several months, or more.
They blamed something else.
For example, "MSN is really slow again."
Or "The computer can't find Google again."
Or "The computer is slow because it is hot."
Etc.
The recent symptoms included the computers running very slowly.
The performance was slightly better than impossible to use.
There were many disconnects from the network.
I noticed that while watching a RaspberryPi computer on their network.
The computer was disconnecting from the network because of very frequent
Deauthentication packets.
I noticed that during Booting, the computer found two keyboards.
I noticed that the /tmp directory had some files that always had the same names.
One of the files had "biker" in the name.
Another file had "ozzy" in the name.
If the files were deleted, they would soon return,
with the same names.
When ssh was disabled, it would soon return to enabled.
The browser was painfully slow.
The cpu usage was usually at 100%.
The browser crashed frequently because it ran out of memory.
I shut down the RaspberryPi computer.
[I'm not going to try to clean it.
I will get a new memory card, with a new image installed on it.
I will follow some checklists to harden the system before it goes near
a network.]

The computer that I am trying to clean is a Windows 7 laptop.
It is painfully slow to use.
The cpu usage is frequently at 100%.
It also frequently displays alerts for high disk usage, or
high memory usage.
This frequently happens while the computer is being used to
play a small game, like solitaire.

I checked their router.
It didn't have much security.
The network password was very weak.
Now, it is much longer, and stronger.
The router password was very weak.
Now, it is much longer, and stronger.

The router firewall was set to low.
Now, it is set to high.

But, the more secure router has no effect on the intruders.
I imagine that there are some things installed on the computer
that go out and connect with the intruders.

I ran the programs listed in the Security Cleanup FAQ.
Some interesting things happened during that.
When I tried to disable the Norton Security Suite,
it looked like it was already disabled.
Also, when I clicked on Settings, nothing happened.

Then, after Malwarebytes Anti-Malware ran, it restarted the computer.
After the restart, Norton Security opened, with a message that said,
Click here to Install Norton Security.
It looked like it was real.
I thought that was another attempt to install more malware.
So, I closed that window.
I thought that the timing was interesting.
A security program that was already installed, and disabled;
gave me the opportunity to install;
immediately after Malwarebytes Anti-Malware restarted the computer.

Then, while OTL was running,
the computer taskbar displayed a notification that Windows Update
was downloading, and it was 45% completed.
I pressed the WiFi button on the laptop to disconnect from the network.
The icon didn't look right.
The neighbors received the same notification a few days ago.
[They let their update run.]
[When they restarted their computer,
it reported that it found a problem,
and that it was fixing the problem with a system restore.
I imagine that more malware was installed.]

The same notification, same icon, same 45%, ...
while the computer was running OTL ?
I changed the Windows Update settings from "Automatic" to "Do Not Install".
I went to Services, and disabled the Windows Update service.
Then, I went to C:\Windows\SoftwareDistribution and renamed the files
in that folder.
I put "NOT_" at the beginning of each file name.
For example, "Download" was renamed to "NOT_Download".
C:\Windows\SoftwareDistribution\NOT_Download
Then, I went back to the folder, and renamed it.
"SoftwareDistribution" was renamed to "NOT_SoftwareDistribution".
C:\Windows\NOT_SoftwareDistribution

I imagine that there are better ways to stop a malicious update.
I guessed what to do.

After that, the computer has been offline most of the time.
It has only been online a few times, for a few seconds.

Moving on ...
The log files.
(I had a lot of difficulty finding some of the log files.)

I cannot find the log file from SecurityCheck: checkup.txt

I can run any of the programs again,
and I will try to answer your questions.

Thank you

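The poster improvised a way to stop the suspicious "45% downloaded" update (disable the service, then rename SoftwareDistribution). As an added example that is not part of the thread, here is the same outcome done with the supported service cmdlets from an elevated PowerShell prompt. It assumes only the standard Windows Update service name (wuauserv) and the stock PowerShell 2.0 that Windows 7 ships with, so it avoids parameters introduced in later versions.

```powershell
# Added example, not from the thread: stop Windows Update and set aside its
# download cache for inspection. Run as Administrator on the Windows 7 laptop.
# Assumes the standard service name 'wuauserv'; the NOT_ prefix mirrors the
# naming the poster already used so the folder is easy to find again.

$svc     = 'wuauserv'
$distDir = Join-Path $env:SystemRoot 'SoftwareDistribution'
$backup  = Join-Path $env:SystemRoot 'NOT_SoftwareDistribution'

# 1. Stop the service and keep it from starting on the next boot.
#    This replaces the manual trip through services.msc.
Stop-Service -Name $svc -Force -ErrorAction Stop
Set-Service  -Name $svc -StartupType Disabled

# 2. Rename the cache rather than deleting it, so whatever was being
#    downloaded can still be examined (timestamps, sizes, hashes) later.
if (Test-Path $distDir) {
    if (Test-Path $backup) { throw "$backup already exists; pick another name" }
    Rename-Item -Path $distDir -NewName (Split-Path $backup -Leaf)
}

# 3. List what was in the Download folder, newest first, so the partial
#    download can be looked at instead of guessed about.
Get-ChildItem -Path (Join-Path $backup 'Download') -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# 4. Confirm the service is stopped and disabled. WMI is used because
#    Get-Service on PowerShell 2.0 does not expose the start mode.
Get-WmiObject Win32_Service -Filter "Name='$svc'" |
    Select-Object Name, State, StartMode
```

Once the machine is confirmed clean, the change is reversed with `Set-Service -Name wuauserv -StartupType Automatic` followed by `Start-Service wuauserv`; Windows recreates SoftwareDistribution on its own, and the NOT_ copy can then be deleted.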

TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

Hi Pumpkin08

Please follow the below instructions in the order listed.

quote:
I'm trying to help a friend.
Someone is getting into their WiFi network,
and using their computers.
Also, at night, when their computers are off (powered down),
the WiFi indicator light on the router flashes constantly.
That's not necessarily an indication of malicious activity, the router will show activity even when the computers are off, so while it could be an indicator, it's also normal activity.

Run OTL.exe again

In the Custom Scans/Fixes box at the bottom, paste in the following:

quote:
:OTL
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:3B3A302E
Please post the new OTL log (there will just be one log this time).

Please download Malwarebytes Anti-Rootkit here:
»downloads.malwarebytes.org/file/mbar
Unzip the contents to a folder on the Desktop.

- Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

Please delete your current copy of Security Check, and download a new copy, save it to your Desktop, re-run the program and post the log (checkup.txt).
http://screen317.spywareinfoforum.org/SecurityCheck.exe
 

Please post the log from OTL, the two logs from MBAR, the log from Security check, and note any errors encountered.

--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010
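The OTL fix above removes a named alternate data stream attached to C:\ProgramData\Temp. As an added example that is not part of the thread or of OTL, here is how to list that stream before the fix runs, and to confirm it is gone afterwards. It assumes the path and stream name exactly as they appear in the OTL line; the `-Stream` parameter needs PowerShell 3.0 or later, so the script falls back to `cmd /c dir /r` on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example, not from the thread: enumerate named alternate data streams
# on the folder named in the OTL fix, before and after the fix is applied.
# Values below come from the thread's OTL line; nothing else is assumed.
$target = 'C:\ProgramData\Temp'
$stream = '3B3A302E'

function Get-NamedStreams {
    param([string]$Path)
    if ($PSVersionTable.PSVersion.Major -ge 3) {
        # PowerShell 3.0+: ask the filesystem provider directly.
        Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object @{n='Stream';e={$_.Stream}}, Length
    } else {
        # PowerShell 2.0 (stock Windows 7): 'dir /r' prints one extra line per
        # named stream, e.g. "   142 Temp:3B3A302E:$DATA", under the parent dir.
        $parent = Split-Path $Path -Parent
        $leaf   = Split-Path $Path -Leaf
        cmd /c "dir /r `"$parent`"" |
            Where-Object { $_ -match "^\s*(\d[\d,]*)\s+$([regex]::Escape($leaf)):(.+):\`$DATA\s*$" } |
            ForEach-Object { New-Object PSObject -Property @{ Stream = $Matches[2]; Length = $Matches[1] } }
    }
}

# Before the OTL fix: expect a line for 3B3A302E (142 bytes per the OTL log).
"--- streams on $target before fix ---"
Get-NamedStreams -Path $target | Format-Table -AutoSize

# After the OTL fix has run and the machine has rebooted, run this file again;
# the named stream should no longer be listed.
$still = Get-NamedStreams -Path $target | Where-Object { $_.Stream -eq $stream }
if ($still) { "stream $stream is still present" } else { "stream $stream not found" }
```

Recording the listing in the thread alongside the OTL log gives the helper a second, independent confirmation that the fix removed what it was asked to remove.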