Network infection - need advice on where to start

I've got a malware issue that has spread across my home network and presently affects four computers, and there is a fifth I haven't examined. It's one of those "update your video" type things, with several bogus messages, pop-ups, and browser redirects.

I've done the read-and-run-me-first process on one machine, and nothing much turned up. On another machine, AdwCleaner found some items. Tdskiller didn't find anything, but OTL found some suspicious items and something rootkit it didn't like. Gmer gave me a blue screen of death. Ultimately, it sunk in that I really don't know how to start with something that has spread through my network, so I'd deeply appreciate some advice on how to start. I need a coherent approach rather than just flailing around.

thanks
Off White
Tenino, WA

 

Here are the reports from machine 1. I assume we don't need to worry about isolating computers from each other until we start fixing things?

thanks

Off

 

Machine 1 doesn't act clean: using firefox results in extra windows opening to some Onclick.ads site, with the content blocked, and these keep opening periodically. Chrome brought up some spurious "get paid for reviews" screens that were identical on machine 3.

Here are the logs on machine 2. MGTools didn't want to run, the computer claimed to not know what to do with a .bat file. Opening it from the folder on the C drive didn't work either, I had to use the command prompt and dust off my DOS skills to navigate to the folder and run it that way.

I'll upload the logs on machine 3 momentarily, they're also finished.

I figured I'd do this stuff with my Sunday, but what are you doing working today? I'm impressed.

 

Machine 3 logs attached

 

Resetting browsers brought no relief. All browsers on all five computers are compromised, either new tabs or windows open, often involving appimat.com. The fifth computer has been off since last wednesday afternoon, and when i turned it on today, with all other computers on the network shut down, it had the same problems. Can this be something in one of my three routers? On the network hard drive?

Here are logs for machine 4

 

Not bumping, just needed more upload slots. Superantispyware log and aswMBR log from machine three, the only scans that seem to have turned anything up. SAS says trojan Tracur, but I think the five scans in read me run first came up clean.

Apologies if uploading logs you haven't requested is a huge faux pas, I want to be both helpful and a good citizen.

thanks

 

No, both browsers are still compromised.

 

Yes, I've only been connecting one computer at a time to the network, seemed prudent.

Machine 2 still has the browser behavior, either new tabs or new windows that open. Today's redirect seems to be Parker Grand Casino, had that on Machine 1 when it was connected, and now here on Machine 2.

JRT wouldn't run from the desktop, Windows claimed to not know what to do with get.bat. I chose notepad to open it, saved it to desktop as get.bat, and ran it from the command prompt. Any ideas about this?

My phone also connects to the network, though I haven't had any browser misbehavior on it. Does the different OS (android) make it not an issue?

thanks
Off

 

Sorry for the improper use of the term, it's not really redirecting, just opening new tabs within the browser (typically in chrome) or a new window (typically in firefox). These ARE sites I haven't clicked, and the same range of links show up on different computers. Without adblock extensions working, it will lock up and I have to go to the Task Manager to shut down the browser.

When I clicked "jrt.exe" it opened an extraction progress bar, and apparently it runs a batch file named "get.bat" as part of the process. Windows brought up the "which program to run this" screen. I had this happen before (somewhere in the MGtools process), but I can't recall if it also happened on machine 2 or a different one. In that instance the batch file was in the MGTools folder and was easier to run from the command prompt, with JRT it was somewhere in the .exe process and I had a separate step to create a batch file I could run. It was definitely from JRT, not something else, and JRT ran fine when I opened the batch file via command prompt.

No worries on the android thing, I don't think the phone is involved.

NEW QUESTION/DIAGNOSTIC OPPORTUNITY:
I have a sixth computer, one of the laptops I supply to my employees, and I replaced the hard drive and I'm in the process of re-installing windows 7 and assorted software. The OS is installed and working, but I haven't connected it to my network yet. Should I avoid my network at all costs with this clean machine, or is it a useful experiment to connect it to the network with all my other computers turned off and see if it gets infected? As it is freshly set up, I could just wipe and reinstall Windows again, without adding another thing to this thread.

I'm sorry to present such a pesky project.

 

I couldn't say if I set that restriction, it doesn't ring a bell, but my wife is the one who uses IE.

I've attached a recent OTL log (along with the Extras log OTL created), but in reviewing things I think it was aswMBR that flagged something in red, and SuperAntiSpyware declared something a trojan. Scanning the SAS declared suspect c2mp/updatechecker.exe file with SAS confirms the flag, but scanning it with MBAM says its fine. I attached Machine 3 logs for aswMBR and SAS a few posts back, so I won't do that again.

Here on Machine 3, curiously, I wasn't getting the usual new tabs popping up in firefox or chrome, but opening IE stirred the beast, and I had to kill the process with Task Manager to get it to close, so whatever this thing is, its still loose on this computer.

 

Here's this morning's logs from machine 3.

 

Not sure if its on every machine, but I know its on 1, and likely on 2.

Nothing to be sorry about, it would be great to have an angle on this thing.

I'll re-run hitmanpro on machine 4, let me know if you want a log.

 

I've only found exactly what you named on Machine 1, though most others had similar codec installations with an "updatechecker" that I've uninstalled. All had a version number of 4.0.8

Ran Hitmanpro on Machine 4 and deleted some ask toolbar traces.

Unfortunately, Machine 4 still exhibits the popup tabs/window issues, with occasional lockup as does Machine 5. Machine 1 seems okay, but I need to go do some work on it, so we'll see how it does.

 

Machine 1, the only one I've had time to mess with, is definitely still infected. Machine 3 might be clean, at least I haven't had a reaction in the few minutes I've browsed around. Four and Five definitely have problems too. Haven't fired up Two recently.

I'm going to run out of time to mess with this shortly, I have to leave town on Saturday morning and I had too much to do even before this malware issue cropped up. I can do one more round of stuff, then I'll have to put things on hold until Thursday.

thanks
Off

 

I've run out of time, so I'll pick this back up and run these procedures on Thursday.

thanks
Off

 

I'm back, but out sick today, but hopefully I'll get to mess with at least one of the affected machines, however I had an idea I wanted to toss out there.

Is there a chance Dropbox could play a role in all this? A few months back I noticed it had been hacked, with an unknown user logged in. I booted the user and wised up to the two step verification business, but they had access for a number of hours. Dropbox is installed on all my machines, as well as the employee laptops, two of which seem to have some issues, though not necessarily identical to what I have going on.

thanks
Off

 

I'd have to catalog the extensions on each machine to know for sure. Most have Ad-Block or Ad-Block Plus on both Firefox and Chrome. I know one machine has a fairly feeble limited version on Explorer. I'll start with the revo-uninstall of chrome and firefox on machine 2, and post the MGlog and a list of extensions/add-ons found. That's the Windows tablet and and I can work from bed. :zzz

That screen you posted isn't exactly like ones I've seen, but its somewhat similar, usually about updating a video player or codec.

You'll have to walk me through resetting my router(s) if its more complicated than just unplugging, waiting, and plugging back in. I have a dsl modem/wireless router and an additional wi-fi router next to it, another wi-fi router 200' away in the office, as well as a network hard drive, and my network skills are minuscule.

 

I am, though on a train in North Dakota at the moment. I have had machine 2 with me on the trip, and haven't had any symptoms since I left, I'll have a report on other computers early next week, and I still need to reset routers, but its possible we've done something to correct what was going on.

Thanks! Off