Virus, modem, and router-switch

What happened
----------------

One computer in the network was infected with 26 virus.

A few hours later the SMC router-switch went down (all lights were off
except power indicater).

Next day I plugged in a D-Link router switch; it worked.

Later a domain I was working on could be "ping", but could not accessed
through HTTP protocol. A little bit later, it could not be "ping".

I worked on another domain as well; this domain resides in the same web
server as the above mentioned domain. The domain was accessible all this
time.

And then an about hour later, I could reached the second domain.

Question
---------

Is this the sign of a virus infection ?

"SL" <(E-Mail Removed)> wrote in message
news:i8rrrg$9og$(E-Mail Removed)...
> What happened
> ----------------
>
> One computer in the network was infected with 26 virus.
>
> A few hours later the SMC router-switch went down (all lights were off
> except power indicater).
>
> Next day I plugged in a D-Link router switch; it worked.
>
> Later a domain I was working on could be "ping", but could not
> accessed through HTTP protocol. A little bit later, it could not be
> "ping".
>
> I worked on another domain as well; this domain resides in the same
> web server as the above mentioned domain. The domain was accessible
> all this time.
>
> And then an about hour later, I could reached the second domain.
>
> Question
> ---------
>
> Is this the sign of a virus infection ?

No.

From: "SL" <(E-Mail Removed)>

| What happened
| ----------------

| One computer in the network was infected with 26 virus.

| A few hours later the SMC router-switch went down (all lights were off
| except power indicater).

| Next day I plugged in a D-Link router switch; it worked.

| Later a domain I was working on could be "ping", but could not accessed
| through HTTP protocol. A little bit later, it could not be "ping".

| I worked on another domain as well; this domain resides in the same web
| server as the above mentioned domain. The domain was accessible all this
| time.

| And then an about hour later, I could reached the second domain.

| Question
| ---------

| Is this the sign of a virus infection ?


First off realize that viruses is the plural of virus and I can assure you that you have a
better chance of being hit by lightning than 26 viruses.
All viruses are malware but not all malware are viruses. That being said you had a
computer on your network that was infected with 25 pieces of malware.

However...
How do you KNOW it had 26 anything ?
You din't supply any information on what infected the computer (either by detection name
or what was deemed to be malware on the computer) or the anti malware solution that was
installed on the platform.

As for the problems you are having with a SOHIO Router.
The description is vague. I have seen Routers revert to factory settings due to a Brown
Out power condition and I have seen them die due to power surge power conditions or by
other causative factors. SOHO Routers are inexpensive and can die without notice.

Routers can become compromised by Malware. The Psyb0t worm targets a limited number of
Routers using embedded Linux and there is the DNSChanger trojan. The DNSChanger trojan
alters the DNS Server Table of a given Router such that nodes, who receive DNS servers via
DHCP, will use the Dirty list of DNS Server that the DNSChanger Trojan chane the Router
to.

To know if the SMC brand Router was compramised by the computer on the network that was
infected with 26 pieces of malware will depend on EXACTLY what the malware was identified
to be.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

< snip >

| As for the problems you are having with a SOHIO Router.

< snip >


SOHIO Router - LOL

That should have been "SOHO Router".




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

"sl@exabyte" <(E-Mail Removed)> wrote in message
news:i8ug4b$ae$(E-Mail Removed)...
>
>
>> First off realize that viruses is the plural of virus and I can
>> assure you that you have a
>> better chance of being hit by lightning than 26 viruses.
>> All viruses are malware but not all malware are viruses. That being
>> said you had a
>> computer on your network that was infected with 25 pieces of malware.
>>
>> However...
>> How do you KNOW it had 26 anything ?
>> You din't supply any information on what infected the computer
>> (either by detection name
>> or what was deemed to be malware on the computer) or the anti malware
>> solution that was
>> installed on the platform.
>>
>> As for the problems you are having with a SOHIO Router.
>> The description is vague. I have seen Routers revert to factory
>> settings due to a Brown
>> Out power condition and I have seen them die due to power surge power
>> conditions or by
>> other causative factors. SOHO Routers are inexpensive and can die
>> without notice.
>>
>> Routers can become compromised by Malware. The Psyb0t worm targets a
>> limited number of
>> Routers using embedded Linux and there is the DNSChanger trojan. The
>> DNSChanger trojan
>> alters the DNS Server Table of a given Router such that nodes, who
>> receive DNS servers via
>> DHCP, will use the Dirty list of DNS Server that the DNSChanger
>> Trojan chane the Router
>> to.
>>
>> To know if the SMC brand Router was compramised by the computer on
>> the network that was
>> infected with 26 pieces of malware will depend on EXACTLY what the
>> malware was identified
>> to be.
[...]

> Thanks for the info.
>
> I am not sure the SMC is compromised by virus, it just so happened
> very shortly after a PC in LAN was infected by 26 virus (a pop-up
> dialog says so).

Yes, often antivirus programs will detect non-viral malware and refer to
them as "viruses" when alerting the user.

They are *wrong* to do so IMO.

> I shall find out more about the DNSChanger Trojan.

You may have a log file with the list of found malware on the PC in
question (or, rather, the machine that ran the scanner). You should get
a more detailed malware name for each instance (and evidence that *most*
were not actually viruses).

From: "sl@exabyte" <(E-Mail Removed)>



| Thanks for the info.

| I am not sure the SMC is compromised by virus, it just so happened very
| shortly after a PC in LAN was infected by 26 virus (a pop-up dialog says
| so).

| I shall find out more about the DNSChanger Trojan.

You still haven't supplied any information on what infected the computer (either by
detection name or what was deemed to be malware on the computer) or the anti malware
solution that was
installed on the platform.


--
Dave
New, Multi-AV v7.03
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman wrote:

> SL wrote:
>
> | Thanks for the info.
>
> | I am not sure the SMC is compromised by virus, it just so
> happened very | shortly after a PC in LAN was infected by 26
> virus (a pop-up dialog says | so).
>
> | I shall find out more about the DNSChanger Trojan.
>
> You still haven't supplied any information on what infected
> the computer (either by detection name or what was deemed to
> be malware on the computer) or the anti malware solution that
> was installed on the platform.
>

In case the OP, SL, doesn't know what popped that message, the
description sounds like a pop-up dialog, popped by a single piece
of malware or a malicious website visited.
Then, the intent of that message-window would be to try to scare
the OP to download and install the actual malware.


--
Click on me!

From: "Etal" <(E-Mail Removed)>

| David H. Lipman wrote:

>> SL wrote:

>> | Thanks for the info.

>> | I am not sure the SMC is compromised by virus, it just so
>> happened very | shortly after a PC in LAN was infected by 26
>> virus (a pop-up dialog says | so).

>> | I shall find out more about the DNSChanger Trojan.

>> You still haven't supplied any information on what infected
>> the computer (either by detection name or what was deemed to
>> be malware on the computer) or the anti malware solution that
>> was installed on the platform.


| In case the OP, SL, doesn't know what popped that message, the
| description sounds like a pop-up dialog, popped by a single piece
| of malware or a malicious website visited.
| Then, the intent of that message-window would be to try to scare
| the OP to download and install the actual malware.


That is a very possible scenerio but the OP needs to explain further. We shouln't have to
"guess".


--
Dave
New, Multi-AV v7.03
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

> First off realize that viruses is the plural of virus and I can assure you
> that you have a
> better chance of being hit by lightning than 26 viruses.
> All viruses are malware but not all malware are viruses. That being said
> you had a
> computer on your network that was infected with 25 pieces of malware.
>
> However...
> How do you KNOW it had 26 anything ?
> You din't supply any information on what infected the computer (either by
> detection name
> or what was deemed to be malware on the computer) or the anti malware
> solution that was
> installed on the platform.
>
> As for the problems you are having with a SOHIO Router.
> The description is vague. I have seen Routers revert to factory settings
> due to a Brown
> Out power condition and I have seen them die due to power surge power
> conditions or by
> other causative factors. SOHO Routers are inexpensive and can die without
> notice.
>
> Routers can become compromised by Malware. The Psyb0t worm targets a
> limited number of
> Routers using embedded Linux and there is the DNSChanger trojan. The
> DNSChanger trojan
> alters the DNS Server Table of a given Router such that nodes, who receive
> DNS servers via
> DHCP, will use the Dirty list of DNS Server that the DNSChanger Trojan
> chane the Router
> to.
>
> To know if the SMC brand Router was compramised by the computer on the
> network that was
> infected with 26 pieces of malware will depend on EXACTLY what the malware
> was identified
> to be.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>

Thanks for the info.

I am not sure the SMC is compromised by virus, it just so happened very
shortly after a PC in LAN was infected by 26 virus (a pop-up dialog says
so).

I shall find out more about the DNSChanger Trojan.

From: "sl@exabyte" <(E-Mail Removed)>

| Some names are:

| win32.Dripper
| win32.Anitigen.a
| HTML.RedBrowser.a
| HTML.Bayfraud.ra
| HTML.Citifraud
| win32.Delf.h
| win32.Anitv.a


| After doing some "google", I think the pop-up is virus (with a button
| "Remove All"). The PC user was fooled, I think.

Google was a waste of time.

While it is helpful, to some degree, to know the names of the malware it is insufficient
information.

What is needed is the name of the anti malware application that is installed and is THAT
the what declared the malware as well as the fully qualified names and paths to the files
deemed to be infected.

Without that information, I must conclude that this is the result of a FakeAv trojan
infection which is a con. The person gets infected with a trojan and it Pops-Up
indicating you are infected and to remove the malware and FakeAV application is suggested.
The motivation is money and personal information. The other possibility is the PC isn't
actually infected but a well crafted web page is shown that LOOKS LIKE a standard window
Pop-Up indicating that the PC is infected.


--
Dave
New, Multi-AV v7.03
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp