windows 7 - I cannot go to google.com and other websites due to invalid certificate; possible DNS issue?

26
2014-06
  • cchampion

    I am using Windows 7 on my PCs, and my wife and I both have iPhones.

    About two weeks ago I was having a problem on the PCs where google.com would sometimes give a 404 not found and then in the middle of the screen say "ngix". I attempted to fix this by resetting the hosts file back to default (nothing in it but comments). This seemingly fixed the ngix problem, but then other weird things started happening.

    I keep getting invalid certificates on web sites such as google.com, linkedin.com, godaddy.com and others. The kicker is that this problem is now intermittently occurring on both my PCs, one virtual machine (on a PC) and also on both my iPhone and my wife's iPhone.

    From what I have read this could be caused by a DNS problem that tries to take me to a bogus site instead of the real site. I have looked at the hosts files again on my PCs and they look fine (there is nothing in them, everything is commented out). I have also looked at the DNS settings on my router and I see nothing suspicious. I could easily be missing something though because I am not trained in networking or system administration.

    I have scanned with several anti-virus and anti-malware tools, including malwarebytes, AVG, Norton and others, and none of them find anything. Virus definitions are up-to-date.

    I finally got fed up with the invalid certificate on my phone when I go to google.com so I clicked to continue anyway and I was carried to a coupons.com website. I closed it immediately. I have no clue what is going on. I hate to have to wipe my computers as that might not even fix the issue if it is a DNS problem on the router.

    I have powered off the router, waited 30 seconds, then powered it back on; that had no effect.

    Any assistance with this issue would be greatly appreciated.

  • Answers
  • arielnmz

    First of all, scan your computer with anti-malware software. I'm aware you've already tried with some apps, I suggest you also run a check with adwcleaner, it's a freeware and portable alternative. Here are some useful steps to solve this kind of issue:

    1. Use antimalware and antivirus software (✓).
      • Check that no suspicious or unwanted software is loaded at startup: Win+R and execute msconfig.exe, uncheck all apps that run at startup. Many apps aren't identified as actual malware, which is why your antimalware or antivirus software won't remove them.
      • Also check for suspicious services, you can also disable them from msconfig. Hint: check the Hide Microsoft services option to make sure you don't disable something important.
      • Disable or remove any extensions of your browser.
    2. Reset your hosts file (✓).
    3. Try accessing the same site from another computer; if the problem isn't present, it's most certainly a problem with your computer, so repeat steps 1 and 2, or in the worst case do a clean reinstall.
    4. If the problem persists, it's most certainly an issue with your DNS (your router):
      • Change the default DNS of your router, I recommend using Google's Public DNS addresses: 8.8.8.8 and 8.8.4.4. They're fast and relatively more secure than your ISP's.
      • Change the DNS that your router provides to DHCP clients (you'll have to renew your connection after this).
      • Change the DNS addresses that your network adapter uses.
      • If all of the above fails, try resetting your router to the default factory settings, and change your DNS addresses again.
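    A PowerShell diagnostic that collects the evidence steps 2 and 4 rely on from one Windows 7 PC; this is an added example and is not part of the answer above. It assumes nslookup.exe is present (it is on Windows 7), that 8.8.8.8 is reachable as a reference resolver, and that the three site names are the ones from the question; the function names are mine.

```powershell
# Added diagnostic, not code from the answer above. Run in PowerShell on the
# affected Windows 7 PC. Assumes nslookup.exe is present and 8.8.8.8 is reachable.
$sites = 'google.com', 'linkedin.com', 'godaddy.com'

function Get-HostsOverrides {
    # Any non-comment, non-blank line bypasses DNS entirely; a clean file prints nothing.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $path | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-AdapterDnsServers {
    # The resolvers each active adapter really uses (DHCP-assigned ones come from the router).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { New-Object PSObject -Property @{
            Adapter = $_.Description; Dns = ($_.DNSServerSearchOrder -join ', ') } }
}

function Resolve-With {
    param([string]$Name, [string]$Server)
    # Ask one specific resolver and pull the IPv4 answers out of nslookup's text output.
    $out = (& nslookup -type=A $Name $Server 2>$null | Out-String) -split 'Name:', 2
    if ($out.Count -lt 2) { return @() }
    [regex]::Matches($out[1], '\b\d{1,3}(\.\d{1,3}){3}\b') | ForEach-Object { $_.Value }
}

function Get-ServerCertificate {
    param([string]$Name, [int]$Port = 443)
    # Finish a TLS handshake with whatever answers for $Name and report its certificate.
    # The callback accepts any certificate on purpose: the point is to *see* the bogus one.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        New-Object PSObject -Property @{ Host = $Name; Subject = $cert.Subject; Issuer = $cert.Issuer
                                         Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter }
    } finally { $ssl.Close(); $tcp.Close() }
}

'--- hosts overrides ---';     Get-HostsOverrides
'--- adapter DNS servers ---'; Get-AdapterDnsServers | Format-Table Adapter, Dns -AutoSize
foreach ($s in $sites) {
    # What the browser's resolver returns versus a known-good public resolver.
    $system = [System.Net.Dns]::GetHostAddresses($s) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString }
    $public = Resolve-With $s '8.8.8.8'
    "--- $s ---"; "  system resolver : $($system -join ', ')"; "  8.8.8.8         : $($public -join ', ')"
    # Big sites answer from CDNs, so different addresses alone prove nothing; a private
    # address, or a certificate not issued for $s, is the real tell.
    if ($system -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') { "  WARNING: private address for $s" }
    try { Get-ServerCertificate $s | Format-List Subject, Issuer, Thumbprint, Expires }
    catch { "  TLS handshake with $s failed: $($_.Exception.Message)" }
}
```

    Run it before and after changing the router's DNS; the Subject and Issuer printed are what to compare against the details in the browser's certificate warning.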

  • Related Question

    virus - UAC being turned off once a day on Windows 7
  • Questioner

    I have strange problem on my HP laptop. This began to happen recently. Whenever I start my machine, Windows 7 Action Center displays the following warning:

    You need to restart your computer for UAC to be turned off.

    Actually, this does not happen if it happened once on a specific day. For example, when I start the machine in the morning, it shows up; but it never shows up in the subsequent restarts within that day. On the next day, the same thing happens again.

    I never disable UAC, but obviously some rootkit or virus causes this. As soon as I get this warning, I head for the UAC settings, and re-enable UAC to dismiss this warning. This is a bothersome situation as I can't fix it.

    First, I have run a full scan on the computer for any probable virus and malware/rootkit activity, but TrendMicro OfficeScan said that no viruses have been found. I went to an old Restore Point using Windows System Restore, but the problem was not solved.

    What I have tried so far (which couldn't find the rootkit):

    • TrendMicro OfficeScan Antivirus
    • AVAST
    • Malwarebytes' Anti-malware
    • Ad-Aware
    • Vipre Antivirus
    • GMER
    • TDSSKiller (Kaspersky Labs)
    • HiJackThis
    • RegRuns
    • UnHackMe
    • SuperAntiSpyware Portable
    • Tizer Rootkit Razor (*)
    • Sophos Anti-Rootkit
    • SpyHunter 4
    • ComboFix

    There are no other strange activities on the machine. Everything works fine except this bizarre incident.

    What could be the name of this annoying rootkit? How can I detect and remove it?


    EDIT: Below is the log file generated by HijackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:07:04, on 17.01.2011
    Platform: Windows 7  (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16700)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\LightningFAX\LFclient\lfsndmng.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Office Communicator\communicator.exe
    C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\Microsoft LifeCam\LifeExp.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\mimio\mimio Studio\system\aps_tablet\atwtusb.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\userx\Desktop\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.yaysat.com.tr/proxy/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [lfsndmng] C:\Program Files\LightningFAX\LFclient\LFSNDMNG.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Global Startup: mimio Studio.lnk = C:\Program Files\mimio\mimio Studio\mimiosys.exe
    O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
    O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/setup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yaysat.com
    O17 - HKLM\Software\..\Telephony: DomainName = yaysat.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yaysat.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = yaysat.com
    O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\Program Files\Common Files\Quest Shared\CodeXpert\qcom.dll
    O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\system32\CCM\TSManager.exe
    O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    
    --
    End of file - 8204 bytes
    

    As suggested in this very similar question, I have run full scans (+boot time scans) with RegRun and UnHackMe, but they also did not find anything. I have carefully examined all entries in the Event Viewer, but there's nothing wrong.

    Now I know that there is a hidden trojan (rootkit) on my machine which seems to disguise itself quite successfully. Note that I don't have the chance to remove the HDD, or reinstall the OS as this is a work machine subjected to certain IT policies on a company domain.

    Despite all my attempts, the problem still remains. I strictly need a to-the-point method or a pukka rootkit remover to remove whatever it is. I don't want to monkey with the system settings, i.e. disabling auto runs one by one, messing the registry, etc.


    EDIT 2: I have found an article which is closely related to my trouble:

    Malware can turn off UAC in Windows 7; “By design” says Microsoft. Special thanks(!) to Microsoft.

    In the article, a VBScript code is given to disable UAC automatically:

    '// 1337H4x Written by _____________ 
    '//                    (12 year old)
    
    Set WshShell = WScript.CreateObject("WScript.Shell")
    
    '// Toggle Start menu
    WshShell.SendKeys("^{ESC}")
    WScript.Sleep(500)
    
    '// Search for UAC applet
    WshShell.SendKeys("change uac")
    WScript.Sleep(2000)
    
    '// Open the applet (assuming second result)
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{ENTER}")
    WScript.Sleep(2000)
    
    '// Set UAC level to lowest (assuming out-of-box Default setting)
    WshShell.SendKeys("{TAB}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    
    '// Save our changes
    WshShell.SendKeys("{TAB}")
    WshShell.SendKeys("{ENTER}")
    
    '// TODO: Add code to handle installation of rebound
    '// process to continue exploitation, i.e. place something
    '// evil in Startup folder
    
    '// Reboot the system
    '// WshShell.Run "shutdown /r /f"
    

    Unfortunately, that doesn't tell me how I can get rid of this malicious code running on my system.


    EDIT 3: Last night, I left the laptop open because of a running SQL task. When I came in the morning, I saw that UAC was turned off. So, I suspect that the problem is not related to startup. It is happening once a day for sure no matter if the machine is rebooted.


    EDIT 4: Today, I immediately started "Process Monitor" as soon as Windows was started to hopefully catch the guilty one (thanks to @harrymc for the idea). At 9:17, the UAC slider was slid to the bottom (Windows 7 Action Center gave the warning). I investigated all the registry actions between 9:16 and 9:18. I saved the Process Monitor log file (70MB containing only that 2-minute interval). There are lots of EnableLUA = 0 (and the other) entries. I'm posting the screenshots of the properties windows of the first 4 below. It says svchost.exe is doing this, and gives some thread and PID numbers. I don't know what I should infer about them:



  • Related Answers
  • Mehper C. Palavuzlar

    Because of the bounty I need to provide a new answer.

    You should first check if the Security Center service can start, and if not - which one of its dependencies is to blame. Look also for error messages in the Event Viewer.

    If you have the feeling that your computer is infected, possible solutions may be:

    1. How to Repair Windows 7 System Files with System File Checker.
    2. Startup Repair : How To Easily Repair Windows 7 Boot Problems Using Startup Repair.
    3. The last resort is to reformat the hard disk and reinstall Windows.
      In your case, this might apply: Performing an HP System Recovery in Windows Vista.

    Just to remark that Windows is quite capable of destroying itself without any help, which is why Windows Update is more dangerous than any virus. Startup Repair may fix the problem in this case by reinitializing Windows, without requiring the applications to be reinstalled.

    If you really think the problem is rather that of a virus, and you wish to know more about what is happening on your computer, you will need to find out two things:

    1. What change is being done to your system,
    2. What program does this change.

    For the first one, if it is a registry change, then the key is probably HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, item EnableLUA, whose value is 0 for Disabling and 1 for Enabling.

    Once you have located the change being done to your system, you can use Process Monitor and its Enable Boot Logging option (see help) to log all accesses to the key.

    I would first boot in Safe mode, and see if this is also happening. If not, then another attack-vector is to use Autoruns to disable startup items in a binary search for the product (since this might be a legitimate product causing the problem, rather than a virus).
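    An added PowerShell example (not from the answer above) for the second of those two things: it uses the registry auditing built into Windows to record which process writes EnableLUA, as a complement to Process Monitor's boot logging, and lists daily scheduled tasks because of the once-a-day pattern in EDIT 3. It assumes an elevated prompt on Windows 7 Professional or Enterprise, where the Security log and the Registry audit subcategory are available; the function and variable names are mine.

```powershell
# Added example, not code from the answer above: pin down which process writes
# EnableLUA = 0, using Windows' own registry auditing alongside Process Monitor.
# Run from an elevated prompt. Assumes the Security log and the "Registry" audit
# subcategory are available (Windows 7 Professional/Enterprise).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # 1 = UAC on, 0 = off. A 0 here before the reboot is exactly what Action Center nags about.
    (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA
}

function Enable-UacKeyAudit {
    # Step 1: turn on the object-access audit subcategory for registry operations.
    & auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    # Step 2: put a SACL on the key so every successful "Set Value" by anyone is recorded.
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

function Get-EnableLuaWriters {
    param([int]$Hours = 24)
    # Event 4657 ("A registry value was modified") names the value, its old/new data
    # and the writing process. svchost.exe there means a service or a scheduled task.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EnableLUA' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Process = ($lines -match 'Process Name:') -replace '^\s*Process Name:\s*', ''
                NewData = ($lines -match 'New Value:')    -replace '^\s*New Value:\s*', ''
            }
        }
}

function Get-DailyTasks {
    # The once-a-day pattern fits a scheduled task (or a Group Policy refresh) better
    # than a startup item; list tasks with a daily trigger and what they run.
    & schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.'Schedule Type' -match 'Daily' -and $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Start Time', 'Run As User', 'Task To Run'
}

"EnableLUA is currently: $(Get-UacState)"
Enable-UacKeyAudit
"Audit rule in place. After the next flip, run:  Get-EnableLuaWriters | Format-Table -AutoSize"
Get-DailyTasks | Format-Table -AutoSize
```

    If the writer turns out to be svchost.exe, the task list and the Security log's timestamp narrow it to the task or service that fired at that minute.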

  • Bobby Alexander

    Option 1: Disable all programs in Startup. (Start > Run > Msconfig. Disable everything under startup).

    Option 2: Install AVAST home edition and schedule a boot time scan. Better yet, disconnect the hard disk from your machine and connect it to another one and scan it from there using AVAST.

    Option 3: Another option is to run HijackThis. Generate the report and share it here for analysis. http://free.antivirus.com/hijackthis/

  • Try to Disable UAC without Admin Rights

    In my case it was a domain policy that was being applied once per day. Same problem. Diagnosis was easier because UAC turning off occurred only when logging in to the domain, or connecting over VPN. Thus it was discovered that the domain policy included some script to turn UAC off. I contacted my system admins and they confirmed that. So you had better consult your domain administrators, or validate the local policies and profile scripts if you are not in a domain.

  • Seasoned Advice (cooking)

    Before you move onto more complicated measures, please do install AVG Anti-Virus Free Edition 2011. Let it perform a whole computer scan. Recently, I've had a similar problem, and no other anti-virus programs but the aforementioned one could fix it with its Anti-Rootkit measures.