
Hijacked links?


Comments

  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    It's doing it again. :wall:

    Here's the Malwarebytes log (got an error when I tried to update MWB so might need doing again).

    Malwarebytes' Anti-Malware 1.46
    https://www.malwarebytes.org

    Database version: 4434

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    07/05/2011 20:59:25
    mbam-log-2011-05-07 (20-59-25).txt

    Scan type: Quick scan
    Objects scanned: 145845
    Time elapsed: 8 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.194,93.188.160.165 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f3aeaf67-c2ec-40c8-868b-e5c33d1f650b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.194,93.188.160.165 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\user\Local Settings\temp\0.523418196390592.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


    Off to do the Hijack This scan next.
    If you lend someone a tenner and never see them again, it was probably worth it.
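The two NameServer hits in the log above are the whole trick behind DNSChanger: instead of touching the browser, it overwrites the resolver list under Tcpip\Parameters (globally and per interface), so every lookup on the box, including the one behind a Google result link, is answered by the attacker's servers. The script below is an added example, not from the poster or from Malwarebytes. It extracts the resolver addresses either from Malwarebytes "Registry Data Items" lines or from the "DNS Servers" entry of `ipconfig /all`, and classifies each one. The rogue ranges are the ones listed in the FBI's DNSChanger advisory, reproduced from memory (check them against the advisory before relying on the list); the two addresses in this log sit in 93.188.160.0/21. Both sample inputs are constructed.

```python
"""Check which resolvers a Windows host is pointed at against known DNSChanger
rogue ranges.

Added example for this thread, not the poster's code or Malwarebytes' code.
Input is either the 'Registry Data Items Infected' lines from a Malwarebytes
log (as posted above) or the 'DNS Servers' lines from `ipconfig /all`.
"""
import ipaddress
import re

# Rogue resolver blocks used by the DNSChanger (Rove Digital) operation, as
# listed in the FBI's DNSChanger advisory. Reproduced from memory here:
# verify against the advisory before relying on them. The two addresses in
# the log above, 93.188.165.194 and 93.188.160.165, sit in 93.188.160.0/21.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Constructed sample: the two NameServer lines from the Malwarebytes log above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.194,93.188.160.165 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f3aeaf67-c2ec-40c8-868b-e5c33d1f650b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.194,93.188.160.165 -> Quarantined and deleted successfully.
"""

# Constructed sample of the relevant part of `ipconfig /all` on a clean
# home machine (router as first resolver), in XP's dotted-leader layout.
SAMPLE_IPCONFIG = """
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   Lease Obtained. . . . . . . . . . : 07 May 2011 20:00:00
"""

_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def nameservers_from_mbam_log(log_text: str) -> list[str]:
    """Pull the resolver IPs out of NameServer 'Data:' fields, de-duplicated, order kept."""
    found: list[str] = []
    for line in log_text.splitlines():
        if "\\NameServer" not in line:
            continue
        m = re.search(r"-> Data:\s*([0-9.,\s]+?)\s*->", line)
        if not m:
            continue
        for ip in _IP_RE.findall(m.group(1)):
            if ip not in found:
                found.append(ip)
    return found


def nameservers_from_ipconfig(text: str) -> list[str]:
    """Collect the 'DNS Servers' entry and its indented continuation lines."""
    found: list[str] = []
    in_dns = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            found.extend(_IP_RE.findall(line.split(":", 1)[1]))
            continue
        if in_dns:
            stripped = line.strip()
            if _IP_RE.fullmatch(stripped):
                found.append(stripped)      # extra resolver on its own line
            else:
                in_dns = False              # next ipconfig field, stop
    return found


def classify(ip: str) -> str:
    """rogue / loopback / private / unlisted for a single resolver address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ROGUE_DNS_RANGES):
        return "rogue"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "unlisted"


def audit(resolvers: list[str]) -> dict[str, str]:
    """Map each resolver to its classification."""
    return {ip: classify(ip) for ip in resolvers}


def is_hijacked(resolvers: list[str]) -> bool:
    """Any resolver in a rogue block means every lookup on the box is attacker-controlled."""
    return any(c == "rogue" for c in audit(resolvers).values())


if __name__ == "__main__":
    print(audit(nameservers_from_mbam_log(SAMPLE_MBAM_LOG)))
    print(audit(nameservers_from_ipconfig(SAMPLE_IPCONFIG)))
```

"unlisted" only means the address is not in the rogue list; a home machine should normally show its router, its ISP's resolvers, or a public resolver it was deliberately set to, so anything unexpected there still deserves a look. Once the NameServer values are cleaned, the next thing to check is whether the same redirect has been planted somewhere that does not depend on DNS at all.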
  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    Managed to update MWB. New log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 6528

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    07/05/2011 21:15:30
    mbam-log-2011-05-07 (21-15-30).txt

    Scan type: Quick scan
    Objects scanned: 163416
    Time elapsed: 7 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    Hijack This log:

    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\S3trayp.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\TimeLeft3\TimeLeft.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\spider.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.lycos.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    --
    End of file - 3386 bytes
  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    Can anyone tell me if there's anything nasty I should remove please?

    Cheers,
    MBE
  • closed
    closed Posts: 10,886 Forumite
    edited 7 May 2011 at 8:40PM
    hardly anything there

    but..if you want to streamline a little more

    Install and run startuplite, accept suggested changes - http://www.malwarebytes.org/StartUpLite.exe

    Using Hijackthis, tick and fix these entries

    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -
    Uninstall any IE toolbars (browser helper objects, or BHOs) in Control Panel, or Firefox plugins, that you don't need. This is a list of the IE BHOs evident in the log:

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

    __________________________________________________

    Unless you need them running all the time, use the startup tab in msconfig to disable these items from running at startup (they can always be run manually if needed)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe

    In internet explorer, click on tools, internet options, advanced, disable script debugging to stop this running

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    __________________________________________________

    Start, Run, msconfig, select the Services tab, disable these services UNLESS you use them. (Make a note of any services you disable; if you have any problems related to these services subsequently, simply re-enable them.)

    SSDP Discovery Service
    Remote Registry
    WebClient
    Distributed Link Tracking Client

    Also disable these services if you don't use them by running msconfig, services tab

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    closed wrote: »
    hardly anything there

    When I click on a link from Google, I still get taken to the wrong page, so something's still not right.

    I'll try your suggestions and report back. Thanks. :)
  • closed
    closed Posts: 10,886 Forumite
    edited 7 May 2011 at 8:48PM
    scan with tdsskiller

    delete c:\windows\system32\drivers\etc\hosts

    which browser? - check your proxy settings inside the browser.

    using ccleaner, delete the java cache - it's on the applications tab of ccleaner
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 7 May 2011 at 8:52PM
    Some people have trouble with the Logitech entry:
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    See if you can still use the webcam with that service set to Disabled; if not, try setting it to Manual, that way it'll load only when you need it. I would similarly set the Nokia service to Manual (rather than Automatic) if you get some use out of it.

    You might want to think about prevention, since just having an antivirus doesn't seem to be helping you.
    mrbadexample wrote: »
    When I click on a link from Google, I still get taken to the wrong page, so something's still not right.

    In addition to checking the browser proxy as above, try:
    Start > Run > ipconfig /dnsflush, then see how you go - since the trojan you had altered the DNS settings.
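The two posts above cover the other places a "click a link, land on the wrong page" redirect survives after the resolver entries are gone: the hosts file, which wins over DNS for any name it lists, and the browser proxy, which can reroute every request regardless of what DNS says. Deleting the hosts file works because a stock XP hosts file only needs its localhost lines; auditing it, as below, tells you what the malware was actually doing (redirecting search sites, or sinkholing AV and update domains to 127.0.0.1 so they never load). The script is an added example for this thread, not from the posters or any tool they name. It reads constructed text: a hosts file, and the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`, which is where IE (and Chrome) keep the manual proxy and PAC settings. The resolver cache is the last thing to clear afterwards; the command is `ipconfig /flushdns`.

```python
r"""Audit the two other places a 'wrong page when I click a link' redirect can
live once the resolver entries are gone: the hosts file and the browser proxy.

Added example for this thread, not from the posters or any tool named here.
Inputs are constructed text: a hosts file and the output of
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"""
import ipaddress
import re

# Names a stock Windows hosts file is allowed to carry; anything else is
# either a deliberate local override or a hijack.
EXPECTED_HOSTS_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed hosts file: the stock localhost lines plus the kind of entries
# search-redirect and update-blocking malware adds (the rogue IP is the one
# from the Malwarebytes log above).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
93.188.165.194  www.google.com
93.188.165.194  www.bing.com
127.0.0.1       www.malwarebytes.org
::1             localhost
"""

# Constructed `reg query` output: proxy switched on and pointed at a local
# port, plus a PAC URL, which is what a proxy-based redirect looks like.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:8118
    AutoConfigURL    REG_SZ    http://proxy.example.invalid/wpad.dat
    ProxyOverride    REG_SZ    <local>
"""


def audit_hosts(text: str) -> list[tuple[str, str, str]]:
    """Return (hostname, ip, reason) for every mapping that is not a stock entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in names:
            if name.lower() in EXPECTED_HOSTS_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "sinkholed (blocks the site, typical for AV/update domains)"
            else:
                reason = f"redirected to {ip}"
            findings.append((name, ip, reason))
    return findings


def parse_reg_query(text: str) -> dict[str, str]:
    """Parse `reg query` value lines: name, type and data separated by runs of spaces."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def audit_proxy(reg_text: str) -> list[str]:
    """Flag an enabled manual proxy or a PAC URL; either can silently reroute every page."""
    v = parse_reg_query(reg_text)
    findings = []
    if v.get("ProxyEnable", "0x0").lower() == "0x1" and v.get("ProxyServer"):
        findings.append(f"manual proxy enabled: {v['ProxyServer']}")
    if v.get("AutoConfigURL"):
        findings.append(f"proxy auto-config script set: {v['AutoConfigURL']}")
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", f)
    for f in audit_proxy(SAMPLE_REG_QUERY):
        print("proxy:", f)
```

A proxy on 127.0.0.1 is not automatically malicious (some ad blockers and parental-control tools work that way), so before clearing it, check what is listening on that port with `netstat -ano` and match the PID to a process you recognise. A PAC URL you did not set yourself is far harder to explain away.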
  • mrbadexample
    mrbadexample Posts: 10,805 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker Photogenic
    closed wrote: »
    scan with tdsskiller

    That seems to have got it. :D

    Thanks all for the help. :T
  • Bagger
    Bagger Posts: 72 Forumite
    Part of the Furniture Combo Breaker
    Let me summarise what you have to do. The chances are that you have multiple infections.

    Do the following in order:

    Run TDSSKiller first. This is an anti-rootkit program from Kaspersky Labs.

    Then run Malwarebytes. The chances are you will be unable to run it. If this is the case, run Spybot instead.

    Remember to update Spybot before you run it. Whilst Spybot is running, you will probably find that Malwarebytes will now run.

    After the anti-spyware programs have all run (Malwarebytes and Spybot), run your anti virus program.

    Good Luck
    Bagger
This discussion has been closed.