Posts: 914 | Threads: 128 | Joined: Feb 2011 | Reputation: 1
	
	
I've rebooted and Chrome (and also Firefox) still behaves normally. Hmm...
	 
	
	
	
		
Posts: 2,679 | Threads: 37 | Joined: Feb 2011 | Reputation: 8
	
	
Blackberry Bun Wrote: I've rebooted and Chrome (and also Firefox) still behaves normally. Hmm...

That is also great to know, but better safe than sorry. Get Malwarebytes or Spybot and run a scan if you haven't already.

As it stands, it looks like the malware was just rogue extensions in both browsers, but personally I would still scan the system to ensure the malware is truly gone.
	 
I love foxes, especially the one in my avatar. 
	
	
	
		
Posts: 1,843 | Threads: 20 | Joined: Feb 2011 | Reputation: 0
	
	
Well, now that I think about it, a bad website could've dropped that malware site onto Chrome's autostart list using JavaScript (yes, it can be done: websites can hijack your startup page just by including some unwanted JavaScript hidden somewhere in the page). That doesn't 100% mean that you're not infected, though; it just means that the possibility of you being severely infected isn't as high as thought.
	 
The Best Medicine > Magic. Because SCIENCE! can prove the former.
 
	
	
	
		
Posts: 2,679 | Threads: 37 | Joined: Feb 2011 | Reputation: 8
	
	
RAMChYLD Wrote: Well, now that I think about it, a bad website could've dropped that malware site onto Chrome's autostart list using JavaScript (yes, it can be done: websites can hijack your startup page just by including some unwanted JavaScript hidden somewhere in the page). That doesn't 100% mean that you're not infected, though; it just means that the possibility of you being severely infected isn't as high as thought.
Interesting.
	 
I love foxes, especially the one in my avatar. 
	
	
	
		
Posts: 1,843 | Threads: 20 | Joined: Feb 2011 | Reputation: 0
	
	
Proof that it's possible (or was possible; maybe Sandy's using an old version of Chrome): http://stackoverflow.com/questions/438108/set-default-home-page-in-javascript

As you can see from there, a single line of code is enough to inject a bad website into the browser's home page list or autostart list.

Stay safe, use NoScript and AdBlock Plus if it's available for your browser of choice.
 
The Best Medicine > Magic. Because SCIENCE! can prove the former.
 
	
	
	
		
Posts: 2,679 | Threads: 37 | Joined: Feb 2011 | Reputation: 8
	
	
RAMChYLD Wrote: Proof that it's possible (or was possible; maybe Sandy's using an old version of Chrome): http://stackoverflow.com/questions/438108/set-default-home-page-in-javascript

As you can see from there, a single line of code is enough to inject a bad website into the browser's home page list or autostart list.

Stay safe, use NoScript and AdBlock Plus if it's available for your browser of choice.
 
In the Spam Thread last month before his computer got repaired, he did state the version of Chrome he is using, and it was in the 18.xx.xx range. Current version is around 23.0.1271.95, at least for Mac.
 
If you were using an outdated version of Chrome, Sandy, this experience should be an ample reason to upgrade to the latest version. All web browsers should be used with their latest version for ensured security.
	 
I love foxes, especially the one in my avatar. 
	
	
	
		
Posts: 914 | Threads: 128 | Joined: Feb 2011 | Reputation: 1
	
	
		My chrome is 23.0.1271.95 now, though I forgot what the old version was.
	 
	
	
	
		
Posts: 1,843 | Threads: 20 | Joined: Feb 2011 | Reputation: 0
	
	
Well, in any case, see if there's a NoScript and AdBlock plugin for Chrome. Usually this malware spreads by contaminated ads from compromised/sleazy ad services. By blocking ad servers using an AdBlock plugin and blocking suspicious plugins using NoScript, you'll have covered the browser against catching malware from malicious JavaScript code.
	 
The Best Medicine > Magic. Because SCIENCE! can prove the former.
 
	
	
	
		
Posts: 914 | Threads: 128 | Joined: Feb 2011 | Reputation: 1
	
	
Well, lousy me got infected by something different (Claro). I think I've managed to remove it myself this time, but here's a new HijackThis log to be sure. Sorry for the frequent bother.

Quote:
 Logfile of Trend Micro HijackThis v2.0.4
 Scan saved at 22:45:09, on 03/12/2012
 Platform: Windows Vista SP1 (WinNT 6.00.1905)
 MSIE: Internet Explorer v7.00 (7.00.6001.18000)
 Boot mode: Normal
 
 Running processes:
 C:\Windows\system32\Dwm.exe
 C:\Windows\Explorer.EXE
 C:\Windows\system32\taskeng.exe
 C:\Program Files\Launch Manager\HotkeyApp.exe
 C:\Program Files\Launch Manager\OSD.exe
 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 C:\Windows\RtHDVCpl.exe
 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
 C:\Program Files\Winamp\winampa.exe
 C:\Program Files\AVG\AVG2013\avgui.exe
 C:\Program Files\Logitech\SetPointP\SetPoint.exe
 C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
 C:\Windows\system32\wuauclt.exe
 C:\Windows\system32\conime.exe
 C:\Program Files\Google\Chrome\Application\chrome.exe
 C:\Program Files\Google\Chrome\Application\chrome.exe
 C:\Program Files\Google\Chrome\Application\chrome.exe
 C:\Program Files\Google\Chrome\Application\chrome.exe
 C:\Program Files\Google\Chrome\Application\chrome.exe
 C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
 
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.packardbell.com/?id=9525
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.claro-search.com/?affID=117452&tt=4912_4&babsrc=HP_ss&mntrId=9023d7ef00000000000000001c19cb93
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O1 - Hosts: ::1 localhost
 O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
 O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
 O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
 O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
 O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
 O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
 O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
 O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
 O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
 O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSD.exe"
 O4 - HKLM\..\Run: [WisVoClt] "C:\Program Files\Launch Manager\WisVoClt.exe"
 O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
 O4 - HKLM\..\Run: [Skytel] Skytel.exe
 O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
 O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
 O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
 O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
 O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
 O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
 O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
 O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
 O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
 O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
 O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
 O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
 O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
 O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
 O4 - HKCU\..\Run: [EvolveClient] "C:\Program Files\Echobit\Evolve\EvolveClient.exe" -autorun
 O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
 O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
 O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
 O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
 O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
 O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
 O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
 O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
 O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
 O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
 O20 - AppInit_DLLs: c:\progra~2\browse~1\25911~1.18\{c16c1~1\mngr.dll
 O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
 O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
 O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
 O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
 O23 - Service: Evolve Service (EvoSvc) - Echobit LLC - C:\Program Files\Echobit\Evolve\EvoSvc.exe
 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
 O23 - Service: Layanan Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
 O23 - Service: Layanan Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
 O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
 O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
 O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
 O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
 O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
 O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
 O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
 O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
 O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
 O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
 
 --
 End of file - 10377 bytes
 
Well, it seems IE is still infected by Claro, but now IE crashes whenever I try to start it to remove Claro from the settings like I did with my other browsers. I never use IE anyway, but it's still a bit worrying.
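Reading a HijackThis log by eye is error-prone, so here is an added example (not part of this thread and not HijackThis code) of a small Python triage script over the kind of log posted above. It parses the R/O entry lines and flags the things a practitioner looks at first: an R0/R1 Start or Search Page whose host is outside an allowlist (the claro-search.com entry above, which also carries an affiliate ID; the R0 line is the registry value IE reads for its homepage, which is why cleaning Chrome and Firefox left IE untouched), a non-empty O20 AppInit_DLLs value (a DLL Windows loads into every process that loads user32.dll), and O2/O3 toolbars plus O23 services with an unknown publisher for review. The sample lines are copied from the log above and abridged; the allowlist TRUSTED_HOMEPAGE_HOSTS, the severities and the rules are this example's own assumptions, and the rules go beyond the single Claro case to cover the other entry types in the same log.

```python
"""Triage a HijackThis v2.0.4 log for browser-hijack and injection indicators.

Added example for this thread; not part of HijackThis.  The rules are ordinary
analyst heuristics and TRUSTED_HOMEPAGE_HOSTS is an assumed allowlist.
"""
import re
from typing import Iterator, List, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.packardbell.com/?id=9525
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.claro-search.com/?affID=117452&tt=4912_4&babsrc=HP_ss&mntrId=9023d7ef00000000000000001c19cb93
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O20 - AppInit_DLLs: c:\progra~2\browse~1\25911~1.18\{c16c1~1\mngr.dll
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
"""

# Assumed allowlist: the hosts the OEM and Microsoft defaults on this machine use.
TRUSTED_HOMEPAGE_HOSTS = {"go.microsoft.com", "go.packardbell.com"}

ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")


def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each HijackThis entry line; header lines are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sect"), m.group("body")


def check_start_page(sect: str, body: str) -> List[Tuple[str, str]]:
    """R0/R1: IE start/search page registry values. Flag URLs outside the allowlist."""
    key, _, value = body.partition(" = ")
    if not value.lower().startswith("http"):
        return []                        # empty or non-URL value, nothing to judge
    url = urlparse(value)
    host = url.hostname or ""
    if host in TRUSTED_HOMEPAGE_HOSTS:
        return []
    reason = f"{sect} {key} -> {host}"
    if "affid" in url.query.lower():     # affiliate ID: pay-per-install search hijack
        reason += " (carries an affiliate ID)"
    return [("HIGH", reason)]


def check_appinit(body: str) -> List[Tuple[str, str]]:
    """O20: AppInit_DLLs is injected into every process that loads user32.dll.
    Any non-empty value on a home PC deserves a look; an 8.3 short path (~)
    under ProgramData is a common way a hijacker's DLL hides in the log."""
    value = body.split(":", 1)[1].strip()
    if not value:
        return []
    severity = "HIGH" if "~" in value else "MEDIUM"
    return [(severity, f"O20 AppInit_DLLs loads {value}")]


def check_bho(sect: str, body: str) -> List[Tuple[str, str]]:
    """O2/O3: browser helper objects and toolbars. Search toolbars are the usual
    carrier for start-page hijackers, so list them for manual review."""
    name = body.split(": ", 1)[1].split(" - ")[0]
    if re.search(r"toolbar|search", name, re.I):
        return [("LOW", f"{sect} review {name!r}")]
    return []


def check_service(body: str) -> List[Tuple[str, str]]:
    """O23: services whose publisher HijackThis could not identify."""
    parts = body.split(" - ")
    if len(parts) >= 3 and parts[1] == "Unknown owner":
        return [("LOW", f"O23 unknown publisher: {parts[-1]}")]
    return []


def triage(log: str) -> List[Tuple[str, str]]:
    """Run every rule over the log and return (severity, reason) findings in log order."""
    findings: List[Tuple[str, str]] = []
    for sect, body in parse_entries(log):
        if sect in ("R0", "R1"):
            findings += check_start_page(sect, body)
        elif sect == "O20" and body.startswith("AppInit_DLLs:"):
            findings += check_appinit(body)
        elif sect in ("O2", "O3"):
            findings += check_bho(sect, body)
        elif sect == "O23" and body.startswith("Service:"):
            findings += check_service(body)
    return findings


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
```

Run against the sample, the two HIGH findings are the claro-search.com start page and the AppInit_DLLs entry; the AVG toolbar and the unknown-owner service come out as LOW review items rather than verdicts, since a toolbar or an unsigned service is not malicious by itself. Paste the full log into SAMPLE_LOG (or read it from a file) to triage the whole thing.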
	 
	
	
	
		
Posts: 1,843 | Threads: 20 | Joined: Feb 2011 | Reputation: 0
	
	
Hmm, okay. Well, try this: http://support.microsoft.com/kb/929833#method3

Open a command prompt as administrator and run "sfc /scannow". With any luck that will repair IE by replacing any file that malware altered with the ones that came with Windows.
 
The Best Medicine > Magic. Because SCIENCE! can prove the former.