Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Need help! I'm probably infected!
#11
I've rebooted and Chrome (And also Firefox) still behaves normally. Hmm...
[Image: TheGrapesChildrenSig.png]
Reply
#12
Blackberry Bun Wrote:I've rebooted and Chrome (And also Firefox) still behaves normally. Hmm...

That is also great to know, but better be safe than sorry. Get Malwarebytes or Spybot and run a scan if you haven't already.

As it stands, they look like the malware were just rogue extensions in both browsers, but personally, I would still scan a system to ensure the malware is truly gone.
I love foxes, especially the one in my avatar.
Reply
#13
Well, now that I think about it, a bad website could've dropped that malware site onto chrome's autostart list using javascript (yes, it can be done. Websites can hijack your startup page by just including some unwanted javascript hidden somewhere in the page). That doesn't 100% mean that you're not infected tho, it just means that the possibility of you being severely infected isn't as high as thought.
The Best Medicine > Magic. Because SCIENCE! can prove the former.
Reply
#14
RAMChYLD Wrote:Well, now that I think about it, a bad website could've dropped that malware site onto chrome's autostart list using javascript (yes, it can be done. Websites can hijack your startup page by just including some unwanted javascript hidden somewhere in the page). That doesn't 100% mean that you're not infected tho, it just means that the possibility of you being severely infected isn't as high as thought.

Interesting.
I love foxes, especially the one in my avatar.
Reply
#15
Proof that it's possible (or was possible, maybe Sandy's using a old version of Chrome)
<!-- m --><a class="postlink" href="http://stackoverflow.com/questions/438108/set-default-home-page-in-javascript">http://stackoverflow.com/questions/4381 ... javascript</a><!-- m -->

As you can see from there, a single line of code is enough to inject a bad website into the browser's home page list or autostart list.

Stay safe, use NoScript and AdBlockPlus if it's available for your browser of choice.
The Best Medicine > Magic. Because SCIENCE! can prove the former.
Reply
#16
RAMChYLD Wrote:Proof that it's possible (or was possible, maybe Sandy's using a old version of Chrome)
<!-- m --><a class="postlink" href="http://stackoverflow.com/questions/438108/set-default-home-page-in-javascript">http://stackoverflow.com/questions/4381 ... javascript</a><!-- m -->

As you can see from there, a single line of code is enough to inject a bad website into the browser's home page list or autostart list.

Stay safe, use NoScript and AdBlockPlus if it's available for your browser of choice.

In the Spam Thread last month before his computer got repaired, he did state the version of Chrome he is using, and it was in the 18.xx.xx range. Current version is around 23.0.1271.95, at least for Mac.

If you were using an outdated version of Chrome, Sandy, this experience should be an ample reason to upgrade to the latest version. All web browsers should be used with their latest version for ensured security.
I love foxes, especially the one in my avatar.
Reply
#17
My chrome is 23.0.1271.95 now, though I forgot what the old version was.
[Image: TheGrapesChildrenSig.png]
Reply
#18
Well, in any case, see if there's a noscript and adblock plugin for Chrome. Usually these malwares spread by contaminated ads from compromised/sleazy ad services. By blocking ad servers using an adblock plugin and blocking suspicious plugins using noscript, you'll have cover the browser from catching malware by malicious javascript code.
The Best Medicine > Magic. Because SCIENCE! can prove the former.
Reply
#19
Well, lousy me got infected by something different (Claro). I think I've managed to remove it myself this time, but here's a new HijackThis log to be sure. Sorry for the frequent bother.

Quote:Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:45:09, on 03/12/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.packardbell.com/?id=9525">http://go.packardbell.com/?id=9525</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.claro-search.com/?affID=117452&tt=4912_4&babsrc=HP_ss&mntrId=9023d7ef00000000000000001c19cb93">http://www.claro-search.com/?affID=1174 ... 001c19cb93</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSD.exe"
O4 - HKLM\..\Run: [WisVoClt] "C:\Program Files\Launch Manager\WisVoClt.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EvolveClient] "C:\Program Files\Echobit\Evolve\EvolveClient.exe" -autorun
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
O8 - Extra context menu item: &Download by Orbit - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
O20 - AppInit_DLLs: c:\progra~2\browse~1\25911~1.18\{c16c1~1\mngr.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Evolve Service (EvoSvc) - Echobit LLC - C:\Program Files\Echobit\Evolve\EvoSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Layanan Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Layanan Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 10377 bytes

Well, it seems IE is still infected by claro, but now IE crashes whenever I try to start it to remove claro from the settings like what I've done with my other browsers. I never use IE anyway, but it's still a bit worrying.
[Image: TheGrapesChildrenSig.png]
Reply
#20
Hmm, okay. Well, try this:

<!-- m --><a class="postlink" href="http://support.microsoft.com/kb/929833#method3">http://support.microsoft.com/kb/929833#method3</a><!-- m -->

Open a command prompt as administrator and run " sfc /scannow ". With any luck that will repair IE by replacing any file that malware altered to those who came with Windows.
The Best Medicine > Magic. Because SCIENCE! can prove the former.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)