Topic: A possible hijacking?

OhDearyMe
A possible hijacking?
« on: February 01, 2014, 08:55:00 AM »
I've been looking around on the internet, and all of the threads I can find relating to this have the same, unsure reaction. I'm a victim of the random 'microdefender[dot]nl' hijackings. It opens a tab randomly in my Firefox that leads to that page (usually headed by a random arrangement of numbers/letters). I have some addons for protection, and every time I've gone so far, the site has an internal server error (Error 500?).

I've run things like MBar and MBAM in regular mode (nothing in safe mode yet), and I'm running Avast! Free right now, hoping SOMETHING will come up.

Offline Asyn
Re: A possible hijacking?
« Reply #1 on: February 01, 2014, 08:57:29 AM »
Please attach your logs. (MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

OhDearyMe
Re: A possible hijacking?
« Reply #2 on: February 01, 2014, 01:59:36 PM »
Attaching logs!

Offline essexboy
Re: A possible hijacking?
« Reply #3 on: February 01, 2014, 02:06:34 PM »
Hi, does this occur only in Firefox?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[CREATERESTOREPOINT]

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1391218407-3976517184-3099314675-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

OhDearyMe
Re: A possible hijacking?
« Reply #4 on: February 01, 2014, 03:25:53 PM »
Yeah, FF is the only browser I use. I have Chrome and IE installed, but never touch them.

Like, ever.

I tried Chrome for a day, it was okay. IE I only used to get FF when I first got the PC.

DellDock is an okay program, it comes with the computer. I have it turned off, but some processes run in the bg. Should I just uninstall it instead?

Running the fixes you said, will BRB with logs.

Offline essexboy
Re: A possible hijacking?
« Reply #5 on: February 01, 2014, 03:29:09 PM »
I just removed the Dell Dock entries to try and speed up the start.

Could you try IE please and see if you get the same problem?

OhDearyMe
Re: A possible hijacking?
« Reply #6 on: February 01, 2014, 03:35:48 PM »
Whoops, ran it with the DellDock stuff anyway. Oh well! I just restarted, it's running the quick scan now.

As far as reproducing this goes (on IE or otherwise), I don't think I can.

It happens completely randomly -- I thought I clicked on something the first time it happened, I'll put it that way.

It always directs to a website with a random arrangement of numbers/letters, like "12345ab-microdefender[dot]nl". I have NoScript and AdBlocker on my FF, and I dunno if that helps prevent the site from interacting with me in any way, but the site is always blank with the typical "Internal 500 error", like the site's broken somehow. It only seems to crop up every other day or so, sometimes two, and only once. But the fact that it's happening is what troubles me.

OTL is quick-scanning.

OhDearyMe
Re: A possible hijacking?
« Reply #7 on: February 01, 2014, 03:47:04 PM »
Quick-scan finished. Running AdwCleaner and will have logs for you in a second.

OhDearyMe
Re: A possible hijacking?
« Reply #8 on: February 01, 2014, 03:51:35 PM »
Logs attached!

Offline essexboy
Re: A possible hijacking?
« Reply #9 on: February 01, 2014, 04:05:47 PM »
Does it happen on a specific site? That site may be infected, as the logs look clean.

OhDearyMe
Re: A possible hijacking?
« Reply #10 on: February 01, 2014, 04:15:48 PM »
I don't think so. It's happened as I was dallying around on other programs, but had FF open in the bg. I've seen mention of the site pop up in my Event Logger, if that helps? It said it had something to do with the Microsoft DNS?

Hold on, I'm dumb, let me try to get it for you. Yeah, here it is.

Under the Event Viewer, under "Windows Logs", then "System", the last instance of it was at 2:14 AM last night. It reads this:

"Name resolution for the name 90d6bc5a.microdefender-fe.nl timed out after none of the configured DNS servers responded."

Details are this:

System
  Provider
    Name: Microsoft-Windows-DNS-Client
    Guid: {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}
  EventID: 1014
  Version: 0
  Level: 3
  Task: 0
  Opcode: 0
  Keywords: 0x4000000000000000
  TimeCreated
    SystemTime: 2014-02-01T07:14:35.418961000Z
  EventRecordID: 213361
  Correlation
  Execution
    ProcessID: 1684
    ThreadID: 6588
  Channel: System
  Computer: Monolith
  Security
    UserID: S-1-5-20

EventData
  QueryName: 90d6bc5a.microdefender-fe.nl
  AddressLength: 16
  Address: 020000354B4B4B4B0000000000000000


Any idea what the heck this is about?

I don't know if it's any help to you guys, sorry.
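One way to make a DNS-Client 1014 event like the one quoted above actionable, as an added Python example (not code from the thread or from Avast): it decodes the EventData "Address" blob, which is a Windows SOCKADDR (family in little-endian host order, port in network order), into the resolver that failed to answer, and flags a query name whose leftmost label looks like a generated token, as "90d6bc5a" does. The sample event is constructed from the post's own values; the label-length cutoffs are my own assumption, not a Windows rule, and the example also handles the IPv6 (28-byte) address form the post does not show.

```python
import re
import struct
import ipaddress

# Constructed sample: the EventData fields of the DNS-Client 1014 event quoted above.
SAMPLE_EVENT = {
    "EventID": 1014,
    "QueryName": "90d6bc5a.microdefender-fe.nl",
    "AddressLength": 16,
    "Address": "020000354B4B4B4B0000000000000000",
}

AF_INET, AF_INET6 = 2, 23  # Windows address-family values

# Heuristics for a machine-generated leftmost label: 8+ hex chars (as in 90d6bc5a),
# or a 6+ char run mixing digits and letters. The cutoffs are my own assumption.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")
MIXED_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[0-9a-z]{6,}$")


def decode_sockaddr(hex_addr: str, length: int):
    """Decode EventData 'Address' (a Windows SOCKADDR) to (ip, port).
    Family is host (little-endian) order, port is network order; sockaddr_in6
    has 4 bytes of flowinfo between the port and its 16-byte address."""
    raw = bytes.fromhex(hex_addr)[:length]
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from(">H", raw, 2)[0]
    if family == AF_INET:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == AF_INET6:
        return str(ipaddress.IPv6Address(raw[8:24])), port
    raise ValueError(f"unsupported address family {family}")


def looks_generated(query_name: str) -> bool:
    """True when the leftmost DNS label resembles a generated token."""
    label = query_name.lower().split(".")[0]
    return bool(HEX_LABEL.match(label) or MIXED_LABEL.match(label))


def triage(event: dict) -> dict:
    """Summarise one DNS-Client 1014 (name resolution timed out) event for review."""
    if event["EventID"] != 1014:
        raise ValueError("not a DNS-Client name-resolution timeout event")
    resolver, port = decode_sockaddr(event["Address"], event["AddressLength"])
    return {
        "query": event["QueryName"],
        "resolver": resolver,  # the DNS server that did not answer
        "port": port,
        "generated_label": looks_generated(event["QueryName"]),
    }
```

The 1014 event records only that no configured resolver answered for that name; it does not identify the process that asked, so it narrows when the lookup happened rather than who made it.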

Offline essexboy
Re: A possible hijacking?
« Reply #11 on: February 01, 2014, 04:18:01 PM »
I don't suppose you can remember which programme?

OhDearyMe
Re: A possible hijacking?
« Reply #12 on: February 01, 2014, 04:25:29 PM »
Skype was one thing. Skype recently added a whole bunch of new ads to their program. Another friend who uses it is having the same exact issue as me, but other friends who use it are not, so it's probably just me being paranoid.

That was the first time it popped up. I was browsing the internet (I usually browse websites like WoWHead and YouTube while idle), and was removing an old contact from Skype. I hit "remove contact", and that's when the tab opened in Firefox. I'm sure it was completely coincidental, but at that time I was like "Oh, I must've clicked on something."

I keep Adblocker and Noscript on for pretty much every site I go to, except to allow things like youtube's player.

Usual programs I run are League of Legends and World of Warcraft, which are both video games supported by big, good companies. I doubt it has anything to do with them!

Offline essexboy
Re: A possible hijacking?
« Reply #13 on: February 01, 2014, 04:28:24 PM »
I would go for Skype. I have ceased to use that unless absolutely necessary due to the intrusive ads and weird links it tries to get you to go to.

Also, it acts as a P2P programme, so if you are not using it then it will become a transfer node. So only start it when you need it and not with the system.

OhDearyMe
Re: A possible hijacking?
« Reply #14 on: February 01, 2014, 04:29:06 PM »
If it helps, I looked up the name of the website that keeps popping up, and found this:

http://urlquery.net/report.php?id=8938372

I don't leave Skype running in the bg if it's not in use. I also don't have it set to run at startup (I hate things that run at startup, ugh.)

EDIT: A few more. I translated them to English, sorry!

http://translate.google.com/translate?hl=en&sl=da&u=http://komputer.dk/forum/hjaelp-til-windows-og-programmer/sikkerhed/falsk-advarsel&prev=/search%3Fq%3Dmicrodefender.nl%26start%3D10%26sa%3DN%26biw%3D1920%26bih%3D974

http://nerdanswer.com/answer.php?q=452576

They all have no idea what's going on, or simply have no response. It's kind of scary, honestly.
« Last Edit: February 01, 2014, 04:31:09 PM by OhDearyMe »