
Is my home broadband connection being used to hijack my laptop/tablet?

  • 23-11-2013 4:03pm
    #1
    Closed Accounts Posts: 192 ✭✭


    Hi all,

    I would appreciate your advice on this...
    I have a laptop (Win XP) connected via ethernet cable to a Vodafone wireless router with Avast anti-virus, and I have an Android tablet with AVG free anti-virus.

    Now I have been wondering for the past few weeks whether my laptop/tablet or both have been hijacked, for the following reasons:
    - internet application periodically doesn't connect even though signal is 100%
    - I check the wireless network connection status and the laptop sends and receives multiple packets although I can't connect (though this could be background updates I assume)
    - I tried to register for an Irish boards.ie-like website and I was told to contact the system admin, only to be told by the admin that the reason my registrations are rejected is because of the ISP or because my IP address could have been used for spamming.
    - Today, my tablet has "forgotten" the password to the Vodafone wireless and is asking me to re-enter the key on the back of the router, and I was happily using that internet connection only a few minutes earlier.

    When I run the Avast/AVG scan it tells me my laptop/tablet are protected, but I am a bit suspicious and wondering what to do. I checked the sticky but my problem seems to be network based? I am pretty sure there are no neighbours etc. using the connection, but could a background person/program be logging into my hardware without me knowing?

    I also have syncing applications like dropbox between my laptop, tablet and phone and don't want one device corrupting the others??

    Thanks a mil for your help!


Comments

  • Registered Users Posts: 840 ✭✭✭jsa112


    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Quick Scan button. Do not change any settings. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files here


  • Registered Users Posts: 840 ✭✭✭jsa112


    No idea about your Android.

    There's a little malware that may be responsible.


    open OTL copy this into the box


    :OTL
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=0983503913724856&q={searchTerms}
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=112475&tt=290412_2_bst&babsrc=SP_ss&mntrId=4c04176e00000000000000134948a64f
    IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=514&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=0983503913724856&q={searchTerms}
    IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
    IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb167/?search={searchTerms}&loc=IB_DS&a=6OyHdoqapO&i=26
    O2 - BHO: (Search-Results Toolbar) - {f34c9277-6577-4dff-b2d7-7d58092f272f} - C:\PROGRA~1\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll File not found
    O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {f34c9277-6577-4dff-b2d7-7d58092f272f} - C:\PROGRA~1\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll File not found
    O33 - MountPoints2\{275e0022-5695-11de-b6de-0014a594aa7c}\Shell\AutoRun\command - "" = SUD\SSOW\sep.exe
    O33 - MountPoints2\{275e0022-5695-11de-b6de-0014a594aa7c}\Shell\open\command - "" = SUD\SSOW\sep.exe
    [2012/05/07 20:28:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
    [2012/05/07 20:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Babylon
    [2013/01/10 21:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\searchresultstb

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c

    Click Run Fix, post that log.


    also download install and update malwarebytes

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    Run a quick scan, post that log here.


    don't attach the logs btw


  • Closed Accounts Posts: 192 ✭✭debit2credit


    Thanks a mil!

    I have that otl log running currently and I took out the attachment just in case!!

    I'll revert back...


  • Closed Accounts Posts: 192 ✭✭debit2credit


    I have the OTL dialogue below, and I have installed and run Malwarebytes; the Malwarebytes log is below as well.

    Is it looking better?
    Thanks so much!
    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34c9277-6577-4dff-b2d7-7d58092f272f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f34c9277-6577-4dff-b2d7-7d58092f272f}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{f34c9277-6577-4dff-b2d7-7d58092f272f} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f34c9277-6577-4dff-b2d7-7d58092f272f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{275e0022-5695-11de-b6de-0014a594aa7c}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{275e0022-5695-11de-b6de-0014a594aa7c}\ not found.
    File SUD\SSOW\sep.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{275e0022-5695-11de-b6de-0014a594aa7c}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{275e0022-5695-11de-b6de-0014a594aa7c}\ not found.
    File SUD\SSOW\sep.exe not found.
    C:\Documents and Settings\All Users\Application Data\Babylon folder moved successfully.
    Folder C:\Documents and Settings\Admin\Application Data\Babylon\ not found.
    Folder C:\Documents and Settings\Admin\Application Data\searchresultstb\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 111511 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Admin
    ->Temp folder emptied: 2817003 bytes
    ->Temporary Internet Files folder emptied: 20233715 bytes
    ->Google Chrome cache emptied: 33571885 bytes
    ->Flash cache emptied: 506 bytes

    User: Guest
    ->Temp folder emptied: 50796 bytes
    ->Temporary Internet Files folder emptied: 822396738 bytes
    ->Flash cache emptied: 15618 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 9157686 bytes

    User: NetworkService
    ->Temp folder emptied: 318248 bytes
    ->Temporary Internet Files folder emptied: 125899995 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 687121 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 573241 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 508141533 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35466 bytes
    RecycleBin emptied: 3380 bytes

    Total Files Cleaned = 1,454.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: Admin
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Default User

    User: Admin

    User: Guest

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Admin\Desktop\OTL\cmd.bat deleted successfully.
    C:\Documents and Settings\Admin\Desktop\OTL\cmd.txt deleted successfully.

    OTL by OldTimer - Version 3.2.69.0 log created on 11232013_191403
    Files\Folders moved on Reboot...
    C:\Documents and Settings\Admin\Local Settings\Temp\JavaDeployReg.log moved successfully.
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\T6WV964V\iframe3[1].htm moved successfully.
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\S8XZY2GM\siCACDFYO8.htm moved successfully.
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\61G02VKN\showthread[2].htm moved successfully.
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2R3IFITO\member[2].htm moved successfully.
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
    23/11/2013 19:42:16
    MBAM-log-2013-11-23 (20-00-05).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 251378
    Time elapsed: 16 minute(s), 53 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 15
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014} (PUP.Datamngr) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F34C9277-6577-4DFF-B2D7-7D58092F272F} (PUP.Datamngr) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9639E4A-801B-4843-AEE3-03D9DA199E77} (PUP.Optional.Incredibar) -> No action taken.
    HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> No action taken.
    HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> No action taken.
    HKCU\Software\Datamngr (PUP.Optional.DataMngr.A) -> No action taken.
    HKCU\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken.
    HKLM\SOFTWARE\BabylonToolbar (PUP.Optional.Babylon.A) -> No action taken.
    HKLM\SOFTWARE\SWEETIM (PUP.Optional.SweetIM.A) -> No action taken.
    Registry Values Detected: 4
    HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> No action taken.
    HKLM\SOFTWARE\Mozilla\Firefox\extensions|{336D0C35-8A85-403a-B9D2-65C292C39087} (PUP.Optional.Incredibar) -> Data: C:\Program Files\Web Assistant\Firefox -> No action taken.
    HKLM\SOFTWARE\Mozilla\Firefox\extensions|{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052} (PUP.Optional.Incredibar) -> Data: C:\Program Files\Web Assistant\Firefox -> No action taken.
    HKLM\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> No action taken.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 3
    C:\Documents and Settings\All Users\Application Data\DownloadnSave (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\data (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\Admin\Application Data\Babylon (PUP.Optional.Babylon.A) -> No action taken.
    Files Detected: 6
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\content.js (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\jpnnbfjmbmmkploieoehdbkkjebfceae.crx (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\settings.ini (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\data\content.js (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\DownloadnSave\data\jsondb.js (PUP.DownloadnSave) -> No action taken.
    C:\Documents and Settings\Admin\Application Data\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
    (end)
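
    The Malwarebytes log above reports every hit as "No action taken", which is what the next reply asks to have fixed. As an added example (not from the thread or from Malwarebytes), a small Python parser for this 1.x log format that groups detections by PUP family, lists what still has to be remediated, and cross-checks each section's header count against the lines actually present (a pasted log with a clipped or missing line shows up as a mismatch). The sample log is constructed from a few of the thread's own lines plus one invented "quarantined" line.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.x log format posted in the thread
# (a few of the thread's own lines plus one invented "quarantined" line).
SAMPLE_LOG = r"""Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} (PUP.Optional.Incredibar) -> No action taken.
HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> No action taken.
HKLM\SOFTWARE\BabylonToolbar (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\SweetIM|simapp_id (PUP.Optional.SweetIM.A) -> Data: 11111111 -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Documents and Settings\Admin\Application Data\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
(end)
"""

# "Registry Keys Detected: 15" style section headers
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<location> (<family>) [-> Data: <value>] -> <action>." detection lines
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> )?(?P<action>[^>]+?)\.$"
)

def parse_mbam_log(text):
    """Return (findings, header_counts): one dict per detection line, plus the per-section totals MBAM printed."""
    findings, header_counts, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            header_counts[section] = int(m["count"])
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings, header_counts

def summarize(findings, header_counts):
    """Group by PUP family, list unremediated items, and flag sections whose line count differs from the header."""
    by_family = Counter(f["family"] for f in findings)
    pending = [f["item"] for f in findings if f["action"] == "No action taken"]
    parsed = Counter(f["section"] for f in findings)
    mismatched = {s: (n, parsed[s]) for s, n in header_counts.items() if parsed[s] != n}
    return {"total": len(findings), "by_family": by_family,
            "pending": pending, "mismatched": mismatched}
```

    Run it as `summarize(*parse_mbam_log(SAMPLE_LOG))`; with the thread's full log pasted in place of the sample, `pending` should be empty after MBAM has been allowed to quarantine the items.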


  • Registered Users Posts: 840 ✭✭✭jsa112


    Have MBAM fix those. Are you still having problems after that? The logs are looking good.


  • Closed Accounts Posts: 192 ✭✭debit2credit


    Perfect!

    Thanks a million for all your help. I'll run the OTL again to see if anything pops up, but I think we're in the clear. Delighted! :)

