A possible hijacking?

I’ve been looking around on the internet, and all of the threads I can find relating to this have the same, unsure reaction. I’m a victim of the random ‘microdefender[dot]nl’ hijackings. It opens a tab randomly in my Firefox that leads to that page (usually headed by a random arrangement of numbers/letters). I have some addons for protection, and every time I’ve gone so far, the site has an internal server error (Error 500?).

I’ve run things like MBAR and MBAM in regular mode (nothing in safe mode yet), and I’m running Avast! Free right now, hoping SOMETHING will come up.

Please attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Attaching logs!

Hi, does this occur only in Firefox?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1391218407-3976517184-3099314675-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Yeah, FF is the only browser I use. I have Chrome and IE installed, but never touch them.

Like, ever.

I tried Chrome for a day, it was okay. IE I only used to get FF when I first got the PC.

DellDock is an okay program; it comes with the computer. I have it turned off, but some processes run in the bg. Should I just uninstall it instead?

Running the fixes you said, will BRB with logs.

I just removed the Dell Dock entries to try and speed up the start.

Could you try IE please and see if you get the same problem?

Whoops, ran it with the DellDock stuff anyway. Oh well! I just restarted, it’s running the quick scan now.

As far as reproducing this goes (on IE or otherwise), I don’t think I can.

It happens completely randomly – I thought I clicked on something the first time it happened, I’ll put it that way.

It always directs to a website with a random arrangement of numbers/letters, like “12345ab-microdefender[dot]nl”. I have NoScript and AdBlocker on my FF, and I dunno if that helps prevent the site from interacting with me in any way, but the site is always blank with the typical “Internal 500 error”, like the site’s broken somehow. It only seems to crop up every other day or so, sometimes two, and only once. But the fact that it’s happening is what troubles me.

OTL is quick-scanning.

Quick-scan finished. Running AdwCleaner and will have logs for you in a second.

Logs attached!

Does it happen on a specific site? That site may be infected, as the logs look clean.

I don’t think so. It’s happened as I was dallying around on other programs, but had FF open in the bg. I’ve seen mention of the site pop up in my Event Logger, if that helps? It said it had something to do with the Microsoft DNS?

Hold on, I’m dumb, let me try to get it for you. Yeah, here it is.

Under the Event Viewer, under “Windows Logs”, then “System”, the last instance of it was at 2:14 AM last night. It reads this:

“Name resolution for the name 90d6bc5a.microdefender-fe.nl timed out after none of the configured DNS servers responded.”

Details are this:

System
  • Provider
    [ Name] Microsoft-Windows-DNS-Client
    [ Guid] {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}
  EventID 1014
  Version 0
  Level 3
  Task 0
  Opcode 0
  Keywords 0x4000000000000000
  • TimeCreated
    [ SystemTime] 2014-02-01T07:14:35.418961000Z
  EventRecordID 213361
  Correlation
  • Execution
    [ ProcessID] 1684
    [ ThreadID] 6588
  Channel System
  Computer Monolith
  • Security
    [ UserID] S-1-5-20

EventData
  QueryName 90d6bc5a.microdefender-fe.nl
  AddressLength 16
  Address 020000354B4B4B4B0000000000000000

Any idea what the heck this is about?

I don’t know if it’s any help to you guys, sorry.
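A worked decoding of the Event ID 1014 record quoted above, added here as an example and not part of the thread. The Address field of a DNS-Client 1014 event is the raw SOCKADDR of the DNS server that failed to answer, not the address of the microdefender host, and the leading eight-hex-character label is what makes these query names look machine-generated; the code assumes the EventData lines are pasted as plain “Key Value” text.

```python
import re
import struct
import ipaddress

# Constructed sample: the three EventData lines quoted from the event above.
SAMPLE_EVENTDATA = """
    QueryName 90d6bc5a.microdefender-fe.nl
    AddressLength 16
    Address 020000354B4B4B4B0000000000000000
"""

def parse_eventdata(text):
    """Turn the 'Key Value' lines of the EventData section into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            fields[key] = value.strip()
    return fields

def decode_sockaddr(hex_addr):
    """Decode the Address field: a SOCKADDR dumped as hex (sockaddr_in for
    IPv4, sockaddr_in6 for IPv6). Returns (family, ip, port)."""
    raw = bytes.fromhex(hex_addr)
    family = struct.unpack("<H", raw[:2])[0]   # sin_family, host byte order
    port = struct.unpack("!H", raw[2:4])[0]    # sin_port, network byte order
    if family == 2 and len(raw) >= 8:          # AF_INET: sin_addr at bytes 4..8
        ip = ipaddress.IPv4Address(raw[4:8])
    elif family == 23 and len(raw) >= 24:      # AF_INET6 (Windows value 23): addr at 8..24
        ip = ipaddress.IPv6Address(raw[8:24])
    else:
        raise ValueError(f"unsupported address family {family}")
    return family, str(ip), port

# Hostname label made of exactly eight lowercase hex digits, as in the sample.
RANDOM_LABEL = re.compile(r"^[0-9a-f]{8}$")

def triage_1014(text):
    """Summarise one 1014 event: which resolver timed out and whether the
    queried name carries a random-looking leading label."""
    fields = parse_eventdata(text)
    _, ip, port = decode_sockaddr(fields["Address"])
    name = fields["QueryName"].lower()
    return {
        "query_name": name,
        "dns_server": ip,          # the resolver that did not respond
        "dns_port": port,
        "random_host_label": bool(RANDOM_LABEL.match(name.split(".")[0])),
    }
```

For the sample the resolver decodes to 75.75.75.75 on port 53, so the event records the lookup of the odd name, not contact with it.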

I don’t suppose you can remember which programme?

Skype was one thing. Skype recently added a whole bunch of new ads to their program. Another friend who uses it is having the same exact issue as me, but other friends who use it are not, so it’s probably just me being paranoid.

That was the first time it popped up. I was browsing the internet (I usually browse websites like WoWHead and YouTube while idle), and was removing an old contact from Skype. I hit “remove contact”, and that’s when the tab opened in Firefox. I’m sure it was completely coincidental, but at that time I was like “Oh, I must’ve clicked on something.”

I keep Adblocker and NoScript on for pretty much every site I go to, except to allow things like YouTube’s player.

Usual programs I run are League of Legends and World of Warcraft, which are both video games supported by big, good companies. I doubt it has anything to do with them!

I would go for Skype. I have ceased to use that unless absolutely necessary, due to the intrusive ads and weird links it tries to get you to go to.

Also, it acts as a P2P programme, so if you are not using it then it will become a transfer node. So only start it when you need it, and not with the system.

If it helps, I looked up the name of the website that keeps popping up, and found this:

http://urlquery.net/report.php?id=8938372

I don’t leave Skype running in the bg if it’s not in use. I also don’t have it set to run at startup (I hate things that run at startup, ugh).

EDIT: A few more. I translated them to English, sorry!

http://translate.google.com/translate?hl=en&sl=da&u=http://komputer.dk/forum/hjaelp-til-windows-og-programmer/sikkerhed/falsk-advarsel&prev=/search%3Fq%3Dmicrodefender.nl%26start%3D10%26sa%3DN%26biw%3D1920%26bih%3D974

http://nerdanswer.com/answer.php?q=452576

They all have no idea what’s going on, or simply have no response. It’s kind of scary, honestly.

Avast is aware of this… were you getting alerts? http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/ Ad poisoning is an old trick, but very effective.

Was not. I didn’t have avast installed until last night, when I finally started the witch-hunt for this to root it out. It hasn’t been happening very long at all.

Is there anything else that can be done to delete this? I’m glad if it’ll never come back, but I’m worried about what to do to stop it from coming around ever again.

Alright, I’ll be shutting down to head to work. If you guys can provide any more info, please, please please let me know! Thank you for all of the help so far.

The beauty of Avast is that it will block the connection so that nothing can get onto your system and you will be safe :)

To be doubly sure you can set the Avast hardened mode to aggressive, and then you will get alerted any time an unknown programme starts, with the option to either block or run.

https://dl.dropboxusercontent.com/u/73555776/Hardened%20mode.JPG

https://dl.dropboxusercontent.com/u/73555776/Add%20to%20exclusions.JPG