
Malware change words to active links



#1 drtaha


Posted 29 July 2004 - 03:39 PM

On my computer I found that any time a web page opens ((( any web page ))) that has the word ((( DISCOVER ))) in any text on any page, it will change to a ((( LINK ))) with a different color that will take me to

http://www.ncsreport...LinkID=DCF10260

Then it will redirect me to the Discover card web site, no matter where this word appears on any page on any web site.

I also realized that the words ((( Hotels ))) and ((( Mortgage ))) will do the same thing on any web site and on any page, and it will redirect me to www.expedia.com and www.eloans.com respectively.


I tried to trace the origin of the problem by placing the word (( discover )) on some web sites that I created, and I am still getting the same result on my computer.

Please advise on the possibility of removing this unwanted functionality from my PC. It is really very disturbing ...

No virus scanner or spyware was able to detect this virus / trojan.

Thank you

Thank you Dave38 <<<< here is the HijackThis log file >>>>>>

Logfile of HijackThis v1.98.0
Scan saved at 2:12:42 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 .

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\PwsTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
E:\Download\HiJackThis_Last.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINNT\system32\bhrw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


Email address deleted. Not a good idea to post it in a public forum.

Edited by drtaha, 30 July 2004 - 01:45 AM.


#2 dave38


Posted 29 July 2004 - 05:33 PM

We need a closer look at what's happening.

Please download HijackThis. Unzip it into its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
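
A HijackThis log like the one requested in this thread can be split into structured records before anyone decides what to fix. The following is an added example, not part of the original thread or of HijackThis itself: the sample lines are constructed, the function names are hypothetical, and the review rules are assumed triage heuristics that only mark entries for a closer look.

```python
import re

# Constructed sample in the HijackThis O-section format; names, CLSIDs and paths are made up.
SAMPLE_LOG = r"""
O2 - BHO: ExampleHelper Class - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINNT\system32\example.dll
O3 - Toolbar: (no name) - {99999999-8888-7777-6666-555555555555} - (no file)
O4 - HKLM\..\Run: [ExampleTray] ExampleTray.exe
O4 - HKLM\..\Run: [ExampleUpdate] c:\example.pif
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")               # section, kind, remainder
COM = re.compile(r"^(.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")  # name, CLSID, file
RUN = re.compile(r"^\[(.*?)\] (.*)$")                         # value name, command line

def parse(log):
    """Yield one dict per O-section line; header and process-list lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        rec = {"section": section, "kind": kind, "name": None, "clsid": None, "target": rest}
        if section in ("O2", "O3") and (c := COM.match(rest)):
            rec["name"], rec["clsid"], rec["target"] = c.groups()
        elif section == "O4" and (r := RUN.match(rest)):
            rec["name"], rec["target"] = r.groups()
        yield rec

def review_reasons(rec):
    """Assumed heuristics: reasons to look closer at an entry, not verdicts."""
    reasons = []
    target = rec["target"].strip('"')
    if rec["name"] == "(no name)":
        reasons.append("component has no registered name")
    if target == "(no file)":
        reasons.append("registry entry points at a missing file")
    if rec["section"] == "O4":
        if re.match(r"^[A-Za-z]:\\[^\\]+$", target):
            reasons.append("autostart target sits in a drive root")
        if target.lower().endswith((".pif", ".scr")):
            reasons.append("autostart target has an unusual executable extension")
    return reasons

def triage(log):
    """Return (section, name, reasons) for every entry with at least one reason."""
    return [(r["section"], r["name"], why) for r in parse(log) if (why := review_reasons(r))]
```
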