Thanu

Vktarget.ru / Traffstock / AdWizard / Stubborn Browser Hijacker

If you click on ABP and then choose "Block element", then click on the pop-up, ABP will start blocking it.

Edited by Loke

I see - that's the Pro/paid version, I take it - you use it? Recommend it?

Well, after surfing more and checking with my wife on her tablet, it appears that we are no longer a victim of the TOT's nasty Vktarget.ru browser hijacker, if that's what you call it - malware at any rate. This is a real disgrace and black mark on the Telephone Organization of Thailand it seems - not that they particularly care.

Great to have you here helping, Loke, and I hope you don't have to put up with them much longer - but should we do anything to get the word out? Post on ThaiVisa or something? I'm sure most people won't make it here to LavaSoft, unfortunately.

And I do want to thank CeciliaB and LS Artem kindly for their donated technical skills - it's very upsetting and frustrating when problems like this distract us from work and the enjoyment of life.

Now, knock on bamboo and be careful ... Cheers, Thanu

PS: Are you doing any computer work, Loke? I am a writer, website promoter, and anthropologist in Udon-Nong Khai. Just curious. Sounds like you've got things made, other than this TOT fiasco.

Hi All,

I, too, live in Thailand (central Bangkok) and have been annoyed to the core by this virus/hijacker. I noticed it about 2 weeks ago and have been applying my novice skills and getting nowhere!!!!

When my wife's iPhone & work laptop started showing the same Traffstock / cartoon-porn popups (at home only, thankfully!!!), I spent a sleepless night trying to get to the bottom of it - I suspected it was the router, since multiple machines, platforms, etc. were getting the popups.

I look forward to following this string and helping in whatever way I can!

Thanks

Hello!

Thank you guys for clarifying the situation, because it was looking like we were catching ghosts here.

So we can suspect that we are dealing with:

  1. Infected router
  2. Infected ISP
  3. Poisoned DNS
  4. Some harmful extension that was installed in the browser and was synchronized among other PCs (Chrome, FF, Opera).

So you can try to:

  • Use another DNS as main (for example 8.8.8.8)
  • Try to web surf using Mobile Internet or another ISP
  • Launch your browser in safe mode
  • Check launch parameters in all browser icons

Hi all,

I agree with Artem.

It might be that someone has hacked into your routers, those of you who have one, and you should start by checking whether your router manufacturer has developed a new firmware (software inside the router) on the web site of that manufacturer. If you find a new version, please install it into the router, and if not, reinstall the current version if possible, since installing a firmware version usually resets the router to the original settings. After that you need to go to the router configuration by entering its IP address, e.g. 192.168.0.1, in the browser's address field, change its login password to something else and make sure that remote login, that is, being able to change its configuration from the internet, is turned off. The login password is the password you use in the browser and not the encryption key for its wireless connection (which should be configured as well).

There is malware that from a computer logs in to the router and changes its settings. It's also possible that your router has vulnerabilities and can be exploited from the internet, and if there isn't a new firmware version that fixes the vulnerability you have to buy a new router to be sure nobody can hack into it.

We recently had an outbreak of router hacking here in Sweden, since someone found that the ISP, which had sold the routers, had its own login with a very weak password that was used for doing remote reconfigurations. It got rather big in the news and the ISP had to release a new firmware version within a few days.

If you aren't sure that your router is safe, it's important that all computers and smartphones are set to use fixed DNS servers instead of automatic configuration. You can set them to use Google's, 8.8.8.8 and 8.8.4.4, or OpenDNS, 208.67.222.222 and 208.67.220.220.

http://www.opendns.com/

Please, tell us if these DNS server reconfigurations are enough. If not, the computer might be infected.

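Artem's list and CeciliaB's advice come down to one check a defender can run from any machine on the network: ask the router or ISP resolver and a known public resolver for the same name and see whether the answers agree. The script below is an added example, not code from the thread or from Lavasoft. It builds a raw DNS A query, sends it to each resolver over UDP/53 and flags the resolvers whose answer set differs from the others. The router address 192.168.0.1 is the thread's own example and an assumption here; replace it with the real gateway address. Standard library only.

```python
"""Compare the A records returned by the router/ISP resolver with answers from
public resolvers. Added example; 192.168.0.1 is assumed, not known."""
import socket
import struct
from collections import Counter

RESOLVERS = {
    "router (assumed 192.168.0.1)": "192.168.0.1",   # assumption: replace with your gateway
    "Google": "8.8.8.8",
    "OpenDNS": "208.67.222.222",
}
TXID = 0x1234  # fixed transaction id is fine for a manual check; randomise in production


def build_query(name, txid=TXID):
    """Serialise a minimal RFC 1035 A/IN query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name that starts at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid=TXID):
    """Return the sorted IPv4 addresses found in the answer section of a response."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: %04x" % rid)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query(server, name, timeout=3.0):
    """Send one query to one resolver and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def compare(name, resolvers=RESOLVERS):
    """Ask every resolver for `name`; network errors are recorded as strings."""
    results = {}
    for label, server in resolvers.items():
        try:
            results[label] = query(server, name)
        except (OSError, ValueError) as exc:
            results[label] = "error: %s" % exc
    return results


def disagreements(results):
    """Resolvers whose answer set differs from the most common answer set."""
    answers = {k: tuple(v) for k, v in results.items() if isinstance(v, list)}
    if not answers:
        return []
    majority = Counter(answers.values()).most_common(1)[0][0]
    return sorted(k for k, v in answers.items() if v != majority)


if __name__ == "__main__":
    # Plain names give the clearest signal; CDN-hosted names may legitimately
    # resolve differently per resolver.
    for host in ("example.com", "opendns.com"):
        res = compare(host)
        print(host, res, "suspect:", disagreements(res))
```

Disagreement is a signal, not proof: names served from a CDN can legitimately answer differently per resolver, so compare a few plain names and look for a resolver that is consistently the odd one out. Agreement does not clear the network either; a poisoned resolver is only one of the four causes Artem lists.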
If it is my router, then I have a difficult situation - I just went to the mfg's website (tp-link.com) and did a search for my model number (TD854W) and there is no match on their site. We bought the router when we switched to TOT for our ADSL service. When I tried to ring their service number, it was just a repeating message that all staff were engaged, please hold the line... for 25 min. I gave up and am going to bed after only 3+ hrs sleep last night.

As to the moderators' recent statements, this modem setup has 3 levels of passwords (1st level is static, issued by TOT; 2nd level seems to be unique to us, but when I tried to change the user ID, zero internet connections available, so I had to put it back to default; and 3rd level has user ID & pw set by us (we've changed these 2x and it's had no effect)).

I will attempt the DNS setting tomorrow.

G'night!

If you are going to make changes in router settings please be sure that you have made a backup of all settings and saved your passwords and connection configuration!!!! After that you can restore the default settings by pressing the small button that is placed in a little hole on the back of your router. http://www.tp-link.com/en/article/?id=83

Either it isn't the correct number you found or it's a model made for a certain ISP or market, see http://forum.tp-link.com/showthread.php?2704-model-TD854W

Hi All,

A quick note - I rang TOT (ISP provider) and asked if they had any reports of troublesome behavior from Traffstock. Before I could mention VkTarget.ru as the URL, the rep was already referencing it as "That Russian pop-up/browser problem".

His only suggestion was to go in and change the DNS settings. I'll be honest, his step-by-step did NOT get me to the DNS settings, so maybe he was looking at XP procedures (I'm dealing with Windows 7 home edition). But his DNS reference of 8.8.4.4 seems to have done the trick.

After the change, I have tempted the fates by opening no less than 15 browser windows/multiple tabs in each window and NO popups or vktarget.ru redirects... fingers crossed. However, as soon as I reopened my laptop in the coffee shop next door, Mommy & kid in their fur coats were smiling at me even before I got my screen at my preferred viewing angle. (After a loud internal scream) I drank my coffee & came back to my home network, where, still knocking on wood... NO OCCURRENCES!!!

That link is to a forum run by a router hobbyist, not by TP-Link corp., and in that thread people are complaining of this model not being shown anywhere on the corp. www; the forum mod's suggestion is to email corp. for beta firmware... anyway, the DNS trick above seems to be the solution for the time being.

Thanks for reporting back :)

Yes, it's obviously a DNS problem and since your ISP has a lot of customers with the same issue, I think it's either a vulnerability in the router or they can't handle their own DNS servers.

I don't know who is running that forum, but it's TP-LINK Technologies Co., Ltd that owns the domain and they link to that forum on their web pages, in the support menu: http://www.tp-link.com/en/

But it's possible it's like this forum, where 99% of all answers are from volunteers (me).

1%$^&&%^*(&^%$^*(**&

 

I was just checking a news site & an extra tab got opened that went to adultube.com (no www. etc. at the beginning). I just ran the malware detectors again, but nothing was detected by Malwarebytes Anti-Malware.

I guess that band-aid didn't last too long!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Hopeless and helpless at this point.... the worst part is, I'm in the middle of setting up an ecommerce site that is supposed to become my primary business (since my role as foreign buyer's agent has no chance of getting clients in this environment).

I REALLY NEED SECURE USE OF MY COMPUTER!!!! Any further help will be greatly appreciated.

Thanks for listening

thom

 


CeciliaB (btw, great name = a cousin of mine is also a Cecilia),

thank you for your volunteer effort - if my ecommerce catches the momentum that I anticipate, I will happily request to be a contributor/supporter to your cause! Selflessness MUST be your OWN reward, while your efforts need to be rewarded by the recipients!!!!!

Hi Thom,

Maybe best if I check a log file from your computer, too.

Please, download Farbar Recovery Scan Tool (FRST) and save it on the desktop:

For 64-bit Windows: http://download.bleepingcomputer.com/farbar/FRST64.exe

For 32-bit Windows: http://download.bleepingcomputer.com/farbar/FRST.exe

Start the FRST program.

Read the disclaimer and click Yes to accept it.

Click the Scan button.

When done, FRST will create two log files, called FRST.txt and Addition.txt, on the desktop.

Please, attach them to your reply (press the More Reply Options button to see how to attach files).

Changed my router and this problem still persists.

My humble opinion:

1. ToT has been hacked - there's no doubt about it.

2. Use the free Adblock Plus (ABP https://adblockplus.org/)

3. Add Malware Domain to the ABP Filter List under options:

"Please choose a filter subscription from the list:"

Choose "Add a different subscription..."

"Subscription title:"

Write "Disable Malware"

4. Edit your hosts file (%WINDIR%\System32\drivers\etc\hosts) as administrator, and add these at the bottom of the file:

127.0.0.1 gamblespot.ru
127.0.0.1 www.sexgangsters.com
127.0.0.1 downloadpcapps.com
127.0.0.1 megafilecloud.ru
127.0.0.1 kudrafa.ru
127.0.0.1 vktarget.ru
127.0.0.1 stock-traffic.info
127.0.0.1 counter.yadro.ru
127.0.0.1 wizard-traffstock.com
127.0.0.1 contactsin.com
127.0.0.1 wizard-help.com
127.0.0.1 not-only.info
127.0.0.1 omgdomain.info
127.0.0.1 yandex.ru
127.0.0.1 greenlea.ru
127.0.0.1 akamaihd.net
127.0.0.1 ektezis.ru
127.0.0.1 dbterrrznvh.people-are-thought.info
127.0.0.1 zinzimo.info
127.0.0.1 waveview.info
127.0.0.1 doubleclick.net
127.0.0.1 traffic.outbrain.com

Now you'll have no more popups yet occasionally have your browser open a vktarget.ru tab, but your computer will not connect to vktarget.ru or any of the above.

5. Wait for ToT to get their s*** together, or if possible, find another ISP asap.

6. Be wary of uploading all those logs (i.e. FRST.txt and Addition.txt)! Those files expose your system, thus making you and your system vulnerable as they easily could be harvested and misused by hackers.

 

Just my two cents! - Sharing is caring!!

 

Loke (semi-retired computer-engineer)

Edited by Loke

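A practitioner's check on step 4 above: the hosts file matches exact names only, so "127.0.0.1 vktarget.ru" intercepts vktarget.ru but not www.vktarget.ru or any other subdomain, and the same holds for the broad entries such as akamaihd.net or doubleclick.net, whose traffic is served from subdomains. The script below is an added example, not code from the post or from Lavasoft. It parses a hosts file the way the resolver does, reports which of a set of observed hostnames are still reachable, and renders the entries that would be needed to cover them. The sample hosts content is a subset of the list above; the observed names are constructed variants used for illustration.

```python
"""Hosts-file blocking: what an exact-name table covers and what it misses.
Added example; sample data below is constructed."""
import ipaddress

# Constructed sample: a subset of the entries in the post, plus a comment line.
SAMPLE_HOSTS = """
# entries added to block the hijacker's domains
127.0.0.1 vktarget.ru
127.0.0.1 wizard-traffstock.com
127.0.0.1 dbterrrznvh.people-are-thought.info
"""

# Constructed sample of names a browser might request (hypothetical variants).
OBSERVED_NAMES = [
    "vktarget.ru",
    "www.vktarget.ru",
    "cdn.wizard-traffstock.com",
    "people-are-thought.info",
]


def parse_hosts(text):
    """Map each hostname (lower-cased) to the first address assigned to it.

    Lines are '<ip> <name> [<name>...]'; '#' starts a comment. Lines whose
    first field is not an IP address are skipped, as the resolver skips them."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)   # first entry wins, like the resolver
    return table


def hosts_lookup(table, hostname):
    """The resolver matches hosts entries on the exact name only, never on a suffix."""
    return table.get(hostname.lower().rstrip("."))


def uncovered(table, names):
    """Names from `names` that the hosts file does not intercept."""
    return [n for n in names if hosts_lookup(table, n) is None]


def render_entries(table, names, sink="127.0.0.1"):
    """Lines to append so that every name in `names` is covered; idempotent."""
    return ["%s %s" % (sink, n.lower()) for n in names if hosts_lookup(table, n) is None]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    missing = uncovered(table, OBSERVED_NAMES)
    print("blocked:", [n for n in OBSERVED_NAMES if n not in missing])
    print("still reachable:", missing)
    print("\n".join(render_entries(table, OBSERVED_NAMES)))
```

Each new hostname the hijacker uses needs its own line, which is why this stays a stop-gap; the list in the post also blocks yandex.ru, akamaihd.net and doubleclick.net outright, which affects ordinary sites that use those services.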
Hi Loke,

 

The internet has been full of logs from FRST and other similar programs for more than 10 years, and I have never read that someone got hacked or harvested afterwards. Please, explain what you or someone else could do from those logs.

I find it very strange to only circumvent the problem by blocking sites in the hosts file and in ad-blocking plugins instead of doing something about the real issue. If the DNS servers of the ISP are hacked, use other DNS servers instead. If your computer is compromised, reinstall it and make it really secure afterwards.

No wonder you haven't read that. I'm not going to explain in detail what I or others could do with those files. But let's take Thanu's logfiles as an example; they contain loads of information which he just might want to keep for himself. Let's take Addition.txt, where his real name is listed, and so is everything that he has downloaded (i.e. Requiem.for.a.Dream.DIRECTORS.CUT.2000), and all programs that he has installed - among them what OS (incl. user accounts), which browsers and security programs (antivirus, anti-malware, firewall etc.) he uses and if any are out-of-date/updated. Hackers can then pick'n'choose from a complete list of programs - some with known exploits. All a hacker now needs is his IP address, which could be obtained from him if he were to send an e-mail (which he in fact did to me after a PM), and which I'm sure is available to every board he uploads those logs to.

I find it very strange that you don't seem to get that the problem is with our ISP (ToT, Thailand), and it is completely out of our hands to remedy this. All you are suggesting is re-flashing our routers (a risky affair), removing this and that software (which has nothing to do with this problem), and even re-installing our computers <sigh>. Then you go on to postulate that we can make your computer "really secure afterwards"... That's really laughable.

Everything points to this particular problem being with our ISP, and all those quite time-consuming efforts you're suggesting would be to no avail.

As ToT are using Google's public DNS servers, and as I really doubt they are infected, then the problem is somewhere else in the network layers.

As I wrote, all I'm offering here is a temporary solution. One that will fix those popups and re-directions right NOW for those who'd be interested in that. In my case, I won't have to watch different porn cartoons pop up, or have tabs with porn sites continuously load in my browser, and neither will my three sons (8, 8 and 11yo).

Jesus!

I'm infected and in North Eastern Thailand.

The infection inserts javascript before the closing body tag of most HTML pages. I believe that gives them the capability to keylog our browsers if they so choose. So I am afraid of doing Internet banking etc... I should stop... But my hosts file workaround will partially protect me, and I'm hoping for the best...

Both my PC and Android tablet became infected at the same time. I guess that suggests the issue is in the router, since the tablet is not running Windows.

I could find no viruses in Windows after several attempts.

Idiot ISP... can't even fix this major issue after a week. This is Thailand. As usual.

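The observation above (a script inserted before the closing body tag, seen on both Windows and Android) suggests a check that does not depend on any one machine being clean: fetch the same page over the suspect connection and over another path (a VPN or mobile data, as suggested earlier in the thread), then list the script tags present in one copy but not the other. The parser below is an added example, not the poster's code or Lavasoft's. Both HTML snippets are constructed and the injected URL is a placeholder; in practice the two inputs would be the page bodies saved from the two fetches.

```python
"""Find <script> tags that a page carries over the suspect network but not in a
reference copy of the same page. Added example; sample HTML is constructed."""
from html.parser import HTMLParser

# Constructed reference copy of a page, and the same page as seen through the
# suspect path with an extra <script> just before </body> (placeholder URL).
REFERENCE_HTML = (
    '<html><head><title>News</title></head><body><p>Hello</p>'
    '<script src="/app.js"></script></body></html>'
)
OBSERVED_HTML = (
    '<html><head><title>News</title></head><body><p>Hello</p>'
    '<script src="/app.js"></script>'
    '<script src="http://injected.example.invalid/loader.js"></script>'
    '</body></html>'
)


class ScriptCollector(HTMLParser):
    """Record every <script> (by src or inline body) and those sitting right before </body>."""

    def __init__(self):
        super().__init__()
        self.scripts = []             # all scripts in document order
        self.before_body_close = []   # scripts with no other element between them and </body>
        self._tail = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []
        else:
            self._tail = []           # another element intervened; reset the run

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)    # script bodies arrive as raw text

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            desc = ("src:" + self._src) if self._src else ("inline:" + "".join(self._buf).strip())
            self.scripts.append(desc)
            self._tail.append(desc)
        elif tag == "body":
            self.before_body_close = list(self._tail)


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def injected_scripts(reference_html, observed_html):
    """Scripts in the observed copy that the reference copy does not contain."""
    known = set(collect(reference_html).scripts)
    return [s for s in collect(observed_html).scripts if s not in known]


def body_end_scripts(html):
    """Scripts placed immediately before </body>, the position reported in the thread."""
    return collect(html).before_body_close


if __name__ == "__main__":
    print("injected:", injected_scripts(REFERENCE_HTML, OBSERVED_HTML))
    print("before </body>:", body_end_scripts(OBSERVED_HTML))
```

Compare copies fetched within a short time of each other, since pages that rotate advertising scripts will show harmless differences; a script that appears only over one network path, on every site, and always in the same position is the pattern to look for.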
I mean that I have never read that anyone complains about being hacked after receiving help with malware in a forum. If that was common, the antimalware community would know that after all these years.

Names aren't important in the logs and can be removed if wanted; they are usually only seen when the full name is used as the account name, and that's rare. Persons sending emails to unknown persons have nothing to do with the logs, and there is nothing in the logs that connects the poster to an IP address or an email address. You only described what could be done when the IP address is known, and it isn't.

Without the logs of Thanu, we wouldn't have known that the DNS server was a German one, not Google's.

The fix I provided in post #7 did remove an adware add-on for Chrome:

HR Extension: (No Name) - C:\Users\windows7\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda [2012-12-04]

http://www.herdprotect.com/ejpbbhjlbipncjklfjjaedaieimbmdda.crx-9661b3607c1e198cba4e6c1293e5b1eceed07413.aspx

The fix also removed a vulnerability in Chrome due to an old version of Java:

CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

leaving the computer less vulnerable.

I quote post #20:

I've been using IE the last hour and NO instance of problem / hijacker. Reckon it must be Chrome-related.

How can IE be without the ads if the problem can only be handled by blocking sites in the hosts file and an ad-blocker add-on, as you wrote?

and post #36:

But his DNS reference of 8.8.4.4 seems to have done the trick.

after the change, I have tempted the fates by opening no less than 15 browser windows/multiple tabs in each window and NO popups or vktarget.ru redirects.

Risky to update the firmware of a router?!!

It's common procedure to do that since vulnerabilities are found in them and fixed, e.g. http://www.dlink.com/uk/en/support/security and http://www.cnet.com/news/asus-router-vulnerabilities-go-unfixed-despite-reports/ .

Hi danbradster,

 

I suggest that you change your DNS settings in the computer and tablet to Google's or OpenDNS, see post http://www.lavasoftsupport.com/index.php?/topic/34135-vktargetru-traffstock-adwizard-stubborn-browser-hijacker/page-2#entry147254 since it seems to help others.

Hi All

Mike here from Chonburi, also with TOT and am being plagued by this Russian malware. I also have a TP-link TD854W router which will not let me update the primary and secondary DNS addresses as described earlier in this thread. I press "save" and nothing happens, when I refresh the page the updates have not taken effect.

I have tried recycling the router and attaching it directly to the laptop - no difference.

I am concerned about internet banking and would appreciate any advice with regards to how to get my router to save the changes.

Thanks

Edit: I am currently using a VPN which I hope can protect me, but I have no clear idea whether it is or not!

Edited by baldplumber
