[clue-tech] Firefox hijacked

David L. Willson DLWillson at TheGeek.NU
Mon Nov 24 13:44:50 MST 2008


Update:  It happens with both browsers.  Drudge Report was a misspelling.  He was trying to get to Drudge ReReport (and DenverNews.com.com, too).  Virus Total doesn't work in either browser, doesn't ping, and doesn't trace, but it does 'nslookup'.  I've run a 'repair' and checked TCP/IP settings, hosts file, and proxy.

On my system, it looks like this:

$ ping -c3 virustotal.com
PING virustotal.com (74.53.201.162) 56(84) bytes of data.
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=1 ttl=55 time=93.0 ms
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=2 ttl=55 time=89.2 ms
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=3 ttl=55 time=72.3 ms

--- virustotal.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2009ms
rtt min/avg/max/mdev = 72.331/84.881/93.050/9.007 ms

On his busted-ass system, diagnostics look like this:

P:\>ping virustotal.com
 
Pinging localhost [127.0.0.1] with 32 bytes of data:
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
[...]
 
P:\>c:
 
C:\>cd WINDOWS\system32\drivers\etc
 
C:\WINDOWS\system32\drivers\etc>cat hosts
'cat' is not recognized as an internal or external command,
operable program or batch file.
 (f*ing Windows)
C:\WINDOWS\system32\drivers\etc>type hosts
[...] 
127.0.0.1       localhost
10.100.0.139 NPICF97AE
 
C:\WINDOWS\system32\drivers\etc>ping google.com
 
Pinging google.com [64.233.187.99] with 32 bytes of data:
[...]
P:\>nslookup virustotal.com
Server:  vmspr2.parsec.com
Address:  10.100.0.92
 
Non-authoritative answer:
Name:    virustotal.com
Address:  74.53.201.162
 

P:\>ping virustotal.com
 
Pinging localhost [127.0.0.1] with 32 bytes of data:
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
[...]
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
P:\>tracert virustotal.com
 
Tracing route to localhost [127.0.0.1]
over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  localhost [127.0.0.1]
 
Trace complete.

----- Original Message -----
From: foo7775 at comcast.net
To: "CLUE tech" <clue-tech at cluedenver.org>
Sent: Monday, November 24, 2008 12:04:02 PM GMT -07:00 US/Canada Mountain
Subject: Re: [clue-tech] Firefox hijacked

Does it happen regardless of the browser used?  If not, I'd probably save his/her current profile info, remove the current FF installation & re-install the latest version.  Add in a couple of recommended plugins (I like NoScript/AdBlockPlus/FlashBlock myself), & combined with Ad-Aware's protection against "invisible" registry writes, then (based on my experience) you *should be* pretty well protected against *most* of the evil that's out there...

Best of luck.

 -------------- Original message ----------------------
From: "David L. Willson" <DLWillson at TheGeek.NU>
> I have a user (a Windows user, but his browser is Free, so I'm asking here) who, 
> after a bout with Antivirus 2009, can no longer reach certain web sites, like 
> "www.virustotal.com" and "www.drudgereport.com".  The browser takes him to an 
> ineffective portal page instead.
> 
> I don't even know where to start with Googling this...  The point is to return 
> the browser to normal operation, of course.  Any ideas where to start looking?
_______________________________________________
clue-tech mailing list
clue-tech at cluedenver.org
http://www.cluedenver.org/mailman/listinfo/clue-tech
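
The comparison done by hand in the session above (what `ping` resolved versus what `nslookup` returned), as an added example that is not part of the original thread. The function names are hypothetical, and the sample text is copied from the session.

```python
import ipaddress
import re

# Output copied from the Windows session quoted in the message above.
PING_OUT = """Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
"""
NSLOOKUP_OUT = """Server:  vmspr2.parsec.com
Address:  10.100.0.92

Non-authoritative answer:
Name:    virustotal.com
Address:  74.53.201.162
"""

def ping_target(text):
    """(name, ip) from the 'Pinging NAME [IP]' line: what the OS resolver returned."""
    m = re.search(r"^Pinging (\S+) \[([0-9a-fA-F.:]+)\]", text, re.M)
    return (m.group(1), ipaddress.ip_address(m.group(2))) if m else None

def nslookup_answers(text):
    """IPv4 addresses after the answer's 'Name:' line (skips the DNS server's own address)."""
    parts = re.split(r"^Name:.*$", text, maxsplit=1, flags=re.M)
    if len(parts) < 2:
        return []
    found = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", parts[1])
    return [ipaddress.ip_address(a) for a in found]

def compare(queried, ping_text, nslookup_text):
    """List the ways the OS resolver's answer disagrees with the DNS server's."""
    target, dns = ping_target(ping_text), nslookup_answers(nslookup_text)
    if target is None or not dns:
        return ["incomplete output: nothing to compare"]
    name, ip = target
    findings = []
    if ip not in dns:
        findings.append(f"OS resolver returned {ip}; DNS returned {', '.join(map(str, dns))}")
    if ip.is_loopback and not any(a.is_loopback for a in dns):
        findings.append(f"{queried} resolves to loopback on this host only")
    if name.lower() != queried.lower():
        findings.append(f"ping reports the host as '{name}', not '{queried}'")
    return findings

if __name__ == "__main__":
    for line in compare("virustotal.com", PING_OUT, NSLOOKUP_OUT):
        print("MISMATCH:", line)
```

A loopback mismatch of this kind means the override is local to the host, since the DNS server still returns the public address.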