[clue-tech] Firefox hijacked
David L. Willson
DLWillson at TheGeek.NU
Mon Nov 24 13:44:50 MST 2008
Update: It happens with both browsers. Drudge Report was a misspelling. He was trying to get to Drudge ReReport (and DenverNews.com.com, too). Virus Total doesn't work in either browser, doesn't ping, and doesn't trace, but it does 'nslookup'. I've run a 'repair' and checked TCP/IP settings, hosts file, and proxy.
On my system, it looks like this:
$ ping -c3 virustotal.com
PING virustotal.com (74.53.201.162) 56(84) bytes of data.
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=1 ttl=55 time=93.0 ms
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=2 ttl=55 time=89.2 ms
64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=3 ttl=55 time=72.3 ms
--- virustotal.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2009ms
rtt min/avg/max/mdev = 72.331/84.881/93.050/9.007 ms
On his busted-ass system, diagnostics look like this:
P:\>ping virustotal.com
Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
[...]
P:\>c:
C:\>cd WINDOWS\system32\drivers\etc
C:\WINDOWS\system32\drivers\etc>cat hosts
'cat' is not recognized as an internal or external command,
operable program or batch file.
(f*ing Windows)
C:\WINDOWS\system32\drivers\etc>type hosts
[...]
127.0.0.1 localhost
10.100.0.139 NPICF97AE
C:\WINDOWS\system32\drivers\etc>ping google.com
Pinging google.com [64.233.187.99] with 32 bytes of data:
[...]
P:\>nslookup virustotal.com
Server: vmspr2.parsec.com
Address: 10.100.0.92
Non-authoritative answer:
Name: virustotal.com
Address: 74.53.201.162
P:\>ping virustotal.com
Pinging localhost [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
[...]
Minimum = 0ms, Maximum = 0ms, Average = 0ms
P:\>tracert virustotal.com
Tracing route to localhost [127.0.0.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms localhost [127.0.0.1]
Trace complete.
----- Original Message -----
From: foo7775 at comcast.net
To: "CLUE tech" <clue-tech at cluedenver.org>
Sent: Monday, November 24, 2008 12:04:02 PM GMT -07:00 US/Canada Mountain
Subject: Re: [clue-tech] Firefox hijacked
Does it happen regardless of the browser used? If not, I'd probably save his/her current profile info, remove the current FF installation & re-install the latest version. Add in a couple of recommended plugins (I like NoScript/AdBlockPlus/FlashBlock myself), & combined with Ad-Aware's protection against "invisible" registry writes, then (based on my experience) you *should be* pretty well protected against *most* of the evil that's out there...
Best of luck.
-------------- Original message ----------------------
From: "David L. Willson" <DLWillson at TheGeek.NU>
> I have a user (a Windows user, but his browser is Free, so I'm asking here) who,
> after a bout with Antivirus 2009, can no longer reach certain web sites, like
> "www.virustotal.com" and "www.drudgereport.com". The browser takes him to an
> ineffective portal page instead.
>
> I don't even know where to start with Googling this... The point is to return
> the browser to normal operation, of course. Any ideas where to start looking?
_______________________________________________
clue-tech mailing list
clue-tech at cluedenver.org
http://www.cluedenver.org/mailman/listinfo/clue-tech
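The transcript in this thread shows `ping` and `tracert` resolving virustotal.com to 127.0.0.1 while `nslookup` gets 74.53.201.162 from the DNS server. As an added example (not part of the original thread), the Python below compares those two lookup paths for a name and flags the case where only the OS resolver path answers with loopback. All function names are this example's own, and the DNS server address is supplied by the caller.

```python
import ipaddress
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A query (RFC 1035): header with RD set, one question."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", 1, 1)

def _skip_name(msg, pos):
    """Step over a (possibly compressed) name; return the offset after it."""
    while msg[pos] != 0:
        if (msg[pos] & 0xC0) == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">2H", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">2HIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:      # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def dns_lookup(name, server, timeout=3.0):
    """What nslookup sees: ask the DNS server directly over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def os_lookup(name):
    """What ping and the browser see: the OS resolver path (hosts file, caches)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def verdict(os_addrs, dns_addrs):
    """LOCAL-OVERRIDE: the OS path answers loopback although the DNS server does not."""
    loop = lambda addrs: any(ipaddress.ip_address(a).is_loopback for a in addrs)
    if loop(os_addrs) and not loop(dns_addrs):
        return "LOCAL-OVERRIDE"
    return "OK" if set(os_addrs) & set(dns_addrs) else "MISMATCH"
```

Run `verdict(os_lookup(name), dns_lookup(name, server_ip))` on the affected machine. `MISMATCH` on its own is weak evidence, since round-robin and CDN-hosted names legitimately return different addresses per query.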