[clue-tech] Firefox hijacked

Mike Staver staver at fimble.com
Mon Nov 24 14:59:29 MST 2008


Just my 2 cents - when I come across a Windows system like this, several
things will also happen.  More than likely, you won't be able to see some
"hidden" files inside the OS. I usually see files starting with an _ or
tmp (or something similar) blocked from view in Windows Explorer.  The
jerks often mess with the hosts file or TCP/IP settings in some way along
with that file trick.  Even if I could trace the root of the problem and
think it's clean, I still wouldn't trust the system.  I find it much
easier and less time-consuming to bust out the Windows install disc and
start over.  Even with the best anti-virus software known to man, you just
can't protect a user from themselves.  I had "fixed" a user's machine once
with Ad-Aware, HijackThis, Spybot, and McAfee Stinger - only to have the
virus reappear over and over again.  I even made sure Windows Restore was
off and I thought I had it clean. It just goes to show that once a system
DLL or EXE has been compromised, you can no longer trust anything on the
box. I'm paranoid like that though.  I apply the same rules to Linux boxen
- I've seen the ps, ls, and top binaries replaced before so that they
would exclude certain processes from view.

> Update:  It happens with both browsers.  Drudge Report was a misspelling.
> He was trying to get to Drudge ReReport (and DenverNews.com.com, too).
> Virus Total doesn't work in either browser, doesn't ping, and doesn't
> trace, but it does 'nslookup'.  I've run a 'repair' and checked TCP/IP
> settings, hosts file, and proxy.
>
> On my system, it looks like this:
>
> $ ping -c3 virustotal.com
> PING virustotal.com (74.53.201.162) 56(84) bytes of data.
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=1 ttl=55
> time=93.0 ms
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=2 ttl=55
> time=89.2 ms
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=3 ttl=55
> time=72.3 ms
>
> --- virustotal.com ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2009ms
> rtt min/avg/max/mdev = 72.331/84.881/93.050/9.007 ms
>
> On his busted-ass system, diagnostics look like this:
>
> P:\>ping virustotal.com
>
> Pinging localhost [127.0.0.1] with 32 bytes of data:
>
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> [...]
>
> P:\>c:
>
> C:\>cd WINDOWS\system32\drivers\etc
>
> C:\WINDOWS\system32\drivers\etc>cat hosts
> 'cat' is not recognized as an internal or external command,
> operable program or batch file.
>  (f*ing Windows)
> C:\WINDOWS\system32\drivers\etc>type hosts
> [...]
> 127.0.0.1       localhost
> 10.100.0.139 NPICF97AE
>
> C:\WINDOWS\system32\drivers\etc>ping google.com
>
> Pinging google.com [64.233.187.99] with 32 bytes of data:
> [...]
> P:\>nslookup virustotal.com
> Server:  vmspr2.parsec.com
> Address:  10.100.0.92
>
> Non-authoritative answer:
> Name:    virustotal.com
> Address:  74.53.201.162
>
>
> P:\>ping virustotal.com
>
> Pinging localhost [127.0.0.1] with 32 bytes of data:
>
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> [...]
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> P:\>tracert virustotal.com
>
> Tracing route to localhost [127.0.0.1]
> over a maximum of 30 hops:
>
>   1    <1 ms    <1 ms    <1 ms  localhost [127.0.0.1]
>
> Trace complete.
>
> ----- Original Message -----
> From: foo7775 at comcast.net
> To: "CLUE tech" <clue-tech at cluedenver.org>
> Sent: Monday, November 24, 2008 12:04:02 PM GMT -07:00 US/Canada Mountain
> Subject: Re: [clue-tech] Firefox hijacked
>
> Does it happen regardless of the browser used?  If not, I'd probably save
> his/her current profile info, remove the current FF installation &
> re-install the latest version.  Add in a couple of recommended plugins (I
> like NoScript/AdBlockPlus/FlashBlock myself), & combined with Ad-Aware's
> protection against "invisible" registry writes, then (based on my
> experience) you *should be* pretty well protected against *most* of the
> evil that's out there...
>
> Best of luck.
>
>  -------------- Original message ----------------------
> From: "David L. Willson" <DLWillson at TheGeek.NU>
>> I have a user (a Windows user, but his browser is Free, so I'm asking
>> here) who, after a bout with Antivirus 2009, can no longer reach certain
>> web sites, like "www.virustotal.com" and "www.drudgereport.com".  The
>> browser takes him to an ineffective portal page instead.
>>
>> I don't even know where to start with Googling this...  The point is to
>> return the browser to normal operation, of course.  Any ideas where to
>> start looking?
>
> _______________________________________________
> clue-tech mailing list
> clue-tech at cluedenver.org
> http://www.cluedenver.org/mailman/listinfo/clue-tech
>
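The diagnostics quoted above contain the key observation: nslookup gets the right answer for virustotal.com but ping and tracert resolve it to 127.0.0.1, and the visible hosts file has no entry for it. nslookup queries the DNS server directly and ignores the hosts file and the rest of the system resolver, while ping and tracert go through the system resolver, so when the two disagree and the hosts file is clean, the override lives somewhere in the local resolution path. The following script is an added example (not code from any poster on this thread) that turns that reasoning into a check: it parses a hosts file and classifies the three answers. The sample hosts text is the one posted above; the extra "www.example.invalid" entry and its addresses are constructed for illustration.

```python
"""Locate a name-resolution override from three observations: what the
system resolver returns (the path ping and tracert use), what a direct
DNS query returns (what nslookup prints), and what the hosts file says.
Added example for this thread; not code from any of the posters."""
import ipaddress
import os
import socket
import sys

# Hosts file contents as posted in the thread (the elided lines are omitted).
THREAD_HOSTS = "127.0.0.1       localhost\r\n10.100.0.139 NPICF97AE\r\n"

# Constructed sample: the same file with a blocking entry appended after a
# run of blank lines, the case the thread's file does NOT show.
CONSTRUCTED_HOSTS = THREAD_HOSTS + "\n\n\n127.0.0.1 www.example.invalid # constructed\n"


def parse_hosts(text):
    """Map lower-cased hostname -> IP from hosts-file text.

    Tolerates CRLF, tabs, trailing '#' comments and several names per
    line.  The first entry for a name wins, as the resolver does it.
    """
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address: skip the line rather than fail
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def classify(hostname, resolver_ip, dns_ip, hosts_map, reference_ip=None):
    """Say which layer explains the resolver's answer.

    resolver_ip  : answer from gethostbyname (what ping/tracert printed)
    dns_ip       : answer from a direct query of the DNS server (nslookup)
    hosts_map    : parse_hosts() of the hosts file that was inspected
    reference_ip : optional answer from a known-clean machine
    """
    hosts_ip = hosts_map.get(hostname.lower())
    if hosts_ip is not None and hosts_ip == resolver_ip and hosts_ip != dns_ip:
        return "hosts-file entry"
    if resolver_ip != dns_ip:
        # nslookup bypasses the hosts file and the resolver stack, so a
        # mismatch with a clean hosts file means the override sits in the
        # local resolution path: a hosts file at a different location
        # than the one read, or a hook in the resolver stack.
        return "local override outside the inspected hosts file"
    if reference_ip is not None and dns_ip != reference_ip:
        return "dns answer differs from reference"
    if ipaddress.ip_address(resolver_ip).is_loopback:
        return "dns server answers loopback"
    return "consistent"


def hosts_path():
    """Default hosts file location for the running platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live use: python check.py HOSTNAME DNS_IP  (DNS_IP copied from nslookup)
        host, dns_ip = sys.argv[1], sys.argv[2]
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            hmap = parse_hosts(fh.read())
        print(classify(host, socket.gethostbyname(host), dns_ip, hmap))
    else:
        # Offline: replay the thread's evidence for virustotal.com.
        hmap = parse_hosts(THREAD_HOSTS)
        print("virustotal.com:",
              classify("virustotal.com", "127.0.0.1", "74.53.201.162", hmap))
```

On the machine in the thread this yields "local override outside the inspected hosts file". Two things worth checking in that case, as general practice rather than anything the posters reported: on Windows the resolver reads the hosts file from the directory named by the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so confirm that value still points at the file you typed out; and `netsh winsock show catalog` lists the layered providers that sit in the resolver path, where an unexpected entry would explain a result that no hosts file accounts for.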

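Mike's closing point about ps, ls and top being replaced to hide processes and files is the Linux counterpart of the hidden-file trick he describes on Windows. An added example (not from the thread) of the cheapest check for a replaced userland binary: ask the kernel directly through /proc and os.listdir and compare with what the binary reports. Two /proc scans bracket the ps run so that processes starting or exiting during the run are not reported as hidden. The PID and file-name sets in the offline demonstration are constructed. This only catches a swapped binary; a kernel-level rootkit lies to every caller, which is why the reinstall stance above is the safe one, and why package verification (rpm -V, debsums) or booting from clean media is the stronger test.

```python
"""Compare the kernel's view (/proc, directory listings) with what ps and
ls report, to spot a replaced userland binary that hides entries.
Added example for this thread; not code from any of the posters."""
import os
import subprocess
import sys


def proc_pids():
    """PIDs from the kernel's view: numeric entries in /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as reported by the ps binary, which may have been replaced."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(before, reported, after):
    """PIDs present in /proc both before and after ps ran, yet absent from
    ps output.  Requiring both scans filters processes that merely started
    or exited around the ps run.  Pure function, testable offline."""
    return sorted((before & after) - reported)


def proc_name(pid):
    """Command name of a PID straight from /proc, '?' if it vanished."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def ls_entries(path):
    """Directory entries as the ls binary reports them (dotfiles included)."""
    out = subprocess.run(["ls", "-A", "-1", path],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def hidden_entries(kernel_listing, ls_listing):
    """Names the kernel returned that ls left out.  Pure function."""
    return sorted(set(kernel_listing) - set(ls_listing))


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("needs /proc on Linux")
    before = proc_pids()
    reported = ps_pids()
    after = proc_pids()
    for pid in hidden_pids(before, reported, after):
        print("process hidden from ps:", pid, proc_name(pid))
    for path in sys.argv[1:] or ["/tmp"]:
        for name in hidden_entries(os.listdir(path), ls_entries(path)):
            print("entry hidden from ls in", path + ":", name)
```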