[clue-tech] Firefox hijacked

Russell Glissmann rglissma at gmail.com
Mon Nov 24 15:51:05 MST 2008


Well, since it appears you are pretty technically savvy, there is a tool
called HijackThis.  It's a tool that scans the system for browser helper
objects, startup objects, as well as a number of other items that can help
you narrow down problems like this.  Just have to be careful, because it's a
brute force tool, it doesn't hold your hand and it can, and will, cheerfully
remove things that shouldn't be removed.  The way I use it is to look for
lines with nonsense names (werrs.exe, wjjy.exe).  Most of the newer trojans
are self replicating, so even if you remove one instance of it, there are
multiple others lurking and waiting to start.  But if you can stop one
instance from starting, the rest can be found with other anti-virus /
anti-spyware tools, such as Ad-Aware or Spybot.
HijackThis can be found at
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis .

Russ

On Mon, Nov 24, 2008 at 1:44 PM, David L. Willson <DLWillson at thegeek.nu> wrote:

> Update:  It happens with both browsers.  Drudge Report was a misspelling.
>  He was trying to get to Drudge ReReport (and DenverNews.com.com, too).
>  Virus Total doesn't work in either browser, doesn't ping, and doesn't
> trace, but it does 'nslookup'.  I've run a 'repair' and checked TCP/IP
> settings, hosts file, and proxy.
>
> On my system, it looks like this:
>
> $ ping -c3 virustotal.com
> PING virustotal.com (74.53.201.162) 56(84) bytes of data.
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=1 ttl=55
> time=93.0 ms
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=2 ttl=55
> time=89.2 ms
> 64 bytes from viruskill2.hispasec.com (74.53.201.162): icmp_seq=3 ttl=55
> time=72.3 ms
>
> --- virustotal.com ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2009ms
> rtt min/avg/max/mdev = 72.331/84.881/93.050/9.007 ms
>
> On his busted-ass system, diagnostics look like this:
>
> P:\>ping virustotal.com
>
> Pinging localhost [127.0.0.1] with 32 bytes of data:
>
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> [...]
>
> P:\>c:
>
> C:\>cd WINDOWS\system32\drivers\etc
>
> C:\WINDOWS\system32\drivers\etc>cat hosts
> 'cat' is not recognized as an internal or external command,
> operable program or batch file.
>  (f*ing Windows)
> C:\WINDOWS\system32\drivers\etc>type hosts
> [...]
> 127.0.0.1       localhost
> 10.100.0.139 NPICF97AE
>
> C:\WINDOWS\system32\drivers\etc>ping google.com
>
> Pinging google.com [64.233.187.99] with 32 bytes of data:
> [...]
> P:\>nslookup virustotal.com
> Server:  vmspr2.parsec.com
> Address:  10.100.0.92
>
> Non-authoritative answer:
> Name:    virustotal.com
> Address:  74.53.201.162
>
>
> P:\>ping virustotal.com
>
> Pinging localhost [127.0.0.1] with 32 bytes of data:
>
> Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
> [...]
>    Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> P:\>tracert virustotal.com
>
> Tracing route to localhost [127.0.0.1]
> over a maximum of 30 hops:
>
>  1    <1 ms    <1 ms    <1 ms  localhost [127.0.0.1]
>
> Trace complete.
>
> ----- Original Message -----
> From: foo7775 at comcast.net
> To: "CLUE tech" <clue-tech at cluedenver.org>
> Sent: Monday, November 24, 2008 12:04:02 PM GMT -07:00 US/Canada Mountain
> Subject: Re: [clue-tech] Firefox hijacked
>
> Does it happen regardless of the browser used?  If not, I'd probably save
> his/her current profile info, remove the current FF installation &
> re-install the latest version.  Add in a couple of recommended plugins (I
> like NoScript/AdBlockPlus/FlashBlock myself), & combined with Ad-Aware's
> protection against "invisible" registry writes, then (based on my
> experience) you *should be* pretty well protected against *most* of the evil
> that's out there...
>
> Best of luck.
>
>  -------------- Original message ----------------------
> From: "David L. Willson" <DLWillson at TheGeek.NU>
> > I have a user (a Windows user, but his browser is Free, so I'm asking
> > here) who, after a bout with Antivirus 2009, can no longer reach certain
> > web sites, like "www.virustotal.com" and "www.drudgereport.com".  The
> > browser takes him to an ineffective portal page instead.
> >
> > I don't even know where to start with Googling this...  The point is to
> > return the browser to normal operation, of course.  Any ideas where to
> > start looking?
>
> _______________________________________________
> clue-tech mailing list
> clue-tech at cluedenver.org
> http://www.cluedenver.org/mailman/listinfo/clue-tech
>
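The diagnostics quoted above carry a useful signal: nslookup (which talks to the DNS server directly) returns the real address for virustotal.com, while ping and tracert (which go through the Windows resolver, hosts file and Winsock stack) get 127.0.0.1, and the visible hosts file is clean. The mismatch localises the redirect to the host's resolution path rather than DNS or the hosts file. The script below is an added example, not something from the thread: it parses a hosts file and triages each observed name by comparing the OS answer with the DNS answer. The hosts file contents, the observations and the `triage` classification labels are constructed from the quoted output.

```python
import ipaddress
import socket
from typing import Dict, List, Tuple

# Constructed copy of the hosts file shown in the thread (comment line added).
HOSTS_FILE = """\
# Hosts file as typed out in the thread
127.0.0.1       localhost
10.100.0.139 NPICF97AE
"""

# (hostname, answer from ping/tracert via the OS resolver, answer from nslookup)
# Constructed from the quoted diagnostics.
OBSERVATIONS: List[Tuple[str, str, str]] = [
    ("virustotal.com", "127.0.0.1", "74.53.201.162"),
    ("google.com", "64.233.187.99", "64.233.187.99"),
]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the hosts file assigns it."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = addr
    return table


def classify(hostname: str, os_answer: str, dns_answer: str,
             hosts: Dict[str, str]) -> str:
    """Explain a resolver/DNS disagreement for one name."""
    if os_answer == dns_answer:
        return "consistent"          # nothing between the app and DNS rewrote it
    if hosts.get(hostname.lower()) == os_answer:
        return "hosts-file-override"  # explained by a visible hosts entry
    if ipaddress.ip_address(os_answer).is_loopback:
        return "resolver-hijack"      # loopback answer with no hosts entry: look
                                      # at the resolution path, not the DNS server
    return "mismatch"


def triage(observations, hosts: Dict[str, str]) -> Dict[str, str]:
    """Classify every observed hostname; keys are hostnames, values are labels."""
    return {h: classify(h, o, d, hosts) for h, o, d in observations}


def os_resolve(hostname: str) -> str:
    """Live OS-resolver answer for a host (same path ping uses); needs a network."""
    return socket.gethostbyname(hostname)
```

To reproduce the comparison on a suspect machine, pair `os_resolve` with the address nslookup reports and feed both into `classify`; a `resolver-hijack` result means the hosts file is not the place to keep looking.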