Well, since it appears you are pretty technically savvy, there is a tool called HijackThis. It's a tool that scans the system for browser helper objects, startup objects, as well as a number of other items that can help you narrow down problems like this. Just have to be careful, because it's a brute force tool, it doesn't hold your hand and it can, and will, cheerfully remove things that shouldn't be removed. The way I use it is to look for lines with nonsense names (werrs.exe, wjjy.exe). Most of the newer trojans are self replicating, so even if you remove one instance of it, there are multiple others lurking and waiting to start. But if you can stop one instance from starting, the rest can be found with other anti-virus / anti-spyware tools, such as Adaware, or Spybot.<br>
HijackThis can be found at <a href="http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis">http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis</a>.<br><br>Russ<br><br><div class="gmail_quote">
On Mon, Nov 24, 2008 at 1:44 PM, David L. Willson <span dir="ltr"><<a href="mailto:DLWillson@thegeek.nu">DLWillson@thegeek.nu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Update: It happens with both browsers. Drudge Report was a misspelling. He was trying to get to Drudge ReReport (and <a href="http://DenverNews.com.com" target="_blank">DenverNews.com.com</a>, too). Virus Total doesn't work in either browser, doesn't ping, and doesn't trace, but it does 'nslookup'. I've run a 'repair' and checked TCP/IP settings, hosts file, and proxy.<br>
<br>
On my system, it looks like this:<br>
<br>
$ ping -c3 <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
PING <a href="http://virustotal.com" target="_blank">virustotal.com</a> (<a href="http://74.53.201.162" target="_blank">74.53.201.162</a>) 56(84) bytes of data.<br>
64 bytes from <a href="http://viruskill2.hispasec.com" target="_blank">viruskill2.hispasec.com</a> (<a href="http://74.53.201.162" target="_blank">74.53.201.162</a>): icmp_seq=1 ttl=55 time=93.0 ms<br>
64 bytes from <a href="http://viruskill2.hispasec.com" target="_blank">viruskill2.hispasec.com</a> (<a href="http://74.53.201.162" target="_blank">74.53.201.162</a>): icmp_seq=2 ttl=55 time=89.2 ms<br>
64 bytes from <a href="http://viruskill2.hispasec.com" target="_blank">viruskill2.hispasec.com</a> (<a href="http://74.53.201.162" target="_blank">74.53.201.162</a>): icmp_seq=3 ttl=55 time=72.3 ms<br>
<br>
--- <a href="http://virustotal.com" target="_blank">virustotal.com</a> ping statistics ---<br>
3 packets transmitted, 3 received, 0% packet loss, time 2009ms<br>
rtt min/avg/max/mdev = 72.331/84.881/93.050/9.007 ms<br>
<br>
On his busted-ass system, diagnostics look like this:<br>
<br>
P:\>ping <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
<br>
Pinging localhost [<a href="http://127.0.0.1" target="_blank">127.0.0.1</a>] with 32 bytes of data:<br>
<br>
Reply from <a href="http://127.0.0.1" target="_blank">127.0.0.1</a>: bytes=32 time<1ms TTL=128<br>
[...]<br>
<br>
P:\>c:<br>
<br>
C:\>cd WINDOWS\system32\drivers\etc<br>
<br>
C:\WINDOWS\system32\drivers\etc>cat hosts<br>
'cat' is not recognized as an internal or external command,<br>
operable program or batch file.<br>
(f*ing Windows)<br>
C:\WINDOWS\system32\drivers\etc>type hosts<br>
[...]<br>
<a href="http://127.0.0.1" target="_blank">127.0.0.1</a> localhost<br>
<a href="http://10.100.0.139" target="_blank">10.100.0.139</a> NPICF97AE<br>
<br>
C:\WINDOWS\system32\drivers\etc>ping <a href="http://google.com" target="_blank">google.com</a><br>
<br>
Pinging <a href="http://google.com" target="_blank">google.com</a> [<a href="http://64.233.187.99" target="_blank">64.233.187.99</a>] with 32 bytes of data:<br>
[...]<br>
P:\>nslookup <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
Server: <a href="http://vmspr2.parsec.com" target="_blank">vmspr2.parsec.com</a><br>
Address: <a href="http://10.100.0.92" target="_blank">10.100.0.92</a><br>
<br>
Non-authoritative answer:<br>
Name: <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
Address: <a href="http://74.53.201.162" target="_blank">74.53.201.162</a><br>
<br>
<br>
P:\>ping <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
<br>
Pinging localhost [<a href="http://127.0.0.1" target="_blank">127.0.0.1</a>] with 32 bytes of data:<br>
<br>
Reply from <a href="http://127.0.0.1" target="_blank">127.0.0.1</a>: bytes=32 time<1ms TTL=128<br>
[...]<br>
Minimum = 0ms, Maximum = 0ms, Average = 0ms<br>
<br>
P:\>tracert <a href="http://virustotal.com" target="_blank">virustotal.com</a><br>
<br>
Tracing route to localhost [<a href="http://127.0.0.1" target="_blank">127.0.0.1</a>]<br>
over a maximum of 30 hops:<br>
<br>
1 <1 ms <1 ms <1 ms localhost [<a href="http://127.0.0.1" target="_blank">127.0.0.1</a>]<br>
<br>
Trace complete.<br>
<br>
----- Original Message -----<br>
From: <a href="mailto:foo7775@comcast.net">foo7775@comcast.net</a><br>
To: "CLUE tech" <<a href="mailto:clue-tech@cluedenver.org">clue-tech@cluedenver.org</a>><br>
Sent: Monday, November 24, 2008 12:04:02 PM GMT -07:00 US/Canada Mountain<br>
Subject: Re: [clue-tech] Firefox hijacked<br>
<br>
Does it happen regardless of the browser used? If not, I'd probably save his/her current profile info, remove the current FF installation & re-install the latest version. Add in a couple of recommended plugins (I like NoScript/AdBlockPlus/FlashBlock myself), & combined with Ad-Aware's protection against "invisible" registry writes, then (based on my experience) you *should be* pretty well protected against *most* of the evil that's out there...<br>
<br>
Best of luck.<br>
<br>
-------------- Original message ----------------------<br>
From: "David L. Willson" <DLWillson@TheGeek.NU><br>
> I have a user (a Windows user, but his browser is Free, so I'm asking here) who,<br>
> after a bout with Antivirus 2009, can no longer reach certain web sites, like<br>
> "<a href="http://www.virustotal.com" target="_blank">www.virustotal.com</a>" and "<a href="http://www.drudgereport.com" target="_blank">www.drudgereport.com</a>". The browser takes him to an<br>
> ineffective portal page instead.<br>
><br>
> I don't even know where to start with Googling this... The point is to return<br>
> the browser to normal operation, of course. Any ideas where to start looking?<br>
<br>
_______________________________________________<br>
clue-tech mailing list<br>
<a href="mailto:clue-tech@cluedenver.org">clue-tech@cluedenver.org</a><br>
<a href="http://www.cluedenver.org/mailman/listinfo/clue-tech" target="_blank">http://www.cluedenver.org/mailman/listinfo/clue-tech</a><br>
</blockquote></div><br>
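The diagnostics David posted show the signature of a local name-resolution hijack: nslookup, which queries the DNS server directly, returns 74.53.201.162 for virustotal.com, while ping and tracert, which go through the OS resolver (hosts file, then the Winsock name-resolution stack), get 127.0.0.1. As an added example that is not part of the thread, this Python script parses a hosts file in the Windows format, flags entries that pin non-local names to loopback, and classifies the ping/nslookup disagreement; the hosts content is constructed (the thread's own file was elided) and its redirect entry is hypothetical.

```python
import ipaddress

# Constructed sample in Windows hosts-file format, not the file from the
# thread; the last line is a hypothetical redirect added for the demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.100.0.139    NPICF97AE
127.0.0.1       www.virustotal.com virustotal.com   # hypothetical redirect
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: ip} for every active entry, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/full comments
        if not line:
            continue
        ip, *names = line.split()              # one IP, one or more names
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def suspicious_hosts_entries(mapping):
    """Entries that pin a non-local name to a loopback/unspecified address."""
    flagged = {}
    for name, ip in mapping.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged[name] = ip                 # unparsable address: review it
            continue
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            flagged[name] = ip
    return flagged


def classify_resolution(host, resolver_ip, dns_ip, hosts_map):
    """Compare the OS resolver's answer (ping/tracert) with a direct DNS
    answer (nslookup) and say where the override most likely lives."""
    if resolver_ip == dns_ip:
        return "consistent"
    if host.lower() in hosts_map:
        return "hosts-file override"
    return "resolver override outside hosts file"
```

A clean hosts file combined with a loopback answer from ping, as in the thread, points at the resolver layers below the hosts file (for example a Winsock provider), which is where tools like HijackThis look.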