5HTSynaptrip
Dopamine Enthusiast

Re: my browser is being hijacked [Re: BlimeyGrimey]
#14673982 - 06/26/11 08:52 AM
Yeah, that can work, as well as just aswMBR.exe. The problem lies in not identifying the rootkit and reinstalling Windows. When you do that, pretty much everything won't recognize what you have, as was the case with me. The only way I ended up finding out I had a virus was using FTK Imager to get a complete memory dump and painstakingly scrolling through 8 gigs of shit in a hex viewer until I did indeed find the JavaScript and other shit the motherfucker was doing on my laptop. It had a keylogger and would always try sending info from my laptop. During this time I had it offline and only used a bootable Linux CD or my iPhone to go online.
The boot-time scan from my avast! Internet Security didn't catch it, but the avast! Rescue CD did find a fair amount of shit. The avast! CD is pretty fucking sweet if you ask me; it boots into a Windows-type environment and is better than their old BART CDs, but only costs $10 instead of $140 a year or something (you don't license the CD either). Installing anything on top of rootkits (conventional AV suites) can really leave you believing you're safe, because the kernel is fucked in Win and the scans simply cannot see them sometimes. Now I just use bootable Linux stuff though, and I feel stupid for not doing it sooner. Just booting into Parted Magic alone and looking through my OS drive, finally seeing all the kernel logs and other shit Win 7 makes fucking hard or impossible to see when running the OS, is really an amazing way to see what's going on.
--------------------
Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.
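The hex-viewer slog described in the post above can be automated. What follows is an added example, not code from the post or from FTK Imager or avast!: it carves printable ASCII and UTF-16LE strings out of a raw memory image in streamed chunks (so an 8 GB dump never has to fit in RAM) and flags the things a browser hijacker leaves behind, such as injected script tags, obfuscated JavaScript calls and beacon URLs. The indicator patterns, thresholds and the sample "dump" are my own constructions for this example; real dumps will need tuning and the hits still need a human eye.

```python
"""Carve printable strings from a raw memory image and flag web-injection
indicators. Added example for this thread; the indicator patterns are
illustrative choices, not any vendor's signatures."""
import io
import re
from typing import BinaryIO, Dict, List

MIN_LEN = 8  # shortest run worth carving, the same default strings(1) uses

# ASCII runs, and UTF-16LE runs (Windows keeps much in-memory text as UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Artifacts worth a closer look in a dump from a machine with a browser hijacker.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE),
    "script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "iframe_tag": re.compile(r"<iframe\b", re.IGNORECASE),
    "js_obfuscation": re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE),
}


def scan_stream(fh: BinaryIO, chunk_size: int = 1 << 20, overlap: int = 4096) -> List[Dict]:
    """Stream the image chunk by chunk. The tail of each chunk is carried into the
    next so a string straddling a boundary is seen whole; hits are keyed by
    (offset, indicator, position) so a truncated copy from the first chunk is
    replaced by the full one. A string longer than `overlap` that crosses a
    boundary still shows up as two fragments, so size `overlap` generously."""
    found: Dict[tuple, Dict] = {}
    carry = b""
    pos = 0  # absolute offset of the next byte to be read
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        buf_base = pos - len(carry)
        for regex, encoding in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
            for m in regex.finditer(buf):
                text = m.group().decode(encoding)
                offset = buf_base + m.start()
                for name, pattern in INDICATORS.items():
                    for im in pattern.finditer(text):
                        key = (offset, name, im.start())
                        hit = {"offset": offset, "encoding": encoding,
                               "indicator": name, "match": im.group()}
                        # keep the longer match if the same hit was seen truncated
                        if key not in found or len(hit["match"]) > len(found[key]["match"]):
                            found[key] = hit
        pos += len(chunk)
        carry = buf[-overlap:]
    return [found[k] for k in sorted(found)]


def scan_bytes(data: bytes, **kw) -> List[Dict]:
    return scan_stream(io.BytesIO(data), **kw)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image: non-printable filler with a few
    planted artifacts of the kind the post describes (injected script, a beacon
    to a collection URL, a UTF-16 string as a browser process would hold it)."""
    filler = b"\x00\xff\x01\xfe" * 512
    return (filler
            + b"<script>eval(unescape('%68%74%74%70'))</script>" + filler
            + b"POST http://c2.example.invalid/collect.php?k=1 HTTP/1.1" + filler
            + "https://cdn.example.invalid/lib.js".encode("utf-16-le") + filler)


if __name__ == "__main__":
    # Against a real image: scan_stream(open(r"memdump.raw", "rb"))
    for hit in scan_bytes(build_sample_dump()):
        print(f"{hit['offset']:#010x} {hit['encoding']:10} {hit['indicator']:15} {hit['match']}")
```

Run it against the FTK Imager output with `scan_stream(open("memdump.raw", "rb"))`; the offsets it prints are the places to jump to in the hex viewer, and the URL hits are what to compare against the hosts the laptop kept trying to reach.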
makaveli8x8
Stranger

Re: my browser is being hijacked [Re: 5HTSynaptrip]
#14674387 - 06/26/11 11:07 AM
OK, I may have found a bit of information. I changed my browser homepage from the Firefox "default" to www.google.com and I used that all yesterday with no problems, but again, the problems were random, so that's not saying a whole lot.
Then I switched back to "default", aka "about:home", and the first search I did sent me to that website. Then, even more interesting, when I clicked a link in the search it didn't show the website but instead showed me the "code".
For example, if I type in shroomery and click on the first result it takes me to this link
http://www.shroomery.org/smarty/templates/css/doctypes.css
and what I'm shown is this
Quote:
ul.icons { margin: 0; padding: 0 0 0 10px; }
.icons li { list-style-type: none; background: left top no-repeat; text-decoration: none; z-index: 100000; margin: 0; padding: 0 0 0 20px; }
li.section { background-image: url('/siteimages/folder.gif'); }
li.link { background-image: url('/siteimages/link.gif'); }
li.file { background-image: url('/siteimages/file.gif'); }
li.document, li.html, li.shortcut, li.sitelink, li.script { background-image: url('/siteimages/doc.gif'); }
I dunno what any of this means; it sounds like something could have infested my browser, or it may be a rootkit. It will prolly take me a few days to do an avast boot scan, as it's a pain in the ass for me to set aside the time to do all this crap, but I just wanted to give a little update and I'll post back when I get around to that boot scan.
--------------------
  We were sent to hell for eternity Ø h® We play on earth to pass the time Over-population the root of all Evil-brings the Elites Closer to the gates.
makaveli8x8
Stranger

Re: my browser is being hijacked [Re: makaveli8x8]
#14732614 - 07/07/11 06:27 PM
OK, finally got around to that boot scan.
Had a file ending in vload.class and vmain.class.
They were Java: Agent-AP Trj and other malware-gen.
I also found a decompression bomb, but the antivirus wouldn't do anything with it; it's a 45 MB zip file located in my browser cache or something.
Anyways, that boot scan got rid of my "search-results" hijacking problem. The only problem now, however, is that I assumed when I did a search with Firefox's default page that it used "Google", I mean that's what it would use whenever "search-results" didn't hijack it, so yeah, it should be using that. Well, it turns out I still have another hijacker apparently, because it uses BING!!!! Microsoft has some balls, let me tell yah.
--------------------
  We were sent to hell for eternity Ø h® We play on earth to pass the time Over-population the root of all Evil-brings the Elites Closer to the gates.
5HTSynaptrip
Dopamine Enthusiast

Re: my browser is being hijacked [Re: makaveli8x8]
#14735946 - 07/08/11 11:54 AM
Decompression bomb just means it was in a packer too large to open for a scan. This can be a zip with a really high compression ratio or an executable. If the file is from a legitimate site, like say a digital download of Office for example, then you can obviously disregard it.
--------------------
Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.
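The 45 MB zip the scanner skipped two posts up, and the explanation just given of why a scanner skips it, both come down to one number: how many bytes the archive claims it will turn into versus how many it occupies. The following is an added example, not avast!'s logic or code from this thread. It reads only the zip central directory to compute that ratio per member and overall, and separately shows how to inflate a member with a hard cap on the bytes actually produced, since the sizes in the directory are written by whoever built the archive and can lie. The thresholds and the sample archive are my own constructions.

```python
"""Screen a zip for decompression-bomb characteristics without inflating it, then
extract a member with a hard cap on the output. Added example for this thread,
not an antivirus product's logic; thresholds are illustrative choices."""
import io
import os
import zipfile
from typing import Dict, List

MAX_RATIO = 100.0    # uncompressed/compressed; documents and installers sit far below this
MAX_TOTAL = 1 << 30  # refuse archives that claim more than 1 GiB once expanded


def inspect_zip(data: bytes) -> Dict:
    """Read only the central directory. compress_size and file_size come from the
    archive itself, so they are attacker-controlled: this is a cheap screen, not proof."""
    members: List[Dict] = []
    total_in = total_out = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_size == 0:
                ratio = float("inf") if info.file_size else 0.0
            else:
                ratio = info.file_size / info.compress_size
            members.append({"name": info.filename, "compressed": info.compress_size,
                            "declared": info.file_size, "ratio": ratio,
                            "suspicious": ratio > MAX_RATIO})
            total_in += info.compress_size
            total_out += info.file_size
    overall = total_out / total_in if total_in else 0.0
    return {"members": members, "total_compressed": total_in, "total_declared": total_out,
            "overall_ratio": overall,
            "suspicious": overall > MAX_RATIO or total_out > MAX_TOTAL
                          or any(m["suspicious"] for m in members)}


class DecompressionLimitExceeded(Exception):
    pass


def extract_capped(data: bytes, name: str, limit: int) -> bytes:
    """Inflate one member but stop as soon as the output passes `limit`, so a
    lying header cannot talk us into filling RAM or the disk."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            block = fh.read(64 * 1024)
            if not block:
                break
            out += block
            if len(out) > limit:
                raise DecompressionLimitExceeded(f"{name}: more than {limit} bytes")
    return bytes(out)


def build_sample_archive() -> bytes:
    """Constructed test archive: one ordinary member (random bytes barely compress)
    and one bomb-shaped member (4 MiB of zeros deflate to a few KiB)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", os.urandom(4096))
        zf.writestr("bomb.bin", b"\x00" * (4 << 20))
    return buf.getvalue()


if __name__ == "__main__":
    # Against the real file: inspect_zip(open(r"cached.zip", "rb").read())
    report = inspect_zip(build_sample_archive())
    for m in report["members"]:
        flag = "BOMB?" if m["suspicious"] else "ok"
        print(f"{m['name']:12} {m['compressed']:>8} -> {m['declared']:>10}  x{m['ratio']:.0f}  {flag}")
    print("overall suspicious:", report["suspicious"])
```

A high ratio is not by itself proof of malice (a log file of repeated lines deflates just as well), which is why the second function matters more than the first: whatever the directory claims, never let an unpacker run without a ceiling on what it is allowed to write.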
imachavel
I loved and lost but I loved-ftw

Re: my browser is being hijacked [Re: gshock50]
#14737466 - 07/08/11 05:47 PM
Quote:
gshock50 said: Try CCleaner and if that doesn't work... People claim this removes it:
Quote:
http://www.surfright.nl/en/hitmanpro
Best of luck.
It's Malwarebytes, then Security Essentials, in Safe Mode, then CCleaner. CCleaner only clears your registry; if the virus is still there, the registry value will reset as soon as you go online. Before, I argued with suess that a proxy server checkbox means you have a virus. He said other programs do that as well, such as EarthLink etc. Well, right he may be, but in this situation you should remove it.
It should be in Internet Explorer: Tools, Internet Options, Connections, LAN Settings, then make sure the box is unchecked. I don't know, run arp, but if you don't know a lot about that it'll be impossible to tell if an IP address doesn't seem like it belongs, and honestly, if you are hooked up directly to a modem, then probably the internet will give you all types of ARP connections. I only read the first 3 replies; did people already cover the options I mentioned?
--------------------
I did not say to edit my signature soulidarity! Now forever I will never remember what I said about understanding the secrets of the universe by paying attention to subtleties!
I'm never giving you the password again. Jerk
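The checkbox mentioned above (Internet Options, Connections, LAN Settings) writes to the per-user WinINET registry key, and the point made about the value "resetting as soon as you go online" is easiest to act on if you can read those values back without clicking through the dialog each time. The following is an added example for this post, not code from anyone in the thread: the registry path and value names (`ProxyEnable`, `ProxyServer`, `ProxyOverride`, `AutoConfigURL` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`) are the real ones; the heuristics, the allow-list and the sample values are my own assumptions. On Windows it reads the live key; elsewhere it runs only on a supplied dict, which is also how you would feed it values from a `reg export` or from an offline hive pulled via a Linux live CD.

```python
"""Read the per-user WinINET proxy settings behind IE's 'Use a proxy server for
your LAN' checkbox and flag values a hijacker would plant. Added example; the
key and value names are Microsoft's, the heuristics are this example's own."""
import sys
from typing import Dict, List, Optional

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
WATCHED = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL")


def read_internet_settings() -> Optional[Dict[str, object]]:
    """Live read on Windows; None elsewhere so assess_proxy_settings can still be
    run on a dict built from an exported or offline hive."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    values: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in WATCHED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return values


def assess_proxy_settings(values: Dict[str, object], expected_proxies=()) -> List[str]:
    """Return human-readable findings. Assumption: a home machine plugged straight
    into a modem should have no proxy and no PAC URL; put a legitimate corporate
    proxy (host:port, lowercase) in `expected_proxies`."""
    findings: List[str] = []
    enabled = int(values.get("ProxyEnable", 0) or 0) == 1
    server = str(values.get("ProxyServer", "") or "")
    pac = str(values.get("AutoConfigURL", "") or "")

    if enabled:
        if not server:
            findings.append("ProxyEnable=1 but ProxyServer is empty")
        seen = set()
        for entry in server.split(";"):
            # ProxyServer is either 'host:port' or 'http=host:port;https=host:port;...'
            host = entry.split("=", 1)[-1].strip().lower()
            if not host or host in seen or host in expected_proxies:
                continue
            seen.add(host)
            findings.append(f"unexpected proxy {host}")
            if host.startswith(("127.", "localhost")):
                findings.append(f"{host} is this machine: a local process is sitting between the browser and the network")
    elif server:
        findings.append(f"ProxyServer={server!r} is set but disabled; unchecking the box did not clear it")

    if pac:
        # A PAC script can redirect only selected hosts, which fits a hijack that does
        # not trigger on every page.
        findings.append(f"AutoConfigURL is set to {pac}: a PAC script can redirect chosen sites only")
    return findings


# Constructed sample values for this example, not readings from a real machine.
SAMPLE_CLEAN = {"ProxyEnable": 0, "ProxyServer": ""}
SAMPLE_HIJACKED = {"ProxyEnable": 1,
                   "ProxyServer": "http=127.0.0.1:8118;https=127.0.0.1:8118",
                   "AutoConfigURL": "http://proxy.example.invalid/wpad.dat"}

if __name__ == "__main__":
    live = read_internet_settings()
    values = live if live is not None else SAMPLE_HIJACKED
    for line in assess_proxy_settings(values) or ["no proxy findings"]:
        print(line)
```

Run it before and after fixing the checkbox, then once more after the next reboot: if the findings come back, the thing writing the value is still running, and that is the process to hunt for rather than the setting to keep clearing.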
imachavel
I loved and lost but I loved-ftw

Re: my browser is being hijacked [Re: makaveli8x8]
#14737492 - 07/08/11 05:52 PM
Quote:
makaveli8x8 said: The weirdest thing about it is that it doesn't do it all the time. I ran the HitmanPro program and all it found were tracker cookies.
It hasn't done anything since then, but I have no reason to suspect it's gone.
It's very weird that these programs won't find it. I have run HijackThis, but like you say, it takes some time to read it. Nothing popped out at me, but there were a handful of exe's I have to Google.
Guess my next step is to run a full virus scan, but the thing is, again, that website says it's not spyware or a virus or anything, so maybe that's why none of these programs are finding it, I dunno.
That isn't going to work unless your internet security settings are set to the max, in which case the browser will probably block just about every other website you visit, including the Shroomery.
The problem with those tools that detect cookies and such things that websites give you is that just about all websites give them to you. To use the internet you have to download files from a website to allow your computer to use this. Some sites won't even let you visit them if you don't allow the site to download all the content necessary to visit it. I mean, if it works for people, great, but really, you should understand that when you use the internet, your IP address is pretty much public to any site you access, otherwise you won't have access to it. You are, literally, physically, connecting through dozens of networks just to get to one website. Most of them are firewalled and secured and encrypted up the ass. The problem is the ones that don't have just a bit of this will download the usual cookies, and then some. Make sense? You would have to take a two-week class to learn all the site rules and which ones are potentially harmful etc. Not visiting porn sites isn't good enough. There are several sites that will prompt you to download Windows updates, etc., things that look normal but completely trick the crap out of you. Only with experience do you know which of these are authentic and not.
--------------------
I did not say to edit my signature soulidarity! Now forever I will never remember what I said about understanding the secrets of the universe by paying attention to subtleties!
I'm never giving you the password again. Jerk
imachavel
I loved and lost but I loved-ftw

Re: my browser is being hijacked [Re: 5HTSynaptrip]
#14737502 - 07/08/11 05:54 PM
Quote:
5HTSynaptrip said: Yeah, that can work, as well as just aswMBR.exe. The problem lies in not identifying the rootkit and reinstalling Windows. When you do that, pretty much everything won't recognize what you have, as was the case with me. The only way I ended up finding out I had a virus was using FTK Imager to get a complete memory dump and painstakingly scrolling through 8 gigs of shit in a hex viewer until I did indeed find the JavaScript and other shit the motherfucker was doing on my laptop. It had a keylogger and would always try sending info from my laptop. During this time I had it offline and only used a bootable Linux CD or my iPhone to go online.
The boot-time scan from my avast! Internet Security didn't catch it, but the avast! Rescue CD did find a fair amount of shit. The avast! CD is pretty fucking sweet if you ask me; it boots into a Windows-type environment and is better than their old BART CDs, but only costs $10 instead of $140 a year or something (you don't license the CD either). Installing anything on top of rootkits (conventional AV suites) can really leave you believing you're safe, because the kernel is fucked in Win and the scans simply cannot see them sometimes. Now I just use bootable Linux stuff though, and I feel stupid for not doing it sooner. Just booting into Parted Magic alone and looking through my OS drive, finally seeing all the kernel logs and other shit Win 7 makes fucking hard or impossible to see when running the OS, is really an amazing way to see what's going on.
Well, it beats shoving in your Windows disk and doing a system repair, doesn't it? Or, even more painful, a full backup and reformat. The nice thing is, you know how to do all this. It's a pain, sure, but even more painful when a person has no idea what the fuck you are talking about.
--------------------
I did not say to edit my signature soulidarity! Now forever I will never remember what I said about understanding the secrets of the universe by paying attention to subtleties!
I'm never giving you the password again. Jerk
5HTSynaptrip
Dopamine Enthusiast

Re: my browser is being hijacked [Re: imachavel]
#14738301 - 07/08/11 09:13 PM
You guys should mess around with some of the Linux LiveCD stuff out there. Hell, just being able to browse through every single file/folder you want is incredible. The avast! Rescue CD kinda sucks balls since it can't do a lot in 64-bit OSes. It'll show you what is fucked with the registry, but it doesn't tell you which is what and what definitely needs to be deleted. Most of the time the Rescue Disc is only used if you're so fucked you can't boot into your system at all.
--------------------
Science is a way of thinking much more than it is a body of knowledge. - My hero, who will be forever remembered, Carl Sagan.