Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers

Buy Site Supporter Role (remove some ads) | LPF Donations

Links below open in new window

FrozenGate by Avery

Browser hijacker - redirect "virus"

Status
Not open for further replies.





I have it now. Just downloaded Malwarebytes & doing a scan.
I have talked to other people that did this and no luck.
Will see what happens.
 
I'm a dumb IT guy so here's something you may be able to do to resolve it...

Type msconfig into the run command. Go to the startup tab and look for any suspicious programs and uncheck them and hit the apply button. If you get an access denied error don't worry it still worked.

Type regedit into the run command. Go to Hkey Local Machine -> Software -> Microsoft -> Shared Tools -> MSconfig

The things that you unchecked should show up under the folders startupreg or startupfolder below MSconfig. You should be able to see what those programs correspond with when you expand those two folders. If one of the programs looks like it goes with something you use don't mess with it...if it looks vague and obscure go ahead and delete it. This does not delete a program from your computer! All it does it is remove the program from the list of programs that startup when your computer starts up. Usually this will remove the symptoms of the virus/spyware (pretty sure you've actually got spyware but I could be wrong).

Once you can use the internet again try to download the following two free programs...malwarebytes and combofix. Malwarebytes is great at removing spyware and I use it a lot at work. Combofix is really used as a measure of last resort as it's a bit powerful and can accidentally delete something you need (I've never had that happen to me but I've heard it's happened so I'm at least acknowledging it as a possibility). I tend to use it only on severely affected machines. Combofix is really good at removing really malicious things called Rootkits.
Its ad ware. If any of you guys need help pm me.
 
Hi guys, don't think the problem is related to LPF server itself.

As a security engineer at the company I work for, I handle around 10 to 15 malware incidents per week. 90% of the time the user gets infected because

1) they are running outdated Java which basically means your computer gets infected by simply visiting any webpage with an exploit. (I was actually just credited for creating IDS rule to detect some of these exploits on Snort.org Blog)

2) adobe reader has same problems
3) quicktime, outdated flash, VLC media player... anything that involves the browser or the browser itself
In my opinion Google chrome is by far the most secure of browsers.

you could consider upgrading any outdated Java, adobe reader, flash, shockwave... any browser plugins... or just disable them

For Java sometimes its better to simply not even have it installed unless you really need it, or run it inside a virtual machine on your desktop

if u install java, it sometimes leaves old vulnerable versions behind so u gotta uninstall each one manually

In google chrome it basically autoupdates, and autoupdates the flash plugin as far as i know..

never had a single malware popup or anything suspicious in the last 2 or 3 years on any site. the key is keeping your 3rd party browser plugins updated


If anyone wants malware assistance, please let me know and I'm happy to help via TeamViewer remote support. just shoot me an email avery.a.tarasov @ securityengineer.pro


for antivirus i recommend kaspersky internet security 2013. u can schedule it to scan for vulnerabilities daily... the key is stopping the software vulnerabilities as they are what lets the malware in most of the time.

just my opinions here but hope this helps

talk soon
peace
 
Last edited:
tools i frequently use to check for rootkit infections (zeroaccess, tdl3, tdl4, tdss,alueron,etc).. many search hijacker use rootkit for persistance

aswMBR


Anti-rootkit utility TDSSKiller


they have personally helped me in investigations many times
 
Last edited:
FWIW Zonealarm now offers a free firewall and anti virus. The AV engine is supposed to be the same as used by Kasperski.
 
Here are some other things to try

1. Remove all the temp files out of your temp folder.

On win 7 and vista it should be C:\users\username \appdata\local\temp

On XP it should be C:\Documents and Settings\username\local settings\temp

2. Remove everything out of your prefetch folder

C:\windows\prefetch

3. Run TDSSKiller

4. For windows 7 check the C:\users\username folder for anything that looks out of place

For XP check C:\Documents and Settings\username

5. Check the programs in Msconfig to see if their are any programs you can't identify...and uncheck them

6. press control alt delete access task manager and look for any weird programs that look like they shouldn't be there (not for a novice)

7. Obviously check add remove programs for any bizarre program. Particularly anything that says search, toolbar, browser optimizer or some antivirus program you don't think should be there. Also check to see if you see anything called MyWebSearch or Starware...I run into those 2 a lot at work.

8. Try to create another local user account on your machine or use the built in administrator account...check to see if it's every profile on that machine that gets the problem or just the one

9. I run CCleaner a lot. It removes temp files...redirects like to hide in those temp files you forget to remove

10. The last time I got this rootkit it took me forever to fix it What finally worked was:

navigating to C:\Windows\System32\drivers\etc

This contains your HOSTS file. I noticed my Hosts file at the time had a recent date as to when it was last modified. It should be much older and if I'm not mistaken just as old as every other file in that etc folder. That was the clue that told me that the hosts file was the issue. I went to work and copied the hosts file from my work pc (same os...must be same os) and put it on my jump drive. I came home and copied the version from work and overwrite the one that was in the etc folder. This fixed my issue.
 
Last edited:
not sure if zone alarm also has it but what i really like about kaspersky internet security

* block domains extension (huge for stopping malware).. i block like all .info, .ru, .cn, .cc, .in, etc. stuff that i never go to so just block it.

* vulnerability scan feature is really good. find the vulnerabilities letting the malware in in the first place.
 
Last edited:
yah good advice on the hosts file
nice tips list norbie
 
Speaking of blocking. I forgot I even have it running, but I also run peerblock, which used to be good for anti p2p purposes, now not so much. The other great thing is, you can set it block custom lists of IP's including those common to IP's from which malware has been detected.

Vulnerability scan is interesting... I don't think I have seen that from any free service.
 
The people having this problem could you please tell us what OS and browser/s you are using. Is this issue just hitting Windows and if so what version. Same with the browser type and version. Could you also tell us step by step what you did just before you are jacked. What page on LPF you are on last etc?

All the best

Win 7 64 bit
IE 9.08

I haven't had any actual problems that I've noticed but MBAM (Malewarebytes) has popped up several times saying it was quarantining a file due to exploit.drop.9 or trojan.hapili (I think hapili is what is hijacking people's browser). The times I can remember what LPF page I was on, I was navigating back to LPF main page. MBAM has only given me a pop-up while on LPF.
 
Win 7 64 bit
IE 9.08

I haven't had any actual problems that I've noticed but MBAM (Malewarebytes) has popped up several times saying it was quarantining a file due to exploit.drop.9 or trojan.hapili (I think hapili is what is hijacking people's browser). The times I can remember what LPF page I was on, I was navigating back to LPF main page. MBAM has only given me a pop-up while on LPF.


That same thing happened to me last time I got it but eventually it got MUCH worse. Do a search on your computer for that file. I think I found the file in my c:\users\username\appdata\local...it should be somewhere in your profile.

Please also check your hosts file in c:\windows\system32\drives\etc

Open up that folder and select to view the files in it in the details view. Compare the date of the hosts file to the other files in that folder. If the date modified on the hosts file is fairly new as opposed to the dates on the other files in that folder then you have a problem.

Someone feel free to correct me if I'm wrong but my experience is none of these cool programs that search out spyware and viruses will actually fix your hosts file if it's been supplanted. You can either try a system restore or try to find a correct version of your os's host file and overwrite the tampered with host file with the correct one.
 
Last edited:
Just thought Id mention using XP SP3 and firefox with noscript. Since I turned noscript back on yesterday, I havent had any problems since.

WRT hosts file I just duplicated it and renamed the duplicate .bac. Should be the simplest option; if your hosts file gets hijacked, just swap it out... :beer:
 
Status
Not open for further replies.


Back
Top