Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers

Browser hijacker - redirect "virus"

Member joined May 20, 2012:
I have it now. Just downloaded Malwarebytes and am doing a scan.
I have talked to other people who did this, and no luck.
We'll see what happens.
 
Member joined Jun 26, 2012:
I'm a dumb IT guy, so here's something you may be able to do to resolve it...

Type msconfig into the Run command. Go to the Startup tab, look for any suspicious programs, uncheck them and hit the Apply button. If you get an access denied error, don't worry, it still worked.

Type regedit into the Run command. Go to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Shared Tools -> MSConfig.

The things that you unchecked should show up under the folders startupreg or startupfolder below MSConfig. You should be able to see what those programs correspond to when you expand those two folders. If one of the programs looks like it goes with something you use, don't mess with it; if it looks vague and obscure, go ahead and delete it. This does not delete a program from your computer! All it does is remove the program from the list of programs that start up when your computer starts up. Usually this will remove the symptoms of the virus/spyware (pretty sure you've actually got spyware, but I could be wrong).

Once you can use the internet again, try to download the following two free programs: Malwarebytes and ComboFix. Malwarebytes is great at removing spyware and I use it a lot at work. ComboFix is really used as a measure of last resort, as it's a bit powerful and can accidentally delete something you need (I've never had that happen to me, but I've heard it's happened, so I'm at least acknowledging it as a possibility). I tend to use it only on severely affected machines. ComboFix is really good at removing really malicious things called rootkits.
It's adware. If any of you guys need help, PM me.
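The msconfig and regedit walk-through above can be done in one pass from PowerShell. The script below is an added example, not code posted in the thread: it lists the autostart entries the msconfig Startup tab reads (the Run/RunOnce keys and both Startup folders), adds the entries msconfig has already unchecked (which it parks under Shared Tools\MSConfig\startupreg rather than deleting), and for each one reports whether the command points at a file that still exists and whether that file is Authenticode-signed. The registry paths are the standard Windows ones; the helper and function names are my own.

```powershell
# Added example, not code from the thread: list the autostart entries that
# msconfig's Startup tab reads (Run keys and Startup folders) plus the entries
# msconfig has already unchecked, and check whether each command points at an
# existing, Authenticode-signed executable. Run from an elevated PowerShell
# prompt (PowerShell 2.0 or later). Registry paths are the standard ones.

function Get-ExecutablePath {
    # Extract the program path from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    C:\tools\bar.exe -x
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')      { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+\.exe)') { $path = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-SignerStatus {
    # Valid / NotSigned / HashMismatch ... as reported by Windows, or MISSING.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Add-Entry {
    param([string]$Location, [string]$Name, [string]$Command)
    $script:results += New-Object PSObject -Property @{
        Location  = $Location
        Name      = $Name
        Command   = $Command
        Signature = Get-SignerStatus (Get-ExecutablePath $Command)
    }
}

$script:results = @()
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Run / RunOnce keys. Wow6432Node holds 32-bit programs on 64-bit Windows;
#    HKCU entries need no admin rights to write, so malware favours them.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        Add-Entry -Location $key -Name $prop.Name -Command ([string]$prop.Value)
    }
}

# 2. Startup folders, resolved the same way msconfig does (Shell Folders keys).
#    Shortcuts are resolved to their target so the signature check is done on
#    the real executable, not on the .lnk file.
$wsh = New-Object -ComObject WScript.Shell
$shellFolders = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', 'Startup'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', 'Common Startup')
)
foreach ($pair in $shellFolders) {
    $folder = (Get-ItemProperty -Path $pair[0]).($pair[1])
    if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') { $target = $wsh.CreateShortcut($_.FullName).TargetPath }
            Add-Entry -Location $folder -Name $_.Name -Command ('"' + $target + '"')
        }
}

# 3. Entries unchecked in msconfig. msconfig moves them here rather than
#    deleting them; the binary stays on disk, so it is still worth inspecting.
$disabled = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path -Path $disabled) {
    foreach ($sub in Get-ChildItem -Path $disabled) {
        $item = Get-ItemProperty -Path $sub.PSPath
        Add-Entry -Location 'msconfig (disabled)' -Name $sub.PSChildName -Command ([string]$item.command)
    }
}

# Start with NotSigned or MISSING entries that launch from a user profile or
# %TEMP%: Microsoft and OEM components are almost always signed.
$script:results | Sort-Object Signature, Location |
    Format-Table -AutoSize Location, Name, Signature, Command
```

Two caveats a practitioner would want: a 32-bit PowerShell on 64-bit Windows sees the Wow6432Node view of HKLM\SOFTWARE, so run the 64-bit host; and deleting an entry under startupreg, as the post says, only removes the disabled bookkeeping record, the file it names is still on disk and a second component (service, scheduled task, browser helper object) can put it back, which is why the signature and file-existence columns matter more than the entry name.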
 

c0ldshadow (LPF Founder / Admin, joined Mar 17, 2006):
Hi guys, I don't think the problem is related to the LPF server itself.

As a security engineer at the company I work for, I handle around 10 to 15 malware incidents per week. 90% of the time the user gets infected because:

1) They are running outdated Java, which basically means your computer gets infected by simply visiting any webpage with an exploit. (I was actually just credited for creating an IDS rule to detect some of these exploits on the Snort.org blog.)

2) Adobe Reader has the same problems.

3) QuickTime, outdated Flash, VLC media player... anything that involves the browser, or the browser itself.

In my opinion Google Chrome is by far the most secure of browsers.

You could consider upgrading any outdated Java, Adobe Reader, Flash, Shockwave... any browser plugins... or just disable them.

For Java, sometimes it's better to simply not even have it installed unless you really need it, or to run it inside a virtual machine on your desktop.

If you install Java, it sometimes leaves old vulnerable versions behind, so you've got to uninstall each one manually.

Google Chrome basically auto-updates, and auto-updates the Flash plugin as far as I know.

I've never had a single malware popup or anything suspicious in the last 2 or 3 years on any site. The key is keeping your third-party browser plugins updated.

If anyone wants malware assistance, please let me know and I'm happy to help via TeamViewer remote support. Just shoot me an email at avery.a.tarasov @ securityengineer.pro

For antivirus I recommend Kaspersky Internet Security 2013. You can schedule it to scan for vulnerabilities daily... the key is stopping the software vulnerabilities, as they are what lets the malware in most of the time.

Just my opinions here, but hope this helps.

Talk soon,
peace
 
c0ldshadow (LPF Founder / Admin, joined Mar 17, 2006):
Tools I frequently use to check for rootkit infections (ZeroAccess, TDL3, TDL4, TDSS, Alureon, etc.). Many search hijackers use a rootkit for persistence:

aswMBR

Anti-rootkit utility TDSSKiller

They have personally helped me in investigations many times.
 
Member joined Mar 27, 2011:
FWIW, ZoneAlarm now offers a free firewall and antivirus. The AV engine is supposed to be the same as the one used by Kaspersky.
 

norbie (joined Jul 6, 2012):
Here are some other things to try:

1. Remove all the temp files out of your temp folder.

On Win 7 and Vista it should be C:\Users\username\AppData\Local\Temp

On XP it should be C:\Documents and Settings\username\Local Settings\Temp

2. Remove everything out of your Prefetch folder:

C:\Windows\Prefetch

3. Run TDSSKiller.

4. For Windows 7, check the C:\Users\username folder for anything that looks out of place.

For XP, check C:\Documents and Settings\username

5. Check the programs in msconfig to see if there are any programs you can't identify... and uncheck them.

6. Press Ctrl+Alt+Delete, open Task Manager and look for any weird programs that look like they shouldn't be there (not for a novice).

7. Obviously check Add/Remove Programs for any bizarre program, particularly anything that says search, toolbar, browser optimizer, or some antivirus program you don't think should be there. Also check to see if you see anything called MyWebSearch or Starware... I run into those two a lot at work.

8. Try to create another local user account on your machine, or use the built-in Administrator account. Check to see if it's every profile on that machine that gets the problem or just the one.

9. I run CCleaner a lot. It removes temp files... redirects like to hide in those temp files you forget to remove.

10. The last time I got this rootkit it took me forever to fix. What finally worked was:

navigating to C:\Windows\System32\drivers\etc

This contains your HOSTS file. I noticed my hosts file at the time had a recent date as to when it was last modified. It should be much older and, if I'm not mistaken, just as old as every other file in that etc folder. That was the clue that told me that the hosts file was the issue. I went to work and copied the hosts file from my work PC (same OS... must be the same OS) and put it on my jump drive. I came home, copied the version from work and overwrote the one that was in the etc folder. This fixed my issue.
 
c0ldshadow (LPF Founder / Admin, joined Mar 17, 2006):
Not sure if ZoneAlarm also has it, but what I really like about Kaspersky Internet Security:

* Block domains by extension (huge for stopping malware). I block like all .info, .ru, .cn, .cc, .in, etc., stuff that I never go to, so just block it.

* The vulnerability scan feature is really good. Find the vulnerabilities letting the malware in in the first place.
 
c0ldshadow (LPF Founder / Admin, joined Mar 17, 2006):
Yeah, good advice on the hosts file.
Nice tips list, norbie.
 
Member joined Mar 27, 2011:
Speaking of blocking, I forgot I even have it running, but I also run PeerBlock, which used to be good for anti-P2P purposes, now not so much. The other great thing is you can set it to block custom lists of IPs, including those common to IPs from which malware has been detected.

Vulnerability scan is interesting... I don't think I have seen that from any free service.
 
Member joined Sep 25, 2012:
The people having this problem, could you please tell us what OS and browser(s) you are using? Is this issue just hitting Windows, and if so, what version? Same with the browser type and version. Could you also tell us step by step what you did just before you got hijacked? What page on LPF were you on last, etc.?

All the best

Win 7 64-bit
IE 9.08

I haven't had any actual problems that I've noticed, but MBAM (Malwarebytes) has popped up several times saying it was quarantining a file due to Exploit.Drop.9 or Trojan.Hapili (I think Hapili is what is hijacking people's browser). The times I can remember what LPF page I was on, I was navigating back to the LPF main page. MBAM has only given me a pop-up while on LPF.
 

norbie (joined Jul 6, 2012), quoting the post above:
> Win 7 64-bit
> IE 9.08
>
> I haven't had any actual problems that I've noticed, but MBAM (Malwarebytes) has popped up several times saying it was quarantining a file due to Exploit.Drop.9 or Trojan.Hapili (I think Hapili is what is hijacking people's browser). The times I can remember what LPF page I was on, I was navigating back to the LPF main page. MBAM has only given me a pop-up while on LPF.

That same thing happened to me last time I got it, but eventually it got MUCH worse. Do a search on your computer for that file. I think I found the file in my C:\Users\username\AppData\Local... it should be somewhere in your profile.

Please also check your hosts file in C:\Windows\System32\drivers\etc

Open up that folder and select to view the files in it in the Details view. Compare the date of the hosts file to the other files in that folder. If the date modified on the hosts file is fairly new as opposed to the dates on the other files in that folder, then you have a problem.

Someone feel free to correct me if I'm wrong, but my experience is none of these cool programs that search out spyware and viruses will actually fix your hosts file if it's been supplanted. You can either try a System Restore or try to find a correct version of your OS's hosts file and overwrite the tampered-with hosts file with the correct one.
 
Member joined Jan 29, 2012:
Just thought I'd mention I'm using XP SP3 and Firefox with NoScript. Since I turned NoScript back on yesterday, I haven't had any problems.

WRT the hosts file, I just duplicated it and renamed the duplicate .bac. Should be the simplest option; if your hosts file gets hijacked, just swap it out... :beer:
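norbie's tip 10, his follow-up about comparing the hosts file's date with its neighbours, and the hosts.bac backup idea above all describe the same check by hand. The script below is an added example, not code from any of the posters: it compares the hosts file's modification time and attributes with the other files in System32\drivers\etc, lists every active mapping (a stock Windows hosts file has none apart from the XP-era "127.0.0.1 localhost" line, so anything else is either a block or a redirect), saves a hosts.bac copy when the file looks clean, and restores from that copy on request. The function names and the one-day timestamp margin are my own choices, not anything Windows defines.

```powershell
# Added example, not code from the thread: check the hosts file a redirect
# hijacker tampers with, keep a known-good copy named hosts.bac (the naming
# used above), and restore from it. Run from an elevated PowerShell prompt on
# Windows (PowerShell 2.0 or later). The one-day timestamp margin is a chosen
# threshold, not a Windows rule.

$etcDir    = Join-Path $env:SystemRoot 'System32\drivers\etc'
$hostsPath = Join-Path $etcDir 'hosts'
$backup    = "$hostsPath.bac"

function Test-HostsFile {
    param([string]$Path = $hostsPath)
    $findings = @()
    $file = Get-Item -LiteralPath $Path -Force      # -Force: also finds it when Hidden

    # 1. Timestamp and attributes. On a clean install hosts is as old as its
    #    neighbours (lmhosts.sam, networks, protocol, services); hijackers also
    #    tend to set the Hidden attribute so the file is not noticed.
    $siblings = Get-ChildItem -LiteralPath $etcDir -Force |
                Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'hosts' }
    $newest = ($siblings | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    if ($newest -and $file.LastWriteTime -gt $newest.AddDays(1)) {
        $findings += "hosts modified $($file.LastWriteTime); other files in etc last modified $newest"
    }
    if (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
        $findings += 'hosts has the Hidden attribute set'
    }

    # 2. Content. A stock Windows hosts file has no active mappings except, on
    #    XP, "127.0.0.1 localhost". Anything else is either a block (real name
    #    pointed at loopback, often used against AV update servers) or a
    #    redirect (real name pointed at somebody else's address).
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -split '#')[0].Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $ip = $parts[0]
        $loopback = ($ip -like '127.*') -or ($ip -eq '::1')
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($loopback -and $name -eq 'localhost') { continue }
            if ($loopback) { $findings += "$name is blocked (mapped to $ip)" }
            else           { $findings += "$name is redirected to $ip" }
        }
    }
    return $findings
}

function Backup-HostsFile {
    if (Test-Path -LiteralPath $backup) { Write-Warning "$backup already exists, not overwriting"; return }
    Copy-Item -LiteralPath $hostsPath -Destination $backup
}

function Restore-HostsFile {
    # Clear Hidden/ReadOnly so the copy can overwrite, then flush the resolver
    # cache so the old mappings stop being served immediately.
    (Get-Item -LiteralPath $hostsPath -Force).Attributes = 'Normal'
    Copy-Item -LiteralPath $backup -Destination $hostsPath -Force
    ipconfig /flushdns | Out-Null
}

$issues = @(Test-HostsFile)
if ($issues.Count -eq 0) {
    Write-Host 'hosts file looks clean; saving a backup copy'
    Backup-HostsFile
} else {
    Write-Host 'Suspicious hosts file:'
    $issues | ForEach-Object { Write-Host "  $_" }
    Write-Host "Review the entries above, then run Restore-HostsFile if $backup is a known-good copy."
}
```

The content check is the one the timestamp check cannot replace: a hijacker that touches the file with a backdated timestamp still has to leave its mappings in the text. Take the backup only after the file has been read and found clean, otherwise hosts.bac just preserves the tampered version; and since the same malware that rewrites hosts usually also persists through an autostart entry, restoring the file without removing that entry only lasts until the next reboot.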
 