Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Any help appreciated.
My daughter's PC seemed to have a browser hijack on it: clicking Google search links went to virus-software-pushing sites or Porntube; copying the links and pasting them into the address bar seemed to work better. I tried to update my AV to find spyware, but it said it couldn't find a web proxy, whatever settings I put in. IE and Firefox both still appear to connect to the net quite happily. I then tried installing Spybot S&D, and it couldn't get onto the net at 127.0.0.1, so wouldn't install. I checked my hosts file, and 127.0.0.1 localhost was the only entry. I then tried AdAware, which found a zillion infections (perhaps I should've recorded what they were, and now I can't find the log), removed them and rescanned, and it was declared clear. The browser redirect seems to have gone; however, I still can't install Spybot. To my untutored eye, nothing jumps out at me from a HijackThis log; it's quite short and all looks legit. I'll post it to their forum, though I would prefer to do a Spybot scan first. There's nothing obvious in the process list or installed programs either. CWShredder finds nothing.
How do I find out why AntiVir and Spybot can't find a web connection? I've not looked at registry entries yet. Are there any utilities that would tell me either what things there are on my machine to connect to, or what AV and Spybot are trying to connect to? I wonder if there is a Spybot install that doesn't need a web connection (goes to search ...)? On another machine, the Spybot install succeeds; there it wanted to connect to 87.106.2.233.
System is Sempron, XP(SP3), with a wired connection to Dlink hub/ADSL
Interestingly, the machine won't now start up in safe mode; as the list of drivers goes whizzing by, it stalls at the graphics driver gagp30kx.sys, which could be a clue. I thought that all graphics adapters had a default plain-vanilla VGA mode, and that safe mode used the minimum number of drivers? Is this related, and how might I fix this?
The nuclear option is, of course, a rebuild (she'll love rebuilding her Sims universe if it won't export). <edit> No, not gone: one of the Google redirects is to lovingclicks, and it intercepts access to security sites like free-av.com, and presumably what Spybot is trying to connect to, though there's still nothing that AdAware doesn't like </edit>
<edit> A while ago I did try to download Windows Defender, but couldn't, as I couldn't understand what I needed to do to download the downloader; each downloader appeared to need a different one, and eventually I gave up </edit>
<edit> As expected, 87.106.2.233 is the Spybot site, so the hijacker is redirecting it; however, hosts is still clean, and there is no occurrence of "87.106" in the registry, so it's presumably buried deeper than that. How else will the redirection be mediated? </edit>
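The post above establishes that the hosts file is clean yet the Spybot update host and free-av.com are still being redirected. On XP the next layer a redirect can be mediated at is DNS itself (a poisoned resolver cache, a hijacked DNS server setting, or a resolver hook), and the quickest offline check is to dump the local resolver cache with `ipconfig /displaydns` and look for two things: a watched site resolving somewhere other than its known address, and several unrelated security-vendor domains collapsing onto a single IP. The script below is an added example of that check and is not code from the thread or from any tool the posters used. The hostname www.safer-networking.org for the Spybot site is an assumption; 87.106.2.233 is the address reported in the post; the cache excerpt, the hosts contents and the 192.0.2.x/198.51.100.x addresses are constructed sample data so the script runs anywhere.

```python
"""Offline heuristic for spotting a DNS-level redirect of security sites.

Added example, not code from the thread.  On the XP box the raw data would come
from `ipconfig /displaydns` and the hosts file; here both are constructed strings.
"""
import re
from collections import defaultdict

# Constructed excerpt in the layout of "ipconfig /displaydns".  198.51.100.7 and
# 192.0.2.99 are documentation addresses standing in for real answers.
SAMPLE_DNS_CACHE = """
    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 192.0.2.99

    www.safer-networking.org
    ----------------------------------------
    Record Name . . . . . : www.safer-networking.org
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.7

    free-av.com
    ----------------------------------------
    Record Name . . . . . : free-av.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.7
"""

# Constructed hosts file, matching what the poster found (only localhost).
SAMPLE_HOSTS = """# hosts file
127.0.0.1       localhost
"""

# Where the watched sites *should* resolve.  The Spybot hostname is an
# assumption; 87.106.2.233 is the address reported in the thread.
EXPECTED = {"www.safer-networking.org": "87.106.2.233"}

RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")


def parse_displaydns(text):
    """Return {hostname: [ipv4, ...]} from 'ipconfig /displaydns' output."""
    cache = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = RECORD_NAME.search(line)
        if m:
            current = m.group(1).lower().rstrip(".")
            continue
        m = A_RECORD.search(line)
        if m and current:
            cache[current].append(m.group(1))
    return dict(cache)


def parse_hosts(text):
    """Return {hostname: ip} from a hosts file, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries


def base_domain(host):
    # Naive registrable domain (last two labels); fine for this check.
    return ".".join(host.split(".")[-2:])


def find_redirects(cache, expected, hosts):
    """Three independent indicators of a redirect below the hosts file."""
    findings = {"mismatch": [], "shared_ip": [], "hosts_override": []}
    # 1. A watched site resolves somewhere other than its known address.
    for host, want in expected.items():
        got = cache.get(host, [])
        if got and want not in got:
            findings["mismatch"].append((host, want, got))
    # 2. One address answering for unrelated domains: the signature of a
    #    blanket redirect of security vendors to a single attacker host.
    by_ip = defaultdict(set)
    for host, ips in cache.items():
        for ip in ips:
            by_ip[ip].add(base_domain(host))
    for ip, domains in sorted(by_ip.items()):
        if len(domains) >= 2:
            findings["shared_ip"].append((ip, sorted(domains)))
    # 3. hosts-file overrides for a watched name (none here: hosts was clean,
    #    which is exactly why the DNS cache is the next layer to look at).
    for host in expected:
        if host in hosts:
            findings["hosts_override"].append((host, hosts[host]))
    return findings


def run_demo():
    return find_redirects(parse_displaydns(SAMPLE_DNS_CACHE), EXPECTED,
                          parse_hosts(SAMPLE_HOSTS))


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items or "none")
```

On the infected machine the same parser would be fed the real `ipconfig /displaydns` output; if the cache looks clean, `ipconfig /all` shows which DNS servers the adapter is actually using, and `ipconfig /flushdns` followed by a fresh lookup tells whether the bad answer comes from the server or from something on the box answering in its place.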
Registered Member #27
Joined: Fri Feb 03 2006, 02:20AM
Location: Hyperborea
Posts: 2058
I recommend this online scanner: it often finds things that other methods fail to detect.
gagp30kx.sys seems to be an AGP driver that is needed since plain VGA does not exist anymore after the ISA bus got replaced. It seems that it is quite common for it to hang during boot for different reasons so it might be a coincidence.
You should also look for rootkits to be sure there is nothing hiding that virus scanners can't find. For example by using one of these:
Registered Member #618
Joined: Sat Mar 31 2007, 04:15AM
Location: Us-Great Lakes
Posts: 628
It might also be a new version of hacking I read about in a coworker's IEEE mag, where you can hijack an ISP cache, causing the ISP to redirect a person's browser to a website that looks like a legitimate website but is actually a malicious website.
Registered Member #72
Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659
Searching to post the HijackThis log led me to techsupportforum.com, an army of whitehats who like nothing more than to lead noobs by the hand through a disinfecting process; I would thoroughly recommend them. It took ComboFix with a custom script to sort it. Clean now, without a rebuild.
Registered Member #65
Joined: Thu Feb 09 2006, 06:43AM
Location:
Posts: 1155
Indeed, the B&N option is the most robust solution. If and only if you are NAT firewalled, the only host infected, and use safe media when reinstalling.
Some malware systems use a known worm or trojan to bait an AV scanning process. So the AV appears to "work", but the newest Windows plague includes some armored code that tricks the AV into killing & quarantining well known firewall components (finding out Zonelab's products were vulnerable to such issues was surprising.)
The end result is the user feels the system has resumed normal operation, and the remaining firewall appears to be functioning... except the process is not the firewall anymore.
This hit a few of our local systems last week, and was isolated on Saturday.
Often recommended for novice users: Ubuntu 8.10, Pidgin (MSN chat, Yahoo! IM, IRC), Firefox + NoScript + Adblock Plus, Qemu w/ kernel mod + XP image (read-only OS image).
Registered Member #96
Joined: Thu Feb 09 2006, 05:37PM
Location: CI, Earth
Posts: 4061
Grr. Yeah I heard something about another variant that replaces the antivirus as well after first disabling the "real" antivirus. Pretty evil, when will these scumbags get a real job instead of writing fraudware?
I say sentence a few of them to 25 years w/out parole. that'll learn them.
This site is powered by e107, which is released under the GNU GPL License. All work on this site, except where otherwise noted, is licensed under a Creative Commons Attribution-ShareAlike 2.5 License. By submitting any information to this site, you agree that anything submitted will be so licensed. Please read our Disclaimer and Policies page for information on your rights and responsibilities regarding this site.