-
November 13th, 2004, 11:34 PM
#11
Smif:
Did you import your settings from IE or did you say "import nothing"?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 13th, 2004, 11:36 PM
#12
If I were to write a cross-browser hijack, I would maybe insert <script> Document.Location(mysite)</script> into the HTML returned from a GET request, sort of like a man in the middle, but local?
Although, if you were able to "inject" like that, why not just change the HTML received into your own webpage? Then you can phish or whatever the hell you want.
edit:
hmmm... good point about that imported material... then I would have to ask, was this hijack present in IE?
-
November 14th, 2004, 12:00 AM
#13
Junior Member
Here's the update on my box.
Tiger, the process you talked about is gone, and it didn't come back when I reset. I did all the HJ stuff and my log currently looks like so:
Logfile of HijackThis v1.98.2
Scan saved at 2:51:38 PM, on 13/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\********\My Documents\Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
To answer other questions... I did actually run Ad-Aware when this problem first came up, but it didn't find anything so I didn't think to mention it here. Also, as for importing Explorer settings, I imported my favorites from IE but I don't remember telling it to import all the settings.
When I reset my box before making the changes in HJ the site came up again, but after doing as I was told it did not (and I'll add that my box runs faster now too), so I think my problem's fixed. Thank you all for your time - smif
-
November 14th, 2004, 04:09 AM
#14
Originally posted here by Soda_Popinsky
Maybe IE was responsible for the hijacker, but why would malware target Firefox when it gets there through IE? If IE gets exploited, then that means the exploited user has IE as their preferred browser, making FF functions of the payload irrelevant?
Using Occam's Razor on the two principal possibilities:
- Firefox got exploited
- Malware got onto the system via some other means and simply uses the default browser to open a site
I think the latter is the far simpler of the two. I've seen this happen with lots of different browsers on windows (Opera, NS4.x, Mozilla1.x, Firefox, IE, etc), it's not specific to each browser, nor is opening a webpage indicative of a hijack.
Simple way to find out: Smif, is Firefox set as your default browser?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
November 14th, 2004, 04:29 AM
#15
Junior Member
-
November 14th, 2004, 05:21 AM
#16
I may be beating a dead horse here, but I find this interesting. I agree that he was most likely exploited through means other than a Firefox exploit, but I still have questions:
1. Did you see this behavior on IE?
2. Why did you switch browsers in the first place?
3. Is IE/XP fully patched and was it before you switched browsers?
4. Did you use IE at all after you got firefox?
5. What version of Firefox are you using?
the first time i load Firefox every day it sends me to the website "http://www.dxstar.com/" .
Although I bet it's possible, I would expect it would be too complicated to code malware to redirect the initial homepage in your default browser. Pop-ups in the default browser are simple stuff, but this sounds unreasonable.
It still sounds to me like the malware is specifically targeting FF, instead of a default browser. Which is odd, because I believe it would only do that if the writer knew ahead of time that Firefox would be the browser being used. (exploit....?)
-
November 14th, 2004, 07:04 AM
#17
Junior Member
Soda, here are the answers to your questions:
1. No, I didn't have this problem with IE.
2. I switched for many reasons; the amount of browser hijacks on IE is one of them, but also a friend was raving about how great FF is comparatively, so I tried it out on his suggestion and continued using it because I like it.
3. To the best of my knowledge XP and IE are fully patched, and they were when I switched browsers.
4. IE has not been used since installing FF.
5. I have FF 1.0.
As to the other stuff you said, my home page was never changed (I did say this before); I was just sent to dxstar the first time I loaded FF. And also (as earlier stated) FF is my default browser, not IE.
Hope this answers your questions.
-
November 14th, 2004, 07:37 AM
#18
You did, thanks.
Open Internet Explorer, go to tools, and update Windows. For everything else, go ahead and use FF. If there are any high priority updates, let us know.
my home page was never changed (i did say this before),
I know what you are saying, it's just really odd, which makes it so much more interesting.
If you haven't deleted tppznyqt.exe, WUPDPIJ32.EXE, and kghnl.exe, stick 'em in a zip and send them my way, if that isn't a problem.
-
November 14th, 2004, 10:37 AM
#19
To play devil's advocate for just a second... there could be a simple answer to this:
Did you import settings from IE at the end of your Firefox install? If your home page is set due to something either you did or a browser hijack, and you imported it to FF, then it would certainly answer why it fires up like that.
Just curious, hehe...
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.