Sites that hijack non-existing pages


Postby Yamori » Thu Jun 21, 2007 3:29 pm

So right now some ad-riddled site has mysteriously shown up every time a site I'm attempting to reach doesn't load or doesn't exist... aka if I type in "343243243243243243.com", or some site that won't load, it loads up some standard template page filled with ads.

It's become an issue since it has interfered with Gmail and is blocking my access to it (i.e., the Gmail page now just loads some 3rd-party ad-orgy that says "GOOGLE.COM", with ads for "Giggle", "Goggle", etc.).

Anyone know what I'm talking about and how to get rid of this?

It seems to be doing this on both Firefox AND IE, meaning it's some sort of sneaky program somewhere. Spyware detectors aren't picking it up.
-Yamori
AKA ~~Baron Boshie of the Nameless~~

Postby Naethyn » Thu Jun 21, 2007 3:32 pm

You're fucked.
Maeya wrote:And then your head just aches from having your hair pulled so tight for so long...

Postby Lueyen » Thu Jun 21, 2007 3:49 pm

The first thing you should probably try is to flush your browser cache, although if it's doing it in both it's more likely than not malware.

I ran across a really nasty malware program about a year ago on a co-worker's computer. It renamed its executable on startup and shutdown as well as modifying its registry keys, and it was a browser hijacker (which is what you are talking about).

Try this link:
http://216.180.233.162/~merijn/programs.php

It should work if the hijacker is simply changing dns resolution, which is probably the case.

Download the program called hijackthis.exe

It scans your computer for suspicious startup items, and I have yet to find any malware that can hide from it. Unfortunately it's a manual removal utility because it shows many items, and most of them are legit. You can post the results, however, and people here can probably help you identify the nasties.

You also might do a quick check to make sure there are no local dns redirects.

Start > Run

notepad "%systemroot%\system32\drivers\etc\hosts"

Lines that start with # are just comments, and you should only have one line that isn't a comment.

127.0.0.1 localhost

Anything else you should recognize. You can add the # in front of all other lines to make sure it's a problem and not something a program needs, and easily restore it later. After you edit and save the file, however, you will want to flush your browser cache.
Raymond S. Kraft wrote:The history of the world is the history of civilizational clashes, cultural clashes. All wars are about ideas, ideas about what society and civilization should be like, and the most determined always win.

Those who are willing to be the most ruthless always win. The pacifists always lose, because the anti-pacifists kill them.

Postby 10sun » Thu Jun 21, 2007 3:49 pm

It might simply be that your host file is screwed up.

Try typing 64.233.167.99 into your browser's address bar.

Postby Yamori » Thu Jun 21, 2007 4:11 pm

10sun wrote:It might simply be that your host file is screwed up.

Try typing 64.233.167.99 into your browser's address bar.

It brought up google. So far google is still loading up as a homepage normally, it's just server-error pages and Gmail that are loading this crap. :(

Postby Yamori » Thu Jun 21, 2007 4:20 pm

Thanks for the info Lueyen. :O

Here is the HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:59 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 1735354298
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1735296080
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Postby Lueyen » Thu Jun 21, 2007 5:37 pm

I don't see anything that looks abnormal. It may still be malware renaming itself as something legit.

Can you post your hosts file?

Also try opening a command prompt and typing:

ping www.invalidaddressyoutriedtogoto.com

If it gets a response then you are dealing with a redirect; if not, it's probably specific to web browsing, and your "not found" page may have been replaced.
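The ping test Lueyen describes, written up as an added example that is not part of the thread: resolve a few random names that cannot exist and see whether they come back with an address anyway. `random_label`, `system_resolve` and `detect_nxdomain_hijack` are names chosen here, and the fake resolvers in the usage are only for illustration.

```python
import random
import socket
import string

def random_label(length=16):
    """Build a throwaway hostname nobody registered, like the 343243... example."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length)) + ".com"

def system_resolve(name):
    """Resolve with the OS resolver (hosts file first, then DNS); None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def detect_nxdomain_hijack(resolve=system_resolve, probes=3):
    """Classify what happens to names that should not exist.

    Returns one of:
      'clean'    - no probe resolved: bogus names fail as they should
      'wildcard' - every probe resolved to the same address: something between
                   the machine and the real DNS answers NXDOMAIN with an IP,
                   which is what a hosts-file or DNS-level redirect looks like
      'mixed'    - some probes resolved, or to different addresses: inconclusive,
                   repeat with more probes
    """
    answers = [resolve(random_label()) for _ in range(probes)]
    hits = [a for a in answers if a is not None]
    if not hits:
        return "clean"
    if len(hits) == probes and len(set(hits)) == 1:
        return "wildcard"
    return "mixed"

if __name__ == "__main__":
    # Live check against the real resolver of the machine this runs on.
    print(detect_nxdomain_hijack())
```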

Postby Yamori » Thu Jun 21, 2007 6:17 pm

The ping got a response~~

Also, what is a hosts file?

Also thanks for thy help sir!

Postby Lueyen » Thu Jun 21, 2007 6:46 pm

Click on Start, then Run, then copy and paste the following line.

notepad "%systemroot%\system32\drivers\etc\hosts"

Click OK; it will open a Notepad window showing the file.

Find the last line that starts with the # and copy/paste everything below it.

To answer the question of what it is: when you request a webpage you put in a name, but to actually request the page the computer has to reference the IP address. To get that IP address the computer first checks this file to see if the address is listed; if it is, it uses that IP address, and if not, it queries your DNS server (normally at your ISP) to get the address. So if a program modified your hosts file, it can make specific addresses always return the IP address of the site you are getting instead of their actual address.

I've seen some malware programs add hundreds of lines to this file, basically with the idea of redirecting common sites to some advertising site instead (usually one that installs more malware to boot).

As I stated previously you should usually only have one line (excluding the lines starting with #) and that line tells the computer to resolve the name "localhost" to 127.0.0.1 which is like saying "me" in English.
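Lueyen's rule for reading the hosts file (comments start with #, and the only active line should be `127.0.0.1 localhost`) as an added example, not code from the thread: the parser below strips comments, checks every remaining mapping against that single expected entry, and says why each extra line is suspicious. The sample file contents and the addresses in them are constructed; `parse_hosts` and `audit_hosts` are names chosen here.

```python
import ipaddress

# Constructed sample hosts file: the default entry plus the kind of redirect
# lines a browser hijacker adds (addresses are made up, 203.0.113.0/24 is TEST-NET).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.45    www.google.com gmail.com   # constructed hijack entry
203.0.113.45    mail.google.com
127.0.0.1       update.antivirus.example   # constructed: starves a scanner of updates
"""

# The one active line a stock Windows XP hosts file is expected to contain.
EXPECTED = {("127.0.0.1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (non-comment) mapping."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address: not an active mapping
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries

def audit_hosts(text):
    """Return (hostname, ip, reason) for every entry beyond the expected one."""
    suspicious = []
    for ip, host in parse_hosts(text):
        if (ip, host) in EXPECTED:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            reason = "name pinned to loopback (blocks the real site)"
        else:
            reason = "name redirected to %s" % ip
        suspicious.append((host, ip, reason))
    return suspicious

if __name__ == "__main__":
    # To audit the live file instead, read %systemroot%\system32\drivers\etc\hosts.
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print("%-28s -> %-15s %s" % (host, ip, reason))
```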

Postby Yamori » Thu Jun 21, 2007 7:36 pm

127.0.0.1 localhost

is the last line. PERPLEXING! @_@

Postby Lueyen » Thu Jun 21, 2007 11:54 pm

Nope, exactly how it should be. >< Unfortunately what you are probably looking at is something new enough to evade malware scanners, and isn't using any real obvious tricks. There is a possibility that some of your .dll files have been modified or possibly even copied over.

At this point I don't know how much luck I'm going to have asking you to check random files. There are probably hundreds of things we could try that might work. What I'd suggest at this point is getting some local professional help if that is possible.

If you want to try drastic measures you could have hijackthis "fix" everything in the list, but that is a rash approach, and it would be based on hoping that it's malware that is masquerading as a valid application.

I am assuming that you don't have system restore turned on... a system roll back would likely rectify it.

Beyond that I can't think of much more than wiping out temp and prefetch files that is going to be fairly easy. Maybe running repairs for Windows or IE, reinstalling Firefox and the like, but these are all just try-and-see-if-it-works for lack of any real deductive direction.

Postby Martrae » Fri Jun 22, 2007 7:02 am

Uninstall Google Toolbar

Which spyware/malware programs are you using?
Inside each person lives two wolves. One is loyal, kind, respectful, humble and open to the mystery of life. The other is greedy, jealous, hateful, afraid and blind to the wonders of life. They are in battle for your spirit. The one who wins is the one you feed.

Postby Harrison » Fri Jun 22, 2007 9:11 am

Lueyen wrote:I am assuming that you don't have system restore turned on... a system roll back would likely rectify it.

People use that shit? :ugh:
How do you like this spoiler, motherfucker? -Lyion

Postby Tossica » Fri Jun 22, 2007 9:14 am

Harrison wrote:
Lueyen wrote:I am assuming that you don't have system restore turned on... a system roll back would likely rectify it.

People use that shit? :ugh:

Yeah. It comes in handy more times than not.

Postby Lueyen » Fri Jun 22, 2007 10:27 am

Harrison wrote:
Lueyen wrote:I am assuming that you don't have system restore turned on... a system roll back would likely rectify it.

People use that shit? :ugh:

If you aren't super technically inclined and not a gaming elitist (more often than not the two go hand in hand), then the balance of resource drain for the return is quite good.