program intercepting web page and changing source. HELP!

Discussion in 'OT Technology' started by AVengeance, Jul 4, 2009.

  1. AVengeance

    AVengeance Active Member

    A neighbor brought his laptop to me saying that he could "get the Internet, but my searches don't work". That didn't make any sense to me, but I said, sure, I'll take a look at it.

    I got the system booted up, and sure enough he was RIGHT! I could go to www.ask.com (same results no matter the search engine), type in a search, and the page that loaded would just be blank. I thought WTF? No "page cannot be displayed"? So I looked at the source code, expecting to see the "transitional" HTML code. Instead, the entire page source was present. At the top of the document, though, was this:

    <DIV STYLE="position:absolute;width:2000px;height:3000px;top:0px;left:0px;z-index:99999;background-color:#fffff"></DIV>

    So SOMETHING is running on this system that is intercepting the web page, altering the source code, then displaying the altered page. FUCK! I have removed some virii from this system, including that annoying "FREDDY49.EXE", which I was just at a customer's house removing about a week ago. There were three different pieces of malware on this system, and I've removed them. The guy had AVG (yea, great choice- you get what you pay for!). I tried removing it, but it wouldn't uninstall. I manually removed the program and all registry references. Still nothing. There is something tied into the browser that's doing this, and I can't figure out what it is. Any help?

    I also looked for rogue services, other startup entries, IE add-ons, etc. I usually don't end up stumped, but this is blowing my mind.

    HALP MEEEEE!

    Thanks.
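A defender-side check for the symptom described in the first post: scan a saved page source for an absolutely positioned, viewport-sized div with an extreme z-index. This is an added example, not a tool from the thread; the sample HTML and the size and z-index thresholds are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the injected tag quoted in the first post, placed
# above an ordinary results block that must not be flagged.
SAMPLE_HTML = """<html><body>
<DIV STYLE="position:absolute;width:2000px;height:3000px;top:0px;left:0px;z-index:99999;background-color:#fffff"></DIV>
<div id="results" style="position:relative;width:600px;height:400px">results</div>
</body></html>"""

# Heuristic thresholds (assumptions, not from the thread): a box this large
# with a z-index this high covers the viewport and everything beneath it.
MIN_PX = 1000
MIN_Z = 1000

def parse_style(style):
    """Turn 'a:b; c:d' inline CSS into a lowercase dict."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out

def _num(value):
    """Leading integer of a CSS value ('2000px' -> 2000, missing -> 0)."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else 0

def is_blanking_overlay(css):
    """True when the inline CSS describes a viewport-covering, top-of-stack box."""
    return (css.get("position") in ("absolute", "fixed")
            and _num(css.get("width")) >= MIN_PX
            and _num(css.get("height")) >= MIN_PX
            and _num(css.get("z-index")) >= MIN_Z)

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names but keeps values as-is.
        style = dict(attrs).get("style") or ""
        if tag == "div" and is_blanking_overlay(parse_style(style)):
            self.hits.append(style)

def find_overlays(html):
    """Return the style attributes of all blanking-overlay divs in the page source."""
    finder = _Finder()
    finder.feed(html)
    return finder.hits
```

Run it against a page source saved from the affected machine and from a clean one; a hit that appears only in the affected copy points at interception on that host rather than at the site.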
     
  2. Signedx

    Signedx New Member

    Did you scan with Malware Bytes to remove the malware? If not, I suggest doing that.


    h ttp://www . malwarebytes . org / mbam.php

    (can't post links, remove spaces)
     
  3. Hate Crime

    Hate Crime Don't Hate OT Supporter

    Check for proxy server?

    Host file?
     
  4. Sexual Vanilla

    Sexual Vanilla New Member

    :werd:
     
  5. AVengeance

    AVengeance Active Member

    No proxy server is set. I verified the IP was set to acquire auto (the way I have my home network set up) and it was. Nothing special.


    Host file?

    I'll try malwarebytes tonight. I already scanned with the foursome that comes with AV-CLS (McAfee, Kav, Trend, and Sophos). There were some items found and removed, and I found a couple things manually and removed. The system is running fine now except this one thing. I'll run Spybot S&D and the one Signedx suggests, and see what's up. All else fails, I'll just capture the CD Key for Windows and reinstall.
     
  6. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Probably the simplest and quickest method.
     
  7. AVengeance

    AVengeance Active Member

    Yea, usually. butttt... this is a laptop. No install disk, just a recovery partition.
     
  8. Fase

    Fase Your Face, In A Pickle Jar.

    %windir%\system32\drivers\etc\host (If I recall)
     
  9. Chimpa Codigo

    Chimpa Codigo Bаnned bу Ѕuреr Modulators

    You might also need to download winsockfix to make sure that connectivity is still available after removing the malware. Usually when there's a hijack like this, the adware uses a socket to take over http calls.
     
  10. deusexaethera

    deusexaethera OT Supporter

    Internet Exploder is the biggest pain in the ass ever when it comes to removing ActiveX plugins. Just back up his files and wipe the bitch, it'll take just as long to unfuck the current install -- assuming you even can.

    I've had good luck with Avast! finding and removing malware that other programs couldn't touch, because right after you install it, it reboots and runs a bootup scan of everything on the hard drive. One time it even found an infected USERINIT.EXE, which was kind of a bitch to replace once it was deleted, but sure enough it fixed the problem.
     
  11. Fase

    Fase Your Face, In A Pickle Jar.

    :werd:

    <3 Avast!
     
  12. Hate Crime

    Hate Crime Don't Hate OT Supporter

    Post your HijackThis log.
     
  13. jvblackxj

    jvblackxj VW4Life

    I remember this one. Man, was it bad. Though it was just a couple of exe's and a proxy, easy enough to fix. This sounds a little more serious.
     