IE6 and FF2 hijacked? Help please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bolts, Dec 15, 2006.

  1. Bolts

    Bolts Private E-2

    Hi all,

    I have a bit of an issue right now with my partners laptop.

    XP home FF and IE6

    She tells me that any address she types in to the browser ends up at DODO.COM.

    Interestingly, she tells me that the address is correct. for example, type in www.ibm.com and the address bar will show this but the screen is chock a block with dodo.com

    Sypot S&D which was on the machine found 7 errors and repaired them, but I am a bit concerned it is a bit more serious than that...

    Any input would be most sincerely appreciated.
     
    Bolts, Dec 15, 2006
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Did the above steps change any of your status with web pages?

    If not, you need to do as much of the below as possible!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
    chaslang, Dec 15, 2006
    #2
  3. Bolts

    Bolts Private E-2

    I have flushed the caches, flushed the dns as suggested and run hoster...there is no change.

    Interestingly, after i flush the browser cache, and i start up the browser, if i look at the browser cache files, the first entry is dodo.css. all the other files have the correct address but with all the dodo files appended.
     
    Last edited: Dec 15, 2006
    Bolts, Dec 15, 2006
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Then you need to continue with the other steps!
     
    chaslang, Dec 15, 2006
    #4
  5. Bolts

    Bolts Private E-2

    Thanx Chaslang,

    Will do...

    ..just need a bit more time than I thought to d/l on one confuser, transfer the apps across etc etc..

    Thanx for your input to date - I'll 'get back to you' after the next lot

    :)
     
    Bolts, Dec 15, 2006
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Is this happening on both FireFox and IE?

    Is dodo.com a site that she uses for something. Is it her ISP?
     
    chaslang, Dec 15, 2006
    #6
  7. Bolts

    Bolts Private E-2

    Hi Chaslang,

    The mystery is now over. Mrs B has just resigned from her job and had an arrangement with the employer to leave her access open. This was cool, except that the ISP had a list of people leaving - Mrs B being one of them and they shut her down without authority.

    It appears that dodo is this companies isp and this behavior is standard for users who attempt loging via that number.

    Phew! what a long and protracted explanation.!!!

    So, it was a 'forced hijack' if you will, and it has been repaired - her access has been reinstated. THere was nothing sinister as it turns out

    So all my testing that came up negative was for good reason!

    Once again, many thanks for your suggestions Chaslang
     
    Bolts, Dec 20, 2006
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And thus the reason for my question
    that I posted in message # 6.


    Glad to here problems are resolved now. You're welcome.
     
    chaslang, Dec 20, 2006
    #8

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds