Author Topic: A possible hijacking?  (Read 13805 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: A possible hijacking?
« Reply #15 on: February 01, 2014, 04:41:02 PM »
Avast is aware of this... were you getting alerts? http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/ Ad poisoning is an old trick but very effective.

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #16 on: February 01, 2014, 04:46:27 PM »
Was not. I didn't have avast installed until last night, when I finally started the witch-hunt for this to root it out. It hasn't been happening very long at all.

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #17 on: February 01, 2014, 04:48:18 PM »
Is there anything else that can be done to delete this? I'm glad if it'll never come back, but I'm worried about what to do to stop it from coming around ever again.

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #18 on: February 01, 2014, 04:56:11 PM »
Alright, I'll be shutting down to head to work. If you guys can provide any more info, please, please *please* let me know! Thank you for all of the help so far.

Offline essexboy

Re: A possible hijacking?
« Reply #19 on: February 01, 2014, 05:03:17 PM »
The beauty of Avast is that it will block the connection so that nothing can get onto your system and you will be safe :)

To be doubly sure you can set the Avast hardened mode to aggressive and then you will get alerted any time an unknown programme starts, with the option to either block or run.

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #20 on: February 01, 2014, 11:33:24 PM »
Cheers! I enabled that now that I'm home, and we'll see what happens.

A friend said it might be a part of a Firefox addon, and that I should dump/reform a profile. Thoughts?

Also, this fellow seems to be having the exact same problem, here on Avast!

http://forum.avast.com/index.php?topic=145718.0

Should we try anything from there?

Offline essexboy

Re: A possible hijacking?
« Reply #21 on: February 02, 2014, 12:09:34 AM »
If it is not a constant thing then I would tend to attribute it to an infected website rather than an FF addon.

Additionally, if it was an addon then Avast would alert every time you started FF. Does it do that?

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #22 on: February 02, 2014, 12:16:10 AM »
It does not! Since we've tinkered around, it hasn't come back yet, either. I'm watching my event logger very carefully, though. I find it kinda weird that it keeps poking my DNS whenever it comes around.

DarthSnoopyFish

  • Guest
Re: A possible hijacking?
« Reply #23 on: February 02, 2014, 01:29:25 AM »
I have seen this issue on 2 computers the last day and it also happened to my friend. The common link between all 3 computers was that they were all running Skype. After some Googling today, I found these Skype blog posts.

http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251

http://community.skype.com/t5/Windows-desktop-client/Popup-Advertisements/td-p/2896167

It seems like the new ad service Skype rolled out last week has been compromised. Not good.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33928
  • malware fighter
Re: A possible hijacking?
« Reply #24 on: February 02, 2014, 01:41:00 AM »
Hi DarthSnoopyFish,

Thanks for reporting this back to base. Malcode very much undefined as yet, reported here: http://support.clean-mx.de/clean-mx/viruses.php?id=19947446
Seems that avast! Webshield is now blocking this malcode as JS:ScriptPE-inf[Trj] in Chrome Browser/AppData - as it is blocking access to this report: htxp://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fe324rfds.bf-microdefender.nl%2Findex.php%3Fkey%3D541738592e6ce4d770cb2cf261a510b9 (probably showing off too much of the real code to avoid a live shield alert - but good enough for us checking detection here).

Good we have protection against this!

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #25 on: February 02, 2014, 02:00:55 AM »
Thanks for the information! I had a hunch it was Skype, but asking around, none of my other friends except one have had it.

I have Avast running all the time now, and I keep looking at its shield to watch what's coming in.

Offline polonus

Re: A possible hijacking?
« Reply #26 on: February 02, 2014, 02:09:55 AM »
@OhDearyMe &
@DarthSnoopyFish,

Another good reason to block all ads forever.....
(read: http://www.reddit.com/r/technology/comments/1wqudh/skypes_ads_may_be_compromised_with_malware/ )
A good and decent Adblocker extension like ABP for instance is a must nowadays to play an anti-malware role next to your resident av solution,
which for us all is avast!

polonus

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #27 on: February 02, 2014, 02:23:41 AM »
What troubles me is that supposedly the site didn't actually have an internal 500 error and was using that as a sort of facade while it did evil stuff in the background?

I wonder if my system is compromised at all, considering things are coming back totally clean?

Offline essexboy

Re: A possible hijacking?
« Reply #28 on: February 02, 2014, 01:45:13 PM »
With the 500 error it would suggest that the site was taken down. There was no apparent malware on the logs so I feel you are clean.

OhDearyMe

  • Guest
Re: A possible hijacking?
« Reply #29 on: February 02, 2014, 05:42:54 PM »
I was reading that the 500 error was actually a part of the ruse of the site, and wasn't actually shut down. Someone was poking around in the webpage data to come to such a conclusion.