Has this website been hacked
Comments
-
debitcardmayhem wrote: »Change their laptop wifi adaptor to use 8.8.8.8 or 1.1.1.1 as the DNS server, then see if that stops it, the hotspot could be messing with DNS
Hi
Thanks for suggestion, I tried that and problem remains, so suggests it is his Laptop.
0 -
Clear cookies, check installed browser addons, check no manual proxy has been added
Hi
Thanks for suggestions
I ran ccleaner to remove all cookies
Redirection occurs on Firefox, Chrome and Opera, so unlikely to be an add-on or it would have to be in all three.
So today I connected one of my laptops running Win10 to his router and was able to go to MyDep site with no issues.
This could be the site detecting Win10 (his PC is Win7) but it suggests to me that problem is with PC.
I can't see any evidence of a proxy but not sure what to check for hidden ones
Can't see anything unusual on task manager for all users, all processes seem to be from MS or Intel or OEM folders.
I have run adwcleaner, it found a few pups but nothing that looked serious, I also ran the basic cleanup with all options set and it made no difference, it still redirects.
I have run Malwarebytes on it, it has defender, so I guess have to do the checks on Bleeping Computer, look for rootkit etc.
I did recommend nuking it but he is adamant to keep his setup.
It would be interesting to know what it is as it is completely invisible to me, normally I can find stuff when people bring me their infected PCs.
0 -
control panel => internet options => advanced
"Restore advanced settings" , then "reset"
Reboot computer - Open internet explorer and tell me if the redirect occurs now
0 -
Thanks Andy
That did the trick, that is 2 beers I owe you!
So how did they manage to get IE to redirect Chrome, Opera, Comodo and Firefox?
Would be good to know what they changed in the registry
Also I did a scan with defender and it found something that Malwarebytes did not care about
https://www.virustotal.com/#/file/37f83a6b2f920ef8b76d7c9f44c9bde430cc3e10d41a17f25f5b8bb19fb1145a/detection
Not sure if it was ever used, he had several Acrylic files on there
0 -
It was probably a manual proxy that has been changed by one of the PUPs that you found.
Resetting IE changes this in internet options, which all the other browsers listen to. **
** Apart from firefox - which completely ignores internet options so not sure why the issue was happening there too - but as it's now fixed there is no point in investigating further
In case you are wondering, the keys that will have been edited are here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
0 -
Sheeeeeit Andy, when you are right you are right, I just went to check and issue remains with Firefox!!
I only checked Opera and Chrome.
So what does Firefox listen to?
Boss gave me one of those looks as if it is my bloody fault!
These were keys fixed by adwcleaner
** [ Registry ] *****
PUP.Adware.Heuristic HKU\S-1-5-21-1940220276-3402961915-493940499-1001\SOFTWARE\01165BAE0F3BA1C9E9F93F2281187E08
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
PUP.Optional.Legacy HKLM\Software\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
0 -
Firefox only listens to its own settings.
So open firefox, click the little 3 horizontal lines and go to "options"
Then in the "find in options" box - type the word proxy
You will see it now offers you to click on "settings"
Ensure "no proxy" is ticked and click "ok"
0 -
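A read-only check of the two places the replies above point to, the Internet Settings key and Firefox's own proxy preferences, given here as an added example that is not part of any poster's reply. The value names (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) and the network.proxy.* preference names are standard Windows and Firefox names rather than details from the thread, and the function names are hypothetical.

```powershell
# Added example: reads settings only, changes nothing.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # Values behind the "Internet Options" LAN settings dialog, which
    # Chrome and Opera follow by default on Windows.
    $p = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable     # 1 = manual proxy switched on
        ProxyServer   = $p.ProxyServer     # host:port the traffic is sent to
        ProxyOverride = $p.ProxyOverride   # hosts that bypass the proxy
        AutoConfigURL = $p.AutoConfigURL   # PAC script, can redirect per site
        # Heuristic flag only: a proxy or PAC script the owner did not set up
        NeedsReview   = [bool](($p.ProxyEnable -eq 1) -or $p.AutoConfigURL)
    }
}

function Get-FirefoxProxyPrefs {
    # prefs.js only lists preferences changed from their defaults, so no
    # output means every profile is on Firefox's default proxy behaviour.
    # network.proxy.type: 0 none, 1 manual, 2 PAC URL, 4 auto-detect, 5 system
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.' |
                ForEach-Object {
                    [pscustomobject]@{
                        Profile = Split-Path (Split-Path $_.Path -Parent) -Leaf
                        Pref    = $_.Line.Trim()
                    }
                }
        }
    }
}

Get-WinInetProxy | Format-List
Get-FirefoxProxyPrefs | Format-Table -AutoSize -Wrap
```

Run it as the affected user rather than an admin account, because both the HKCU key and the Firefox profile folder are per-user.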
Thanks Andy
I did that and ironically MyDep was down for maintenance but seemed to me the right URL.
I am going to check the registry for the key settings
I found this which helps
https://getadmx.com/?Category=Mozilla&Policy=FullArmor.Policies.50C48427_E059_4052_BB12_F2468756F4EE::proxy_settings_2
0 -
This is bizarre
It came back
Still only affects mydeposit site as far as I know
No Proxy was already set in Firefox
It made Chrome and Opera go to 3rd party site too, site changes but always those bad sites.
ADWcleaner said I had Pup in firefox video downloader, albeit that does not explain how it affects other browsers. I had it remove it anyway.
All apps shut down and reboot did not clear it.
Next day it did it again, I used ccleaner and did another reboot and it has gone.
My feeling is that it just picks random sites you visit often and redirects those, I have seen adware do this.
It is weird as I have no idea how it does it, I never use an admin account and my admin account has internet disabled.
I have run Malwarebytes and nothing found.
Do I assume that this was somehow placed by firefox addon, is it still there but hiding or has it been put there by a website?
***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
No malicious folders cleaned.
***** [ Files ] *****
No malicious files cleaned.
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks cleaned.
***** [ Registry ] *****
No malicious registry entries cleaned.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
Deleted Video Downloader
Deleted Video Downloader
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.
*************************
[+] Delete IFEO
[+] Delete Prefetch
[+] Delete Tracing Keys
[+] Reset BITS
[+] Reset Hosts File
[+] Reset IPSec
[+] Reset Chromium Policies
[+] Reset IE Policies
[+] Reset Proxy Settings
[+] Reset TCP/IP
[+] Reset Winsock
*************************
0 -
I'd run an antivirus from a bootable CD/USB. I often find they pick up things that hide themselves when Windows is running.
I'm a big fan of Avast's Rescue Disc. Unfortunately you have to install Avast antivirus to get it (but you can uninstall it after creating the CD/USB).
https://support.avast.com/en-eu/article/Use-Antivirus-Rescue-Disk
Once you've booted the CD/USB and run a scan, reboot into Windows and run MalwareBytes and adwCleaner again.
This discussion has been closed.