Jump to content

Recommended Posts

Posted

Hi all

I have had a few times while browsing found that i am being redirected to a web page called shopify, even if the url is showing the correct https location.

Now I have fixed this in the past, run the adware software, reinstalled firefox ...etc...but what I tracked it back to is a PNG file in my user/appdat/temp called Microsoft.Explorer.Notification.{5FD706BA-5FE2-1B2B-965F-FFB7E42D3476}.png

I find after deleting this file and allowing a fresh one to be generated when you lauch again,solves the issue.

What is the issue being used, is this a kind of image tracker.

Any ideas...

Posted (edited)

well it started when I was looking at the latest post on Hackaday.

I looked at the post for creating a gps module for quad copter that was posted today, in the article, it had a link to the u-blox website.

When I cliked on it, it was fine, but when I went back to the hacakday site, I was redirected to shopify, it even change the icon in my bookmarks for this site.

all other sites was ok.

I rebooted.

ran antivirus scan...nothing new

ran adware cleaner...nothing new

reinstalled firefox.....still didn't resolve

I was still being redirected when going to hackaday site.

So I went to the user/appdat/temp and looked for the latest thing change at around the time it occurred, and the Microsoft.Explorer.Notification.{5FD706BA-5FE2-1B2B-965F-FFB7E42D3476}.png was the only thing recently changed.

I have deleted this before when having problems, so I checked thst I was still being redirected, yes I was, so I deleted this file, the problem fixed itself, back to the correct page.

Now it appears that this file is suppose to be used for USB notification in window 10 according to microsoft??

I copied the new current file to a folder, and retived the deleted one, and had a look at both files with hex edit, the corrupt file is twice the size.

This is a bit of a mystery to me, I will do some morre digging, but it looks like someone has fonnd a way to exploit this file.

I am still trying to work out what exactly this does in windows 10.

as far as I know, the .png is suppose to be an image file??..isn't it

And one last thing, when the files was copied to a folder on the desktop, the current one shows the usb icon, the corrupt one is showing a Java applet icon.

bug_zps59g50t1u.png

Edited by Swamppifi
Posted

I'm thinking 'too obvious for you' but I have to ask: Is it showing the real file extension, or is Microsoft hiding that from you in this view (because it's *SCARY*).

Posted

The properties of each file is showing the file type as .PNG.

I am a bit of loss in this as this is a new feature in windows 10.

Posted

Maybe the png is in fact a png of that specific image?

Posted (edited)

Without looking at the links and page you clicked to see what is going on, it's hard to say exactly. Paste the links to see if we can reproduce it, but more than likely, you have clicked something with a script, that is doing the redirect, like from an advertisement or such. My guess is once a cookie or web tracker gets set, when it gets requested and seen again, one of the embedded sites is redirecting the file or sending http 301/302 redirects at you and your machine is following something it probably shouldn't be. Windows 10 also has a shit ton of privacy and security issues right now, from sharing your wifi data to capturing all keystrokes by default. There are only a handful of links right now with how to disable a lot of these new features, but I don't have 10 to test against. This might be a new feature in 10 that allows the use of extra embedded data in images now, but I still think it might be them redirecting you after a click through, which you see on things like heavily laden ad based sites, porn sites, etc, where you try to get to the page in an image link, only to have to click it 3 times before the real site loads. Lots of warez sites used to do that back in the day for making money on click through rates.

You cn actually search that ID number as well in google for "5FD706BA-5FE2-1B2B-965F-FFB7E42D3476"

Also, try running some things like adblock, ghostery(awesome tool), and noscript. Might help against any nefarious hijacking.

Edited by digip
Posted

Cooper

I have to agree wiith you, it appears to be just a image file, but I feel it is being used as a control portal for something else in windows 10, other wise why would you call it with a random paramter in the name,, oh ... thats string in the name changes everytime I delete it, why not just call it icon.png or something if it is just an icon, and why put it in the appdat of the current user.

What I will do... as I have saved this file, I will put it back in the app data and see if I am getting redireted again. and the try and trace what is calling on it

It is a pretty big smoking gun when the corupted file was deleted, the browser went back to normal.

Digip I will try some of your suggestion and see what I find.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...