
Thread: Browser hijacking

  1. #1
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797

    Browser hijacking

    I've got a peculiar piece of malware running on my box now. It hijacks the links on a Google search and sends you to a random place, usually a commercial search engine but never the same place twice.

    It affects IE 8, FF 3.5 and Opera 10. It does not affect Chrome. Running an Avast boot scan shows no malware. Spybot and Ad-Aware with the latest editions find nothing. For grins I downloaded and ran the MS malware detection and removal tool and it found nothing as well.

    So far this only affects search results, it doesn't hijack manual entries or bookmarks.

    Any ideas of where to take this next?

    many thanks
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Did you try Malwarebytes Anti-Malware?

    malwarebytes.org
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    Run spybot S&D as well as HiJackThis - remove any concerning/unknown entries.

    Alternatively, post the results of HiJackThis here and I will inspect and advise what you should/can remove.


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  4. #4
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    Spybot S&D says I'm clean, Ad-Aware says I'm clean, Malwarebytes found Rougue.error and removed it, then came up clean the 2nd time (7 hours of scanning). Avast says I'm clean. The process is still there.

    Currently I'm sorting through the 52 processes that are running when I've got my browser open to a Google search results page.

    Will try HijackThis on it but I've got a lot of other projects this week. I appreciate the suggestions. Gut feeling is that I've got a new "bug" that hasn't been profiled yet; when it does it will be found, at this point it's just a nuisance.

    In the mean time, I've trained the family to use Chrome instead of FF, IE and Opera.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  5. #5
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Question

    Taken from > windowsclick.com redirect (UACd.sys.trojan) removal

    Post> #19

    Quote Originally Posted by t34b4g5:
    I recently had to fix a friend's computer that was doing the same thing.

    Here's the way that I was able to fix it.


    Try going to My Computer.
    Click the folder button and make sure "view hidden files/folders" is turned on, and check your drives for "resycled" and "autorun.inf" files/folders.
    They will appear in the root directory.

    If they are there then go to a command prompt and change the attrib settings on the "resycled" folder and the "autorun.inf" file:

    attrib -r -s -h

    then, while still in the command prompt, just use the del command on both.

    Then do a search for autorun.inf on your drives and after the scan just right-click on each one and open with Notepad or WordPad and check each one, and if any happen to have "boot.com" before a string of jumbled letters and numbers, then delete it.
    The "boot.com" hides in the "recycled" folder and when the "autorun.inf" file is loaded it loads the "boot.com" file and your browser will continually get redirected.

    Restart the computer and then go to My Computer, click the folder and check to make sure they're both gone.

    This thing was not only not letting me access the computer's drives, it also decided that it would redirect the browser to www{X}copy-book{X}com (note: don't click, the site has active malware) all the time. I did the above and it should solve the issue.


    Also
    Start Windows in safe mode, then click Start -> Run. Type in regedit and click okay.

    Now at the top of the registry editor,
    click Edit -> Find.
    Type boot.com and click Find Next. Every time it finds a new boot.com, press the Delete key and then Enter. It should find a dozen or so copies.

    Now, plug in any external drives or flash drives you have used with this computer.
    Open
    My Computer. Click Tools -> Folder Options -> View and select "Show Hidden Files and Folders" and click OK.

    For each drive, open it and delete the "recycled" folder and "autorun.inf". Back up each "autorun.inf" before deleting them off external drives, because they might be important.

    Restart the computer and the problem should be gone.

    Any removable USB drives you've plugged into that computer will also be infected with the virus, so make sure you clean them out too (note: if you clean your computer, then plug in the USB drives, it'll re-install itself).
    Any computers you've plugged that USB drive into are also infected.

    A summary of what this thing does: it's installed itself as a Windows driver with a random DLL file name; you'll have to track down ALL instances of it and eradicate it completely. Booting in safe mode will assist. The drivers won't show up in Control Panel or Admin Tools either, as it's hidden.

    Other things you will need to remove this damn virus:
    Malwarebytes Anti-Malware
    SmitFraudFix scan
    HijackThis
    GMER

    This thread should help you: http://www.bleepingcomputer.com/forums/topic191577.html

    If you download and install the latest version of those programs they should work fine without an update; the virus redirects the update URLs as well. You will find it's system-wide, not browser specific!

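The checks in the post above (an autorun.inf in a drive root whose open/shellexecute line runs boot.com out of a recycled/resycled folder, followed by a jumbled argument) can be scripted so that every drive and USB stick gets the same inspection. The following is an added example, not code from t34b4g5's post or the linked bleepingcomputer thread. The two autorun.inf samples are constructed, the "jumbled argument" heuristic and the case-insensitive name matching are assumptions, and the attrib invocation is the one from the post, returned for review rather than executed.

```python
"""Triage autorun.inf files for the boot.com-style redirector the post describes."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# [autorun] keys whose value is executed on insertion or double-click.
EXEC_KEYS = {"open", "shellexecute"}
# Names the post associates with the infection; matched case-insensitively (assumption).
SUSPECT_DIRS = {"recycled", "resycled"}
SUSPECT_FILES = {"boot.com"}
# The post describes "boot.com" followed by jumbled letters/numbers; a run of 8+
# alphanumerics with no dot or separator is treated as such a string (assumption).
JUMBLED_ARG = re.compile(r"^[A-Za-z0-9]{8,}$")


@dataclass
class Finding:
    path: str
    key: str
    value: str
    reasons: List[str] = field(default_factory=list)


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser: hostile files carry duplicate keys,
    shell\\verb\\command keys and odd whitespace that configparser rejects or merges.
    """
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def _command_parts(value: str) -> Tuple[str, List[str]]:
    """Split 'cmd args' into (cmd, [args]), honouring a double-quoted command path."""
    v = value.strip()
    if v.startswith('"') and v.count('"') >= 2:
        end = v.index('"', 1)
        return v[1:end], v[end + 1:].split()
    parts = v.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def suspicious_reasons(key: str, value: str) -> List[str]:
    """Reasons an [autorun] entry looks like the redirector; empty list if benign."""
    executes = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    if not executes:
        return []
    target, args = _command_parts(value)
    components = [c.lower() for c in re.split(r"[\\/]+", target) if c]
    reasons = []
    if components and components[-1] in SUSPECT_FILES:
        reasons.append("runs boot.com")
    if any(c in SUSPECT_DIRS for c in components[:-1]):
        reasons.append("target lives in a recycled/resycled folder")
    if args and JUMBLED_ARG.match(args[0]):
        reasons.append("executable followed by a jumbled argument")
    return reasons


def triage_text(text: str, path: str = "autorun.inf") -> List[Finding]:
    """Findings for one autorun.inf's contents."""
    out = []
    for key, value in parse_autorun(text):
        reasons = suspicious_reasons(key, value)
        if reasons:
            out.append(Finding(path, key, value, reasons))
    return out


def scan_roots(roots) -> List[Finding]:
    """Inspect each drive root (e.g. 'C:\\\\', 'E:\\\\') the way the post does by hand."""
    findings = []
    for root in roots:
        try:
            entries = list(os.scandir(root))
        except OSError:
            continue
        for e in entries:
            name = e.name.lower()
            if e.is_dir() and name in SUSPECT_DIRS:
                findings.append(Finding(e.path, "<dir>", "", ["recycled/resycled folder in drive root"]))
            elif e.is_file() and name == "autorun.inf":
                with open(e.path, "r", errors="replace") as fh:
                    findings.extend(triage_text(fh.read(), e.path))
    return findings


def unhide_command(path: str) -> List[str]:
    """The attrib call from the post that clears read-only/system/hidden so the
    item can be deleted; returned for review, not executed."""
    return ["attrib", "-r", "-s", "-h", path]


# Constructed samples, not captured from a real infection.
SAMPLE_INFECTED = ("[autorun]\r\nopen=resycled\\boot.com 5xk2p9Qa7L\r\n"
                   "shell\\open\\command=resycled\\boot.com 5xk2p9Qa7L\r\n"
                   "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
SAMPLE_BENIGN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\nopen=setup.exe\r\n"

if __name__ == "__main__":
    import sys
    results = scan_roots(sys.argv[1:]) if sys.argv[1:] else triage_text(SAMPLE_INFECTED)
    for f in results:
        print(f"{f.path}: {f.key}={f.value!r}: {', '.join(f.reasons)}")
        print("   to unhide:", " ".join(unhide_command(f.path)))
```

Run it with drive roots as arguments (`python triage_autorun.py C:\ E:\`) after showing hidden files is irrelevant, since os.scandir lists hidden entries anyway; with no arguments it triages the constructed infected sample so you can see the output shape. Back up any autorun.inf before deleting it, as the post says, since legitimate driver CDs use the same mechanism.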
  6. #6
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    You will need to use GMER as this infection uses a rootkit. Find the driver, unload it, then the rest of the components should show.

  7. #7
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    660
    The GMER tool is good; perhaps using EndItAll to kill the process prior to scanning would also help?

    gl
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  8. #8
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797

    oh well

    Got home from work this morning, downloaded GMER, installed it and ran it.

    Popped off for a nap. Woke up 4 hours or so later and Windows was cycling in a boot loop. Wouldn't safe boot.

    Used a Ubuntu live cd to copy my documents to a portable drive and I'm in the process of formatting my hard drive for a full Windows install. So I won't know what the malware was and I'll spend my day off tomorrow building my system back up. I got hit with CoolWebSearch two years ago and had to do the same thing.

    I've run Linux and Windows on my home network (7 computers with a wireless as well as a wired LAN) and I have never had a problem with Linux. Friggin' Windows sucks!

    Thanks for your help everyone, I was hoping to find out what the little buggie was.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  9. #9
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Quote Originally Posted by fourdc:
    I'm in the process of formatting my hard drive for a full Windows install.
    Probably for the best. It is hard to tell how deep that stuff digs sometimes...
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  10. #10
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    I know, I'll be clean (for a while), but like I said I wanted the post mortem; I wanted to know what killed it. It bothered me that none of the stuff I ran even noticed it.

    When I got CoolWebSearch all of the virus/spyware programs caught it but nothing could take it off. This bug was only detectable by the user, and only if you were using a search.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot
