Author Topic: Browser Hijacking  (Read 2371 times)

Offline Scrittore (Jim)

  • Jr. Member
  • **
  • Posts: 27
    • Personal Message (Offline)
Browser Hijacking
« on: April 19, 2012, 12:40:04 AM »
When using Explorer in Sandbox - after doing a search-request with BING or Google, etc - when clicking on the list of search-returned URLs -  instead of the URL requested a new (non-search-return-provided) URL appears in the Address bar resulting in being HIGHJACKED and re-directed to unrequested sites.

I thought Avast and operating in Sandbox would prevent browser highjacking - so - opinion anyone?

-------------------------

Some examples of re-directing URLs (there are others which I have copied from the address field [some disappear within seconds] - provided as examples):

hxtp://www.happili.com/v_nq/innerxy.php?q=superantispyware&xy=47539-543-direc40

hxtp://80618.thespecialsearch.com/xtr_new?q=escatsy%20of%20gold&enk=JrFGiQa5j4lG4ybjB4HGiQfjJplmoca5RomGgY%20J

hxtp://click.scour.com/ads-clicktrack/click/jump2.do?affiliate=45435&subid=a10&terms=who funds the coast guard

hxtp://63.209.69.107/search/web/hijack+this/a10/45054-101/v5

hxtp://communicationcourse.info/

--------------------------------------

Finally - if AVAST is not currently set up to recognize/identify these browser-highjacking URLs as "MALWARE" - could someone start thinking about doing that? It is becoming a really big nuisance as attested to by forum after forum elsewhere complaining about them and websites on how to eliminate them (AND SOME OF THOSE WEBSITES ARE FAKE, masquerading AS legitimate providers, some using legitimate provider's names as part of their own impersonating URL)

Suggestions, thoughts, etc., appreciated
« Last Edit: April 19, 2012, 11:40:50 AM by Milos »

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21696
  • Gender: Male
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #1 on: April 19, 2012, 06:11:40 AM »
edit all links...make them unclickable  http = hxxp    www = wxw
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28981
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #2 on: April 19, 2012, 07:42:39 PM »
Those are indications of a Firefox/IE infection - as the browser has the bad extensions then yes they will also run in sandbox

Offline Scrittore (Jim)

  • Jr. Member
  • **
  • Posts: 27
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #3 on: April 20, 2012, 02:22:42 AM »
@essexboy - Thanks for the response.

A "Firefox/IE infection", however, seems unlikely - as I just restored the computer to out-of-the-box status (formatted and reinstalled factory settings/software) and immediately ran MS Update - then purchased and installed Avast.

Could be I suppose - but given the extremely limited exposure to the net "unprotected" as explained above - how? - and why isn't anything "seeing it"?

The biggest problem is that it seems NONE of the virus - malware - spyware, etc., are classifying browser re-dircecting malware as "malware" - thus not recognizing it and removing it.

Any other thoughts?
« Last Edit: April 20, 2012, 02:40:58 AM by Scrittore »

Offline Scrittore (Jim)

  • Jr. Member
  • **
  • Posts: 27
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #4 on: April 20, 2012, 02:40:15 AM »
@Pondus - thanks for the response - but not sure what you are suggesting.

Do you mean change the URL in the address bar?

If so, that doesn't really deal with the problem at the "cause" level.

When clicking on a search-returned URL, the whole idea of clicking on it is to access the data returned (as you of course know) - so what's rendering the link "unclickable" going to do for me?

As a work-around  I right-click on a returned link, get the properties, copy and past that into the address bar which circumvents any re-directing url launched by whatever these people are doing to attach themselves to a Bing or Google link attempting to be retrieved.

While that works - it is a tedious link by link process and hardly deals with the underlying issue involved.

I have run MalwareBytes and a couple of others to try and identify the Hijack source (you can no longer remove with "Uninstall" in Control Panel - the bad guys have wised up and hidden themselves better). I hope more of all of you tell AVAST to start recognizing browser highjacking as "Malware" and get on creating a solution.

Any other suggestions - anyone ???

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #5 on: April 20, 2012, 10:22:12 AM »
The avast Web Shield is by comparison to other AVs very good at finding 'malicious' script redirects, but there will be a balance of being too strict and blocking a legit redirect or one gets through (so nothing will be 100%). Don't forget even if the redirect works, the Network Shield is also there is the redirected site is on its malicious sites list, as is the Web Shield to do its normal scanning.

However, what you are describing could well be google search poisoning, given you say this is a (formatted and reinstalled factory settings/software). This is especially so in the google image searches it isn't unusual to click on a link for an image and not go there, the URL is malformed, having the redirect embedded in the URL string.

The fact that you are running your browser in the sandbox won't combat that, as that isn't the purpose of the sandbox, it is there to isolate your browsing from the system; so should you experience any malware attack it limits the potential damage by keeping it within the sandbox. You can then clear the sandbox and start a fresh instance of running the browser sandboxed.

Are you getting browser redirections on all searches in all browsers that you have tried ?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28981
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #6 on: April 20, 2012, 01:46:44 PM »
How many FF extensions/addons did you install ?

What were they

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Offline Scrittore (Jim)

  • Jr. Member
  • **
  • Posts: 27
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #7 on: April 23, 2012, 12:51:25 PM »
@DavidR - thank you for the response. I have had family issues to deal with so thus the delay in reading. Your post helped understand (as a "Newbie") appropriately understanding what AVAST is and is not designed to accomplish (especially with regard to "Sandbox" which was a new concept for me).

Since I could not seem to stop the mal-re-directing (which is why I tried to "wipe the slate clean" with "Restore" to factory settings) even after I did that - I decided to entirely abandon both Bing and Google as my default search engine and went to "Dogpile".

I have had no problems since doing that - so perhaps if others are experiencing the problem I originally posted about - that solution will help.

Thanks again for taking the time to repsond.

Offline Scrittore (Jim)

  • Jr. Member
  • **
  • Posts: 27
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #8 on: April 23, 2012, 12:59:55 PM »
@esexxboy - thanks for the additional response. Please see the post answering @DavidR for what I did to "work around" the problem.

I will also try your suggestion (but am embarassed not to know what "FF extensions/addons" stands for). I still experienced the browser-redirecting even though after returning the computer to "original factory settings" all I installed were the updates from MS after which I purchased AVAST.

That was all I installed/added - so - I have to presume from my limited knowledge that either my IP address is on a malware target list somewhere because I was once infected (recently with a Trojan the browser-redirecting SCOUR brought with it) - or some other reason I was still being redirected by browser-URL-string malware.

I'll look back here before I apply your suggestion to run and post - just to see if you have anything to comment about given the above and the response to DavidR.

Thanks again for also taking the time to do this.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: Browser Hijacking
« Reply #9 on: April 23, 2012, 01:50:19 PM »
You're welcome.

I would however suggest running OTL as suggested by essexboy (very experienced malware removal specialist), OTL produces an analysis or areas if interest should this be malicious search redirects. So at the very least it would be peace of mind.

Switching to a different search engine, isn't so much a work around but avoidance of the issue, but if it were malicious, that would still be present. So the OTL information would be able to confirm or deny this and ultimately provide information for a fix (if required).
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now