Avast WEBforum

Other => Viruses and worms => Topic started by: Scrittore on April 19, 2012, 02:40:04 AM

Title: Browser Hijacking
Post by: Scrittore on April 19, 2012, 02:40:04 AM
When using Explorer in Sandbox - after doing a search-request with BING or Google, etc - when clicking on the list of search-returned URLs -  instead of the URL requested a new (non-search-return-provided) URL appears in the Address bar resulting in being HIGHJACKED and re-directed to unrequested sites.

I thought Avast and operating in Sandbox would prevent browser highjacking - so - opinion anyone?


Some examples of re-directing URLs (there are others which I have copied from the address field [some disappear within seconds] - provided as examples):



hxtp://click.scour.com/ads-clicktrack/click/jump2.do?affiliate=45435&subid=a10&terms=who funds the coast guard




Finally - if AVAST is not currently set up to recognize/identify these browser-highjacking URLs as "MALWARE" - could someone start thinking about doing that? It is becoming a really big nuisance as attested to by forum after forum elsewhere complaining about them and websites on how to eliminate them (AND SOME OF THOSE WEBSITES ARE FAKE, masquerading AS legitimate providers, some using legitimate provider's names as part of their own impersonating URL)

Suggestions, thoughts, etc., appreciated
Title: Re: Browser Hijacking
Post by: Pondus on April 19, 2012, 08:11:40 AM
edit all links...make them unclickable  http = hxxp    www = wxw
Title: Re: Browser Hijacking
Post by: essexboy on April 19, 2012, 09:42:39 PM
Those are indications of a Firefox/IE infection - as the browser has the bad extensions then yes they will also run in sandbox
Title: Re: Browser Hijacking
Post by: Scrittore on April 20, 2012, 04:22:42 AM
@essexboy - Thanks for the response.

A "Firefox/IE infection", however, seems unlikely - as I just restored the computer to out-of-the-box status (formatted and reinstalled factory settings/software) and immediately ran MS Update - then purchased and installed Avast.

Could be I suppose - but given the extremely limited exposure to the net "unprotected" as explained above - how? - and why isn't anything "seeing it"?

The biggest problem is that it seems NONE of the virus - malware - spyware, etc., are classifying browser re-dircecting malware as "malware" - thus not recognizing it and removing it.

Any other thoughts?
Title: Re: Browser Hijacking
Post by: Scrittore on April 20, 2012, 04:40:15 AM
@Pondus - thanks for the response - but not sure what you are suggesting.

Do you mean change the URL in the address bar?

If so, that doesn't really deal with the problem at the "cause" level.

When clicking on a search-returned URL, the whole idea of clicking on it is to access the data returned (as you of course know) - so what's rendering the link "unclickable" going to do for me?

As a work-around  I right-click on a returned link, get the properties, copy and past that into the address bar which circumvents any re-directing url launched by whatever these people are doing to attach themselves to a Bing or Google link attempting to be retrieved.

While that works - it is a tedious link by link process and hardly deals with the underlying issue involved.

I have run MalwareBytes and a couple of others to try and identify the Hijack source (you can no longer remove with "Uninstall" in Control Panel - the bad guys have wised up and hidden themselves better). I hope more of all of you tell AVAST to start recognizing browser highjacking as "Malware" and get on creating a solution.

Any other suggestions - anyone ???
Title: Re: Browser Hijacking
Post by: DavidR on April 20, 2012, 12:22:12 PM
The avast Web Shield is by comparison to other AVs very good at finding 'malicious' script redirects, but there will be a balance of being too strict and blocking a legit redirect or one gets through (so nothing will be 100%). Don't forget even if the redirect works, the Network Shield is also there is the redirected site is on its malicious sites list, as is the Web Shield to do its normal scanning.

However, what you are describing could well be google search poisoning, given you say this is a (formatted and reinstalled factory settings/software). This is especially so in the google image searches it isn't unusual to click on a link for an image and not go there, the URL is malformed, having the redirect embedded in the URL string.

The fact that you are running your browser in the sandbox won't combat that, as that isn't the purpose of the sandbox, it is there to isolate your browsing from the system; so should you experience any malware attack it limits the potential damage by keeping it within the sandbox. You can then clear the sandbox and start a fresh instance of running the browser sandboxed.

Are you getting browser redirections on all searches in all browsers that you have tried ?
Title: Re: Browser Hijacking
Post by: essexboy on April 20, 2012, 03:46:44 PM
How many FF extensions/addons did you install ?

What were they

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
C:\Windows\assembly\tmp\U\*.* /s
>C:\commands.txt echo list vol /raw /hide /c
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
type c:\diskreport.txt /c
erase c:\commands.txt /hide /c
erase c:\diskreport.txt /hide /c

Title: Re: Browser Hijacking
Post by: Scrittore on April 23, 2012, 02:51:25 PM
@DavidR - thank you for the response. I have had family issues to deal with so thus the delay in reading. Your post helped understand (as a "Newbie") appropriately understanding what AVAST is and is not designed to accomplish (especially with regard to "Sandbox" which was a new concept for me).

Since I could not seem to stop the mal-re-directing (which is why I tried to "wipe the slate clean" with "Restore" to factory settings) even after I did that - I decided to entirely abandon both Bing and Google as my default search engine and went to "Dogpile".

I have had no problems since doing that - so perhaps if others are experiencing the problem I originally posted about - that solution will help.

Thanks again for taking the time to repsond.
Title: Re: Browser Hijacking
Post by: Scrittore on April 23, 2012, 02:59:55 PM
@esexxboy - thanks for the additional response. Please see the post answering @DavidR for what I did to "work around" the problem.

I will also try your suggestion (but am embarassed not to know what "FF extensions/addons" stands for). I still experienced the browser-redirecting even though after returning the computer to "original factory settings" all I installed were the updates from MS after which I purchased AVAST.

That was all I installed/added - so - I have to presume from my limited knowledge that either my IP address is on a malware target list somewhere because I was once infected (recently with a Trojan the browser-redirecting SCOUR brought with it) - or some other reason I was still being redirected by browser-URL-string malware.

I'll look back here before I apply your suggestion to run and post - just to see if you have anything to comment about given the above and the response to DavidR.

Thanks again for also taking the time to do this.
Title: Re: Browser Hijacking
Post by: DavidR on April 23, 2012, 03:50:19 PM
You're welcome.

I would however suggest running OTL as suggested by essexboy (very experienced malware removal specialist), OTL produces an analysis or areas if interest should this be malicious search redirects. So at the very least it would be peace of mind.

Switching to a different search engine, isn't so much a work around but avoidance of the issue, but if it were malicious, that would still be present. So the OTL information would be able to confirm or deny this and ultimately provide information for a fix (if required).