Computer Related > Browser hijack? Miscellaneous
Thread Author: Fenlander Replies: 39

 Browser hijack? - Fenlander
Google is our home page and search engine of choice.

On Saturday we noticed when you clicked on a search result from Google you'd be redirected to another search engine or an unrelated website. Every time for just a few seconds we noticed the redirect started via something like www.bilwy.net

If you clear the cache it stops for a short while but starts again. Then it might not happen for an hour but it always seems to return. Any ideas?
 Browser hijack? - John H
Run the well respected:
free.antivirus.com/hijackthis/
and ask for help if you do not know what the results come up with.

Read the FAQ and follow their advice re. seeking help.
Last edited by: John H on Mon 14 Feb 11 at 09:56
 Browser hijack? - John H
>>advice re. seeking help.
>>

I have just looked at some of these "helper" forums, and it seems that the "google results redirect" problems are prevalent of late.

www.bleepingcomputer.com/forums/forum22.html
www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
help.lockergnome.com/general/HijackThis-Logs-forum-48.html

Follow their instructions carefully and note their warning (eg. Bleepingcomputer tell you "Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.")

Last edited by: John H on Mon 14 Feb 11 at 11:40
 Browser hijack? - Fenlander
Thanks John. I downloaded the program and looked at the results which were meaningless to me. I felt a bit out of my depth looking at the tasks the helper forums asked folks to undertake. So I looked about and downloaded/scanned with Spybot.

That found two malware items that couldn't be deleted as they are in use at startup. They are Fraud.sysguard and WinSpywareProtect... both apparently causes of the issues I'm seeing.

I'm looking about for an automated removal tool.
 Browser hijack? - RattleandSmoke
If automated tools were that easy I would not have a job. Now you might want to try Malwarebytes and run it in safe mode. It sometimes will get rid of your symptoms but won't help if (I hate to say it - you have a rootkit!).

If that doesn't work there are a few other tools you could try, but they are a bit more lethal and only really designed for people who know and understand what they are doing.

I would also run Kaspersky's TDSKiller which can indicate if there is a rootkit on there.

Edit: you may also want to make sure you're not being redirected to a proxy or you don't have a DNS hijack. Google for information on how to do that.
Last edited by: RattleandSmoke on Mon 14 Feb 11 at 12:28
 Browser hijack? - Zero
Out of interest FL, what virus protection are you using?

It's nothing dreadful BTW this one. It's far too obvious.
Last edited by: Zero on Mon 14 Feb 11 at 12:33
 Browser hijack? - Fenlander
Thanks Rattle... I'll look into it a bit more. I have the McAfee internet protection type thing... up to date.
Last edited by: Fenlander on Mon 14 Feb 11 at 12:44
 Browser hijack? - Fenlander
Might have a result... at least for now. Picked up on your safe mode comment Rattle so ran Spybot in safe mode. Very slow but it said it had deleted the problems. Booted up normally... ran the scan again and it still shows as all clear.

I'll scan it each morning for a week or so to check it doesn't re-appear.
 Browser hijack? - devonite
Edit: whoops! beaten to it Sorry!
Last edited by: devonite on Mon 14 Feb 11 at 15:55
 Browser hijack? - Fenlander
>>>Might have a result... at least for now.

*For now* being the crucial part of that phrase. Seems this issue will re-establish itself after every startup.... ie it appears am soon after starting the PC.... you delete it with Spybot or whatever and it shows clear... no problems all day... then the same cycle the next day.

Oddly also it only seems to redirect from Google and changing to Bing as our home page/search engine has stopped it... for now!
 Browser hijack? - Zero
Have you tried a system restore to a date prior to the event?
 Browser hijack? - Fenlander
No not yet.

I wonder if I should do a sweep/delete (I now have Spybot & Malwarebytes) first and then a restore.... or the other way round?
 Browser hijack? - Zero
Don't think it will make much difference, but try the first way, it won't hurt and will make you feel better ;))
 Browser hijack? - Victorbox
>> I wonder if I should do a sweep/delete (I now have Spybot & Malwarebytes) first
>> and then a restore.... or the other way round?

Clean-up then System Restore - that's the way I've always fixed these spyware/malware problems. Of course your anti-virus may throw a temporary wobbly after the System Restore until you update its virus signatures again.

Last edited by: Victorbox on Wed 16 Feb 11 at 16:33
 Browser hijack? - VxFan
>> *For now* being the crucial part of that phrase. Seems this issue will re-establish itself
>> after every startup.... ie it appears am soon after starting the PC.... you delete it
>> with Spybot or whatever and it shows clear

Does spybot or whatever indicate where the offending article is on your hard drive?

I suspect an .exe file has been saved to your C drive, set to run every now and again. Spybot or whatever is only healing the infection, not getting rid of the source.

If you can identify its whereabouts on the hard drive, boot the PC up in safe mode and delete the .exe file.
 Browser hijack? - Fenlander
Not sure if it means anything but this is the report from a scan/delete yesterday...

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\glnmbhkl (Trojan.FakeAlert.N) -> Value: glnmbhkl -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qtcrwmki (Rogue.AntivirusSuite.Gen) -> Value: qtcrwmki -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
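
Added example, not part of any post in the thread: a small Python triage of the scan log above (wrapped lines joined, path separators restored) that pulls out the autorun (Run key) detections and flags the case where autorun entries were removed but no file was. The function names and the "orphaned" flag are assumptions made for this illustration, not part of any scanner.

```python
import re

# Log text as posted in the thread (wrapped lines joined, path separators restored).
SAMPLE_LOG = r"""Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\glnmbhkl (Trojan.FakeAlert.N) -> Value: glnmbhkl -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qtcrwmki (Rogue.AntivirusSuite.Gen) -> Value: qtcrwmki -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def parse_log(text):
    """Return (summary counts, detections grouped by section)."""
    counts, items, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            current = m["section"]
            items[current] = []
        elif current and (m := ITEM.match(line)):
            items[current].append((m["path"], m["name"]))
    return counts, items

def triage(text):
    """Return (autorun detections, True if autoruns were removed but no file was)."""
    counts, items = parse_log(text)
    autoruns = [(p, n) for sec in items.values() for p, n in sec if AUTORUN.search(p)]
    # Autorun entries removed with no file removed: the launcher is gone, but
    # the file it pointed at (or whatever re-creates it) was not detected.
    orphaned = bool(autoruns) and counts.get("Files Infected", 0) == 0
    return autoruns, orphaned
```

For this log, `triage(SAMPLE_LOG)` returns the two Run entries and sets the flag, which is the situation VxFan's question about the file's location on disk is getting at.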
 Browser hijack? - smokie
That log looks promising. The offending files are often hidden deep in your internet cache and are not easily found manually. I had one once called c.exe which although I deleted every copy of it, something made it keep coming back. You may spend weeks before this is finally eradicated.
 Browser hijack? - Tooslow
Just a thought, do McAfee not offer any help?

John
 Browser hijack? - Fenlander
I could go to the McAfee forums John but that would be an out of the frying pan experience for me.

Today was interesting. Tried several times with Spybot & Malwarebytes before and after a system restore (to 10 days ago) and I angered *it*.

I found my McAfee AV was being turned off (if I turned it back on it would only remain for a couple of secs), Windows Defender wouldn't load and when I decided it would be prudent to right click and disconnect from the net within 10secs it would reconnect itself!

Panic time.... I wondered if a quick download of a different free AV program would fool it for a while so downloaded Avast. That ran OK without cutting off.

Then noticed Avast has a boot scan/repair facility. This took hours but found and deleted half a dozen (related no doubt) nasties and it booted up fine.

So... for now... it's OK again.
 Browser hijack? - Zero
So what AV were you using?

McAfee? Avast? MSE?
Last edited by: Zero on Thu 17 Feb 11 at 11:40
 Browser hijack? - Fenlander
To get me out of last night's hole I downloaded Avast which is on now. I have McAfee still loaded but turned off and Windows Defender seems to be on.
 Browser hijack? - John H
>> To get me out of last night's hole I downloaded Avast which is on now.
>> I have McAfee still loaded but turned off and Windows Defender seems to be on.
>>

Is this on your new laptop?

Is the problem just with IE or does it affect other browsers too?

and, why have you not followed Zero's advice to install MSE? ;-)

 Browser hijack? - Fenlander
No it's on the 3yr old main PC. I only use IE so don't know about others. Had Zero told me to use MSE I might have looked at it... is it a worthwhile/free thing... or is that you being ironic?

Whatever I had was really good... at one point yesterday it spoofed a McAfee you need to renew your AV subscription screen... it appeared 100% genuine except the link pointed to a crafty corruption of the McAfee web address.
 Browser hijack? - John H
>> about others. Had Zero told me to use MSE I might have looked at it...
>> is it a worthwhile/free thing... or is that you being ironic?
>>

No, I was serious. It is free, and it is from Microsoft.
www.microsoft.com/security_essentials/

As Zero has said in the past, you don't need anything else.
MSE will remove the outdated Defender automatically, but you will need to remove other programs yourself.
www.microsoft.com/security_essentials/support.aspx?s=1#mainNav
read - "Uninstalling existing antivirus or antispyware programs before installing Microsoft Security Essentials"

 Browser hijack? - Zero
My only protection is the built in windows firewall and security, the router firewall and MSE.

MSE is light, fast, unobtrusive, capable and free.

McAfee is a bloat, and Norton is the spawn of the devil. The only alternative I would consider other than MSE is Avast (and ideally to keep it fast and agile you need to delete it every six months and put it back on again - it seems to clog itself up.)

So yes to Microsoft Security Essentials.
 Browser hijack? - RattleandSmoke
MSE is fine, but Kaspersky is even better.

 Browser hijack? - Zero
You and I will have to agree to differ.
 Browser hijack? - Tooslow
'scuse me butting into F's thread, I don't feel too guilty as it seems he's winning. I abandoned KIS because I got cheesed off with it reporting trojans which Google could only find as discussions in the KIS forum of false positives and nowhere else.

And now onto a question. Would MSE be ok on my little netbook running XP or would I need a firewall too? I'm slightly embarrassed to ask, I ought to know, but I can't remember if XP has any firewall capability built in. I think it has a firewall for incoming only?

Thanks,
John
 Browser hijack? - Zero
Yes XP does have a firewall (came in with SP2? or SP3? can't remember but it's there). Yes it's only incoming, and yes MSE is IDEAL (with a big I) where machine resources are limited.
 Browser hijack? - Tooslow
Thanks Z. My only reservation on MSE was the firewall capability of XP but I reckon I'll go give it a shot.

John
 Browser hijack? - John H
>> MSE is fine, but Kaspersky is even better.
>>

And the price is ?

 Browser hijack? - Focusless
Independent comparison from 2010:
www.av-test.org/certifications?order=protection_desc&lang=en
 Browser hijack? - John H
>> Independent comparison from 2010:
>> www.av-test.org/certifications?order=protection_desc&lang=en
>>

their test version is "Microsoft: Security Essentials 1.0!
whereas current version is 2.0.657.0

another report www.nsslabs.com/download.html?code=Q310_AV_GTR_AMW

Last edited by: John H on Thu 17 Feb 11 at 17:25
 Browser hijack? - Fenlander
OK I've dumped McAfee and Avast then downloaded MSE. All running OK.

Just one question... Windows Defender still shows on the task bar and has a warning it's not turned on. Does MSE cover all its functions so it's no longer needed?

I did like Avast and if I get any issues like I've just had would be looking to it again for the excellent boot scan facility if MSE didn't resolve things.
 Browser hijack? - Zero
MSE should have dumped Defender. It has the same icon tho as Defender
 Browser hijack? - Fenlander
Perhaps I had an old version defender... its icon was a castle. MSE has put on an icon like a green house with a green flag.
 Browser hijack? - Zero
Ah yes you are right

The green and flag is good tho!
 Browser hijack? - John H
>> Just one question... Windows Defender still shows on the task bar and has a warning
>> it's not turned on. Does MSE cover all its functions so it's no longer needed?
>>

social.answers.microsoft.com/Forums/en-US/msestart/thread/509ff1bf-9c29-4afc-881a-79d66912a07a

Stephen Boots MVP, Moderator (A Microsoft Most Valuable Professional MVP ) says

"when you have Defender installed on XP already, MSE will remove it. (In some case, that has been reported as not happening)
When you install on Vista or Windows 7, Defender should be disabled by MSE (It cannot be removed)."

On computers running XP: "It is supposed to remove it completely if it finds Defender installed. However, it might not do that in all cases. If Defender is still installed after you install MSE, you can safely remove Defender from Add/Remove Programs in Control Panel. "

 Browser hijack? - Fenlander
Ahh thanks John that's OK. PC is Vista HP and I see MSE stops you turning Defender on but doesn't delete it. Similarly I've just loaded the new laptop (was on a McAfee 30day trial) with MSE and Windows 7 has behaved the same.
 Browser hijack? - RattleandSmoke
It should be added that a computer technician has slightly different requirements in an AV package. When we install anti virus software we don't want the customer calling back every few seconds asking if I should allow or block this etc.

MSE is brilliant as it is so simple.

Kaspersky has done quite badly in the latest scores, I may think twice about recommending it in the future but I need to do some more research of my own first.

Those results back my own recent experience of AVG, what was the original best free AV is now crap.
Last edited by: RattleandSmoke on Thu 17 Feb 11 at 22:05