
Browser hijacked?



This happened last night, and happened again today.

I'll be on DGN browsing forums. When I go to click into a given forum, I get redirected to a porn site instead.

Last night, this happened seemingly out of the blue. The affected forum was this one.

Today, same thing happened. Been browsing and all of a sudden, if I try to get into this forum, porn-a-roo.

To fix it both yesterday and today, I deleted all temp internet files.

This is a brand new computer, and I have Windows XP, which comes with a firewall. I had it turned off to download something. Should I turn it back on - and is there a particular file secreted away somewhere on this computer I can hunt down and delete to stop this from happening again?

Thanks in advance for help.


Well Miss....

It is hard to tell if your firewall would have helped you. If I were you, I would go and get a good "anti-spyware" program from the store. I would not recommend downloading one, as a lot of the downloadable anti-spyware programs actually are spyware themselves.

That is my help from Comcast technical support...


AOL comes with anti-spyware that, up until now, seemed to work REALLY well.

I'm not so sure this didn't happen as a result of my having to piggy-back on isp.com. I bring up ISP.com and sign on using their server. I can then x-out of MSIE and start up AOL.

Once in a while, I just go ahead and use MSIE directly, which is admittedly dumb because then I'm not protected at ALL. I'm thinking that might be how I got infiltrated, and also why I ask if there's a particular file I should look for and delete.


You can try a Google search on the site that it takes you to and see if it comes up in any of the tech forums about it.

Also try downloading Spybot & Ad-Aware and run them to see if they'll help clean it off.

Part of the problem sounds like that whatever hijacked you altered your registry settings somewhere, so no matter if you get rid of your temp files, the computer will still do it again.

Spybot and Ad-aware are pretty reliable programs that I use at work. They don't cover everything, but they cover a lot and I haven't seen any problems with them giving you spyware.

You may also want to look into Mozilla Firefox as an alternative browser to MSIE. It's not as broken as IE and has some good bells and whistles to boot.

I would also recommend using it over AOL browser. If you can just get rid of AOL, you may want to look into it. Uninstalling the programs won't affect whether or not your email account (which you can access from the Web) and your AIM (which you can just grab an IM client like Trillian that has AIM, YIM, ICQ, IRC, and MSN clients all rolled into a convenient one-program package). Or you can look into just running the AIM client with the DeadAIM add-on.

But the AOL software itself is a resource hog, and has spyware that reports back to AOL. So if yer not using AOL as your ISP, you don't really need the connection software.

Just some tips and suggestions to throw out to you.


Most of the anti-spyware software you can purchase at the store, though not spyware in and of itself, will not help all that much. None of them work all that well, if at all. You can on the other hand get your stuff cleaned up. Ad-Aware, which you can get at LavaSoft, works rather well. Some would have you use Spybot Search and Destroy, which you can get at Spybot S&D. I don't really care for it that much. You may also want to get Coolwebsearch Shredder. You can get that at Merijn.org. While you're there, get Hijack This!. Spyware and browser hijacks suck.... but can be taken care of with a little time. Welcome to the internet.


If you surf the web at all, it's about impossible to be 100% protected from adware/spyware unless you plan on never ever running anything that any website wants you to run. (near impossible nowadays if you want full functionality from most sites)

Basically just run as much firewall / spyware/adware protection as you can without choking your system, and be prepared to occasionally have to hunt something down.

Also don't be too influenced by the horror stories you hear. Download some spyware/adware off reputable sites and just keep the above in mind.

http://www.download.com/sort/3150-8022_4-0-1-5.html?

Between Ad Aware, Spybot, the yahoo anti-spy stuff, my firewall, anti virus software and even the damn microsoft anti-spyware beta, if the spyware >still:tongue:


Uninstalling the programs won't affect whether or not your email account (which you can access from the Web) and your AIM (which you can just grab an IM client like Trillian that has AIM, YIM, ICQ, IRC, and MSN clients all rolled into a convenient one-program package). Or you can look into just running the AIM client with the DeadAIM add-on.

For IM, also check out GAIM.


When my browser was hijacked, I was using MSIE v6, I believe it was. First thing I had to do was stop using that browser. My second step, as Dark already pointed out, was to head over to Merijn and start reading up and getting some of their software downloads. These helped out a great deal. There's a LOT of information there.


Thanks for all the responses.

I'll be re-reading this thread when I have the time to sit down and focus on what I want to do.

Looks like I'll probably start with spybot. If that doesn't fix things, I'll go from there.

Again, I'm not interested in leaving AOL. Stated the reasons many times in the past, so I won't go into it again here. Suffice it to say that whenever something like this has happened, it's inevitably been due to something I did, not something AOL DOESN'T do.


Don't use the XP firewall. It has been shown to have several holes in it that make it ineffective against many pieces of spyware. Try using Zone Alarm (http://www.zonealarm.com). They offer a free version which works very well.

Also of note (I don't know if someone said this already) but AOL's browser is based on IE6, so it has many of the same vulnerabilities. While their spyware blocker is alright, it isn't the best. Try installing Spybot (as mentioned several times above) and activating its 'Immunization' feature. This will help to block many of the nastier pieces of spyware out there, as it will add registry entries that block certain sites from loading. Spybot also contains a program called TeaTimer which will run in memory and inform you of when programs are trying to make changes. While this can be annoying, if you insist on using the AOL browser, this is your best bet, as it will allow you to stop a program from changing your registry to make itself autoload.

Overall, and I cannot stress this enough, IE is unsafe to browse the web with. I haven't used IE or any related browser (AOL) in over two years. I really do not notice any issues aside from some sites that require ActiveX.

Personally, since Xupiter hijacked my browser (IE) 3 years ago, I have not gotten a single piece of spyware. This is due to not using IE, validating all cookies as they get requested and not patronizing sites that actively use spyware to make money. One power we do have in a commercial society is the ability to decide whom we patronize. While many of us believe the internet (outside of ISP costs) to be free, it is not. Especially when you pay someone like me $150 to come to your house and fix your spyware / virus issues. This is what I charge and I am at about half of many of the in-home services in Metro Detroit.

Just remember, IE may seem the easy choice, it is only that way because sites prefer you use it so that they may take advantage of you and make money by being the referrer for the spyware you get.

Do as you will.

P.S. I'm not telling you to leave AOL as an ISP, but to use a different browser.


Especially when you pay someone like me $150 to come to your house and fix your spyware / virus issues. This is what I charge and I am at about half of many of the in-home services in Metro Detroit.

How do you charge it? On an average per hour (i.e. 50 per hour 3 hour min) or a lump 150 per visit regardless of hours taken to fix? Just curious as I only charge a 30 per hour 2 hour min... Unless I find out they can cook... Then I tend to charge a dinner... But for me it's just a side thing as it's not my primary source of income. So I can be a little more discriminating on what I charge than some can... Although with the way things are going here at work I might be looking to make it a primary source of income...


Update:

It turns out the spyware blocker I THOUGHT was running on AOL wasn't. The icon it put on my desktop was an INSTALL icon, not a "this has been installed and is running" icon. So I wasn't protected in the first place.

That's been fixed now.

But I also downloaded & installed spybot - I believe that's what got rid of the porn hijackers.

Oh - meant to update... it was a series of different porn sites that would show up instead of the DGN forums. Not just one. So I couldn't search on any single one, Bav. But good tip that I'll get to in a second.

Anyway, I believe that issue is fixed. However, I'm now battling another one. Globe-Finder has hijacked my MSIE homepage - the one that comes up when I initially sign on to ISP.com's server. (I'm thinking that, somehow, GF & the porn hijacking are related.) I did do a search on that, and it's infamous on many tech forums.

Right now, antispyware.nextdesigns.net is helping me with that. Before contacting them, I tried CWShredder, and that didn't work. Neither did my solo attempts at using HijackThis. They're talking me through it using HijackThis, but so far, it's not working.

Still working on it, though. What a MAJOR pain in the ass.


Yeah, I'm sorry you're having this issue, FC. Hijacking is no fun and unless it's nipped early, all it's going to do is snowball. That's what ended up happening to me. Homepage was hijacked, random links hijacked, . . . . . . bah, it was a mess.

Glad you found some help for your unique situation :)


I should write a fucking book on spyware.

First recommendation, I second the recommendation above to download Firefox. It is a nice browser that seems a lot less bloated than IE. I use both, as it gives me two different browsers to use, particularly if I get some nasty spyware, which can really happen to anyone.

Now, some of the nasty ones I've been seeing (I fix this crap for friends/family constantly) take over your home page and do redirects. Spyware programs haven't been finding them. Open your IE, go to "tools" and then "manage add ons". You want to look and see what is listed. It is ok for Quicktime, AIM, YIM, etc to be in there. If you see some weird things titled "Browser Helper Object" or "Toolbar", etc... disable them. Also, write down the name of the file you are disabling. Often times it will be a randomly generated name, like prxh.dll.

After you disable them, you need to find those files on your drive. Generally, they will be in c:\windows\system32. What I have been doing is renaming them to prxh_temp.dll, and then creating a blank notepad txt file and renaming it to prxh.dll and marking it as read only. If you can't find the files, do a search for them, and do the same process.

After that, if you know how to use regedit, I search for references to these files in regedit and delete them. Be careful with this if you do not know what you are doing, as fucking up your registry is BAD. It is also good to run msconfig and see if any of these files are initialized there on start up. If so, disable them. It is also good to look for anything else suspicious in msconfig. Some hijacks use a completely different file to recreate all of the files you just got rid of, using different random names.

Generally speaking, I can get rid of most browser hijacks this way. Sometimes it can take a while. This one from toolbar.cc seriously had almost thirty entries in the registry! Unbelievable!

But, a quick fix is just download and use firefox. Seriously, it is The Poop.
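
As an added example (not part of the original post, and not code from HijackThis or anyone in the thread): a small Python triage of a HijackThis log that pulls out the Browser Helper Object, Toolbar and startup entries the post above checks by hand, and lists the ones to chase on disk, in regedit and in msconfig. The sample log is constructed, and the `looks_random` heuristic (file directly in system32 with a short, vowel-free name such as prxh.dll) is an assumption for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log-line format; the CLSIDs, URL and
# random-looking file names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: Example PDF Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\ExamplePDF\helper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\prxh.dll
O3 - Toolbar: (no name) - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\qwzt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [kxvb] C:\WINDOWS\system32\kxvb.exe
"""

ADDON = re.compile(r"^(O2 - BHO|O3 - Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
AUTORUN = re.compile(r'^O4 - (\S+): \[(.*?)\] (?:"([^"]+)"|(\S+))')
HOMEPAGE = re.compile(r"^R[01] - (.+?) = (.*)$")


def parse(log):
    """Return (homepage_settings, entries); one dict per add-on or autorun line."""
    pages, entries = [], []
    for line in map(str.strip, log.splitlines()):
        if m := ADDON.match(line):
            kind, name, clsid, path = m.groups()
            entries.append({"kind": kind[5:], "name": name, "id": clsid, "path": path})
        elif m := AUTORUN.match(line):
            key, name, quoted, bare = m.groups()
            entries.append({"kind": "Run", "name": name, "id": key, "path": quoted or bare})
        elif m := HOMEPAGE.match(line):
            pages.append(m.groups())
    return pages, entries


def looks_random(entry):
    """Assumed triage heuristic: the file sits directly in system32 and has a short,
    vowel-free stem (prxh, kxvb). It marks items to review, not confirmed malware."""
    p = PureWindowsPath(entry["path"])
    stem = p.stem.lower()
    in_sys32 = p.parent.name.lower() == "system32"
    return in_sys32 and stem.isalpha() and len(stem) <= 6 and not set(stem) & set("aeiou")


def review_list(log):
    """Entries to disable, then look for on disk, in the registry and in msconfig."""
    _, entries = parse(log)
    return [e for e in entries if looks_random(e)]


if __name__ == "__main__":
    for e in review_list(SAMPLE_LOG):
        print(f'{e["kind"]:8} {e["id"]:40} {e["path"]}')
```

The CLSID printed for each BHO or Toolbar entry is the string to search for in the registry alongside the file name; the legitimate entries in the sample (the PDF helper, QuickTime, ctfmon) are left out of the review list.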


Daniel - thanks for that. I shared what you said with the antispyware board that's helping me. They've had me download and run a half dozen different antispyware packages and similar scanners, and thus far nothing is working. I appreciate their help, and ordinarily am very patient when someone is taking precious time out of their day to help me. But this is getting kinda frustrating. I download programs, run scans, run fixes, post logs, over and over and we're not getting anywhere.

I posed this question there, and I'll pose it here, too. I just got this computer about a month ago. I have precious little loaded as far as programs, and what I have loaded, I can reload. Is it at all possible that reloading windows will fix this? I'm planning on starting up my eBay business next week. This is causing some computer slowdowns, so I'd hoped to have it fixed before then.


Reloading will help if you have a system that came with a "reload" disc. If it is a name brand, store bought computer, it will. Just reinstalling windows will do it if you reformat the disc. Personally, I think that is killing a fly with an atom bomb. If you really need help, I would be willing to walk you through some of this stuff. I could either do it through an IM program or the phone, either way is fine, though my cell phone tends to like to drop calls.

If they keep telling you to try program after program, they don't know what the hell they are talking about. That crap works, but fundamentally, all those spyware programs do is remove files, registry entries, etc. They are programs that have instructions for known spyware. Some spyware is new and hasn't made it into the new definition files. But, most of that crap functions the same way other spyware functions. I've seen some that really are a nightmare to remove manually, but they aren't actual viruses, and can be removed somehow or another. The trick is to just make sure all traces of the program have been removed, or it will recreate itself. I know how to walk you through that. We will need to figure out specifically what software you've been hit by, and then go from there.


To give you an idea of what they've had me do so far, I've downloaded & run the following programs: spybot, cwshredder, hijackthis, escan, antihook, etc.

At this point, they've had me run hijackthis several times, and just had me install escan and want me to post a log. The log is too freakin' big to post - so I've asked for an e-mail address to send the logfile to.

If you want to see what's going on, you can read the thread here.

I do have a reload disc - this is an emachines model with all startup software included.

If you take a look at all that and really think they're going in circles that aren't going to end anytime soon, I might want to take you up on that offer. We could do it in IM's with me on my laptop so I can restart the PC as needed. The only interruption would be if I need to get online for something.

Let me know what you think. I'd be available on Monday or after.

Thanks.


Those dudes are giving me a headache reading that crap. You don't likely have a virus, and if he thinks reloading your machine will fix it, he is out of his mind. It will, it is just overkill.

The bottom line is that basically, we just need to know what specific spyware you've been hit by. It is easy to figure out.

I work 1-10pm, so if you are around early after Monday, I can do it then. It should only take thirty minutes or so. If we can't figure out what it is, you can just reload it.


That sounds great. I won't even bother with the latest they want me to do.

Let me know what time Monday or after that, and we'll connect.

I only suggested reloading because, while I appreciate the kind of help this board and you have to offer, I don't like inconveniencing people when they're basically giving me free assistance. I get embarrassed after a while and figure I should offer a quick fix that'll stop infringing on people's time.


Hmmm...I don't know much about AOL, but I would suggest ditching it if that's an option. I think you're better off using IE with a decent firewall, antivirus and adaware, which seems to work well for me.

Right now I'm running Black Ice defender for my firewall, which works very well. I get virtually no popups at all. The drawback with the BID is that it's kind of costly, not sure how much it is though. Zone alarm is good if you don't want to spend money.

I definitely wouldn't rely on the XP firewall, getting yourself another good firewall is key. Gotta love those malicious porn sites, hehe.....damn things will fuck your IE up the ass.


Archived

This topic is now archived and is closed to further replies.
