Browser Hi-Jacked???

Hi,
one of our systems appears to have had the browser hi-jacked. If they IE7 or Chrome, search using google, and click on the results, they are sent to a random page, and sometimes see Skooble or k-directory

We have scanned with Eset and various malware providers, deleted cookies, and tried various things - anyone seen this before?

Thanks

 

Have you created a log from SysInspector and checked it for suspicious files?

 

Just done that - no files are categorised as Risky - a few unknown, but they SHOULD be OK

 

I'd check all files from level 4 (yellow) or better from level 2. If you're not familiar with a particular file, upload it to VirusTotal. If it's detected by some AVs, submit such files along with the ESI log in a password protected archive to samples[at]eset.com.

 

Another thing I would do is update to IE8, if you must use IE, I use firefox. Also make sure all the systems on the network are up to date with the Microsoft security bulletins. Tomorrow is Microsoft's security patch day (second tuesday of each month) so also make sure all systems receive them too.

IE is prone to hyjacks & remote code is easily executed within the browser by hackers. This would enable them to redirect searches to sites which are probably full of malware.

I use a combination of Firefox, the addon Adblock Plus, this stops adverts from displaying on websites. Pages load much faster as they are not loading a ton of flash objects, some of which can be unsafe.

 

It sounds like you have a rootkit, download and run either sophos or mcafee rootkit detective.and mabe also try HijackThis and look for things out of the ordinary.

 

This has now appeared on another system.
When searching google and clicking on a link, it is going to search.pro or skooble.

I disconnected the network, and connected using 3g. The page it was attempting to go to was
www.google.co.uk/click?sa=T&ct=res&...sdn.microsoft.com/en-us/library/bb158517.aspx

I did a full scan of this system today, and nothing was found. This is now getting quite worrying

Ran the Sophos rootkit and it didn't find anything on either machine.

 

It sounds like a rootkit still, but I don't know, you said you've checked & didn't find any.

I would advise against clicking that link, most redirects are caused by spyware or viruses, which redirect to more malware on these websites. I would ask that admin removed this link being as it is the result of a redirected search.

You could try:

Running windows updates for ALL the systems on the network.

Installing Internet Explorer 8 or Firefox on ALL the systems.

Try using another browser, Chrome, Firefox or whatever. See if they also get redirected. If not chances are your 'hyjack' is IE related.

This is why it's so important to keep all systems on Automatic Update, so when Microsoft patch the holes that let hyjackers in, your system is protected.

Sometimes this happens if you install by accident a feature that changes the homepage or redirects searches. It happened to me once when an MSN addon installed ask.com onto my PC, which changed & locked my homepage to ask.com. Not dangerous, but damn right irritating. I too found no malware on spybot or NOD32. I eventualy sussed it by finding it in my programs list from start lol.

Do a system search of one of the systems doing this for the name of the site/s it's redirecting to, you might just find some adware/spyware installed thats 'safe' but a bloody nusense.

IE to be honest is not a good browser for use on systems that are used by multiple users. It's slow, easy to crack and has little in the way of privacy & security. If you must use it, my advice would be to always use the very latest version, which is IE8.

You can get IE8 from the Microsoft site, and PC's on Auto Update should receive it via that.

 

Hi,
thanks for replying.

All systems are on auto-update, and the one that wasn't running IE8 is now running it.

Using chrome we still get redirected.

2 strange things - using Bing works ok, and using a 3G connection instead of the network connection seems to cure it - very strange

 

Ok thats odd. Sounds like you actualy have a program (or a rootkit) on these machines. Rootkits are a devil to remove & some AV won't pick them up. You could try a free rootkit remover & see what that throws up I spose.

Did you search the machines for keywords, like the name of the sites your getting redirected to? I found this ask.com program & it was easy to remove via it's own uninstaller.

Also delete the temporary internet files & clear the browser caches.

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx This is a microsoft site that gives you some info on rootkits. Although I wouldn't attempt half of it if your not an expert.

The last option would be to do a complete re format of these machines, but there must be a less invasive solve to
this.

The fact that Bing doesn't do it points to the fact this is a google centric program installed on these machines which has attatched to that connection, hence why it cannot connect on the 3g. It'll be coded to redirect google searches as google is the most widely used engine, again pointing to some form of malware.

Try a scan with spybot search & destroy. It's one of the best spyware sweepers around, it's a quick scan & it scans for most of the known bots. Download it here: http://www.safer-networking.org/index2.html
I use it just to back up NOD32 & run a scan with it every now & again.

Also check in the computer's event veiwers & see if there are any errors or events from installed programs.

Could you run off a hijackthis log & a screenshot of the running processes from one of the 'infected' machines & post it here so we can take a look? This might show if any spyware or suspicious program is active at the time of the redirects.

 

sorry to admit this, but mcafee rootkit detective is better than sohpos antirootkit.it will actually let you remove the hidden stuff, but sophos is not advanced enough to do so.Make sure if you run rootkit detective that you go into the settings and select all of all for all before you start the scan.then when it's done you have to click the various radio buttons to see the different results.if it finds anything, then it will rename it, then making it possible for you to remove manually.

 

Afraid Macafee won't run on windows 7 - and running it in compatibility mode causes a BSOD

I can reformat this machine - as I only set it up over the week-end.
My big fear is that ESET didn't catch it the last time around - so what would be different this time around

 

If it's spyware, it might be showing as an active process, if you could post a screenshot of the computer's active processes & a hijack this log, we might be able to help more.

Also remember that Windows 7 is still not fully stable & is still unsupported by a lot of programs so issues are likely to arise.

 

Also check for unusual looking add-ins in Internet Explorer, and what DNS servers the PC's in question are using, as their DNS settings may have been altered.

 

Hi,
Ah - DNS
They are set to
93.188.166.105
93.188.161.105
1.2.3.4

which lookuping up looks to be suspicious.

Read to run smitfraud.exe but eset blocked its download

This appear to be on the right lines?

Thanks

Pete

 

Yes I would just change the DNS servers back to those of your own network or ISP.

You could run Smitfraud as well, but if there are no dodgy-looking BHO's in Internet Explorer, and your SysInspector log is definitely clean (no rootkits etc)., then it may just be those DNS settings which were causing the issues.

 

Second this, IE has a nasty habbit of installing unwelcome addons from various places. Another reason I stopped using it. Firefox suits my needs much better & I control what addons I have, not the browser. Any addon has the potential to redirect searches. Spyware can install addons to link with DLL's on the computer to do this also.

I use a few addons, but the best one is by far adblock. I've not seen an online ad for about 2 years

I really hope Windows 7 comes with an option to install your own browser, because IE sucks.

I would also go back to the your original ISP DNS setup.

 

Cheers guys for the help - it was redirected DNS.

Set them to use opendns.

Still don't know the cause - but so far things SEEM ok

Thanks again

Pete