Page 1 of 3 123 LastLast
Results 1 to 15 of 33

Thread: Browser Hijack?

  1. #1
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    98

    Question Browser Hijack?

    A short time ago my browswer (IE5.5, recently upgraded from 5.0) started showing evidence of being hijacked. Sometimes when it started up and sometimes during use it would link to one of a number of pages and thence on to various porn sites. In fact on start up it would sometimes do this even though not connected to the internet.

    The original links seen have been to pages on www7.paypopup.com, kathic.offshorechicks.com, www.xtrocash.org,www.exitorcash.com,www.cashexits.com.

    Scans with AdAware and SpyBot Search and Destry have revealed nothing in particular and currently I've got my machine protected by AdSubtract and PopUpCop, which are doing fine in closing down the windows but are also having a detrimental effect of closing things I might want.

    I have been a little suspicious of a module IstSVCwnd because I don't know what it is or where it came from and it sometimes is the cauise of machine hangs.

    A recent connection also gave cause for doubt (incuding the word 'ist') when PopupCop said that a site was trying to download 'FREE SEX-XXXTOOLBAR' with a requesting web page of http://www.slotch.com/ist/scripts/istsvc_ads.php?version=1005...etc
    and a download location of http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab


    I'm running Win2000pro behing Outpost firewall and with (up to date) AVG virus scanner.

    Any suggestions would be appreciated.
    Last edited by Reverend; July 22nd, 2003 at 21:42 PM.

  2. #2
    Friendly Neighborhood Super Moderator phishhead's Avatar
    Join Date
    Apr 2002
    Location
    San Diego, Ca.
    Posts
    3,409
    you need to get yourself ad aware
    sounds like you got some nasty spyware.
    Last edited by Reverend; July 22nd, 2003 at 21:43 PM.



  3. #3
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,737
    Also delete your temp internet files and cookies.

    =========== Please Read The Forum Rules ===========

  4. #4
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    98
    From my original message you'll see that I said, "Scans with ***AdAware*** and SpyBot Search and Destry have revealed nothing in particular".

    I've also cleared all temp. Inet files, including cookies. But it surely needs a program to be running to insert code into my local home page in order to cause the links to be set.

    K.

  5. #5
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,737
    Ken,try a small program called HijackThis:

    HijackThis, a general homepage hijackers detector and remover.

    Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks.

    It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgable folks (e.g. the forums) before deleting anything.

    download here

    =========== Please Read The Forum Rules ===========

  6. #6
    Bronze Member
    Join Date
    Dec 2002
    Location
    Derbyshire, England
    Posts
    98
    Many thanks Rev. I've had a look with HijackThis and it's shown up a lot of clearly dodgy things!

    Suspicion is clearly pointed at IstSVC!

  7. #7
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,103

    Try another browser

    Also consider trying Mozilla. It has easy to configure tools to block the material that is giving you problems.

    www.mozilla.org
    Linux Mint Debian Edition

  8. #8
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,201
    I like mozilla very much. I have checked and it uses far less resources than say Internet explorer. This is great for people with older hardware that still want to surf. Give mozilla a shot, and press CONTROL-T to launch a new tab. I hit that combination 5-6 times, and then can surf on all my favorite sites at once

    I also like Opera too.

  9. #9
    Techzonez Governor Super Moderator Conan's Avatar
    Join Date
    Apr 2002
    Location
    Philippines
    Posts
    3,920
    This thread sounds like it was a response to a problem in another thread, is it?

  10. #10
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,212
    remember to look in add/remove programs in control panel for any suspicious looking programs and remove them,

    something is turning your computer into a possible webserver.

    use this online scanner to see if it finds anything avg missed
    http://housecall.antivirus.com/housecall/start_corp.asp

    you should also contact lavasoft (ad-aware) and inform them of this software that is causing you grief.

    they may already know about it and might have an update you can try.
    contact them here
    mailto:[email protected]

    let us know any results

    cheers
    egghead
    ------------------------------------------------------------



  11. #11
    Techzonez Governor Super Moderator Conan's Avatar
    Join Date
    Apr 2002
    Location
    Philippines
    Posts
    3,920
    That could be the LOP spyware as it is very hard to remove, even Spybot cannot remove it.

  12. #12
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,212
    Lop.com
    Last updated Sep. 25, 2002
    Lop.com has become one of the most hated names on the internet. All over cyberspace, from message boards to newsgroups to IRC chat rooms I've seen people begging for help in getting rid of this annoying software.

    What is lop.com? Lop.com is a web site owned by C2 Media. It is mainly a pay-per-click search portal where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than create a quality web site to get surfers to their site and clicking those links, they instead created a program which is labeled variously as an mp3 search program, a porn search program, or some other such thing. The installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.

    An early version (installer name download_plugin.exe) installs two files in the user's wallpaper folder, one an html file and the other a shockwave file. The html file contains code to load the shockwave file. The installer sets the html file as the user's wallpaper so that the flash search engine program is sitting on the desktop at every boot. The flash file does little more than open and close a series of collapsible menus containing more lop internet shortucts and a search function which queries - take a guess - lop.com.

    A later version (installer name mp3serch.exe) omits this desktop feature as its bugginess reportedly led to its being discontinued. Both versions install a stripped down browser which uses the Internet Explorer web browser engine. This browser automatically launches the following URL:
    h**p://www.mp3search.com.

    Not content to leave the user with this browser, the lop installer also makes dramatic changes to Internet Explorer, Mozilla Navigator, and most likely Netscape Navigator. The default search engine pages, toolbar settings, and start page are changed. The lop installer adds scores of internet shortcuts in Internet Explorer's Favorites folder and in Mozilla's Bookmarks.htm file. The download_plugin.exe version does not alter Mozilla Navigator.

    These lop installers create a BHO which produces an accessories toolbar in Internet Explorer full of - you guessed it - even more lop.com internet shortcuts. This BHO also takes control of the browser to make it redirect to lop.com if there is some error loading a page. This BHO is named plg_ie0.dll. As with all BHOs, it can be disabled with BHODemon, although I've had two users report that after disabling it, another BHO was automatically generated with the name plg_ie1.dll.



    read the rest here,
    http://www.spywareinfo.com/articles/lop/
    ------------------------------------------------------------



  13. #13
    Friendly Neighborhood Super Moderator phishhead's Avatar
    Join Date
    Apr 2002
    Location
    San Diego, Ca.
    Posts
    3,409
    have you updated the DAT files for adaware? then rescan.



  14. #14
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,103
    Conan - You are right. I sure got my signals crossed here. I was trying to respond to the hijacked browser issue. Don't know how I started a new thread.

    By the way BB - You can also open a link in a new tab by pressing the scroll wheel. I find that more convienient than the two handed Contrl-T command. Also it the tab bar is open, you can right click on a blank part of the bar to get a drop-down menu to do a number of tab functions.
    Last edited by efc; July 23rd, 2003 at 17:23 PM.
    Linux Mint Debian Edition

  15. #15
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,201
    Thanks for the tip, but it doesn't work on my laptop. No scroll wheel

    Merged EFC's Thread with this one

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •