
 o
Firefox and Explorer Hijacked. OS=W8.1

Posted by jerry_nj (My Page) on
Sat, Jan 11, 14 at 22:27

While using my Firefox browser a few minutes ago, not doing an update, the browser was hijacked to "search.findwide.com....." I could not get the browser to move to my ISP home page. I opened Exchange and it too was homed on "search..." It then started to scan or I know not what and I could not make it stop so I hit the power switch and forced the computer down. I powered up and after a bit longer than normal W8.1 recovered giving me a login and then the Tiles. I opened Firefox and it again came up at the "search...." I opened tools and forced my ISP URL back into my start up and regained control. I know not for how long. But I was able to get here.

Any idea on what is going on?


Follow-Up Postings:

 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Here's some interesting reading while you're waiting on someone more knowledgeable in malware removal...

http://malwaretips.com/blogs/remove-findwide-search-virus/


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Thanks, I'm now on my W7 computer and it isn't infected, or is an XP machine that was also online, same home network.

I'll run the malware software I have on the W8.1 machine.

I had been, you contributed to my question, been running to unzip a file WinRAR. I accomplished that just before this problem raised its head, may be related. I will warn the person who sent me the RAR file.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

I haven't installed WinRAR for ages, and I'm not clear that you did either, but maybe the "malware" came with it? Just guessing.

Perhaps you could look in System Restore and if Windows happened to set a restore point right before installing WinRAR (assuming you did), you could just restore to the point right before you installed it? If so, maybe that would be quicker and easier?

Again, I'm just guessing, I'm not much of a Windows person.

Edit: Oops, reading your other post, it looks like the offender is probably WinZip and not WinRAR.

This post was edited by chuggerguy on Sat, Jan 11, 14 at 23:50


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

"I'll run the malware software I have on the W8.1 machine."

No! That's not going to do any good. Run the program below
Please download AdwCleaner, see link, onto your Desktop

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click the Scan button and wait for the process to complete.
[*]Click the Report button and the report will open in Notepad.
[*]NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
[*]Click on the Clean button and follow the prompts.
[*]A log file will automatically open after the scan has finished and the PC has rebooted.
[*]Please post the content of that log file with your next answer.
[*]You can find the log file at C:\AdwCleaner

Here is a link that might be useful: adwcleaner

This post was edited by zep516 on Sun, Jan 12, 14 at 1:28


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Zep

Thanks sounds like you've been "here" before.

One question for future, when I ran Malwarebytes it found a couple hundred problems, but it seems the only way to remove those found is to check them one-by-one. I didn't and when I clicked/checked a few and clicked "remove" it did and dropped back to restart.

I will send an email to the source of the file I unzipped shortly before just in case.

Can anything be learned by running Avira/Megabygtes/.. on the file I suspect, relative to learning if it is the problem?


 o
Wow, RE: Firefox and Explorer Hijacked. OS=W8.1

Wow, did I say WOW !!
Zep, that was fast, must have been less than one minute for the program to find a "bunch" of problems in most categories.

My Firefox is now clean and running much faster if this first use is an example of the future.

Now here's the bad news: I'm an old guy and can't remember a list well, I ran "scan" and then "clean" I forgot to run "report" so I guess the report is lost. Sorry if I lost useful data, but I'll let you/all know what I learn from the suspected source.


 o
adware file RE: Firefox and Explorer Hijacked. OS=W8.1

Zep, turns out some information was saved. First I checked Chrome, it too was/is infected. Seems a specific step has to be taken to get adware to clean.

In any case here's what I got from adware.

# AdwCleaner v3.016 - Report created 12/01/2014 at 08:13:29
# Updated 23/12/2013 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Gerald - JERRYGAYEWAY2
# Running from : C:\Users\Gerald\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16384

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Gerald\AppData\Roaming\Mozilla\Firefox\Profiles\ys8fctmc.default-1382538210551\prefs.js ]

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Gerald\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2845 octets] - [12/01/2014 07:33:40]
AdwCleaner[R1].txt - [1015 octets] - [12/01/2014 08:12:11]
AdwCleaner[S0].txt - [2933 octets] - [12/01/2014 07:36:55]
AdwCleaner[S1].txt - [938 octets] - [12/01/2014 08:13:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [997 octets] ##########


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

You ran scan and clean, those are the important two. The report simply lists what happened and as you now feel your confuser is clean that is great.

I would suggest you now run a full scan with Malwarebytes. Last week I had occasion to run Adwarecleaner but it did not clean the computer fully, I set a full Malwarebytes scan in motion and left telling the owner what to do at completion. Before I left there were 45 things showing, I did not verify whether these were all simply cookies or bad guys (wish I had now but hindsight.....) sufficient to say it did shake my confidence just a little with Adwarecleaner.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

It is worth reminding the readers, no malware detection application is certified as foolproof and 100%. This is why it is regularly recommended to have a tiered approach.

I recommend to users who I discuss this with to have multiple detection applications downloaded, installed, configured on demand, and to keep them regularly updated. This protocol allows that in the event of a concern resources are ready and available. I further advise them to run them all, one at a time.

In a maintenance environment the user can pick and choose.

DA


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Guess my problem wasn't so..ooo unique after all. I am careful about what I download and especially what I give control of my computer to... I still think the problem got into my computer when I "un-zipped" a "RAR" (forget, I think that was the extension). That's the only unusual thing I did before the takeover happened.

Obist, one problem I have with Malwarebytes and even more with Avira scan is they take so long and my laptop puts them to "sleep" if I just walk away - and plugged into electricity too. I suppose I can reset the "power" or some other control to make the laptop stay awake longer, but how long, an hour? or just to not go into sleep unless I request it? I could go for that.

I also note that Chrome was not cleared for the hijack - but then I don't use Chrome, that may mean the Adw.. didn't detect it.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Zep - THANK YOU!

I just discovered that somehow Conduit had invaded my system and was driving me mad as I tried to get rid of it - Malware bytes and Adwcleaner did the trick!

How do I prevent this from getting installed again?

I am running Win8 -

Thanks!


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

I ran Adwcleaner (scan and clean) to compare reports. (I'm on win7). All I can make out is several registry items were deleted. Maybe the first item Service Deleted Application Updater refers to opting out of cloud backups during installation of Adwcleaner. Am I missing anything?

***** [ Services ] *****

[#] Service Deleted : Application Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Application Updater
Folder Deleted : C:\Program Files (x86)\YouTube Downloader Toolbar
Folder Deleted : C:\Users\xxxxx\AppData\LocalLow\Search Settings
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Search Settings
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SOFTWARE\Classes\AppID\(0A18A436-2A7A-49F3-A488-30538A2F6323)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(007EFBDF-8A5D-4930-97CC-A4B437CBA777)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(761F6A83-F007-49E4-8EAC-CDB6808EF06F)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(76C45B18-A29E-43EA-AAF8-AF55C2E1AE17)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(7CD74AFF-3433-4E34-92E2-D98DFDB30754)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(96EF404C-24C7-43D0-9096-4CCC8BB7CCAC)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(97720195-206A-42AE-8E65-260B9BA5589F)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(986F7A5A-9676-47E1-8642-F41F8C3FCF82)
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\(B18788A4-92BD-440E-A4D1-380C36531119)
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\DeviceVM
Key Deleted : HKLM\Software\Search Settings
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie
Key Deleted : [x64] HKLM\SOFTWARE\DeviceVM

***** [ Browsers ] *****


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

I don't understand your concern, all the items deleted were add / ware.

service : ApplicationUpdater.exe

This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

This startup entry is installed as a Windows service.

%ProgramFiles%\Application Updater\ApplicationUpdater.exe

Thanks
Joe :)

This post was edited by zep516 on Mon, Jan 20, 14 at 17:18
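
For reading a report like the one posted above, here is an added example (not part of any post in this thread, and not AdwCleaner's own code). It groups the "Deleted" lines by the kind of load point they represent, so services, Internet Explorer browser helper objects and registry-installed Chrome extensions stand out from plain leftover keys. The sample is an excerpt of the posted report; the category names and function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the report posted in this thread (subset of its lines).
SAMPLE_REPORT = r"""
***** [ Services ] *****

[#] Service Deleted : Application Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Application Updater
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3CA2F312-6F6E-4B53-A66E-4E65E497C8C0)
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie
Key Deleted : HKCU\Software\Search Settings

***** [ Browsers ] *****
"""

SECTION_RE = re.compile(r"^\*+ \[ (.+?) \] \*+$")
ENTRY_RE = re.compile(r"^(?:\[.\] )?(\w+) Deleted : (\[x64\] )?(.+)$")

# Registry locations that cause a component to be loaded or listed as installed.
LOAD_POINTS = [
    ("ie_bho", re.compile(r"\\Explorer\\Browser Helper Objects\\(.+)$", re.I)),
    ("chrome_extension", re.compile(r"\\Google\\Chrome\\Extensions\\(.+)$", re.I)),
    ("uninstall_entry", re.compile(r"\\CurrentVersion\\Uninstall\\(.+)$", re.I)),
]

def parse_report(text):
    """Return one dict per 'Deleted' line, tagged with its report section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "kind": m.group(1),
                            "x64": bool(m.group(2)), "target": m.group(3).strip()})
    return entries

def classify(entry):
    """Map an entry to (category, identifier)."""
    if entry["kind"] == "Service":
        return "service", entry["target"]
    if entry["kind"] == "Key":
        for name, pattern in LOAD_POINTS:
            m = pattern.search(entry["target"])
            if m:
                # The forum shows CLSIDs in parentheses; accept braces as well.
                return name, m.group(1).strip("(){}")
    return "other", entry["target"]

def triage(text):
    """Group identifiers by category; 32-bit and [x64] views collapse to one."""
    groups = defaultdict(set)
    for entry in parse_report(text):
        category, ident = classify(entry)
        groups[category].add(ident)
    return {category: sorted(items) for category, items in groups.items()}

if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        print(category, items)
```
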


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Hi Zep,

-- not concerned so much as wanting to learn more. Figured I must have some nasties since I use AVG and it hasn't garnered praise here.

Read up on ApplicationUpdater.exe --- malware pure and simple. What an innocuous sounding name. Thanks.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

I moved from AVG to AVIRA several years ago. I don't recall why but think it was due to pressure from AVG to pay for the full service. I get sales pitches from AVIRA but nothing I interpret to be a threat to cut me off.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Hi iris gal,

AVG is not designed to stop that sort of ad/ ware. None of the Anti Virus free or paid for target those browser hijacks, they target Real Viruses and Trojans mostly. Malwarebytes has changed its definition file base recently and is targeting this stuff more aggressively now. If you're using Chrome you may want to read this too.

http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/

In short the extensions in both Firefox and Chrome are real magnets for this stuff, as well as Internet Explorer. I see more of it in Chrome and Firefox, probably because they're used more.

Safe surfing habits are key, watch where you download programs.

I'll be graduating from Malware removal school soon, and will move people more aggressively to another forum where full scans can be done, diagnostic scans, and a better approach can be taken as opposed to just running AdwCleaner. If at some point you want to do a more thorough check, you can start a topic at the link below in the spyware forum and I'll assist you or just take a closer look, as always landz down is available too. I'd follow up on your computer with a Malwarebytes scan for now.

Here is a link that might be useful: http://www.help2go.com/forum.php


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Zep wrote:- ..... and will move people more aggressively to another forum where full scans can be done ......

Sorry but I find this bad form. What is wrong with using that same expertise you are learning right here on Gardenweb instead of poaching for another forum?


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Thanks Zep. I'll put that on my speed dial (Opera). Didn't know 'bout Malware removal school. Good.

I haven't run Malwarebytes on this computer and it's been over a year. Whoops.

Have never used Chrome and that's a good reason not to.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

zep-

An ounce of prevention is worth a pound of cure.

I hope your newfound understanding of malware (and presumably other annoying or dangerous foreign agents that act on PCs) will motivate you to aggressively recommend to readers here the importance of using the most effective and protective software security products. And that you'll let them know which ones those are. Also, many readers could benefit from information from you concerning safe and unsafe internet practices.

With efforts like that, you could eliminate or at least minimize the need to use malware removal techniques.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

bostonpat---- "I just discovered that somehow Conduit had invaded my system - Malware bytes and Adwcleaner did the trick!
How do I prevent this from getting installed again? "
Conduit is one of the many spyware/malware/cookie/adware entities that apparently pay "legitimate" websites for your information. I don't pay for software to protect from those intrusions but have tried numerous protections -- none of which prevent the adware from the computer. I have resorted to daily scans to keep the junk from slowing my older computer.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

When it comes to bugs, read virus and malware, I see no problem with a referral. Many times the remediation is intricate, extensive, and requires special attention from experienced individuals.

If I go to my primary care physician with a concern and he refers me to a specialist I don't even give it a second thought. So when it comes to this electric box why would I then?

The goal is to make a member whole.

To keep things in proper perspective: to start referring members to alternate sites without proper cause, that would be improper.

I really have more of a problem with any member Googling information pertaining to a thread, then copy and pasting the results into a presentation as if it were their own knowledge. Yes, it is the information that counts, but what is wrong with giving credit or reference where it is due. You know in some worlds it might be called plagiarism.

DA

This post was edited by damccoy on Thu, Jan 23, 14 at 19:57


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

DA if you read Zep's post and interpret as I did you may conclude that he will be offering his expertise at the other forum, not necessarily passing the person off to other individuals. My question was, and is, why can't he offer that same treatment here. Your analogy suggests going to a higher knowledge in which case it would appear to make sense.

I have no problems with Joe (Zep), I think he is very knowledgeable and extremely willing to go the full distance to get a result for a poster with a problem.

On occasion I have suggested people visit sevenforums and eightforums but those instances are where there is a good tutorial available to someone seeking help.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

@owbist
"My question was, and is, is why can't he offer that same treatment here."

Can't do it here, because the forum is written in HTML. All my codes and instructions are written in BulletinBoard format, for instance here's a common instruction given to a user to do something. This forum will not interpret the code and it looks awful. I have 100's of these pre set instruction sets coded like this.

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip [b]Autoruns.zip[/b] file, and double click on [b]autoruns.exe[/b] file to run the program.
Go [b]File>Save,[/b] and save it as [b]AutoRuns.[u]txt[/u][/b] file to desktop
You must select [b]Text[/b] from drop-down menu as a file type:
[URL=http://s175.photobucket.com/user/ZEP516/media/p4436801_zps3defde9d.gif.html][IMG]http://i175.photobucket.com/albums/w159/ZEP516/p4436801_zps3defde9d.gif[/IMG][/URL]

Upload the file(s) here: http://www.sendspace.com/
Click on [b]Browse[/b] button and navigate to the file you want to upload.
Click on [b]Upload button.[/b]
Click on FIRST [b]Copy Link[/b] button and paste the link in your next reply.

I'd love to do it right here, but the HTML is too much to overcome for me.

Also this forum rejects some of the Log files asked for, user can't post them here, some HTML issue.

This post was edited by zep516 on Thu, Jan 23, 14 at 23:29


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Good points that I had not considered Joe. Yes most forums do use BBCode rather than the HTML used here. Yes, this forum has some peculiarities and can tend to reject innocent statements.

Humble apologies offered to you and to Jerry for hijacking his thread.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

I hope we still see you around here for other issues, you have been a big help to me on problems that you handle very well with a few lines of text - "this is how/do" and I know others have also benefited.

Isn't it ironic that a computer help forum isn't able to handle computer formats.

I, among many readers here, don't know why or what BBoard is about - I remember the name being used back in the early 1990s as the "OS" for early "web-site" services.


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Wasn't taking any side as I really didn't think it was a territorial issue or a big deal at all. Just threw out a nugget of logic. As I said, "The goal is to make a member whole."

DA


 o
RE: Firefox and Explorer Hijacked. OS=W8.1

Joe, I'm not saying this would or would not be useful, I just found it with a search...

http://www.bbcode-to-html.com/

Personally though, just because I like to do things the difficult way I'd probably throw copies of all the text files containing the bbcode into a folder and attempt to develop a script to convert them all in one go. I'm not saying I could do it, but I'd likely try.

For instance, this rough beginning using "sed" works on the bbcode you posted above. It's missing a bunch of tags, even the regular [URL] one, but maybe it wouldn't be that difficult to extend. Or maybe it would, I don't really know.

  
sed -e 's/\[b\]/\<strong\>/gi' \
-e 's/\[\/b\]/\<\/strong\>/gi' \
-e 's/\[u\]/\<u\>/gi' \
-e 's/\[\/u\]/\<\/u\>/gi' \
-e 's/\[url=\([^]]*\)\]/\<a href="\1"\>/gi' \
-e 's/\[\/url\]/\<\/a\>/gi' \
-e 's/\[img\]/\<img src\=\"/gi' \
-e 's/\[\/img\]/"\>/gi'

Running the bbcode you posted above through that script yields this HTML:

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip <strong>Autoruns.zip</strong> file, and double click on <strong>autoruns.exe</strong> file to run the program.
Go <strong>File>Save,</strong> and save it as <strong>AutoRuns.<u>txt</u></strong> file to desktop
You must select <strong>Text</strong> from drop-down menu as a file type:
<a href="http://s175.photobucket.com/user/ZEP516/media/p4436801_zps3defde9d.gif.html"><img src="http://i175.photobucket.com/albums/w159/ZEP516/p4436801_zps3defde9d.gif"></a>

Upload the file(s) here: http://www.sendspace.com/
Click on <strong>Browse</strong> button and navigate to the file you want to upload.
Click on <strong>Upload button.</strong>
Click on FIRST <strong>Copy Link</strong> button and paste the link in your next reply.

Which when posted here gives:

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as AutoRuns.txt file to desktop
You must select Text from drop-down menu as a file type:

Upload the file(s) here: http://www.sendspace.com/
Click on Browse button and navigate to the file you want to upload.
Click on Upload button.
Click on FIRST Copy Link button and paste the link in your next reply.

The good thing about it is that once written, it would just as easily handle five hundred files as one. The bad thing is, I don't know "regular expressions", although I wouldn't mind learning. Actually, I did learn a wee bit just now. Thanks. :)

Edit: line-spacing

This post was edited by chuggerguy on Fri, Jan 24, 14 at 16:46
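
A converter along the lines sketched in the post above, as an added example that is not part of any post in this thread. It uses Python rather than sed, replaces each opening tag only together with its closing tag, HTML-escapes the text before converting, and emits a link or image only when its URL is http or https. The tag list, the `rel` attribute and the function names are this example's own choices.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
PAIRED_TAGS = {"b": "strong", "i": "em", "u": "u"}

# Two lines of the canned instruction quoted earlier in the thread.
SAMPLE = ("Go [b]File>Save,[/b] and save it as [b]AutoRuns.[u]txt[/u][/b] file to desktop\n"
          "Click on [b]Upload button.[/b]")

def _checked_url(escaped_url):
    """Return the URL escaped for an attribute, or None if it is not http(s)."""
    url = html.unescape(escaped_url).strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(url, quote=True)

def _img(match):
    url = _checked_url(match.group(1))
    # A rejected URL leaves the BBCode in place as visible text.
    return f'<img src="{url}" alt="">' if url else match.group(0)

def _link(match):
    url = _checked_url(match.group(1))
    if not url:
        return match.group(0)
    return f'<a href="{url}" rel="noopener noreferrer">{match.group(2)}</a>'

def bbcode_to_html(text):
    # Escape first: any raw HTML in the input becomes inert text, and the
    # only markup in the output is what the substitutions below emit.
    out = html.escape(text, quote=True)
    for bb, tag in PAIRED_TAGS.items():
        out = re.sub(rf"\[{bb}\](.*?)\[/{bb}\]", rf"<{tag}>\1</{tag}>",
                     out, flags=re.I | re.S)
    # Images before links, because [url=...] commonly wraps an [img].
    out = re.sub(r"\[img\](.*?)\[/img\]", _img, out, flags=re.I | re.S)
    out = re.sub(r"\[url=([^\]]*)\](.*?)\[/url\]", _link, out, flags=re.I | re.S)
    return out

if __name__ == "__main__":
    print(bbcode_to_html(SAMPLE))
```
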

