is there a way to recover from browser hijacking?

my browser got hijacked! it must have been one of the freeware programs i installed. i always have a strict rule to scan every downloaded exe file before installing it but unfortunately, i still got infected. what's happening is when i go to a particular site, the browser will be directed to another site. i can turn off javascript and stop this from happening but this is non-browser specific because when i use another browser, it's also being directed to that site. i'm thinking there's a running process that's injecting the javascript code whenever i visit the site i want to visit so i used sysinternals autoruns and procmon to try to find the malware but wasn't able to.
am i correct that there's a malware process that's injecting the javascript code to redirect the page? if so, how do i find and get rid of it? and if it's not a malware, where does the malicious javascript code come from?
it's frustrating trying to locate this malware....i'm almost to the point of reinstalling windows.
 
Does it happen no matter which site you are trying to visit?

Check your DNS settings
Check system proxy settings - proxies can redirect and modify http content
Check hosts file - works kind of like DNS, but with local resolution

Aside from that - if it's happening with all browsers, you might have a nasty one. My go to recommendation is to not worry about fixing it. Scan it with Malwarebytes to confirm. If infected - back up your important data, reformat/reinstall OS. Scan your data you backed up, and if clean go ahead and restore it onto your fresh install.
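As an added illustration of the hosts-file and proxy checks suggested above (example code, not something posted in this thread): the hosts content below is a constructed sample modelled on the Windows default with two injected entries, and the Windows path is the standard one. An entry that points a real hostname at a non-local address overrides DNS for that name on this machine only, which is exactly the kind of redirect the thread is chasing.

```python
import ipaddress
import os
from urllib.request import getproxies

# Constructed sample hosts file (not from the thread): Windows default header,
# one harmless local alias, one blocking-style entry, and two injected overrides.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1  my-dev-box.local
0.0.0.0    ads.example.net          # blocking-style entry, harmless
203.0.113.7  www.example-bank.com   # sends a real site to an outside address
203.0.113.7  update.example.com
"""

# Addresses that are legitimate in a hosts file: loopback and the "blackhole" 0.0.0.0.
LOCAL_OK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32")]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address on this line; ignore it
        for host in parts[1:]:
            yield ip, host.lower(), no


def suspicious_entries(text):
    """Return (line_no, hostname, ip) for mappings that point a name at a non-local address."""
    out = []
    for ip, host, no in parse_hosts(text):
        if not any(ip in net for net in LOCAL_OK):
            out.append((no, host, str(ip)))
    return out


def hosts_path():
    """Location of the hosts file on the running OS (standard paths)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, r"System32\drivers\etc\hosts")
    return "/etc/hosts"


def system_proxies():
    """Proxy settings the OS hands to programs (on Windows this reads the Internet Settings registry key)."""
    return getproxies()


if __name__ == "__main__":
    # Audit the constructed sample first, then the real hosts file if it is readable.
    for no, host, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"sample line {no}: {host} -> {ip}")
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            for no, host, ip in suspicious_entries(fh.read()):
                print(f"{hosts_path()} line {no}: {host} -> {ip}")
    except OSError as exc:
        print(f"could not read hosts file: {exc}")
    print("system proxies:", system_proxies() or "none")
```

Run it on the machine in question; any hostname listed with an outside address, or an unexpected proxy, explains a redirect that survives reinstalling the browser, because neither lives inside the browser profile.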
 
it only happens when i go to circledock.wikidot.com, it redirects me to feedflash.net. like i said, i can turn off javascript to stop the redirect but i just don't know how this javascript got injected into the browser because it happens in both firefox and internet explorer.

my dns is set to automatically configured and the hosts file looks like a default one. i don't have a proxy and malwarebytes and avast didn't find anything, as usual.

if anyone knows how to use sysinternals autoruns and procmon or hijackthis or other tools to find this malware, please let me know.
 
Have you tried using Chrome as well?

What about Inprivate/Incognito?

Try safe mode with networking to see if the same results occur.
 
Sounds like a run of the mill malware re-direct. Instead of manually locating it I'd recommend the following:

1. Download ADWCleaner (Bleeping Computer is a great source for all these btw) and run
2. Download HitmanPro and run

After the two programs run and clean your system you should be back up and running normally.
 
In future browse inside a sandbox.
If it goes titsup, delete the sandbox contents and start with a fresh browser.
 
as usual, adwcleaner and hitmanpro didn't find anything. safe mode didn't work but i was able to get to the site without issues on chrome. this is probably because i didn't have chrome installed on my pc at the time of the infection. i even tried reinstalling firefox but to no avail.

at this point, i think the only way of killing this malware other than having to reinstall windows is to use tools like sysinternals. i just don't know how to use them effectively.
 
Try an older version of Firefox portable. It keeps everything self-contained. Uninstalling/Reinstalling Firefox won't remove everything, especially with an infection.

I'd just heed my original advice and not waste anymore time and just backup and restore. Sucks, but it's the best way to be sure.
 
Spybot S and D
Malwarebytes
CCleaner

start with those 3 and it will probably remove all of the issues
 
so i booted into my pc with linux system rescue live cd and tried to access the website and bam! got redirected again! i thought the malware was on my hard drive but now i have no idea where it could be. i already re-partitioned and reformatted my hard drive. it can't be on the live cd, i created the cd on the laptop that wasn't infected and ram memory gets deleted every time you reboot the pc....wow. i got infected before but never one that i couldn't get rid of by reformatting the hard drive.
 
You mentioned a laptop. Does it browse correctly the sites that get hijacked on your PC?

Possible your router is the thing compromised. Did you change the admin login/password combo on the router? Bad folk know the defaults for the popular models and can program them into a malware script to change the info your router hands out during DHCP. Examine your router with a non-infected computer. Consider updating the router firmware as well. Possible the PC browser cached the router login info.

Manually setup your IP info on the PC and use the google DNS Cmustang87 provided.
 
as far as i can tell, the laptop and other pc's on the router don't seem to be infected. they browse correctly to the site.

i re-partitioned and reformatted my hard drive again and reinstalled windows 7 from an old retail dvd rom while having the ethernet cord unplugged. i made sure not to plug the ethernet cord back in until i changed my pc name, mac address, ip address, set up google dns, disabled ipv6 protocol, disabled tunneling adapter. i updated the router's firmware and rebooted it. plugged the ethernet cord into a different port on the router. i was sure that would fix the problem, then i got redirected again when i go to the site in question.

i don't understand where this malware is located or how it's tracking my pc. i'm completely baffled! how is this even possible! it seems almost as if the malicious javascript code resides on the website itself but that can't be because other pc's with windows 7 and firefox can get to the site with no problem.
 
It might be a problem in your router.
Not a definitive test but it's a start, try giving your IP to one of your other machines and see what happens.
Try another local IP on your PC.
 
Are you sure it's a problem with your PC? Might be a problem with the website or DNS provider. Have you tried accessing the website from a different device and/or network? Could be some advertiser fuckery going on I guess as well.

EDIT: Oh I missed your other post. Hmm.. might be a super cookie issue? have you tried wiping out all cookies?
 
try giving your IP to one of your other machines and see what happens
well...i don't want to infect my other pc's if it's somehow ip-related

i guess the question is, can the malware be hiding in the memory circuit on either the video card, motherboard, or cpu cache? i refuse to believe that any malware can survive a hard drive re-partition.
 
I'm not suggesting your router has been hacked.
It might have corrupted or become misconfigured.
 
Certain websites do redirect on click of links etc. and also upon visiting sites. Could be the advertiser has been compromised and the website owner doesn't know malware has been injected into the advertisements.

Also could be a cookie in your firefox/IE configuration.
 
finally figured out what the problem is!

the website i'm visiting has hidden adobe flash content on the home page. if you don't have the adobe flash plugin installed, you will be directed to a page to install adobe flash. since that page is no longer maintained, you get a generic "buy this domain" page. the site will not allow you to access their home page without adobe flash. you can disable it but you have to have it installed. this makes it seem like your browser has been hijacked! this also explains why i was still being redirected when booting off of the systemrescue cd. my laptop has adobe flash installed and was able to access the home page without being redirected.

i'm not sure if i should tell their webmaster about this issue but thank god this is not some super malware like i thought it was. most visitors to the site won't figure this out and won't be able to use the site, and since they made me waste a lot of time on this issue, i think i'm gonna let them keep losing visitors...
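The root cause found above is a page-side plugin check, not an infection, and it could have been spotted by reading the page source before touching the machine. As an added example (not code from this thread), the scanner below walks a page offline and reports two things: Flash embeds (the Shockwave Flash ActiveX CLSID and the `application/x-shockwave-flash` MIME type) and any URL the page assigns to `location` in an inline script or via a `meta refresh`. The page it scans is a constructed, hypothetical sample; the URLs and file names in it are placeholders, not the real site.

```python
import re
from html.parser import HTMLParser

FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Shockwave Flash ActiveX control
FLASH_MIME = "application/x-shockwave-flash"

# Constructed sample page (hypothetical; not the site discussed in the thread).
# A 2000s-style plugin check sends visitors without Flash to an installer page,
# and the Flash object itself sits in a hidden 1x1 container.
SAMPLE_PAGE = """
<html><head>
<script type="text/javascript">
  // no Flash plugin -> leave the page for an installer link
  if (!navigator.plugins['Shockwave Flash']) {
      window.location.href = "http://get-flash.example.invalid/install.html";
  }
</script>
</head><body>
<div style="display:none">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
  <param name="movie" value="/media/banner.swf">
  <embed src="/media/banner.swf" type="application/x-shockwave-flash" width="1" height="1">
</object>
</div>
<p>Welcome</p>
</body></html>
"""

# Matches `location = "..."`, `window.location.href = '...'`, `top.location = "..."`.
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


class FlashRedirectScanner(HTMLParser):
    """Collect Flash embeds and script/meta redirect targets from a page."""

    def __init__(self):
        super().__init__()
        self.flash_assets = []   # swf paths or object markers
        self.redirects = []      # URLs the page navigates to on its own
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower() == FLASH_CLSID:
            self.flash_assets.append("object[classid=flash]")
        elif tag == "embed" and a.get("type", "").lower() == FLASH_MIME:
            self.flash_assets.append(a.get("src", ""))
        elif tag == "param" and a.get("name", "").lower() == "movie":
            self.flash_assets.append(a.get("value", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.redirects.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as text; look for location assignments in them.
        if self._in_script:
            self.redirects.extend(REDIRECT_RE.findall(data))


def scan_page(html):
    """Return {'flash_assets': [...], 'redirects': [...]} for the given HTML source."""
    s = FlashRedirectScanner()
    s.feed(html)
    s.close()
    return {"flash_assets": sorted(set(s.flash_assets)), "redirects": s.redirects}


if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print("Flash assets :", report["flash_assets"])
    print("Redirects    :", report["redirects"])
```

Feed it a saved copy of the page (view-source, or the file a plain fetch returns) rather than visiting the site in a browser. If the only redirect target is a plugin-installer URL, the behaviour lives in the page, which also matches seeing the same redirect from a clean live CD.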
 
Looks like it's an advertisement. The flash content is displayed on the right side of the homepage (screenshot attached).

This website looks archaic as all hell, and I probably shouldn't have even visited. It's hard to say what other content it's trying to display live that could be compromised as well. Looks like the last time that site was updated was 2010 - I doubt the webmaster is even responding to emails at this point.
 
yep, i should've looked at the html code first. that would've saved me a lot of time and frustration. i just didn't want to believe that any webmaster would intentionally make their website seem like it's been infected with malware.
 