Microsoft: Windows XP Pro - Firefox Home Page effectively hijacked by Yahoo Search
It seems that my Firefox has been hijacked by
http://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-t-web_au&p=au.yhs.search.yahoo.com
It causes disablement - maybe because there is a conflict between it and my chosen home page, which is STILL showing as the one I chose.
Sometimes my chosen home page wins out for a short while, but then gets replaced by the yahoo search;
Sometimes my own does not even get a chance.
This conflict appears to disable other browsers from accessing the internet as well.
I have received notifications like "A program on your computer has suggested a new default search provider for Internet Explorer." and even a dialog box with a choice of whether I really want to change.
It is to no avail, YHS remains dominant.
I've even replaced 'default search provider' in the Registry with my own choice, but after rebooting Yahoo is back in that key.
How can I get rid of YHS and get my own choice back?
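A defender-side check for the symptom described above, added here as an example rather than anything posted in the thread: Firefox keeps its start page and (in releases of that era) its address-bar search URL in prefs.js and user.js under the profile, and user.js is re-applied at every start, so a cleaner that only removes files can leave the hijacked URL in place. The script parses those files and flags watched prefs that point at hosts the owner did not choose; the allowed-host list and the prefs.js sample are constructed for the example (the yhs-avg URL is the one quoted in the thread).

```python
import re
from urllib.parse import urlparse

# Prefs a home-page / search hijack typically rewrites.
WATCHED_PREFS = {
    "browser.startup.homepage",   # start page(s), '|'-separated when several
    "keyword.URL",                # address-bar search URL (pref of that Firefox era)
}

# Hosts the profile owner actually chose. Assumption made for this example.
ALLOWED_HOSTS = {"www.example.com", "www.google.com"}

# One  user_pref("name", value);  line. Values may be strings, numbers or booleans.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample of a hijacked prefs.js; the yhs-avg URL is the one from the thread.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences (constructed sample, not a real profile)
user_pref("browser.startup.homepage", "http://www.example.com/|http://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-t-web_au&p=");
user_pref("browser.startup.page", 1);
user_pref("keyword.URL", "http://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-t-web_au&p=");
user_pref("keyword.enabled", true);
'''


def parse_prefs(text):
    """Map pref name -> raw value for every user_pref() line in prefs.js / user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def hosts_in(raw_value):
    """Hostnames referenced by a string pref; the home page may list several URLs split by '|'."""
    if not (raw_value.startswith('"') and raw_value.endswith('"')):
        return []                      # numbers / booleans carry no URL
    hosts = []
    for part in raw_value[1:-1].split("|"):
        host = urlparse(part).hostname if "://" in part else None
        if host:
            hosts.append(host.lower())
    return hosts


def find_hijacked(text, allowed=ALLOWED_HOSTS):
    """Return (pref, host) pairs where a watched pref points at a host the owner did not choose."""
    findings = []
    for name, raw in parse_prefs(text).items():
        if name in WATCHED_PREFS:
            for host in hosts_in(raw):
                if host not in allowed:
                    findings.append((name, host))
    return findings


if __name__ == "__main__":
    for pref, host in find_hijacked(SAMPLE_PREFS_JS):
        print(f"{pref} points at unexpected host {host}")
```

On a real XP profile the files live under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\ as prefs.js and user.js; pass each file's contents to find_hijacked() and check both, since a user.js entry silently overwrites prefs.js at the next start.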
If there is nothing in Add or Remove that allows you to remove this Toolbar, see if the Firefox Add-ons has something.
Remove Cooliris and Crawler Search
thread779-1545030: Remove Cooliris and Crawler Search
I see lots of recommendations here for programs like -
Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam.php
SuperAntispyware
http://superantispyware.com/
Maybe you could System Restore to a day before you inherited this Toolbar?
<<If there is nothing in Add or Remove that allows you to remove this Toolbar>>
Why do you suspect a TOOLBAR?
<<see if the Firefox Add-ons has something.>>
Any hints on how to do that?
Whatever is wrong with Yahoo, I don't think it fits into the malware or spyware category.
System Restore is an option, if I can track down when the hijacking started.
I did not at first recognise it as such.
We had this same problem where I work and it was malware.
As per Linney:
Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam.php
Installed it, ran it, and problem gone (at least for us).
Mel
Open Firefox, Select Tools, Add-ons.
How to stop yahoo search?
http://uk.answers.yahoo.com/question/index?qid=20090928000829AA5JE9p
See "Removing a search engine"
http://support.mozilla.com/en-US/kb/Search+bar?s=remove%20search
http://www.google.com/search?hl=en&rls=com.microsoft%3Aen-au&q=yahoo%2Bsearch%3F+-statistics+%2Bremove+OR+uninstall&btnG=Search&aq=f&oq=&aqi=
Melmits
<<Malwarebytes' Anti-Malware - Installed it, ran it, and problem gone (at least for us).>>
So did I.
It did find 28 infections, and labelled many (all?) of them as Trojans.
Said it could not delete them all, but they would be deleted at reboot.
It made no improvement, but did remove ASK from Opera, so not even Opera could access the internet afterwards.
Linney - I did discover the options to remove Firefox addons, but none of that improved the situation.
Try running GMER and see if that picks anything up and/or create and boot from this CD:
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
I have run the Malwarebytes' Anti-Malware a second time;
This time it found 3 Trojan.Agents and after I clicked on "Remove Selected" it reported success.
Firefox now opens in Yahoo - its Home Page;
Chrome opens in its Homepage, but IE is still disabled - cannot display webpage.
So I'd say IMPROVEMENT, without total success.
LATER
Success was shortlived - all the browsers are now disabled.
Hi,
Try using the removal software mentioned here ( ComboFix) - it seems able to remove most browser hijackers:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Also be sure your system restore is turned OFF during this process.
To Paraphrase:"The Help you get is proportional to the Help you give.."
If you check the logs produced by Malwarebytes' Anti-Malware it will give you a detailed list of files and registry keys infected.
As some nasty malware is able to regenerate itself, and some is difficult to remove, it may be a valuable exercise to physically check the locations mentioned to see whether the malware was actually removed successfully.
Are you surfing the Internet as an Administrative user rather than a Limited user and possibly reinfecting yourself?
What do you mean by browsers being disabled?
Do you still have an Internet connection?
WinXP Connectivity Issues
FAQ779-4625: Lost Connectivity after Registry or Malware Cleanup
Linney
I did in fact do what you suggested.
I'm in a hurry right now and can't go into all the detail, but to my surprise the actual files listed were able to be deleted.
However some Registry 'references' could not be found.
I am a user with administrative credentials/privileges (?)
I do have a lot of trouble with the internet connection as well - it comes and goes mysteriously - Since I wrote that they were disabled, the browsers HAVE accessed the NET.
I'm beginning to suspect that the (Virgin) network gets overloaded before and after school times.
Turkbear
Thank you for that link.
I'll report on it when I've been able to try it.
I'd toss in to try running malwarebytes in safe mode - maybe even safe mode without networking and see if it has better luck keeping the stuff cleared out after you reboot.
As others suggested, it's probably not a bad idea to shut off system restore.
This will probably delete all your restore points, but stuff likes to live in that area and then reinfect the computer after cleaning.
You can always turn it back on after you get the computer cleaned up.
I wouldn't just rely on one tool, either.
I'd also try at least these:
SuperAntiSpyware
DrWeb CureIt
And a clean-up with the following 3 might be good as well:
CCleaner
IObit Advanced System Care
Glary Utilities
What AV software are you using?
You may seriously need to look into another.
AVG is still pretty good, though I'm gradually moving systems away from that to Avira Antivir.
If you want a paid solution, I'd suggest putting Nod32 on there.
Also, what sort of firewall protection do you have?
Is this a personal PC, or a school-owned PC?
If personal, I'd make sure to have my own firewalled router.
If not, then you may want to at least let the IT person/dept know at your school to be checking their firewall logs, and making sure the network isn't infected as well.
For your computer itself, I'd suggest putting either Online Armor (what I use) or Comodo Security on your PC as a software firewall.
Also, you'll need to turn off system restore, and once you've finished cleaning the system for sure, reboot at least once, and then re-enable system restore.
This will make sure none of the junk also snuck into your system restore points.
And then it wouldn't hurt to also have these as back-ups on system protection:
Windows Defender (installed by default if you have Vista) and
SpywareBlaster
Advanced System Care also checks system settings for security.
SuperAntiSpyware also has some active protection besides scanning as well.
--
"If to err is human, then I must be some kind of human!" -Me
"it's probably not a bad idea to shut off system restore"
I should have mentioned that - for the nasty stuff, it's a great idea as long as the PC is stable and booting fine (no blue screens or freezing).
Some of that stuff really tries to come back.
Now try GMER and the other one I mentioned for mop up duty and/or superantispyware
and/or
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
and/or combofix (as suggested)
Kjv1611
I'm using AVG
I also have Windows Defender;
Spybot Search & Destroy and AdAware
I don't have the Windows firewall on because it is incompatible with one of the four above.
The PC is my private one.
My 'black-box' is a unit that receives signals wirelessly, and to the PC of interest, sends them wirelessly.
There is also an ethernet connection to THIS WinMe system from which I'm communicating.
So is it a modem, a router, is it firewalled - who knows?
<<....checks system settings for security>>
I have recently done a SECUNIA scan;
It listed numerous 'security' updates that were supposed to be lacking;
But in the list were just ordinary updates (Skype) AND a Java update THAT HAD ALREADY BEEN INSTALLED !
Moreover, it did not allow me to save the scan, so all that information and the links disappeared when I HAD to close the PC down.
It would be handy to know how such a document could be saved.
goombawaho
When I get my life back, I'll try your suggestion.
I HAVE downloaded GMER already.
Quote: I'm using AVG
I also have Windows Defender;
Spybot Search & Destroy and AdAware
I don't have the Windows firewall on because it is incompatible with one of the four above.
<<Are you telling us that the box which acts as the router/firewall is a computer running Windows ME?
>>
NO, what I am telling you is that the modem/router is connected wirelessly to the WinXP with which I am having the issues, but also to a WinMe PC by ethernet cable.
<<That just does NOT seem like a good idea at all.>>
I am VERY aware of the revulsion most geeks have to WinMe.
But it has - and continues - to serve me well for 'basic' computing, and I have found it more reliable than MY WinXP.
Of course there are things that it can't do [which is NOT at issue], and that is what I have WinXP for.
AS AN ASIDE - my ISP told me they would not 'support' WinMe, but I was very proud to get it connected AND working despite their refusal to help.
But it was a big effort.
I will take on board your recommendations about security software.
I AM familiar with Avira and COULD change to it.
I have JUST finished the fourth scan with Malwarebytes' Anti-Malware, this time with System Restore off and in Safe Mode and not connected on-line.
It again found the two resistant Registry infections, and again told me it had removed them.
I will do one more scan to see if this time they disappeared.
Yeah, it sounds like you've ended up with a mess on your hands.
Glad to hear it at least seems to be getting cleared up.
Okay, Windows ME as a personal desktop PC is not necessarily TERRIBLE.
I just thought from your original mention, it sounded like it could have been for a firewall/server.
Regardless, if it works for you, that's fine, and up to you of course.
If you're just doing web browsing and documents on it, though, you could install Ubuntu Linux on it instead of ME, and then keep XP on your main machine.
If you wanted to see what it's like you can download the free ISO image, burn to CD, and run without actually installing to the hard drive.
I do like Ubuntu, though my personal favorite desktop Linux that I have tried was Mandriva - it just seems to work better, drivers and such.
Then again, the latest Ubuntu seems to work really well, just tried again the other day.
Anyhow, my ultimate recommendation at this point is that if you have the disk, and you have the time, this'd be a good time to do a fresh install of XP on your main machine.
If you wanted to make absolute certain all the malware and such is gone, I'd say do this:
1. Download Darik's Boot 'n' Nuke, DBAN, and burn to a CD - or use another similar utility such as Active KillDisk.
2. If your system has a restore partition, it'd be good to back that up using a partition program - Acronis TrueImage, Norton Ghost, or one of the free ones... DriveXML comes to mind... I think that's the name. If you have the plain Windows XP CD, I'd go with that, but it'd be advisable to download your network driver(s) first, and put them on another hard drive, CD, thumb drive, whatever.
3. Backup any personal data you want to keep.
4. Start the DBAN wipe before going to bed, or before you are going to be gone somewhere for a good long while - at least an hour or two.
5. After it's finished, pop the DBAN disk out - actually, you can always pop it out once the process has started..
6. Pop in your Windows XP CD.
7. Install Windows.
8. If Windows didn't install your network driver(s) already, then load them from the backup.
9. Make sure Windows is updated at least to SP2.
10. Install Avira Antivir - or whatever else you choose; AVG, Avast!, a paid one perhaps - NOD32, whatever.
11. Make sure you've got all the rest of your Windows updates.
12. Make sure all drivers are installed/up to date as best you can, by checking in Device Manager, and verifying with Windows Update. For some drivers, you're best leaving Windows Update alone, however.
13. Install a good software firewall (Online Armor and Comodo Security are the best), and a couple anti-malware apps (SuperAntiSpyware and MalwareBytes are good... Plus I prefer to always include Windows Defender and SpywareBlaster).
14. After all that's done, then install whatever other software you wanted/needed - Office, games, whatever.
If you need a certain app for something, there are a few good spots to look at.
I prefer download.com, filehippo.com, and sometimes softpedia.com or soft32.com, but I think you have to be more careful with the latter 2.
Also download.com can trip some people up with all the ads surrounding your search results.
FileHippo is nice, in that it's a clean interface, and it limits what it keeps available for download, or so it seems.
On your ME machine, I'd just be careful.
If my memory serves me correct - it's possible it doesn't - Me is just wide-open, security-wise, compared to XP, Vista, Linux.
98 and ME are likely just more vulnerable, b/c they are just so far out of date.
I actually had ME once before.
So my disgust with ME is specifically based on user experience.
When I first tried XP, I thought I had died and gone to heaven...
In a computer geekiness sorta way, I suppose.
;p --
"If to err is human, then I must be some kind of human!" -Me
BTW, sorry if that last post was just too long.
It's probably more than you're asking for, but I personally believe you'd be best served going this route.
If you do that, just be SURE - EXTRA SURE - that you have anything you want to keep backed up.
Also, if you have MS Office installed, or any Adobe software (paid), or any other such "professional" software, make absolutely sure you back up any license data.
And if you don't know your Windows XP key, which with a Dell reinstall disk, you shouldn't need anyway, you can get that off your PC using the MagicJellyBean program.
It'll find your Windows and Office keys for you, so you can save to a text file, just in case.
--
"If to err is human, then I must be some kind of human!" -Me
Firstly
The scan done in Safe Mode as Administrator after System Restore and Internet Connection had been disabled, finally resulted in NO remnant infections, but Firefox STILL had its addressbar hijacked by the ASK/AVG/YAHOO/SEARCH URL!
So it seems the infections were irrelevant to my problem.
I was interested to see if I could fix that problem - and so far I have not succeeded - but in repayment for the very extensive instructions listed above, I want to tell you the following, [and you can't stop me from telling you] :
I have long ago learned how to avoid 'going back to square one'.
Whenever I want to do something where I am not sure of the outcome, I do it to a CLONE of my system, so that if it is unsatisfactory, I can discard it and go back to a system NOT contaminated by that experience.
This hijacking was unexpected, rather than an experiment going wrong.
By routine cloning after [satisfactory] changes to the system, I rotate my system through 6 HDDs, so at any one time I have HDDs with working system going back 6 modifications - so if something unwanted and irremovable slips in, I can go back to a system BEFORE that happened.
[I have graduated to 40Gb HDDs.]
Amongst other DISadvantages are the fact that the connectors, both power and signal, are not designed for frequent removal and re-attachment, so that gives me troubles - but I achieve a high confidence in getting back to 'clean' system without having to start over.
Sebastian42,
Yeah that should work.
However, you could get around the multiple hard drives by creating images files on ONE hard drive on whatever time basis you want to use.
Then, when you want to restore, you just have to boot to a bootable partition manager, and delete the existing partition, restoring whichever saved image you want to use.
The easiest option for this type of setup, I think, is to just pick up a copy of Acronis TrueImage, and let it do all the work for you.
Yeah, it costs $30, but it'd be cheaper than multiple hard drives.
And you could still keep even all your images backed up twice - use one data hard drive, and one back-up of data.
But whatever works for you.
I just think this method would be much wiser, considering the multiple connections you're mentioning.
Either doing multiple image files on your own, or else using Acronis TrueImage.
Of course, Norton Ghost does the same, I've just not used it very much at all.
--
"If to err is human, then I must be some kind of human!" -Me
Kjv1611
That sounds a very up-market way of achieving my goal without the wear and tear on me and on the HDD connections.
In fact, I wouldn't even have to use images - which I do NOT understand anyway.
I could make several partitions on a large slave HDD, and use my current cloner, Casper5, to clone to one partition after another in turn.
I could keep using the same HDD as my Master, and never touch the connectors again (for THIS purpose)!
For Identification purposes I might have to gradually increase the size of the partitions e.g. 40Gb, 41Gb, 42Gb etc.
Back to my original problem - I have also run Microsoft Malicious Software Removal Tool - it found NO infections!
Since GMER showed me a category called Rootkit/Malware, I have used Sophos Anti-Rootkit, but its results included all but the kitchen sink as 'unknown hidden files' and it warned me not to delete anything 'without informed consent'.
And I am left with a system that appears to respond to network congestion by fabricating a hijacked-looking URL!
I say that because 'the fault' is quite intermittent and most prevalent around 8am and 4pm.
What a quandary!
You have fried a lot of brain cells on this.
Next steps:
1. Back up data
2. DBAN to wipe the drive
3. Reload XP
4. Restore data
5. Happiness
Goombawaho
Data is a valuable part of what would be lost if I reformatted the HDD, but by NO means the only valuable part.
Years of adding, updating and tweaking of programs would also be lost.
And so DBAN/Fdisk/Repartitioning and re-installing would be the absolute LAST thing I would consider.
I might even prefer to live with the intermittent non-access to the internet...
Hi,
I did not see any response to my idea about using ComboFix...
This is the only program I found that could eliminate the overclick.cn trojan (virus/rootkit, whatever) which is known for hijacking search engine URLs.
If you haven't tried it yet, I recommend it highly..
Read the full details at that link I posted:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If you did use it and still have an issue, have you uninstalled/rebooted/reinstalled firefox to see if that helps?
To Paraphrase:"The Help you get is proportional to the Help you give.."
Turkbear
I downloaded DDR (is it?) but have not yet got to use it as you suggest.
This is still a work in progress.
The main stumbling block at the moment is the intermittency -
just because I can access the internet does not mean I wouldn't encounter ask/avg/yahoo/search in the address line next time.
Thank you for 'sticking with it'.
Hi,
Not DDR, ComboFix.exe from a link on the site I posted - There are full instructions there on using it (it is very powerful, so read first, then use as directed).
To Paraphrase:"The Help you get is proportional to the Help you give.."
Sorry - I thought DDR was what downloaded from the ComboFix - I'll have to re-cover that ground.
I know this is getting away from the original topic, but since kjv1611 suggested gathering all my clones into one HDD to avoid wear and tear on connectors, I want to recount what happened: I bought a new 3.5" 320Gb IDE HDD for the purpose.
Fdisking from a boot floppy showed only 32Gb.
CheckDisking (to remedy that) did not seem to start.
Paragon Partition Manager on Hiren's Boot CD could 'see' 298Gb, and divide them suitably.
With Norton's Partition Magic (also on Hiren's Boot CD) I could format all 8 partitions.
However Windows Explorer shows the drive but no size, and 'Manage' in Properties of My Computer shows only 128Gb!
Hmm, that is strange.
I would think it'd be your BIOS, but if so, I'd think it'd be the same across all programs.
Then again, it's worth a check.
Try checking with the motherboard manufacturer's site for any BIOS updates, and see if they correct such errors.
I know that many BIOS had to be updated when the large disks first started becoming available.
--
"If to err is human, then I must be some kind of human!" -Me
That first 320Gb HDD was seen as 320Gb by BIOS.
It was Windows Explorer that did not recognise the partitioning and it was Manage in My Computer that showed only 128Gb.
The shop I bought it from kindly let me try another HDD from their stock.
Without doing any fdisking or partitioning, I went directly to My Computer's Manage, and it ALSO showed only 128Gb.
The shop then connected it to their PC and in Manage it showed as 320Gb.
That points the finger of blame at my PC or the combination of my PC and that batch of HDDs.
I got a refund for that HDD and intend to get one from another shop, as a first step.
B.T.W.
The original problem of address-bar hijacking by ASK/AVG/YAHOO/SEARCH is not occurring currently - on a drive that was NOT treated to all the scanning reported on above.
Sure enough - when I changed the o/s with which I tried to look at the 320Gb HDD, from just raw WinXP-Pro, to WinXP-Pro/SP3, the problem went away (i.e. 320Gb was recognised).
OF COURSE there is a new problem : After using Casper5 to (very efficiently) partition the 320Gb into 6.2Gb and then incrementally increasing partitions from 40Gb up, Casper told me it couldn't clone the 5.8Gb WinXP-Pro/Sp3-plus-Casper5 to the 6.2Gb partition because there were valuable files in it !
I definitely need a bootable system in that first small partition (and it must contain the cloner, Casper5, too).
Making that first partition a little bigger fixed that problem.
I was about to say that your problem was sounding like it was missing an update for Windows.
So yeah, that's why XP SP3 worked when "plain ole" XP didn't...
I'm assuming your "plain ole" XP partition is running before SP1 and/or SP2.
Service Pack 2 (SP2) had a TON of important updates for Windows.
But it may have actually been SP1 that fixed the drive size issues - I forget.
I wouldn't doubt if one of the other guys around here can tell you date and time when that fix occurred, as well as its kb number (the reference number of the update).
--
"If to err is human, then I must be some kind of human!" -Me
The post from which I got that idea did mention SP1.
For the moment, both the drive partitioning problem, and the home page hijacking no longer impede my progress.
I suspect hijacking will be back, but in some strange way it seems to be related to Network Congestion.
So adieu to all the helpful contributors in this record-making long thread.