Who/What is hijacking web pages? (Firefox Setup 38.0.1.exe)
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Who/What is hijacking web pages? (Firefox Setup 38.0.1.exe)
I have installed the latest Firefox from the recent link offered in Eileen's Lounge; not an hour ago. (and re-loaded Firefox of course)
I have updated Windows Defender which tells me everything is hunky-dory. (although I haven't run a full scan).
This morning's session has flung up a series of (to me) rogue web pages from various proper sources.
Proper sources: I am browsing pages of The Toronto Star, GO Transit Ontario, and other well-established web sites which, I assume, have reasonably good scanning of their links.
That is, I suspect that the problem is not on these sites, but is somehow related to my laptop installation.
Before we get into specifics, I'd like to establish a model/method/template/procedure for ferreting out malware that rears its ugly head when we click on a link.
Click on a link: After doing a Google search for, say "Go Transit station in Peterborough" I click on a search result and receive TWO pages, one being the desired result, the second being an audio (aaaaargh!) page with some sort of technical news. The screen shot above shows (left to right) that I was (Tab 1) reading the Google News page, then clicked on a link to a (Tab 2) story in The Toronto Star and was saddled with a third page (Tab 3) for "Pc-Keeper".
FWIW I am - unusual for me - in a local Starbucks coffee shop because the local public library is closed for the long weekend.
I'll be home in 15 minutes and will turn Windows Defender loose on a full scan while I make lunch.
I suspect that this is a browsing problem rather than a web problem; I suspect that it is the browser side of things that needs to be dis-infected rather than the machine in total.
But I'll follow instructions on my return and see if the problem goes away.
I'll even return to this cafe (at $3.10 a shot!!!!) if I can establish a good procedure for thwarting this latest scourge.
The staff here are very sweet.
I have updated Windows Defender which tells me everything is hunky-dory. (although I haven't run a full scan).
This morning's session has flung up a series of (to me) rogue web pages from various proper sources.
Proper sources: I am browsing pages of The Toronto Star, GO Transit Ontario, and other well-established web sites which, I assume, have reasonably good scanning of their links.
That is, I suspect that the problem is not on these sites, but is somehow related to my laptop installation.
Before we get into specifics, I'd like to establish a model/method/template/procedure for ferreting out malware that rears its ugly head when we click on a link.
Click on a link: After doing a Google search for, say "Go Transit station in Peterborough" I click on a search result and receive TWO pages, one being the desired result, the second being an audio (aaaaargh!) page with some sort of technical news. The screen shot above shows (left to right) that I was (Tab 1) reading the Google News page, then clicked on a link to a (Tab 2) story in The Toronto Star and was saddled with a third page (Tab 3) for "Pc-Keeper".
FWIW I am - unusual for me - in a local Starbucks coffee shop because the local public library is closed for the long weekend.
I'll be home in 15 minutes and will turn Windows Defender loose on a full scan while I make lunch.
I suspect that this is a browsing problem rather than a web problem; I suspect that it is the browser side of things that needs to be dis-infected rather than the machine in total.
But I'll follow instructions on my return and see if the problem goes away.
I'll even return to this cafe (at $3.10 a shot!!!!) if I can establish a good procedure for thwarting this latest scourge.
The staff here are very sweet.
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
I should add that I got about a dozen rogue pages over a half an hour.ChrisGreaves wrote:... This morning's session has flung up a series of (to me) rogue web pages from various proper sources....
While I might make an occasional slip-of-the-fingers, there were too many instances of rogue pages for this to be an occasional slip.
There's nothing heavier than an empty water bottle
-
- BronzeLounger
- Posts: 1242
- Joined: 25 Jan 2010, 22:25
- Location: Pickering, Ontario, Canada
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Hi Chris,ChrisGreaves wrote:I should add that I got about a dozen rogue pages over a half an hour.ChrisGreaves wrote:... This morning's session has flung up a series of (to me) rogue web pages from various proper sources....
While I might make an occasional slip-of-the-fingers, there were too many instances of rogue pages for this to be an occasional slip.
I just updated FF to the same version and tried searching (with both Google and Bing) for Toronto Star and Go Transit... as you did, and did not get the rogue pages.
So, time for you to go for another coffee and try again.
Regards,
Bob
Bob
-
- BronzeLounger
- Posts: 1242
- Joined: 25 Jan 2010, 22:25
- Location: Pickering, Ontario, Canada
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Hey Chris,
Just did a search for PCKeeper and found a few nasty comments about the product.
Here is one link
There are many more articles. If you search using Google, hopefully you will not keep getting those rogue sites.
Just did a search for PCKeeper and found a few nasty comments about the product.
Here is one link
There are many more articles. If you search using Google, hopefully you will not keep getting those rogue sites.
Regards,
Bob
Bob
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Thanks Bob; I'll do just that.BobArch2 wrote:So, time for you to go for another coffee and try again.
First though, a session(In progress!) at the Library to see if it happens there.
If so it is a problem on my system; if not, then I'll head back to that Starbucks and see if it re-occurs there.
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Thanks Bob, but the problem was NOT with PCKeeper installed on my machine; it was a problem that after I had done a Google search and clicked on an innocuous link, I received TWO new browser tabs - one with my required content and another for a "rogue" site.BobArch2 wrote: If you search using Google, hopefully you will not keep getting those rogue sites.
In the example I showed that rogue site happened to be PCKeeper, but there were at least three different sites that popped up as superfluous tabs.
There's nothing heavier than an empty water bottle
-
- Administrator
- Posts: 12604
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
This certainly sounds like you have a browser hijack exploit on your PC. If you can't find it with virus scanners then it might be worth sharing a list of browser add-ons to see if we notice anything untoward
StuartR
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
OK.ChrisGreaves wrote:This morning's session has flung up a series of (to me) rogue web pages from various proper sources....
It's happening in the library, too. So it wasn't the coffee shop environment.
It seems to me that I go to a web site and click on a link within that web site (that is, it's a two-stage process) and a rogue page arrives. I've had three occurrences and they seem to follow the same pattern.
In the first occurrence I went to a blog whose URL was published in the hard-copy edition of Toronto Star: The URL was http"//www.thiscrazytrain.com/ and I've purposely NOT made it a clickable link here. That blog suggested I check out another site http"//www.triplinx.ca which I did, and found myself asking the guy next to me to mute his laptop. It turns out the sound was leaking out of the earbuds which i regularly plug into my laptop to avoid problems with noise. Bioy! Was my face red.
A separate instance of Firefox had opened with a raucous "news" item.
In the second occurrence I went to a local tabloid site The Toronto Sun and clicked on a link about a shooting in Toronto. The page of news opened up (without the news text) accompanied by an extra unsolicited tab as shown below:- The third occurrence came after reading DenGar's post http"//www.eileenslounge.com/viewtopic.php?f=44&t=19982 and clicking on his link to "tech myths". After hovering (but not clicking) the mouse above the page for a few seconds, I get a third rogue web page.
Now I can not believe that This CrazyTrain/Triplinx and TorontoSun/News and Eileen'sLounge-Dengar/BusinessInsider are all in cahoots to extract money from me, even by getting paid $0.00001 each time I visit a page.
So I think there must be some sort of program code that is recognizing my mouse movements OR inspecting my mouse clicks.
FWIW the nice man to whom I complained about his (!) noise agrees with me that it HAS to be on my machine; the odds of three reputable sites providing links to three reputable sites and all three pairs being corrupted are not to be considered.
SO: It's time to disinfect my machine like crazy.
I'd appreciate suggestions for thorough (run-overnight, I don't care) disinfectant routines especially geared to Browser malware.
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Thanks Stuart; our postings crossed.StuartR wrote:This certainly sounds like you have a browser hijack exploit on your PC. If you can't find it with virus scanners then it might be worth sharing a list of browser add-ons to see if we notice anything untoward
I went into Firefox and found some stuff that I don't recognize as being the sort of things that folks applaud. Before
After
Before
The Foxit reader plugiun is disabled.
I think I'll RevoUninstall Foxit Reader, reboot, and see what happens.
Back in a minute ....
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- Administrator
- Posts: 78467
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Have you tried a scan with Malwarebytes Antimalware? The free version is sufficient.
Best wishes,
Hans
Hans
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Fired up RevoUninstaller in date-installed sequence and didn't recognise the three items Buzzlock, GlassBottle and WinPCap.ChrisGreaves wrote:Back in a minute ....
Removed Buzzcap which appeared to take GlassBottle with it.
Removed WinPCap, Shutdown (powered right off) rebooted and am now going to re-investigate those three sites.
Back in a minute ....
We didn't have all these problems when we used punched cards. Interestingly enough the VERY nice young man sitting next to me uses FORTRAN but not, it turns out, FORTRAN II that I am/was familiar with 45 years ago ...
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Well that looks a lot better.ChrisGreaves wrote:... am now going to re-investigate those three sites.
Moral: When/if it happens again, check with RevoUninstaller to see what's been added lately and also check the browser AddOn/Extensions/Plugins tabs.
Thanks Stuart. Now to Hans's response ...
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Thanks Hans, and no I hadn't.HansV wrote:Have you tried a scan with Malwarebytes Antimalware? The free version is sufficient.
I used to have it installed with WinXP but recall someone suggesting that Defender was sufficient.
I shall d/l the latest version and let it run a full-scan this evening while I have a cuppa and do the crossword.
P.S. I understand about having only one of them active at any time.
P.P.S. downloaded with latest updates and running, so i shall pack it in and run it from home.
There's nothing heavier than an empty water bottle
-
- Administrator
- Posts: 78467
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
The free version of Malwarebytes runs a manually started scan, it is not active all the time so it doesn't conflict with other security programs.
Best wishes,
Hans
Hans
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Right. Got it!HansV wrote:... is not active all the time so it doesn't conflict with other security programs.
It was just that I was getting confused about which anti-crud packages conflicted with which other anti-crud packages.
It's always risky when someone like me gets confused about confusion!
BTW: THANKS!
This is what MalwareBytes found after I'd RevoUninstalled and powered off/on:- Once Again: Stuart & Hans
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
At the risk of flogging this topic to death, I should report another benefit from this exercise: I am no longer plagued by a series of http"//www.canada.com (and the like) search results forcing their way to the top of the list in my Google Search results.ChrisGreaves wrote:This morning's session has flung up ...
I am not certain that these Malware things did that, but asking for help on avoiding canada.com et al. was close to the top of my list for help.
Those annoying non-hits seem to have disappeared overnight.
(signed) "Happier than I've been for weeks" of Toronto.
You do not have the required permissions to view the files attached to this post.
There's nothing heavier than an empty water bottle
-
- Administrator
- Posts: 78467
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
It looks like you unwittingly installed adware/malware such as OpenCandy together with software such as WinAmp, Primo PDF, Easeus and NetWorx...
Best wishes,
Hans
Hans
-
- PlutoniumLounger
- Posts: 15615
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
It certainly does; although I'm not 100% sure.HansV wrote:It looks like you unwittingly installed adware/malware such as OpenCandy together with software such as WinAmp, Primo PDF, Easeus and NetWorx...
I rebuilt from original CD Win7 about a month ago.
At that time I installed all my "regular" applications (WinAmp, Primo PDF, Easeus from your list) from older established files stored on my data partition.
For a month or more I have not experienced web page hijacking.
The weird Google search results began about two weeks ago and were beginning to aggravate me, which leads me to suspect ONE type of MalWare that was, somehow, rigging Google search results.
The rogue pages began last Monday (in the coffee shop) and began aggravating other people (the really very nice young man I snapped at yesterday!) yesterday.
I tend not to install fantastic new programs, don't visit porn or gaming or gambling sites etc.
I suspect that these problems might have been caused by me clicking on a link to a web site, the link innocently emailed to me by a close friend.
I may never know.
At any rate, the next time this happens I shall:-
(1) Check my browser addins and all that stuff
(2) Run an intense Malware scan over and above the regular weekly scan I will now impose upon myself
(3) Use RevoUinstaller to shred any software unrecognised by me.
(later) I suspect that I should also run Malwarebytes on my twin backup drives, but I suspect running it across my four Win7 Backup System Images is futile.
Now: back to trying to get my Twitter account unlocked ...
There's nothing heavier than an empty water bottle
-
- Administrator
- Posts: 78467
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
I cannot be sure either, of course, but GlassBottle, Bandoo, OpenCandy, ClientConnect and WorldSetup are 5 separate forms of adware/malware, and they were located in files/folders associated with other software such as WinAmp...
Best wishes,
Hans
Hans
-
- PlatinumLounger
- Posts: 5685
- Joined: 24 Jan 2010, 19:16
- Location: Cape Cod, Massachusetts,USA
Re: Who/What is hijacking web pages? (Firefox Setup 38.0.1.e
Chris,
Like Hans said but in different words, it sure looks like you got pooped on when installing something that had these things "piggy backed" with it.
Like Hans said but in different words, it sure looks like you got pooped on when installing something that had these things "piggy backed" with it.
BOB
______________________________________
If I agreed with you we'd both be wrong.
______________________________________
If I agreed with you we'd both be wrong.