Another Browser Hijacking


mendel_leisk

<p> Just redirected to:</p>

<p><a href="http://getyoursecuritynowv2.com/1/?sess=p2T20jzxMS01JmlwPTcwLjY4LjEyMy4xMzkmdGltZT0xMjU1MEAMPQZN">http://getyoursecuritynowv2.com/1/?sess=p2T20jzxMS01JmlwPTcwLjY4LjEyMy4xMzkmdGltZT0xMjU1MEAMPQZN</a></p>

<p>From a Photo.net page, neglected to note which one. The page loads for a few seconds, stalls, and then goes over to the above, with the usual pop-up saying I'm infected, etc.</p>


<p>For what it's worth, I suspect the Photo.net page is immaterial, that there's some ad causing the problem. Hope this gets resolved, this is two days running that this is happening, and maybe 1/2 dozen times in total. I don't know what this guy's game is, and so far it's just an irritant, but please let's send him packing.</p>

<p>Mendel, This is a scam site trying to sell antivirus software. I still think the underlying problem is likely an infection on your PC, it's malware not a virus so AV programs don't pick it up. Instead of delivering the ad on photo.net, it delivers their own ad. You would probably see the same thing happen if you used another site with the same ad services. Have you downloaded and run Malwarebytes as I suggested in one of your other posts about this? It's free and certainly worth a try to stop your aggravation with this.</p>

<p>Josh Root was thinking along similar lines, suggesting a couple of malware products to try. I tried one of his recommendations: AdAware, which I'd used in the past and it found a few "tracking cookies", I think similar to Norton Internet Security which I have running.</p>

<p>Hmm, so maybe the ad service is unique to Photo.net, at least for me so far, but if I'd encountered it elsewhere on the net the malware would again crop up, ie: it's tailored to a certain ad service? Could be. Especially in light of no other feedback, others with the same issue.</p>


<p>I used to be a big AdAware\Spybot guy, but have found that Malwarebytes outperforms them more often than not.<br>

Assuming you are running windows, you may want to open the hosts file located at C:\WINDOWS\system32\drivers\etc with notepad and see if there are any entries that may be redirecting you to their server. This file is rarely used anymore and probably doesn't have many entries in it other than one or two for your own PC. Suspicious entries should jump out at you if they are there.</p>
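
The hosts-file check suggested in the post above, as an added example that is not part of the original thread: it flags entries that map a name to anything other than a local address. The sample file contents, the function names and the reason strings are constructed for illustration.

```python
import ipaddress

# Default Windows location named in the post above.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active entry in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]

def suspicious_entries(text):
    """Return entries that point a name at a non-local address.

    Loopback and unspecified addresses (127.0.0.1, ::1, 0.0.0.0) are normal:
    the machine's own entries or ad-blocking sinkholes. Anything else
    overrides DNS and can send the browser to someone else's server.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            findings.append((line_no, ip, names, "unparseable address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append((line_no, ip, names, "name mapped to non-local address"))
    return findings

# Constructed sample, not from any real machine. 203.0.113.0/24 and the
# example.* names are reserved for documentation.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # sinkholed ad host
203.0.113.45    www.example.com search.example.org
"""

if __name__ == "__main__":
    try:
        with open(HOSTS_PATH, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample when not on Windows
    for line_no, ip, names, why in suspicious_entries(text):
        print(f"line {line_no}: {ip} -> {' '.join(names)} ({why})")
```

An empty result only rules out hosts-file redirection; it says nothing about other causes of a redirect.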

 


<p>I recently ran across a similar problem, but it was happening with all web sites. It would try and push you to a site to buy an anti-virus program. Suggest you search your hard drive for these 2 files. Sysguard.exe and iehelper.dll. If you find them on the drive, open your Windows Task Manager and look at the processes tab and see if sysguard.exe is running. Next time you have the pop-up come across check for this exe file running under the task manager, leave the pop-up open and then kill the sysguard.exe process from the task manager's end process control button, the open pop-up should close. There are more detailed instructions available on the internet malware sites about these files if you have found them on your system. Hope this helps.</p>

<p>The same type of pop-up appeared on an associate's computer at the office last week. The installed antivirus did not detect it, but it was easy to fix. Do a google search for Microsoft Malicious Software Removal Tool then download and run the tool as a "full scan". This could take about 30 minutes to complete depending on your system. On the office system the problem was a trojan that produces a fake virus message. The tool cleaned it without a problem. Regards.</p>

<p>Man, I'm starting to feel like a guinea pig, a test tube subject. Ok:</p>

<p>To Michael Lawson: I checked the "etc", no files newer than 2007, so I think ok. Will look into MalwareBytes later, once the process (see below) wraps up.</p>

<p>To Walt Chapman: Searched C: for both those files. No exact match. Did find "AcroIEHelper.dll" in Adobe\Acrobat\ActiveX.</p>

<p>To Walter Tatulinski: I downloaded/ran MMSRT, and started a full scan. It's been going for over 4 hours now, nothing found so far...</p>


<p>The biggest thing that points to this being a problem on your computer vs the Photo.net servers is that I'm not getting any other complaints about the same problems. And when something is affecting everyone, I hear about it like crazy. Seriously, when something breaks, I get 100 emails right quick.</p>

<p>Mendel, you should have let the MS tool finish on its own (just run it over night). It can indeed take that long to run. A complete defrag prior to running it helps. A big help is if you clear out any temporary internet files, your caches, and the Recycle Bin. When I run this tool at the office it frequently does not find anything wrong until the very end of the scan. That is the way it works. Regards.</p>

<p>I don't know Walter, it was done with c:, working with a separate drive, which only has data files. I think odds are very strong the infestation would be on c:.</p>

<p>To Michael Lawson, I ran Malwarebytes last night. It found 3 positives, which I told it to resolve. At first I was thinking "Well, now we're getting somewhere". But then I googled what it found, Registry keys and settings. In a nutshell as set they disable warnings about virus protection and firewall shortcomings. Which at first blush sounds ominous. But the consensus was that various third party virus scanning and Internet Security programs will disable these, to avoid conflicts. And that Malwarebytes has no way of knowing the why, so rightly does what it does. But there's a strong likelihood it's benign, especially considering I'm using Norton's Internet Security.</p>

<p>And to Josh, I agree, it sounds fishy that no one else is chiming in. OTOH, maybe I'm just spending way too much time here of late, as evidenced by the 3 cans, so that I'm at the forefront of virus catching. I've been unemployed for a while, but it's back to the grind this coming Monday, so maybe things will quiet down ;)</p>

<p>So anyway, the floggings continue ;)</p>


<p>Thought I was out of the woods, but it just happened again, redirected to:</p>

<p><a href="http://live-virus-scanner5.com/1/?sess=p2T33jDxMS01JmlwPTcwLjY4LjEyMy4xMzkmdGltZT0xMjU1OUAMPQVN">http://live-virus-scanner5.com/1/?sess=p2T33jDxMS01JmlwPTcwLjY4LjEyMy4xMzkmdGltZT0xMjU1OUAMPQVN</a></p>

<p>As far as statistics go, it's always photo.net that's the start point for this redirection.</p>


  • 1 month later...

<p>This is a common problem these days, it is usually the advertising networks that are injecting this stuff onto "legit" sites. The New York Times got hit a couple weeks ago, for example.<br>

The virus-writing crowd has shifted from kids messing around trying to make a name for themselves, to underground crime networks. And as email malware mitigation tactics have gotten more effective, the evil-doers are increasingly migrating to web exploits. Typically they either exploit insecure web servers, or use unscrupulous or insecure advertising networks to inject unexpected code (generally javascript) into the ad stream.</p>
