Browser Homepage Hijack


16 replies to this topic

#1 wandering_goat

Posted 31 May 2011 - 08:21 PM

Hey there. I've just started getting a weird browser hijack across my computer (Windows 7 64-bit, using Firefox 4 and Internet Explorer). What it does - as far as I can tell so far - is set the homepage of the browsers to http://www.quick-quote-insurance.com/ . Also, when I highlight text in Firefox, right click and Google Search it, it takes me to a modified Google results page (the address for a search of "example" is http://www.google.com/cse?cx=partner-pub-6894140000573490%3A7655943223&ie=UTF-8&q=example&sa=Search&siteurl=www.quick-quote-insurance.com%2F ). Changing the home-page, whether through the browser or registry, takes it away, but it's right back again upon log-off / reboot.

I've tried several virus / spy-ware programs to detect the problem (MSE and Defender scans, HijackThis, Ad-Aware, and Spybot), as well as some other tools (TDSSKiller, CWShredder, and resetting the HOST file via the Microsoft web download). None of them have done anything. Neither does re-installing Firefox.

Does anyone have any ideas about what this may be? I haven't actually seen it re-direct me to any strange pages besides the initial homepage and the embedded Google search, so I'm not sure it's a typical browser re-direct virus. Just that not only is this annoying (changes homepage / unselects function to re-open prior tabs), but I'm kind of worried to be logging into any really private sites like banking.

Edited by wandering_goat, 31 May 2011 - 08:22 PM.


#2 wandering_goat

Posted 03 June 2011 - 02:51 PM

Well, I think I figured out the problem, finally. I had previously checked the start-up programs in MSConfig and everything seemed normal. However, I noticed that booting in safe mode didn't cause the homepage to be changed back, so I figured there must be something running to do it. After some searching, I finally found that there was a start-up program masquerading as a Windows file, called "svhost". I thought I remembered seeing it before, but I believe that what I remembered was svchost. Stopping it from starting with Windows fixes the problem, as far as I can tell. Hopefully that helps anyone having a similar issue.

One question though: What I did was stop the program from booting, reboot, and then deleted the file and its entire folder (C:\Program Files (x86)\Microsoft). Interesting in that the folder seems empty at first glance, but going to properties showed it had 4 files and was about 300-400 KB. Since no malware / anti-virus program detected / fixed this, is this all I need to do to be rid of this virus?
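The masquerade described in this post ("svhost" passing for svchost) can be caught by comparing startup entries against known system file names and their expected folders. The following is an added example, not part of the original thread; the name list, the trusted folders and the sample entries are assumptions constructed for illustration.

```python
import ntpath

# Short illustrative list of Windows binaries whose names malware imitates.
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"]
# Simplification: one set of trusted folders for every name in the list.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Judge one startup entry by its file name and the folder it runs from."""
    folder, name = ntpath.split(path.lower())
    if name in SYSTEM_NAMES:
        return "ok" if folder in TRUSTED_DIRS else "system name outside system folder"
    for real in SYSTEM_NAMES:
        # One or two edits away from a system name: a dropped or swapped letter.
        if edit_distance(name, real) <= 2:
            return f"look-alike of {real}"
    return "no match"

# Constructed startup entries; the second uses the folder and file name from the thread.
STARTUP = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files (x86)\Microsoft\svhost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

def audit(entries):
    """Return only the entries that deserve a closer look."""
    verdicts = {p: classify(p) for p in entries}
    return {p: v for p, v in verdicts.items() if v not in ("ok", "no match")}

if __name__ == "__main__":
    for path, verdict in audit(STARTUP).items():
        print(f"{verdict}: {path}")
```
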

#3 Comp39

Posted 03 June 2011 - 04:02 PM

Can test it all out with http://www.pctools.com/spyware-doctor/download/ Free scan, but you will need to hunt down virus yourself, set Spyware doctor for FULL scan.

Please be REAL careful what you delete.

#4 Don Bon

Posted 05 June 2011 - 01:37 PM

I've encountered the same problem. It happened after opening a fake torrent. I've disabled the start-up program "svhost" and deleted C:\Program Files\Microsoft. Everything seems to be back in order EXCEPT when I search it takes me to the modified Google results page (the address for a search of "example" is http://www.google.com/cse?cx=partner-pub-6894140000573490%3A7655943223&ie=UTF-8&q=example&sa=Search&siteurl=www.quick-quote-insurance.com%2F ).

Any solution to this search problem?

#5 wandering_goat

Posted 05 June 2011 - 05:34 PM

The search thing can be fixed by changing a few files around (or, I assume, by re-installing Firefox, if that's what you're using). For Firefox, you will find an XML file (google.xml) in two places: C:\Program Files (x86)\Mozilla Firefox\searchplugins & C:\Users\[Your Name]\AppData\Roaming\Mozilla\Firefox\Profiles\[Random Stuff].default\searchplugins . Deleting the file will disable the in-browser google search. You can replace it with the default file instead, which I'll PM you.

For anyone else, the content of the default XML file (as taken from an unaffected Firefox install on a different computer), is:

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <ShortName>Google</ShortName> 
  <Description>Google Search</Description> 
  <InputEncoding>UTF-8</InputEncoding> 
  <Image width="16" height="16">data:image/png;base64,AAABAAEAEBAAAAEAGABoAwAAFgAAACgAAAAQAAAAIAAAAAEAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADs9Pt8xetPtu9FsfFNtu%2BTzvb2%2B%2Fne4dFJeBw0egA%2FfAJAfAA8ewBBegAAAAD%2B%2FPtft98Mp%2BwWsfAVsvEbs%2FQeqvF8xO7%2F%2F%2F63yqkxdgM7gwE%2FggM%2BfQA%2BegBDeQDe7PIbotgQufcMufEPtfIPsvAbs%2FQvq%2Bfz%2Bf%2F%2B%2B%2FZKhR05hgBBhQI8hgBAgAI9ewD0%2B%2Fg3pswAtO8Cxf4Kw%2FsJvvYAqupKsNv%2B%2Fv7%2F%2FP5VkSU0iQA7jQA9hgBDgQU%2BfQH%2F%2Ff%2FQ6fM4sM4KsN8AteMCruIqqdbZ7PH8%2Fv%2Fg6Nc%2Fhg05kAA8jAM9iQI%2BhQA%2BgQDQu6b97uv%2F%2F%2F7V8Pqw3eiWz97q8%2Ff%2F%2F%2F%2F7%2FPptpkkqjQE4kwA7kAA5iwI8iAA8hQCOSSKdXjiyflbAkG7u2s%2F%2B%2F%2F39%2F%2F7r8utrqEYtjQE8lgA7kwA7kwA9jwA9igA9hACiWSekVRyeSgiYSBHx6N%2F%2B%2Fv7k7OFRmiYtlAA5lwI7lwI4lAA7kgI9jwE9iwI4iQCoVhWcTxCmb0K%2BooT8%2Fv%2F7%2F%2F%2FJ2r8fdwI1mwA3mQA3mgA8lAE8lAE4jwA9iwE%2BhwGfXifWvqz%2B%2Ff%2F58u%2Fev6Dt4tr%2B%2F%2F2ZuIUsggA7mgM6mAM3lgA5lgA6kQE%2FkwBChwHt4dv%2F%2F%2F728ei1bCi7VAC5XQ7kz7n%2F%2F%2F6bsZkgcB03lQA9lgM7kwA2iQktZToPK4r9%2F%2F%2F9%2F%2F%2FSqYK5UwDKZAS9WALIkFn%2B%2F%2F3%2F%2BP8oKccGGcIRJrERILYFEMwAAuEAAdX%2F%2Ff7%2F%2FP%2B%2BfDvGXQLIZgLEWgLOjlf7%2F%2F%2F%2F%2F%2F9QU90EAPQAAf8DAP0AAfMAAOUDAtr%2F%2F%2F%2F7%2B%2Fu2bCTIYwDPZgDBWQDSr4P%2F%2Fv%2F%2F%2FP5GRuABAPkAA%2FwBAfkDAPAAAesAAN%2F%2F%2B%2Fz%2F%2F%2F64g1C5VwDMYwK8Yg7y5tz8%2Fv%2FV1PYKDOcAAP0DAf4AAf0AAfYEAOwAAuAAAAD%2F%2FPvi28ymXyChTATRrIb8%2F%2F3v8fk6P8MAAdUCAvoAAP0CAP0AAfYAAO4AAACAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAQAA</Image> 
  <Url type="application/x-suggestions+json" method="GET" template="http://suggestqueries.google.com/complete/search?output=firefox&amp;client=firefox&amp;hl={moz:locale}&amp;q={searchTerms}" />
  <Url type="text/html" method="GET" template="http://www.google.com/search">
  <Param name="q" value="{searchTerms}" /> 
  <Param name="ie" value="utf-8" /> 
  <Param name="oe" value="utf-8" /> 
  <Param name="aq" value="t" /> 
  <!-- Dynamic parameters -->
  <Param name="rls" value="{moz:distributionID}:{moz:locale}:{moz:official}" /> 
  <MozParam name="client" condition="defaultEngine" trueValue="firefox-a" falseValue="firefox" /> 
  </Url>
  <SearchForm>http://www.google.com/</SearchForm> 
  </SearchPlugin>

You should be able to edit the affected 'google.xml' and replace the contents (which have "quick-quote-insurance" all over the place) with the above.

Edited by wandering_goat, 05 June 2011 - 06:13 PM.
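The hijacked search URL quoted in the thread still points at www.google.com, so checking only the host of a google.xml would miss the change; comparing the file against a known-good copy catches it. The following is an added example, not part of the original thread: the baseline is a shortened form of the default file posted above, and the modified file is a constructed sample modelled on the hijacked URL, since the real modified file is not shown on the page.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.mozilla.org/2006/browser/search/}"

# Known-good engine: the text/html part of the default google.xml posted above.
BASELINE = """<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <Url type="text/html" method="GET" template="http://www.google.com/search">
    <Param name="q" value="{searchTerms}"/>
    <Param name="ie" value="utf-8"/>
  </Url>
  <SearchForm>http://www.google.com/</SearchForm>
</SearchPlugin>"""

# Constructed sample of a modified file, modelled on the hijacked result URL
# quoted in the thread (the SearchForm value is an assumption).
TAMPERED = """<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <Url type="text/html" method="GET" template="http://www.google.com/cse">
    <Param name="cx" value="partner-pub-6894140000573490:7655943223"/>
    <Param name="q" value="{searchTerms}"/>
    <Param name="siteurl" value="www.quick-quote-insurance.com/"/>
  </Url>
  <SearchForm>http://www.quick-quote-insurance.com/</SearchForm>
</SearchPlugin>"""

def endpoints(xml_text):
    """Map each <Url type> to (template, {param name: value}); add the SearchForm."""
    root = ET.fromstring(xml_text)
    found = {"SearchForm": (root.findtext(NS + "SearchForm", "").strip(), {})}
    for url in root.iter(NS + "Url"):
        params = {p.get("name"): p.get("value") for p in url.iter(NS + "Param")}
        found[url.get("type")] = (url.get("template"), params)
    return found

def diff_plugin(baseline_xml, suspect_xml):
    """List every endpoint or parameter in the suspect file that differs from the baseline."""
    base, findings = endpoints(baseline_xml), []
    for kind, (target, params) in endpoints(suspect_xml).items():
        good_target, good_params = base.get(kind, (None, {}))
        if target != good_target:
            findings.append(f"{kind}: {target} (baseline: {good_target})")
        for name, value in params.items():
            if good_params.get(name) != value:
                findings.append(f"{kind}: parameter {name}={value}")
    return findings

if __name__ == "__main__":
    for line in diff_plugin(BASELINE, TAMPERED):
        print(line)
```

Both copies of google.xml named in the post (the install folder and the profile folder) need the same check, since either one can carry the modified engine.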


#6 Don Bon

Posted 05 June 2011 - 08:12 PM

I'm using Google Chrome, I guess my best bet would be to try re-installing?

#7 Samo Ivan

Posted 08 June 2011 - 06:51 AM

Hi I'm new, so is this qqi s****. I notice that nothing including my antivirus software works. So here is a plan. Can you retrace your steps in last week or two, to see if we can find any similarities that we all did.
I use BitTorrent and have downloaded a few movies, using Facebook, Firefox 4, go to a few web pages that I normally use for news and updates, same stuff I always do, nothing new. Who is next?
Let's track this piece of s*** and kill it together.

#8 Don Bon

Posted 08 June 2011 - 11:11 PM

Samo - Yea it is definitely from a torrent. I ended up downloading a fake one, and that's when it started. I have the homepage thing all fixed, it's just the custom Google search that's still messed up.

#9 Hdl

Posted 09 June 2011 - 04:43 AM

I have this one too. Almost foaming at the mouth I'm so angry at myself, since I usually stay very safe. It was in a torrent, masquerading as a video codec. My virus protection went off and acted like it put something away - so I deleted the torrent and the files.
I'm no puter wiz - so I'm trying to find very clear (and moron-proof) instructions before I start removing it. My Avira found 2 dubious files and moved to quarantine. Spybot s&d found nothing new. I'm on another computer right now since on the infected one I cannot find ANY useful virus/spyware info through the browsers. They all got hijacked and set to quick-quote-insurance, same as you all :/

#10 JuicyJtheMane

Posted 10 June 2011 - 02:18 AM

Yo!

Just thought to stop by and let those troubled by that "quick-quote-insurance" hijack know that I stumbled upon an extremely capable piece of software that solved the problem for me. Having determined that the culprits were indeed the "svhost.exe" file and its associates located in the Program Files/Microsoft folder, I proceeded to remove it in safe mode and also tried a shutdown in MSConfig but to no avail. Thereafter I searched the internet for earlier "svhost.exe" related issues and discovered that there is a line of "svhost.exe" named trojans/rootkits that are unconventionally resistant to regular AV and Anti-Malware programs such as AVG or Spybot. HiJackThis also did not work. One of the posts regarding an earlier incarnation of "svhost.exe" credited a program called UnHackMe with successful removal of the trojan/rootkit. The program can be downloaded from the following site:

http://www.greatis.com/unhackme/

After installing UnHackMe, I ran a scan after reboot and the program immediately detected the "svhost.exe" threat. I asked the program to fix it, and guess what? It actually did. Subsequent to the reboot I used HiJackThis to check for running processes and saw that "svhost.exe" was still running but asked HiJackThis to fix the problem, which it also did, this time permanently. When I checked the Program Files/Microsoft folder, the size thereof had shrunk from ca 350 KB to about 66 KB. I deleted the Program Files/Microsoft folder and it has not reappeared. Browser homepage is now in order. Fixing the address bar search problem might require a browser reinstall. Otherwise big props to the creators of UnHackMe, a program that actually works as opposed to most modern AV/Anti-Malware programs the development of which is apparently aimed at the creation of a nice performance-intensive UI rather than a tool that effectively and permanently removes dangerous software from users' computers.

#11 Hdl

Posted 12 June 2011 - 06:47 PM

I thought you were spamming. But worked on all but the custom search thingy. Thanx aplenty :)

#12 janzel

Posted 19 June 2011 - 10:11 AM

I had the same problem and I figured it out by installing Malwarebytes Anti-Malware. Also, I downloaded a fake torrent of a movie with codecs, which I installed (what a stupid boy I am :). When I was searching with Google (before I removed the virus), it sometimes reported unusual behaviour and I had to enter a code from a picture, so perhaps the virus was sending some information.

#13 thefix

Posted 19 July 2011 - 09:02 PM

The fix is to restore the system. I got mine from a fake codec (stupid boy, me too). Restore worked for me.

#14 Two Rivers

Posted 29 August 2011 - 05:27 PM

Wandering Goat's solution of 5th June is spot on - it worked for me after I'd tried for ages with a techie friend (we only missed the deletion of the svhost.exe). If you have Windows XP you need to do a search for google.xml for the second google.xml file as it's not in the same place as Goat says for that version of Windows. You will also need to manually reset the 'restore tabs/windows' command in the startup options if you had that selected in Firefox before loading the demon software: Tools>Options>General>Startup - then select the option 'Show my windows and tabs from last time' available in the 'When Firefox starts' section.

Like many others here, I also got conned into launching this as a codec - what an idiot! But to my credit I did check the name of the executable and they'd hijacked the name of a reputable exe which loads all codecs - so it goes - I probably won't do it again for a while ...

#15 Two Rivers

Posted 29 August 2011 - 05:30 PM

PS: you CAN'T get rid of it by reinstalling Firefox; you HAVE to both delete svhost.exe and overwrite the google.xml files.



