LinuxQuestions.org
Old 06-21-2006, 06:08 PM   #1
bernied
Member
 
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Rep: Reputation: 30
Browser hijack from the LQ website


Has anyone else had browser hijacks specifically from the Linux Questions website? I now know of at least two occasions, and suspect it's happened much more often - only I hadn't clicked that it only happened on LQ.

Now I know this will attract some negativity (serves you right etc) but on all occasions I was browsing from a Windows machine using M$ IE. Yes I know it's a crime, but I have to conform to my work policy and to my home policy for some things (I will try to be more assertive in future).

Anyway hitting the back button sometimes from a thread back to a search list (twice in the last week, and a few other times before that, but I spend maybe an hour a day on the site) results in losing LQ completely and instead getting a popup dialog telling me I've got security troubles and would I like WinFixer (I think that's the one) to be installed. So after closing that I get a full-sized window inviting me to install error safe (if you really want to try the following link, remove the 'not' between 'error' and 'safe'):
http://www.errornotsafe.com/pages/sc...ex=1&p=&ax=1&h=

I don't know how to reproduce this on demand.

So when this happened at work I thought I was in trouble, and I anti-virused and spyware scanned and looked for nasty processes wherever I could think to, but turned up nothing. And I know on that machine, I've not had any previous trouble, because I'm fairly careful. I did find some dodgies at home, but then that was kind-of expected, given the use it gets from the 'family'. I ssh from work to the home network, but not to the W$ machines, so don't think there are any ways bad stuff could spread from home to work.

All I have read about hijacking says that there must be something on my system, messing with my browser. But, surely it's possible that there could be something else, somewhere between me and the LQ server that diverts my request and sends me this garbage instead. Can anyone educate me on this and reassure me that it's not me that's dirty?

And, for the record I do use linux - I have a (low-ish spec) gentoo headless file-server in a cupboard and a laptop running Ubuntu (but the screen and keyboard is not as good as this thing). I'm trying to convert the flatmates to the real thing, but this is a slow and diplomatic process. You can't have just a little bit of linux, can you?

But that's not actually the question of this thread - the question is why do I get redirected from LQ. Is this some weird Gates revenge, programmed into IE? Or something sinister that I need to scrub thoroughly for?
 
Old 06-21-2006, 06:18 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281
It's probably a piece of spyware/adware. Try running Lavasoft Ad-Aware personal or Spybot Search and Destroy.

http://www.virusspy.com/spyware/removewinfixer.html
 
Old 06-21-2006, 06:23 PM   #3
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
Nothing on LQ should ever cause that. We don't do popups (or pop-anything), nor do we allow advertisers to run anything but straight banner ads (and mostly text ads at that). Something else on your PC is almost certainly causing this.

--jeremy
 
Old 06-21-2006, 06:34 PM   #4
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281
Quote:
Originally Posted by bernied
Is this some weird Gates revenge, programmed into IE? Or something sinister that I need to scrub thoroughly for?
I just re-read your post and the answer is Yes and Yes. IE is most certainly Gates' revenge and something sinister needs to be scrubbed more thoroughly.
 
Old 06-21-2006, 06:41 PM   #5
bernied
Member
 
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Original Poster
Rep: Reputation: 30
pljvaldez, thanks, I have run both of these anti-spyware apps and Symantec anti-virus and come up clean. Could they be compromised? (And I didn't allow installation of any of the stuff that was suggested to me - to its credit IE would not let anything in without asking my permission - I think)

jeremy, so do you think there is no possibility of a link to the website? So this is just coincidence because I'm such a forum freak? I wasn't necessarily suggesting that it came from the LQ server, just somewhere between here and there - is that possible?

The alternative is that I've got two compromised W$ machines, one at home and one at work, and some potentially very grumpy network admins to answer questions to (yes, I have told them about this). But I'm sure I've been a good boy at work, so that maybe means I've taken my dirt from home to work. Not a nice feeling.

So, the next question is, what do you do when you think a machine is compromised but you can't find the beast? And I suppose the answer is that you start again - clean the whole thing off. But it's only a web browser hijack, right?

thanks for the help
bernie
 
Old 06-21-2006, 06:51 PM   #6
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281
You don't have to reinstall if you can figure out what registry entries need erasing. Google may be of some help. This thread helped fix the problem for someone else, but unfortunately the expert didn't explicitly tell the guy which entries were deleted by the fixer program...

If you're not comfortable editing your registry (as you can seriously bork your system), then wiping and re-install may be your only option.

One thing you might do is update all your definitions for ad-aware, spybot, and virus defs. Then reboot into safe mode without networking. Then run all three of those a couple of times and see if it finds them and removes them. I always do this type of work in safe mode...
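A read-only triage script, added here as an example and not part of the thread or of any tool mentioned in it, that speaks to both bernied's question (is it the network path or the PC?) and pljvaldez's point about registry entries. It lists the places where a Windows-client browser hijacker most commonly persists: the Run/RunOnce autostart keys, Internet Explorer Browser Helper Objects (resolved to the DLL each CLSID points at), and any hosts-file entry other than loopback. The registry paths are the standard Windows locations; nothing is changed, so the output can be reviewed by hand or handed to the network admins before anything is deleted.

```powershell
# Added example (not from the thread): read-only listing of common
# browser-hijack persistence points on a Windows client.
# Run from an elevated PowerShell prompt; nothing is modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Autostart entries (review each command line) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PS* metadata properties on the object.
        if ($p.Name -notmatch '^PS') {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

Write-Host "`n== Internet Explorer Browser Helper Objects =="
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        # Each BHO is a COM object; InprocServer32 names the DLL that IE loads.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) {
            (Get-ItemProperty -Path $inproc).'(default)'
        } else {
            '<no InprocServer32 key>'
        }
        "{0} -> {1}" -f $clsid, $dll
    }
} else {
    "(no Browser Helper Objects key present)"
}

Write-Host "`n== hosts file entries other than loopback =="
# A hosts entry for a site you visit is a local redirect, not a network one.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts | Where-Object {
    $_ -match '^\s*[^#\s]' -and
    $_ -notmatch '^\s*127\.0\.0\.1\s' -and
    $_ -notmatch '^\s*::1\s'
}
```

If every autostart entry and BHO resolves to a known, signed vendor DLL and the hosts file is clean, the hijack is less likely to live in these spots and the scanners' safe-mode run is the next step; an unfamiliar DLL in a temp or user-profile directory is the kind of thing HijackThis-style tools surface and is worth recording before it is removed.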
 
Old 06-21-2006, 07:19 PM   #7
bernied
Member
 
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Original Poster
Rep: Reputation: 30
Right, thanks for the tips.
What I really need to know is how did this thing get onto the work machine - because I could do without the grief. There is the vague possibility of course that it was nothing to do with me - we live by small delusions.
I will have to retrace my steps and try and find out what this thing is and where it came from.
 
Old 06-21-2006, 10:12 PM   #8
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
The fact that this behavior is observed with a Windows machine seems important. I'd suggest downloading and running the following 3 utilities. Run weekly or so. Good luck with it.

Spywareblaster
Spybot Search&Destroy
Ad-Aware
 
Old 06-22-2006, 03:13 PM   #9
thegeorge
LQ Newbie
 
Registered: Jun 2006
Posts: 2

Rep: Reputation: 0
I've just registered with LQ and the very first time I used the HCL link I was hit with exactly the same Winfixer hijack as you. I had actually cleaned my system last night. A Spybot scan now shows tracker entries from both Winfixer and Errorsoft. Looks like more than a coincidence to me.
 
Old 06-22-2006, 03:23 PM   #10
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
What ad was showing when you got this? We have a grand total of two advertisers on LQ and both of them (Google and O'Reilly) are extremely well respected technology companies whom I can't see serving spyware. That being said, if I get further detail I'd be happy to look into the situation further.

--jeremy
 
Old 06-22-2006, 04:16 PM   #11
thegeorge
LQ Newbie
 
Registered: Jun 2006
Posts: 2

Rep: Reputation: 0
OK, as I wasn't expecting it to happen my recollection might not be perfect. What happened was I hit the HCL link followed by the Audio devices link. At that point my IE window was shrunk to the bottom right hand corner of the screen to reveal a Winfixer dialogue offering a free registry scan. I tried to close the dialogue using the red 'X' and it started to run anyway. At that point I invoked the Task Manager and terminated the only application running, which was called something like Errorfix. Following this I ran Spybot as I said in my other post. The only other page I had visited before coming to LQ was Google (my home page). Any good?
 
Old 06-22-2006, 04:29 PM   #12
bernied
Member
 
Registered: Mar 2006
Location: Edinburgh, UK
Distribution: debian
Posts: 304

Original Poster
Rep: Reputation: 30
Well thegeorge is describing the same beast as I have, only I was able to prevent the downloads. I still haven't cleaned it and it is escaping my detection for now. I'll be very curious to know whether thegeorge has actually got it with Spybot (cause I couldn't find it with that) - or just the downloads that it springs. It's a shy little bugger, as it hasn't popped up again. Behaving very subtly for a browser hijacker. I'll try to keep an eye out for the advertising if (when) it happens again, but I don't think I'll have a chance to see what is showing because it takes LQ away completely, and fast. And normally I ignore the advertising completely.
 
Old 06-24-2006, 01:28 PM   #13
cwwilson721
Senior Member
 
Registered: Dec 2004
Location: In my house.
Distribution: Ubuntu 10.10 64bit, Slackware 13.1 64-bit
Posts: 2,649
Blog Entries: 1

Rep: Reputation: 67
It is DEFINITELY a browser hijack, Windows client specific. It will popup on any site.

To fix it, try HijackThis. It finds things that AdAware and SpybotS&D do not.

This is the exact reason why I've gone 'Linux Happy'. Why do I need:
  • An antivirus with paid subscriptions?
  • A Spyware remover?
  • An Ad remover?
  • A Browser Hijack remover?
  • Three updates a week from Microsoft to fix their OS?
Of course, I do run ClamAV. But nothing else is needed, except a check once in a while for security updates....
 
Old 06-24-2006, 11:13 PM   #14
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Does this have something to do with the LiveJournal brouhaha?

http://it.slashdot.org/article.pl?sid=06/06/24/1420251
 
Old 06-25-2006, 10:20 AM   #15
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
Not directly related as we have no affiliation with LiveJournal, but we are still looking into it.

--jeremy
 