Has anyone else had browser hijacks specifically from the Linux Questions website? I now know of at least two occasions, and suspect it's happened much more often - only I hadn't clicked that it only happened on LQ.
Now I know this will attract some negativity (serves you right etc) but on all occasions I was browsing from a Windows machine using M$ IE. Yes I know it's a crime, but I have to conform to my work policy and to my home policy for some things (I will try to be more assertive in future).
Anyway hitting the back button sometimes from a thread back to a search list (twice in the last week, and a few other times before that, but I spend maybe an hour a day on the site) results in losing LQ completely and instead getting a popup dialog telling me I've got security troubles and would I like WinFixer (I think that's the one) to be installed. So after closing that I get a full-sized window inviting me to install error safe (if you really want to try the following link, remove the 'not' between 'error' and 'safe'): http://www.errornotsafe.com/pages/sc...ex=1&p=&ax=1&h=
I don't know how to reproduce this on demand.
So when this happened at work I thought I was in trouble, and I anti-virused and spyware scanned and looked for nasty processes wherever I could think to, but turned up nothing. And I know on that machine, I've not had any previous trouble, because I'm fairly careful. I did find some dodgies at home, but then that was kind-of expected, given the use it gets from the 'family'. I ssh from work to the home network, but not to the W$ machines, so don't think there are any ways bad stuff could spread from home to work.
All I have read about hijacking says that there must be something on my system, messing with my browser. But, surely it's possible that there could be something else, somewhere between me and the LQ server that diverts my request and sends me this garbage instead. Can anyone educate me on this and reassure me that it's not me that's dirty?
And, for the record I do use Linux - I have a (low-ish spec) Gentoo headless file-server in a cupboard and a laptop running Ubuntu (but the screen and keyboard are not as good as this thing). I'm trying to convert the flatmates to the real thing, but this is a slow and diplomatic process. You can't have just a little bit of Linux, can you?
But that's not actually the question of this thread - the question is why do I get redirected from LQ. Is this some weird Gates revenge, programmed into IE? Or something sinister that I need to scrub thoroughly for?
Nothing on LQ should ever cause that. We don't do popups (or pop-anything), nor do we allow advertisers to run anything but straight banner ads (and mostly text ads at that). Something else on your PC is almost certainly causing this.
Is this some weird Gates revenge, programmed into IE? Or something sinister that I need to scrub thoroughly for?
I just re-read your post and the answer is Yes and Yes. IE is most certainly Gates' revenge and something sinister needs to be scrubbed more thoroughly.
pljvaldez, thanks, I have run both of these anti-spyware apps and Symantec anti-virus and come up clean. Could they be compromised? (And I didn't allow installation of any of the stuff that was suggested to me - to its credit IE would not let anything in without asking my permission - I think.)
jeremy, so do you think there is no possibility of a link to the website? So this is just coincidence because I'm such a forum freak? I wasn't necessarily suggesting that it came from the LQ server, just somewhere between here and there - is that possible?
The alternative is that I've got two compromised W$ machines, one at home and one at work, and some potentially very grumpy network admins to answer questions to (yes, I have told them about this). But I'm sure I've been a good boy at work, so that maybe means I've taken my dirt from home to work. Not a nice feeling.
So, the next question is, what do you do when you think a machine is compromised but you can't find the beast? And I suppose the answer is that you start again - clean the whole thing off. But it's only a web browser hijack, right?
You don't have to reinstall if you can figure out what registry entries need erasing. Google may be of some help. This thread helped fix the problem for someone else, but unfortunately the expert didn't explicitly tell the guy which entries were deleted by the fixer program...
If you're not comfortable editing your registry (as you can seriously bork your system), then wiping and re-install may be your only option.
One thing you might do is update all your definitions for ad-aware, spybot, and virus defs. Then reboot into safe mode without networking. Then run all three of those a couple of times and see if it finds them and removes them. I always do this type of work in safe mode...
Right, thanks for the tips.
What I really need to know is how did this thing get onto the work machine - because I could do without the grief. There is the vague possibility of course that it was nothing to do with me - we live by small delusions.
I will have to retrace my steps and try and find out what this thing is and where it came from.
The fact that this behavior is observed with a Windows machine seems important. I'd suggest downloading and running the following 3 utilities. Run weekly or so. Good luck with it
I've just registered with LQ and the very first time I used the HCL link I was hit with exactly the same Winfixer hijack as you. I had actually cleaned my system last night. A Spybot scan now shows tracker entries from both Winfixer and Errorsoft. Looks like more than a coincidence to me.
What ad was showing when you got this? We have a grand total of two advertisers on LQ and both of them (Google and O'Reilly) are extremely well respected technology companies whom I can't see serving spyware. That being said, if I get further detail I'd be happy to look into the situation further.
Ok as I wasn't expecting it to happen my recollection might not be perfect. What happened was I hit the HCL link followed by the Audio devices link. At that point my IE window was shrunk to the bottom right hand corner of the screen to reveal a Winfixer dialogue offering a free registry scan. I tried to close the dialogue using the red 'X' and it started to run anyway. At that point I invoked the Task Manager and terminated the only application running which was called something like Errorfix. Following this I ran Spybot as I said in my other post. The only other page I had visited before coming to LQ was Google (my home page). Any good?
Well thegeorge is describing the same beast as I have, only I was able to prevent the downloads. I still haven't cleaned it and it is escaping my detection for now. I'll be very curious to know whether thegeorge has actually got it with Spybot ('cause I couldn't find it with that) - or just the downloads that it springs. It's a shy little bugger, as it hasn't popped up again. Behaving very subtly for a browser hijacker. I'll try to keep an eye out for the advertising if (when) it happens again, but I don't think I'll have a chance to see what is showing because it takes LQ away completely, and fast. And normally I ignore the advertising completely.