Question Multiple, but not all browsers hit by hijack

Daedalus_mbj

Distinguished
Jun 25, 2008
3
0
18,510
0
I have three browsers I use for various things. Edge, Firefox and Chrome

Edge and Firefox keeps getting randomly hijacked by something that diguises itself as a contest from my ISP, but the url is something along eu.whaterverlongprizenametheyuse.top and have shown at least 3 different ones so far.
Inspecting source elements shows conversation tree if I click the prize buttons but can't find any url links in there so makes it seem useless.
It happens constantly, wether page is actively being viewed or in a tab yet to be seen. Its happened on news sites, Imgur, google searches, comic pages etc.

Windows defender finds nothing
Adware finds nothing.
Adwcleaner found two "legacy" things related to an ISO creator but even after cleaning that and restarts it still happens.

I use very few extensions.
Edge has LastPass
Firefox has LastPass, Popup blocker, flash player and a youtube extension.

All extensions are at least two months since install and this hijack has only happened since start of july.

All I can think of that's been installed from a not mainstream/big site is that ISO creator (other thing is a GOG game) but even after a cleaning it should not be possible for a program that isn't running (have checked taskmanager) to create a new hijack.

EDIT: CHROME TOO NOW AAARGGHHHH!
doesn't seem to happen in incognit/private modes. Now me thoroughly confused.
 
Last edited:

Mandark

Distinguished
I use uBlock Origin or sometimes uBlock Plus AdBlocker. give the site, I will see what happens.

Use Autoruns64 from Sysinternals.com and see what gets run at startup. you can delete that junk you don't want.
 
If autoruns or processexplorer do not assist...

a www.freefixer.com scan will display (in relatively-easy to read fashion) all of the following:

  • Open TCP/IP ports cross referenced to applications
  • Browser Helper Objects
  • Internet Explorer Toolbars
  • Registry Startups
  • scheduled tasks (from task scheduler)
  • all processes (many MS/Intel/Nvidia, DropBox, etc., processes will be 'greenlisted' and can't be manipulated/deleted by mistake)
  • list of all services (many also 'green listed'
  • Explorer.exe modules
  • rundll modules
  • shell services
  • application modules
  • drivers installed (2/3rds of most common are greenlisted)
Delete things afterward carefully, and at your own risk, of course, this is done entirely manually, but you can examine all of the above risk free
 

Daedalus_mbj

Distinguished
Jun 25, 2008
3
0
18,510
0
Update time.

malwarebytes found nothing
adwcleaner found nothing new
Have run autoruns64. saw nothing not verified or suspicious
Have removed the ISO thing, only program installed right before this crap started.
Can't run freefixer, get "application has requested runtime terminate in unusual way" immediately after clicking yes on the admin run panel

Trying now a full clear of all browser history, cookies, cache, media licences etc.

digging a bit more into it but thanks for the suggestions sofar

Here is a list of the sites the hijacks shows during today when it takes over a page. Visually its always the same, pretending to be my ISP and being a contest to win iphone, galaxy etc:

EDIT - cleared all browser of everything still happening.
also can't log onto reddit for some strange reason on any browser. in private mode I can see reddit not logged in it but once I've attempted to log on it goes to the CDN error thing and then won't load.
Mods removed the list of sites that pop up so not sure on how to show them

Sorry - risky links have been removed by a Moderator.

EDGE:
 
Last edited:

Daedalus_mbj

Distinguished
Jun 25, 2008
3
0
18,510
0
direct network cable to modem
wifi only for other devices.
google dns
reddit fixed itself after roughly 2 hours. was nice

since I cleared everything and unistalled that iso thing the frequency has gone way down for me so something worked. Might try removing all browsers and doing clean installs of them

the last two days I think my daily issues start after I load www.gogomics.com - maybe a clue I can use to figure this crap out
 
Last edited:

ASK THE COMMUNITY

TRENDING THREADS