Hijacked by Yahoo!

  • Thread starter Thread starter Liz and Ian
  • Start date Start date
L

Liz and Ian

Hi

If I make a spelling mistake when entering a web address, instead of getting
a simple 'address not found' message, a page from Yahoo pops up with all
sorts of 'helpful' suggestions.

Example of problem > If I type www.bobthbuilder.co.nz which is a non
existant NZ site, yahoo pops up with this
http://au.search.yahoo.com/search/aunz?fr=ieas&p=www.bobthbuilder.co.nz The
correct url is www.bobthebuilder.co.nz

The problem is that the yahoo url replaces the incorrect one that I typed in
the ie window, and I am not able to simply edit the spelling mistake and add
the missing 'e'

How do I get rid of this hijack? I have emailed yahoo and they seem to play
dumb on this one, and I have not had any sort of useful reply.

Thanks

Ian F


..
 
Did you install Yahoo! messenger or the Yahoo! toolbar? That might be the problem. Did you try uninstalling anything with the word "Yahoo" in it? Another thing you could try is to download and install "Spybot: Seach and Destroy" from www.safer-networking.org. After that, switch to "Advanced Mode" from the pull down menu and select Browser Helper Objects from the side menu. (It's there somewhere.) Then, you can see all the BHOs and delete ones that look suspicious. Hope that helps.
 
Parasite Alert!

It's probably a CoolWebSearch variant. You will need the CWShredder tool
below.

Try this: Tools > Internet Options > Advanced > Browsing
Uncheck the Enable 3rd party browser extensions

If this clears your problem then find out who the culprit(s) is/are with
these tools.

Let AD-Aware Scan your system for advertising Spyware
http://www.lavasoftusa.com

If you use a HOSTS file, beware of this new issue.
Ad-Aware has decided to include a new detection when scanning the HOSTS
file. This now creates a "Bad hosts file entry" in the log file generated at
the end of a scan. The best thing to do is to place a check in each entry,
right-click and select: "Add selection to ignorelist". Otherwise if you let
AWW "fix" these items it will trash the HOSTS file! Even if you have it
"locked" by [example] SpywareBlaster or Winpatrol. It does not return the
attributes and renames the HOSTS file incorrectly to hosts.

and:

SpyBot-S&D
http://security.kolla.de/

p.s Reset the 3rd party browser setting.

More: This may be caused by a third-party program (adware, spyware,
parasite).
Get AdAware and SpyBot and run them both. Keep them up to date.
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Additional link:
http://aumha.org/a/quickfix.htm

You may need this removal tool.
More: Complete list by variant with up-to-date information.
http://www.spywareinfo.com/~merijn/cwschronicles.html
More: Removal tool: http://www.spywareinfo.com/~merijn/files/CWShredder.exe

CWShredder - Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

IMPORTANT:
Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware may kill your internet connection when it is
removed, this program will enable you to regain your connection.
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP)


Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051
 
Hi Sir Nad, STReNT and Henri

Thanks for replies.

I dont have a Yahoo toolbar or Yahoo messenger, although I did sign up for a
yahoo group a while back.

Spybot, Adaware, CWShredder dont find anything, and nothing untoward on my
Hijackthis.log when checked by T-Zero at net-integration.net.

Having a more careful look at what happens, it seems that a redirection
by/from msn happens.

When the non existant url is not found, this line comes up at the window on
the bottom of the ie screen

'Opening page
http//autosearch.msn.com/response.asp?MT=www.bobthbuilder.co.nz&search=5%
..... ' (Cant see any more cos the window is not big enough.)

Then this opens:

http://au.search.yahoo.com/search/aunz?fr=ieas&p=www.bobthbuilder.co.nz



With reference to the HOSTS file, I have the following files on my system

C:\windows\hosts > seems to contain a list of a large number of not too
nice looking url's.

C:\windows\HOSTS.bak > empty

C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs >an
execuitable file that starts spybot.

All OK?

Thanks
Ian F




Sir Nad said:
Did you install Yahoo! messenger or the Yahoo! toolbar? That might be the
Click to expand...
problem. Did you try uninstalling anything with the word "Yahoo" in it?
Another thing you could try is to download and install "Spybot: Seach and
Destroy" from www.safer-networking.org. After that, switch to "Advanced
Mode" from the pull down menu and select Browser Helper Objects from the
side menu. (It's there somewhere.) Then, you can see all the BHOs and
delete ones that look suspicious. Hope that helps.
 
How do I get rid of this hijack?

It's not a Hijack. It's an IE feature called AutoSearch.
If you don't want it turn it off.
Search from the Address bar
When searching
Do not search from the Address bar
(Options, Advanced tab)

If you do want it and you are prone to making typos in your domain names
try remembering to type a protocol prefix with your URLs. ;)
Otherwise, invalid domain names without a protocol prefix are simply data
strings which should be searched for after (perhaps) an initial lookup with
them fails.


HTH

Robert Aldwinckle
 
Back
Top