Uninstall Virus - how do I remove browser click jack hijack

Asked By Peter Stuczynski on 06-Nov-08 08:50 AM

I have MSIE and FireFox install. Both have the same problem, when I do a search in yahoo.com and get search results, if I click on the search results it goes off on some other site. I get pop-ups for "adv.net", I also get banner ads for penis enlargement replacing regular banner ads on some sites I visit.


I also have a problem if I put "nbc.com" in the address bar on MSIE it stays on the current page, then opens a new window with "nbc.com" in the address bar and says "page can not be displayed", then it opens 2 more MSIE tabs with the same on each page. If I go to "nbc.com" from FireFox it works fine.


I have been told I have a "Click Jack". If this it true, how do I get rid of it.?


Thanks,

Peter

remove browser click hijack - Binny ch replied to Peter Stuczynski on 06-Nov-08 10:56 AM

Try following steps;
1.  Start Internet Explorer.
2.  On the Tools menu, click Internet Options.On General tab, click
Delete, and then click Delete All. At the bottom of the page, select Also
delete files and settings stored by add-ons, and then click Yes. Click Close.

Click the Security tab, and then click Reset all Zones to Default Level.
Click the Advanced tab, and then click Restore Advanced settings.

and then:

1.  Close all the programs that are running and close all the windows that
are open.
2.  Click the Tools menu, and then click Internet Options.
3.  Click the Advanced tab.
4.  Click Reset.


And then :

1. Click tools
2. click on Phishing filter.
3. turn on.

Close IE and start again.

still have problems - Peter Stuczynski replied to Binny ch on 06-Nov-08 11:57 AM

Thanks... That seems to have worked for MS Internet Explorer. My yahoo.com searches seem to work as they should. I still have the problem where using MSIE to access "nbc.com" come up with "Internet Explorer cannot display the webpage". At least it doesn't pop open a new window and 3 tabs on that window like it did before. I can access "nbc.com" from FireFox but FireFox still had the hijack problem with the yahoo.com searches and bogus banner ads.

Thanks again...

OK... I was wrong... It's back again... - Peter Stuczynski replied to Peter Stuczynski on 06-Nov-08 12:56 PM

It's back again. Everything is as it was again for some reason.
try this - C_A P replied to Peter Stuczynski on 07-Nov-08 12:08 AM

BEFORE YOU START -
Download

and install Hijack This from www.downloads.com

-STEP 1- SAFETY STUFF
Backup

your documents and create a system restore point.

-STEP 2- CHECK FOR SUSPICIOUS STARTUP ITEMS You can use Hijack This to clean out hijacked items from Microsoft's Internet Explorer (redirections due to spyware), however they will return if the executable program causing it is not removed.

a. Click on Start> Run and type "msconfig" and click OK.
b. Select the "Startup" tab.
c. Uncheck any items you don't recognize. Note that many legitimate programs will appear here too.

Most spyware will load from this area. If unsure if a particular item is legitimate or not, do a Google search on the .exe file name that loads. The only caveat here is that some spyware .exe files get a randomly generated name, so a search will not identify them.

You can look in the Command column to see the name of the .exe file itself and you can stretch this column if you cannot see the entire line of text.

By the way, it IS safe to uncheck everything here as a test anyway - nothing critical to Windows loads here. So, if in doubt, it is OK to uncheck something.

d. Apply the changes, and restart Windows.

-STEP 3 - Run Hijack This
1. Run the tool, and select "Scan".
2. Look mostly at the R0, R1 and 02 entries. This relates to the hijack, and represent changes to your default browser settings (homepage, search page).
3. Have a look at the addresses for these entries. If they are different from your preferences, check the box next to it.
4. Click on "Fix Checked" and confirm.

This process cleans out the modified (hijacked) entries. You can also define what Hijack This uses by clicking the Config button (lower right), however this is not required.

-STEP 4 - DOUBLE-CHECK HOME PAGE AND TEST One problem is that if the IE Home Page isn't cleared, you'll get "rehijacked" when you launch IE. This is because that particular page is the source of the problem. (It may try to load an ActiveX control.)

Hijack This may have already reset your Home Page in STEP 3, but double check before starting IE:

a. Head to Control Panel, Internet Options.
b. Change your Home Page on the General tab.
c. Browse the Internet, reboot your machine, and test over the next little while.

If the hijack stays away, you've successfully cleared it, and one of the Startup items you disabled in STEP 2 might still be the cause.

-STEP 5- PERMANENETLY DELETE THE CAUSE
We need to find the Startup item that is causing this, if any. Recall that in STEP 2 we disabled some suspicious startup items. One, or several of them may be triggering the hijack.

Also note that we've been testing the machine with the Startup Items disabled. We want to ensure the computer runs fine (no errors) with all these items unchecked.

If you are unsure about deleting an item or using the registry editor, seek help with your local tech expert.

a. Launch MSCONFIG once more.
b. For the first suspicious item, expand the "Location" column to see where it is loading from in the registry.
c. Click on Start, Run, type "regedit" and click OK.
d. Browse to the key listed in the "Location" column for MSCONFIG.
e. Delete the key on the right hand side only, that specifically matches that startup item. **See example below.**
f. Note the "Command" folder in MSCONFIG. Browse to this folder, and delete the .exe file itself. **See example below.**

-----EXAMPLE-----
In this example, the Startup Tab of MSCONFIG indicates that:

pxzyc.exe loads from Command "C:\WINDOWS\PXZYC.EXE" and Location

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run"

In this case, we go to the registry editor and find that Run key on the left window. On the right hand Window pane you'll see each item in that Run key, specifically "pxzyc.exe" in this case. Delete the entry for "pxzyc.exe" in the registry only.

In addition, we'll browse to the C:\WINDOWS folder, and manually delete the pxzyc.exe file that resides there.
-----------------

g. Repeat these steps for each suspicious item.

-ADDENDUM 1-
Some spyware also adds itself as Web content on your desktop background.
To remove this:

a. Right-click the desktop, selecting Properties.
b. Select the Desktop tab, then the Customize button.
c. Select the Web tab, and delete any content indicated.

-ADDENDUM 2-
In STEP 3, you may note that the RO, R1 etc. entries point to an .htm or .html file on your local computer. Although Hijack This will clean out your IE settings, it will not delete the local copy of the html file on your computer. Be sure to browse to the location of the file indicated, and delete the file manually.

read this link for more info - C_A P replied to Peter Stuczynski on 07-Nov-08 12:10 AM
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://pcaddons.blogspot.com/2008/10/prevent-browser-hijacking.html
Vista desktop properties. - Peter Stuczynski replied to C_A P on 07-Nov-08 12:19 AM

I'm using Windows Vista Business. Right click on the desktop doesn't have a "Properties" option. Any idea how to get to desktop properties in Vista.?

Thanks...

Found partial solution - Peter Stuczynski replied to Peter Stuczynski on 08-Nov-08 04:52 PM

Here is what my original problem was:

The hijacking goes to http://b1.adv.net/go.php?q=729x90_7/728x90_1.gif and other "b1.adv.net" pages. Ping for "b1.adv.net" has an IP address of 67.210.13.126. If you go to 67.210.13.126 you can see all the banner ads that were coming up on my pages.

I just happened to ping "b1.adv.net" on another PC and got "Ping request could not find host b1.adv.net". I went in to "network connections", "internet protocol" and my computer was set to "Obtain DNS server address automatically", I switched it to my ISPs DNS server and solved the problem. They must have hijacked my DNS.

Why would "Obtain DNS server address automatically" be hijacked like that.? Is there a fix for that other than using "Use the following DNS server addresses".?

I still have a problem where if I try to go to "NBC.COM" I get "Internet Explorer cannot display the web page". It works fine if I use FireFox on this same computer.

RE Found partial solution - Maggie Potter replied to Peter Stuczynski on 23-Jul-09 11:48 AM
Can you please post the HijackThis log?
click/ jack.exe virus - NGUYEN HUU CONG replied to Peter Stuczynski on 28-Sep-09 10:03 PM

Dear all,

I just downloaded NFS shift and got the virus click/jack.exe.

If you plug your USB into the computer, you will be get others 1 file autorun.inf and folder Click. I show you how to delete that virus.

come to C:/Recycler/S-1-5-21xxxx

you will find the files

desktop.ini and

schl.exe

those are virus

Use your antivirus program to block them

after restart your computer, you delete them easyly.

thanks for reading