topic Re: Plusnet Technologies drive by browser hijack in Plusnet Feedback

Plusnet Technologies drive by browser hijack

mickthefitter — Mon, 03 Apr 2017 22:57:22 GMT

Hi.

I think people have been reporting this phenomenon for months now, but I've been experiencing it for about a week. I'm browsing my chosen website, then suddenly the web page changes and I'm presented with the option to take part in a survey claiming to be from Plusnet Techologies Ltd. at this web address

http://retailboy.com/?911973147b292c42b899e716fe6903e6

Checking my browser history it also goes through a performance of connecting to

https://retirednsa.org/in/c760lhjg804aceuxdq1vl256/?ads=7lp2m6ekxc&p=c760lhjg804aceuxdq1vl256&size=300x250&domain=https%3A%2F%2Fcholamotors.com%2Fart%2Flocal%2Fprx%2Fotr.aspx&referer=http%3A%2F%2Ftpc.googlesyndication.com%2Fsafeframe%2F1-0-7%2Fhtml%2Fcontainer.html&location=https%3A%2F%2Fbrain.rvty.net%2FRTB%2FShowAd%3FadHeight%3D250%26adWidth%3D300%26adslotId%3D%26siteId%3D0%26bannerId%3D36933%26e%3D1%26p%3DAAABWzWL-kDSGIFVXzGqm3CxpEMHYC7nSS2Bmg%26penc%3D%26a%3D60165a09-b055-4839-8d1e-f3eda15f5687%26n%3D1%26geo%3D56506%26bp%3D160000%26rawURL%3Dhttp%253A%252F%252Febayadvertising.co.uk%26rawReferrerURL%3D%26uid%3Da562a9cc-2bb3-4add-810d-4e37bf081712%26euid%3De08fbceb-d091-7477-9f30-e74bbe2d9d2a%26encn%3DN4IgNg9gxghgLgSwgOwJIBMQC4CsA2HABjwBpwVsBaARgDoAmPPAdjLHmx3toE4yoIAV2RwATgE9sIAOIAhEGQDOceAFMpCkFARxJWEABkUAcwAEAUXgUyALwQAHDWVGrjSNIogBhCOnX6QAF8gA&dObject%5B0%5D=0&dObject%5B2%5D=0&dt5=0&dt7=0&dt3=1&dt4=2&dt8=11&dt9=NA

then

http://aldie.detb.gdn/?sov=93073471&hid=fttnhjxhphfjx&&redid=38265&gsid=68&campaign_id=20&p_id=11895&id=XNSX.deu-r38265-t68&impid=d4914e12-18b0-11e7-b739-fa245441bcee

before arriving at Plusnet Technologies. It's not like I've never experienced a drive-by browser download before, but every past experience has been a rare one-off that hasn't re-occurred if I steer clear of the web page I was trying to get to when it happened. This Plusnet Technologies thing is hijacking eBay, Yahoo mail....I've run a McAfee virus scan and I've also got Spybot on my laptop and that comes up all clear. Might this have something to with using an old laptop on XP? I'm unsure if I've got something on or in my laptop that is getting past the anti virus, or if its just one of those annoying things. I usually use Chrome as a browser but that's not supported on XP any more. I think Opera is, which I've also got, but occasionally Opera caused my laptop to go blue screen when closed, so I stopped using it.

Mick.

Moderator's note by Dick (Strat) Post released from spam filter.

Re: Plusnet Technologies drive by browser hijack

BrightonRock — Tue, 04 Apr 2017 07:15:50 GMT

I've never seen this so I too am unsure what may be causing it. But it might be worth doing a one-off scan with a couple of other security programs to make sure that your machine is clean. That way you will eliminate one possible cause.

I think these both still work on XP. Try superantispyware (free) from http://superantispyware.com/ and AdwCleaner from https://www.malwarebytes.com/adwcleaner/

Re: Plusnet Technologies drive by browser hijack

Mustrum — Tue, 04 Apr 2017 07:58:16 GMT

If you can, download malwarebytes on another machine, save it to a USB stick, then run it on your infected machine, preferably without being connected to the internet. Then run it again, connected to the internet so it can get the latest updates.

Re: Plusnet Technologies drive by browser hijack

BrightonRock — Tue, 04 Apr 2017 08:07:45 GMT

@Mustrum I replied to @mickthefitter earlier but the post seems to have gone missing so you won't have seen it. My suggestion was use superantispyware and adwCleaner rather than MBAM. I am a unsure about running MBAM 3 (which is what would be downloaded) on XP and old hardware. But I agree with you that he needs to do a further malware scan.

Re: Plusnet Technologies drive by browser hijack

Mustrum — Tue, 04 Apr 2017 08:11:36 GMT

@BrightonRock Your post maybe stuck in the spam filter until a mod releases it.

Guess we all have our favourite anti malware software, and it may well take a few goes to get rid of it.

Re: Plusnet Technologies drive by browser hijack

Strat — Tue, 04 Apr 2017 10:19:06 GMT

Moderator Note by Dick (Strat)

Post released from spam filter.

Re: Plusnet Technologies drive by browser hijack

MattyC — Tue, 04 Apr 2017 14:10:15 GMT

Looks like this might be doing it's rounds again.

For me, it'd be Malwarebytes.

Matty

Re: Plusnet Technologies drive by browser hijack

mickthefitter — Tue, 04 Apr 2017 18:37:39 GMT

Thanks for the posts here. In reply to MattyC, yes, THAT is doing the rounds again. In reply to Mustrum, unfortunately I do not have access to another machine. I'll have to download anything I download onto the old one I'm using. I've always been wary of any free downloads (I assume they're free?) in case they've got malware piggy-backing their way onto my PC. I suppose I'll have to try them though. The alternative is to do what I've done many times in the past (but for different reasons usually) that is save my important photos and files to a stick and get the CDs out, and do a HDD wipe. But then I don't know how I picked up this particular bit of malware so I might get it again after all that.

Mick.

Re: Plusnet Technologies drive by browser hijack

BrightonRock — Tue, 04 Apr 2017 19:17:50 GMT

I understand your concern about downloading unknown software. But the 3 items that have been recommended are safe, clean (and free) if downloaded from their home pages. However don't try and download them from anywhere else without advice on whether that site is safe.

It is worth running the downloads before wiping the disk; they may find the problem and avoid that work.Looking at it another way, you don't lose anything much if they were bad (they are not!) as your next step is a wipe anyhow.

It would be prudent to back up your important files first.

Re: Plusnet Technologies drive by browser hijack

mickthefitter — Tue, 04 Apr 2017 20:57:21 GMT

There were THREE download suggestions? Was the third MBAM? I got a little confused then as I thought the ones being discussed were superantispyware and adwcleaner. I tried the last two, adwcleaner found nothing at all, while superantispyware found a total of 567 tracking cookies, all associated with Google Chrome. I've quarantined the files and have now decided to revert to using the Opera browser for a time again and see how I get on. At one time I used Firefox, even before Windows stopped their support for the XP o/s, but after a while it used to 'break' my computer with defective icon handlers and other problems.

While adding my Bookmarks to Opera though, I had a thought - Photobucket, which I've used as a photo host to upload photos to a car forum I go on, is a swine for slowing my laptop down while ads load up and pop up that I have to clear in order to continue. I wonder if that's how Plusnet Technologies Ltd. got to me?

Re: Plusnet Technologies drive by browser hijack

BrightonRock — Wed, 05 Apr 2017 06:22:03 GMT

The third cleaning option - recommended by @Mustrum & @MattyC - was indeed MBAM.

Please let us know how you get on with Opera.

Re: Plusnet Technologies drive by browser hijack

SpendLessTime — Wed, 05 Apr 2017 07:54:13 GMT

@mickthefitter

If you are using Opera then make sure that the built in ad blocker is turned on. You can always turn it off for specific sites.

Re: Plusnet Technologies drive by browser hijack

mickthefitter — Sun, 09 Apr 2017 11:20:40 GMT

I just thought I'd update you on this one. About one week on, I ran another SUPERantispyware scan this morning (and adwcleaner, though that didn't find anything first time round) and it has come up completely clear, no tracking cookies at all, after a week of using the Opera browser instead of Google Chrome. No reappearance so far either of the Plusnet Technologies Ltd. hijack. Although Opera does appear to use some sort of Google Chrome framework, as when it opens, a tab appears on the top left of the screen with the words 'chrome://startpage', and the default (and unalterable) search box in the middle of the start page is Google. However in 'settings' I can select different search engines to use if I type into the address bar instead, so I've selected Bing and keep trying to remember to do internet searches from that. So whether or not this Plusnet Technologies thing was exploiting a weakness in Chrome for XP, or it's just plain Google that can't be trusted not to share out your personal info, I don't know. In the past, Spybot used to pick up a few tracking cookies left on my computer by Google Chrome, yet it never found anything when I used to use the Firefox browser, but even Spybot has been giving me the 'all-clear' for some time now - yet SUPERantispyware found over 500 tracking cookies last week. Interesting, to say the least.

Mick.

Re: Plusnet Technologies drive by browser hijack

BrightonRock — Mon, 10 Apr 2017 08:11:37 GMT

That is good news.Thank you for letting us know how you are getting on.

If you are worried about tracking cookies - and I do worry about them - some browsers have an option to delete (all) cookies on exit. There are also some add-ons that block them; Ghostery comes to mind (I don't know whether it is available for Opera). Alternatively, you could run ccleaner (from Piriform) every now and then. If you do use ccleaner, be aware that it can be quite aggressive; on my systems, I don't let it clean everything that it wants to as default but changing the settings is very easy.

Re: Plusnet Technologies drive by browser hijack

mickthefitter — Thu, 18 May 2017 17:32:45 GMT

Okay thanks. Over a month late viewing this, but thanks!