cpatte7372
I think I've Been Hacked Into
Hello Experts,
Since visiting a dubious site I think I've been hacked into. An expert has made some suggestion from a similar question https://www.experts-exchange.com/questions/27176943/Pop-Up-Blocker.html
However, I thought I would re-submit the question as it appears a little more serious than I originally suspected.
For example, each time I click on a site from Google I get redirected to http://www.asktofriends.com/search_uk/ut/searcha.php?
I'm also getting hammered with pop-ups. It was suggested that I use Firefox and install malware. I've installed the malware; however, I was wondering if you all would agree that my problems may get resolved by changing to Firefox? (I'm currently using IE9)
Your help will be greatly appreciated.
Cheers
Carlton
ASKER
OK,
Every site I click gets redirected to various other sites.
Driving me crazy
Use another PC to download TDSSKiller and rename it to something else before moving it to the infected PC.
If some nasties had infected the system I don't think changing to Firefox will make a difference, the nasties have to be removed.
You can also download these tools, RKill or RogueKiller, to kill the processes; download them onto a USB stick.
RKill:
http://www.bleepingcomputer.com/download/anti-virus/rkill
RogueKiller:
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
I think you have to decide on two things:
1. Has your site been hacked, or has your browser been hacked?
If you decide on this, then the solution will be easy. Reason:
1. If your site got hacked, then there should be some scripts.
2. If it's for every kind of site, then your browser is hacked; just run any respectable AV / malware cleaner.
Malwarebytes Anti-Malware usually does a good job of mopping up after using the above tools to stop any malicious process.
Go to Malwarebytes.org, download, update and run it. Upon completion use ESET Online Scanner to do a full scan: http://www.eset.com/us/online-scanner/run
ASKER
Gents,
Thanks for responding.
This is what I've done so far:
I've installed Malwarebytes, Anti-Malware.
The pop-ups seem to have stopped for now, but I can't get to any site without being redirected.
I have installed Firefox and although I haven't been redirected yet on Firefox, there are a few occasions when I get the message that the site is either down or unavailable - which I know isn't correct as the site is cisco.com.
I'm first going to try TDSSKiller.
I sincerely hope this helps, as this is ludicrous.
Thanks guys. I will let you know how I get on.
Cheers
ASKER
Experts,
I now can't even use Experts-Exchange in IE9 without getting the message that IE9 popup blocker wants me to let a popup to appear, and it won't give me the option to say no.
From past experience the pop-up is going to be a porn site.
Please help me. I was going to the site that rpggamergirl suggested to get TDSSKiller but the pop-up won't let me.
P.S.
My apologies rpggamergirl, for assuming that you were a gentleman.
Cheers
ASKER
OK,
Now I can't even login Experts-Exchange from FireFox. When I do a search in firefox for Experts-Exchange from Google I get sent to http://www.goingonearth.com/search.php?q=experts-exchange
And then it hangs....
I've really been hacked into.
Please help.
ASKER
OK,
TDSSKiller found nothing.
ASKER
rpggamergirl
Now going to try
RKill
ASKER
Experts,
It would appear from the results of Malware and TDSSKiller that I don't have any malicious files. The problem is with the redirection of sites from Google.
Please help.
Cheers
ASKER
Hi younghv
I tried her first suggestion and using RKill and I got the following output:
Rkill was run on 03/07/2011 at 17:35:41.
Operating System: Windows 7 Enterprise
Processes terminated by Rkill or while it was running:
Rkill completed on 03/07/2011 at 17:35:47.
What should I do now?
This is a nightmare....
ASKER
Hi Younghv,
I followed your other suggestion with RogueKiller and hit option 1 (scan) and got the following output:
RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 07/03/2011 19:42:12
Bad processes: 0
Registry Entries: 4
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
HOSTS File:
Finished : << RKreport[1].txt >>
RKreport[1].txt
Younghv, just so you know the main problem I'm having at the moment is the inability to get to any sites via google, even Experts-Exchange - I keep on getting redirected.
Really appreciate your help mate
ASKER
Younghv,
In answer to your previous question,
I downloaded TDSSKiller onto a USB and renamed it. However, when you actually double click it, the real name TDSSKiller appears and can't be changed.
ASKER
Younghv,
I just have to pop out for a bit. I look forward to your suggestions
cpatte7372,
When you double-click the renamed TDSSKiller, the window that opens before you actually click on the "Start scan" button will be called TDSSKiller. The renaming bit is only so the program will not be blocked by the malware when it launches; you are not actually renaming the program TDSSKiller. If TDSSKiller runs without it being renamed then that's good.
"TDSSKiller found nothing."
Did the log show any suspicious entries?
If it isn't a router infection then it could be an MBR infection/infected volsnap.sys also.
Try running Rootkit Unhooker to check if it is an infected volsnap.sys
http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE
• Please download Rootkit Unhooker and save it to your desktop.
• Doubleclick on RKUnhookerLE.exe to run it.
• Click the "Report" tab, then click Scan.
• Checkmark Drivers, Stealth. Uncheck the rest and then click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Post the report here.
ASKER
Hi rpggamergirl,
Thanks for getting back to me. I will try your new suggestion.
In the meantime, I got the following report from RogueKiller:
RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 07/03/2011 19:42:12
Bad processes: 0
Registry Entries: 4
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
HOSTS File:
Finished : << RKreport[1].txt >>
RKreport[1].txt
ASKER
Hi rpggamergirl,
The main problem I'm having at the moment is that every time I click on a site from Google I get a blank page with a suspicious URL.
Look at the URL that appears below when I click on Experts-Exchange from Google:
http://www.goingonearth.com/search.php?q=experts%2Bexchange
Also, since running the malware, TDSSKiller and RogueKiller, every single action generates a sound. Even a right click generates a sound. Does this have anything to do with TDSSKiller?
Cheers
ASKER
Hi rpggamergirl,
Attached is a snapshot of the error message I get when I run Rootkit Unhooker.
Are you able to help me with the constant sounds that keep on being generated? As I said, even when I paste I get a sound.
I hear sounds occurring for no apparent reason. Although, I know something must have generated it. If you don't think the sounds have anything to do with running the malware etc., please let me know so that I can ask another question. However, I must say, I didn't get the sounds before I ran TDSSKiller and the rest of the malware....
error.docx
I don't know about the sounds....there are nasties that play music but not like what you mentioned.
I've run TDSSKiller but I didn't notice any sound.
What program is having that error you just posted?
Did TDSSKiller manage to run? I think you mentioned it ran and didn't find anything.
Let's see what Unhooker finds.
Run msconfig and set it to a diagnostic startup.
Delete the contents of your %temp% directory.
You should be able to delete everything there; if you get an error message about a file in use,
go into Task Manager, click on "Show processes from all users" and show the file location of the tasks that are running.
Any that point to %temp% (c:\users\username\appdata\temp): kill that process and delete that file.
You should now be able to run TDSSKiller or Malwarebytes.
Now you can go back into msconfig, re-enable all services and investigate all the entries in the
startup; if you can't confirm by looking at the file properties that it is a valid file, then leave it unchecked.
You might want to run Sysinternals Autoruns, save the output to a .arn file and upload it here.
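A read-only PowerShell triage script, added here as an example and not code from any of the experts in this thread, that checks the things the RogueKiller report and ve3ofa's steps above look at: the UAC registry values RogueKiller flagged (EnableLUA and ConsentPromptBehaviorAdmin set to 0), running processes whose executable lives under %temp% or AppData, and any non-default HOSTS entries. It assumes Windows 7 or later with PowerShell 2.0+ and an elevated prompt; it reports and changes nothing.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

function Get-UacStatus {
    # RogueKiller flagged EnableLUA (0) and ConsentPromptBehaviorAdmin (0) under
    # HKLM\...\Policies\System. EnableLUA = 0 means UAC is switched off entirely,
    # which is something malware does so that later elevations never prompt.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        UacDisabled                = ($p.EnableLUA -eq 0)
    }
}

function Get-ProcessesRunningFromUserProfile {
    # ve3ofa's Task Manager step: list processes whose image path is under
    # %TEMP%, Local AppData or Roaming AppData, the usual drop-and-run locations.
    $roots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    Get-Process | ForEach-Object {
        $path = $null
        # MainModule is not readable for some system processes; skip those.
        try { $path = $_.MainModule.FileName } catch { }
        if ($path) {
            $lower = $path.ToLowerInvariant()
            foreach ($root in $roots) {
                if ($lower.StartsWith($root + '\')) {
                    New-Object PSObject -Property @{
                        Id = $_.Id; Name = $_.ProcessName; Path = $path
                    }
                    break
                }
            }
        }
    }
}

function Get-HostsOverrides {
    # RogueKiller's "HOSTS File:" section was empty for the asker; this prints
    # every active mapping other than the default localhost lines so any
    # search-engine or security-vendor hostname pinned to a foreign IP stands out.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Where-Object { $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }
}

Write-Host '== UAC policy values =='
Get-UacStatus | Format-List
Write-Host '== Processes running from TEMP / AppData =='
Get-ProcessesRunningFromUserProfile | Format-Table Id, Name, Path -AutoSize
Write-Host '== Non-default HOSTS entries =='
Get-HostsOverrides
```

Anything listed under the second or third heading is not automatically malicious (some legitimate updaters run from AppData), so check the file properties and publisher of each hit as ve3ofa suggests before killing or deleting it.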
ASKER
rpggamergirl
Just prior to your last message, I sent you a message letting you know Rootkit failed with an attachment of the error message.
ASKER
Hi ve3ofa
Before I go ahead with your suggestion, can you let me know what the objective is? I know asking what the objective is sounds like a dumb question, but is one of the objectives to locate what may be causing the redirection of sites from IE9?
Cheers
ASKER CERTIFIED SOLUTION
ASKER
Thanks Younghv
ASKER
rpggamergirl
I'm going to try your suggestion. I will let you know how I get on.
Cheers
ASKER
Hi rpggamergirl
I don't want to get too excited but I think ComboFix fixed the problem. I sometimes get excited when I think an Expert has found a solution only to find the problem still exists. So I'm going to run a couple of tests overnight and let you know in the morning.
In the meantime I have attached the log of the scan and in anticipation that everything is fine, I would like to say thank you.
Cheers
combofix-log.txt
ASKER
Younghv,
I wasn't going to bother with OTL until reading your post. I will run OTL and upload the logs
In the meantime, rpggamergirl, you're a star...
Cheers
Carlton
"rpggamergirl. you're a star..."
Concur 100%!
Comments like that make me blush! :)
Thanks, :)
Has the redirect stopped for good?
If the issue is still not resolved then you could also try FixTDSS.exe from Symantec
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe
I hope that would help
Sudeep
ASKER
rpggamergirl
Yes the redirects have stopped. Thanks again.
ASKER
Brilliant
That's great!
You can then uninstall ComboFix:
Go to Start > Run and 'copy and paste' next command in the field:
ComboFix /Uninstall
Thanks!
"Google Hijack" - Google Search Gets Redirected:
https://www.experts-exchange.com/A_3299.html
"Infected Router - Google Search Redirects Even on a Clean System"
https://www.experts-exchange.com/A_5327.html