cpatte7372 (United Kingdom) asked:
I think I've Been Hacked Into

Hello Experts,

Since visiting a dubious site I think I've been hacked into. An expert has made some suggestions on a similar question: https://www.experts-exchange.com/questions/27176943/Pop-Up-Blocker.html

However, I thought I would re-submit the question as it appears a little more serious than I originally suspected.

For example, each time I click on a site from Google I get redirected to http://www.asktofriends.com/search_uk/ut/searcha.php?

I'm also getting hammered with pop-ups. It was suggested that I use Firefox and install malware. I've installed the malware; however, I was wondering if you all would agree that my problems may get resolved by changing to Firefox? (I'm currently using IE9.)

Your help will be greatly appreciated.

Cheers

Carlton
rpggamergirl (Australia):

Have you tried running TDSSKiller?
"Google Hijack" - Google Search Gets Redirected:      
https://www.experts-exchange.com/A_3299.html

"Infected Router - Google Search Redirects Even on a Clean System"  
https://www.experts-exchange.com/A_5327.html
cpatte7372 (asker):

OK,

Every site I click gets redirected to various other sites.

Driving me crazy
Use another PC to download TDSSKiller and rename it to something else before moving it to the infected PC.
If some nasties had infected the system I don't think changing to Firefox will make a difference, the nasties have to be removed.

You can also download the tools RKill or RogueKiller to kill the processes; download them onto a USB stick.
RKill:
http://www.bleepingcomputer.com/download/anti-virus/rkill

RogueKiller:
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
I think you have to decide on two things:

1. Has your site been hacked, or has your browser been hacked?

If you decide on this, then the solution will be easy. Reason:

1. If your site got hacked, then there should be some scripts.
2. If it happens for every kind of site, then your browser is hacked; just run any respectable AV / malware cleaner.
Malwarebytes Anti-Malware usually does a good job of mopping up after using the above tools to stop any malicious process.
Go to Malwarebytes.org, download, update and run it. Upon completion, use ESET Online Scanner to do a full scan: http://www.eset.com/us/online-scanner/run
Gents,

Thanks for responding.
This is what I've done so far:
I've installed Malwarebytes, Anti-Malware.
The pop-ups seem to have stopped for now, but I can't get to any site without being redirected.
I have installed Firefox and although I haven't been redirected yet on Firefox, there are a few occasions when I get the message that the site is either down or unavailable, which I know isn't correct as the site is cisco.com.

I'm first going to try TDSSKiller.

I sincerely hope this helps, as this is ludicrous.

Thanks guys. I will let you know how I get on.

Cheers
Experts,

I now can't even use Experts-Exchange in IE9 without getting the message that the IE9 pop-up blocker wants me to let a pop-up appear, and it won't give me the option to say no.

From past experience the pop-up is going to be a porn site.

Please help me. I was going to the site that rpggamergirl suggested to get the TDSKiller but the pop-up won't let me.

P.S.
My apologies rpggamergirl, for assuming that you were a gentleman.

Cheers
OK,

Now I can't even log in to Experts-Exchange from Firefox. When I do a search in Firefox for Experts-Exchange from Google I get sent to http://www.goingonearth.com/search.php?q=experts-exchange

And then it hangs....

I've really been hacked into.

Please help.
OK,
tdskiller found nothing.

rpggamergirl, now going to try RKill.
Experts,

It would appear from the results of Malwarebytes and TDSKiller that I don't have any malicious files. The problem is with the redirection of sites from Google.

Please help.

Cheers
Hi younghv,

I tried her first suggestion, using RKill, and I got the following output:

Rkill was run on 03/07/2011 at 17:35:41.
Operating System: Windows 7 Enterprise


Processes terminated by Rkill or while it was running:



Rkill completed on 03/07/2011 at 17:35:47.

What should I do now?

This is a nightmare....
Hi Younghv,

I followed your other suggestion with RogueKiller and hit option 1 (scan) and got the following output:
RogueKiller V5.2.7 [06/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 07/03/2011 19:42:12

Bad processes: 0

Registry Entries: 4
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:


Finished : << RKreport[1].txt >>

Younghv, just so you know the main problem I'm having at the moment is the inability to get to any sites via google, even Experts-Exchange - I keep on getting redirected.

Really appreciate your help mate
Younghv,

In answer to your previous question,

I downloaded TDSKiller onto a USB stick and renamed it. However, when you actually double-click it, the real name TDSKiller appears and can't be changed.
Younghv,

I just have to pop out for a bit. I look forward to your suggestions.
cpatte7372,

When you double-click the renamed TDSSKiller, the window that opens before you actually click on the "Start scan" button will be called TDSSKiller. The renaming bit is only so the program will not be blocked by the malware when it launches; you are not actually renaming the program TDSSKiller. If TDSSKiller runs without being renamed then that's good.

"tdskiller found nothing."

Did the log show any suspicious entries?
If it isn't a router infection then it could be an MBR infection or an infected volsnap.sys.

Try running Rootkit Unhooker to check if it is an infected volsnap.sys
http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE

• Please download Rootkit Unhooker and save it to your desktop.
• Double-click on RKUnhookerLE.exe to run it.
• Click the "Report" tab, then click Scan.
• Checkmark Drivers, Stealth. Uncheck the rest and then click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Post the report here.
Hi rpggamergirl,

Thanks for getting back to me. I will try your new suggestion.

In the meantime, I got the RogueKiller report that I posted above.
Hi rpggamergirl,

The main problem I'm having at the moment is that every time I click on a site from Google I get a blank page with a suspicious URL.

Look at the URL that appears below when I click on Experts-Exchange from Google.

http://www.goingonearth.com/search.php?q=experts%2Bexchange.

Also, since running the malware, tdskiller and rogue kill, every single action generates a sound. Even a right click generates a sound. Does this have anything to do with TDSKill?

Cheers
Hi rpggamergirl,

Attached is a snapshot of the error message I get when I run Rootkit.

Are you able to help me with the constant sounds that keep on being generated? As I said even when I paste I get a sound.

I hear sounds occurring for no apparent reason, although I know something must have generated them. If you don't think the sounds have anything to do with running the malware etc., please let me know so that I can ask another question. However, I must say I didn't have the sounds before I ran TDSKill and the rest of the malware....
I don't know about the sounds.... there are nasties that play music, but not like what you mentioned.
I've run TDSSKiller but I didn't notice any sound.

What program is having that error you just posted?
Did TDSSKiller manage to run? I think you mentioned it ran and didn't find anything.
Let's see what Unhooker finds.
Run msconfig and set it to a diagnostic startup.
Delete the contents of your %temp% directory.
You should be able to delete everything there; if you get an error message about a file in use,
go into Task Manager, click on "Show processes from all users" and show the file location of the tasks that are running.
Any that point to %temp% (c:\users\username\appdata\temp): kill that process and delete that file.
You should now be able to run tdskiller or Malwarebytes.

Now you can go back into msconfig, re-enable all services and investigate all the entries in the
startup. If you can't confirm by looking at the file properties that it is a valid file, then leave it unchecked.
You might want to run Sysinternals Autoruns, save the output to a .arn file and upload it here.
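A read-only PowerShell triage script, added here as an example and not taken from any post in this thread, that automates the checks the thread does by hand: ve3ofa's Task Manager step of finding processes running from %temp%, the two UAC registry values that RogueKiller flagged as [HJ] in the asker's log, and the HOSTS file section of that same log. It only reports; nothing is terminated or deleted.

```powershell
# Added example, not code from this thread. Read-only triage of the items the
# thread checks by hand. Run from an elevated PowerShell prompt on Windows 7 or later.

# 1. Processes whose image lives under %TEMP% (ve3ofa's Task Manager step).
#    $_.Path is $null for processes this session cannot inspect, so test it first.
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP)
$fromTemp = Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($tempDir, [System.StringComparison]::OrdinalIgnoreCase)
}
if ($fromTemp) {
    Write-Output "Processes running from $tempDir (inspect before acting):"
    $fromTemp | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
} else {
    Write-Output "No running process has its image under $tempDir"
}

# 2. The two UAC values RogueKiller reported as [HJ] with value 0.
#    Defaults are EnableLUA = 1 (UAC on) and ConsentPromptBehaviorAdmin = 5
#    (prompt for consent); 0 in either means elevation happens silently.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac  = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
$lua  = $uac.EnableLUA
$cpba = $uac.ConsentPromptBehaviorAdmin
if ($lua -ne 1 -or $cpba -eq 0) {
    Write-Output "UAC weakened: EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpba"
} else {
    Write-Output "UAC values look normal: EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpba"
}

# 3. HOSTS file: list every active (non-comment) mapping other than the
#    localhost lines. A tampered hosts file is one way search-result clicks end
#    up somewhere else even when the scanners report no malicious file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$mappings = Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($mappings) {
    Write-Output "Non-default HOSTS entries:"
    $mappings
} else {
    Write-Output "HOSTS file has no entries beyond localhost"
}
```

The %TEMP% path and the UAC key are the standard Windows locations; if the registry values are absent, the script reports them as empty rather than failing.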
rpggamergirl

Just prior to your last message, I sent you a message letting you know Rootkit failed with an attachment of the error message.
Hi ve3ofa

Before I go ahead with your suggestion, can you let me know what the objective is? I know asking what the objective is sounds like a dumb question, but is one of the objectives to locate what may be causing the redirection of sites from IE9?

Cheers
ASKER CERTIFIED SOLUTION
rpggamergirl (Australia)
Thanks Younghv
rpggamergirl

I'm going to try your suggestion. I will let you know how I get on.

Cheers
Hi rpggamergirl

I don't want to get too excited, but I think ComboFix fixed the problem. I sometimes get excited when I think an Expert has found a solution only to find the problem still exists. So I'm going to run a couple of tests overnight and let you know in the morning.

In the meantime I have attached the log of the scan and, in anticipation that everything is fine, I would like to say thank you.

Cheers
Younghv,

I wasn't going to bother with OTL until reading your post. I will run OTL and upload the logs.

In the meantime, rpggamergirl, you're a star...

Cheers

Carlton
"rpggamergirl. you're a star..."

Concur 100%!
Comments like that make me blush! :)
Thanks, :)

Has the redirect stopped for good?
If the issue is still not resolved then you could also try FixTDSS.exe from Symantec:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that helps.

Sudeep
rpggamergirl

Yes, the redirects have stopped. Thanks again.
Brilliant
That's great!
You can then uninstall ComboFix:

Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Thanks!