Link to home
Create AccountLog in
Avatar of ol muser
ol muserFlag for United States of America

asked on

Browser hijacked (Chrome)

Despite the fact that I have McAfee Antivirus recently I seem to have been infected with a browser hijacker.

Symptoms: I use Chrome browser. Once in a while when I enter a search term in google and click on a link in the results page, the browser redirects to some irrelevant site with some marketing messages. Pls note, as of now, if I right click on the results link and open in a new tab, it works fine. I can be more descriptive about the addresses, etc is it helps to detect the hijacker. Just that I have to wait until it happens the next time. Also, since this started happening, the browser crashes, which never used to happen before, while typing search terms in google search page.

While I see many discussion topics with this I would like some help in picking up some CURRENT tools for identifying this hijacker and walk me through the removal of it. Hence this new thread.
Avatar of Sudeep Sharma
Sudeep Sharma
Flag of India image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of ol muser


Wow! I am trying to reach my linksys router's admin page for some other reason for the past few days and I am not able to reach, though I am physically wired to the device. Could this be a reason?
You could have had some of your other files/functions hijacked.
Run "RogueKiller" and use all of the menu options.
Post the logs that are generated. (Rogue-Killer-What-a-great-name)
Once you have those problems fixed, review the instructions in this EE Article for 'Browser Redirects'"
Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Well, ran TDSS killer, no infection found!!
RogueKiller report below, I beleive items found are benign - I have McAfee AV installed and running...


RogueKiller V5.1.2 [05/13/2011] by Tigzy
contact at
mail: tigzyRK<at>gmail<dot>com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: XXXX [Admin rights]
Mode: Scan -- Date : 05/16/2011 06:12:24

Bad processes: 0

Registry Entries: 2
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

HOSTS File:       localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Not sure how to proceed when TDSSKiller and RogueKiller have not found anything...just in case log from TDSSKiller attached. TDSSKiller.
On your system click on Start -> Run type cmd and click ok. It would open a black window. In that window type ipconfig /all and hit Enter key on the keyboard. Paste the output of the command here.

It is interesting that you are unable to open the admin page of your router and as you said you are physically connected to it.

Avatar of Jonvee

>>Not sure how to proceed when TDSSKiller and RogueKiller have not found anything<<

Yes, your best move now is to run ComboFix, as first suggested by rpggamergirl.  There is a good chance that CF will remove the browser re-direct.

If you attach the generated ComboFix log file we can then decide whether to run CF a second time, using a small script, to complete the disinfection.
Note that running CF a second time will only be necessary if the computer is not completely 'disinfected' on the first CF scan.  
Your browser crashes may well be related to the same infection.
Ok - I had to reset my router to be able to access the admin page. May be it is infected. How can it be disinfected?

Attached are (1) results of ipconfig (2) Log from ComboFix

ip.txt cflog.txt
Please review the details in this Expert Comment (http:#a35766484) with a link to the Article titled:
"Infected Router - Google Search Redirects Even on a Clean System"

Resetting the router would bring it to its default settings, so technically it is disinfected after the reset.

Further make sure you do change the Admin password of the router so that this new rouge would not infect it again.