olmuser asked:
Browser hijacked (Chrome)
Despite the fact that I have McAfee Antivirus, I recently seem to have been infected with a browser hijacker.
Symptoms: I use the Chrome browser. Once in a while, when I enter a search term in Google and click on a link in the results page, the browser redirects to some irrelevant site with some marketing messages. Please note, as of now, if I right-click on the results link and open it in a new tab, it works fine. I can be more descriptive about the addresses, etc., if it helps to detect the hijacker. It's just that I have to wait until it happens the next time. Also, since this started happening, the browser crashes while typing search terms in the Google search page, which never used to happen before.
While I see many discussion topics on this, I would like some help in picking some CURRENT tools for identifying this hijacker and walking me through the removal of it. Hence this new thread.
SOLUTION
You could have had some of your other files/functions hijacked.
Run "RogueKiller" and use all of the menu options.
Post the logs that are generated.
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
Once you have those problems fixed, review the instructions in this EE Article for 'Browser Redirects':
https://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Well, ran TDSSKiller, no infection found!!
ASKER
RogueKiller report below. I believe the items found are benign - I have McAfee AV installed and running...
------------------
RogueKiller V5.1.2 [05/13/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: XXXX [Admin rights]
Mode: Scan -- Date : 05/16/2011 06:12:24
Bad processes: 0
Registry Entries: 2
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
HOSTS File:
127.0.0.1 localhost
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
ASKER
Not sure how to proceed when TDSSKiller and RogueKiller have not found anything... Just in case, the log from TDSSKiller is attached: TDSSKiller.2.5.1.0-16.05.2011-05.txt
On your system, click on Start -> Run, type cmd and click OK. A black window will open. In that window, type ipconfig /all and hit the Enter key on the keyboard. Paste the output of the command here.
It is interesting that you are unable to open the admin page of your router and as you said you are physically connected to it.
Sudeep
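The point of asking for ipconfig /all is to see which DNS servers the PC was handed: a router whose DNS settings have been changed pushes an unfamiliar resolver to every machine through DHCP, which is why redirects can persist on a clean system. As an added example (not code from this thread), this Python snippet parses ipconfig /all output and flags DNS servers that are neither the router itself, on the LAN, nor in a trusted list (such as your ISP's resolvers); the sample output is constructed.

```python
import ipaddress
import re
# Constructed sample of "ipconfig /all" output (not from the original thread).
# 203.0.113.9 (a documentation-range address) stands in for an unfamiliar
# resolver that a tampered router has pushed to the PC through DHCP.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       192.168.1.1
"""

# RFC 1918 ranges: a home router normally hands out itself as the DNS server.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipconfig(text):
    """Return {adapter: {"gateway": str or None, "dns": [servers]}} from ipconfig /all text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        header = re.match(r"^(\S.*adapter .+?):\s*$", line)
        if header:
            current, last_key = header.group(1), None
            adapters[current] = {"gateway": None, "dns": []}
            continue
        if current is None:
            continue
        keyed = re.match(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$", line)
        if keyed:
            last_key, value = keyed.group(1), keyed.group(2).strip()
        elif last_key and re.match(r"^\s+\S+\s*$", line):  # wrapped value, e.g. a 2nd DNS server
            value = line.strip()
        else:
            continue
        if last_key == "Default Gateway" and value:
            adapters[current]["gateway"] = value
        elif last_key == "DNS Servers" and value:
            adapters[current]["dns"].append(value)
    return adapters

def unexpected_dns_servers(adapters, trusted=()):
    """List (adapter, server) pairs whose DNS server is not the gateway, not on the LAN and not trusted."""
    findings = []
    for name, info in adapters.items():
        for server in info["dns"]:
            ip = ipaddress.ip_address(server)
            on_lan = any(ip in net for net in LAN_RANGES)
            if server != info["gateway"] and not on_lan and server not in trusted:
                findings.append((name, server))
    return findings
```

A flagged server is a lead, not proof: compare it against the DNS servers shown in the router's own admin page and against your ISP's published resolvers before concluding the router was tampered with.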
>>Not sure how to proceed when TDSSKiller and RogueKiller have not found anything<<
Yes, your best move now is to run ComboFix, as first suggested by rpggamergirl. There is a good chance that CF will remove the browser re-direct.
If you attach the generated ComboFix log file we can then decide whether to run CF a second time, using a small script, to complete the disinfection.
Note that running CF a second time will only be necessary if the computer is not completely 'disinfected' on the first CF scan.
Your browser crashes may well be related to the same infection.
ASKER
Please review the details in this Expert Comment (http:#a35766484) with a link to the Article titled:
"Infected Router - Google Search Redirects Even on a Clean System"
@olmuser
Resetting the router would bring it to its default settings, so technically it is disinfected after the reset.
Further, make sure you change the admin password of the router so that this new rogue cannot infect it again.
Sudeep