Browser hijacked (Chrome)

ol muser
Despite the fact that I have McAfee Antivirus, recently I seem to have been infected with a browser hijacker.

Symptoms: I use the Chrome browser. Once in a while when I enter a search term in Google and click on a link in the results page, the browser redirects to some irrelevant site with some marketing messages. Please note, as of now, if I right click on the results link and open in a new tab, it works fine. I can be more descriptive about the addresses, etc. if it helps to detect the hijacker. Just that I have to wait until it happens the next time. Also, since this started happening, the browser crashes, which never used to happen before, while typing search terms in the Google search page.

While I see many discussion topics with this, I would like some help in picking up some CURRENT tools for identifying this hijacker and walking me through the removal of it. Hence this new thread.
Sudeep SharmaTechnical Designer
Commented:
Seems like a variant of TDSS, often called the Google redirector.

Run TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

In a few cases it was found that the router is also infected, so if you have a router in place and its default admin password has not been changed, it would be advised to change it; if it is infected, resetting it and then changing the password is recommended.

I hope that would help.

Sudeep
ol muserTechnology Generalist

Author

Commented:
Wow! I have been trying to reach my Linksys router's admin page for some other reason for the past few days and I am not able to reach 192.168.1.1, though I am physically wired to the device. Could this be a reason?
Author of the Year 2011
Top Expert 2006

Commented:
You could have had some of your other files/functions hijacked.
Run "RogueKiller" and use all of the menu options.
Post the logs that are generated.

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

Author of the Year 2011
Top Expert 2006

Commented:
Once you have those problems fixed, review the instructions in this EE Article for 'Browser Redirects':
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
Top Expert 2007
Commented:
Are there any other PCs connected to the same router? If it is a router infection, every PC sharing the router would also experience the same symptom.

"Infected Router - Google Search Redirects Even on a Clean System"
http://www.experts-exchange.com/A_5327.html

Is this issue "Chrome" specific? Or is that the only browser you use?

If TDSSKiller won't help (show us the log), try ComboFix and also show us the log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ol muserTechnology Generalist

Author

Commented:
Well, ran TDSSKiller, no infection found!!
ol muserTechnology Generalist

Author

Commented:
RogueKiller report below. I believe the items found are benign - I have McAfee AV installed and running...

------------------

RogueKiller V5.1.2 [05/13/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: XXXX [Admin rights]
Mode: Scan -- Date : 05/16/2011 06:12:24

Bad processes: 0

Registry Entries: 2
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND

HOSTS File:
127.0.0.1       localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


ol muserTechnology Generalist

Author

Commented:
Not sure how to proceed when TDSSKiller and RogueKiller have not found anything... just in case, the log from TDSSKiller is attached. TDSSKiller.2.5.1.0-16.05.2011-05.txt
Sudeep SharmaTechnical Designer

Commented:
On your system click on Start -> Run, type cmd and click OK. It would open a black window. In that window type ipconfig /all and hit the Enter key on the keyboard. Paste the output of the command here.

It is interesting that you are unable to open the admin page of your router and as you said you are physically connected to it.

Sudeep
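
The two things this thread keeps coming back to, the DNS servers handed out by the router (the ipconfig /all request above and the "Infected Router" article) and the HOSTS file that RogueKiller lists, can both be checked from a saved copy of the output. The script below is an added example written for this thread; it is not a tool from the original posts nor from Kaspersky, Tigzy or Experts Exchange. It parses constructed sample ipconfig /all text and a constructed hosts file, flags DNS servers that are not on the local subnet (so cannot be the router itself) and not on an allow-list, and flags hosts-file mappings beyond the default localhost line. The sample addresses, adapter name and the expected_public_resolvers allow-list are assumptions, not values from the poster's attachments.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output in Windows XP layout (not the
# poster's attached ip.txt). The second DNS server is a public address that is
# not on the 192.168.1.0/24 LAN, which is how a router-level DNS hijack often
# looks from a client: the gateway is unchanged but DNS points elsewhere.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XXXX
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.7
"""

# Constructed sample hosts file with two extra mappings of the kind a
# redirector plants; a clean XP hosts file has only the localhost line.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
203.0.113.7     www.google.com
203.0.113.7     google.com
"""

LOOPBACK = {"127.0.0.1", "::1"}

# "Key . . . . : value" lines; dots and spaces between key and colon are padding.
_KV_LINE = re.compile(r"\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Extract ip, mask, gateway and the DNS server list from ipconfig /all text."""
    info = {"ip": None, "mask": None, "gateway": None, "dns": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _KV_LINE.match(lines[i])
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key == "ip address":
                info["ip"] = value
            elif key == "subnet mask":
                info["mask"] = value
            elif key == "default gateway":
                info["gateway"] = value
            elif key == "dns servers":
                if value:
                    info["dns"].append(value)
                # Extra DNS servers follow on indented lines that carry only an
                # address and no colon (IPv4 only; IPv6 entries would need a
                # different continuation rule).
                j = i + 1
                while j < len(lines) and lines[j].strip() and ":" not in lines[j]:
                    info["dns"].append(lines[j].strip())
                    j += 1
                i = j
                continue
        i += 1
    return info


def check_dns(info, expected_public_resolvers=()):
    """Flag DNS servers that are neither on the local subnet (i.e. the router)
    nor on the allow-list of resolvers the user configured on purpose."""
    findings = []
    lan = ipaddress.ip_network(f"{info['ip']}/{info['mask']}", strict=False)
    for server in info["dns"]:
        if ipaddress.ip_address(server) in lan or server in expected_public_resolvers:
            continue
        findings.append(f"DNS server {server} is outside {lan} and not an expected resolver")
    return findings


def check_hosts(text):
    """Report every hosts-file mapping other than the default localhost line.
    Mappings of search-engine names to a foreign address cause redirects;
    loopback mappings of vendor update domains are a common AV-blocking trick."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK and names == ["localhost"]:
            continue
        findings.extend(f"hosts maps {name} -> {addr}" for name in names)
    return findings


def audit(ipconfig_text, hosts_text, expected_public_resolvers=()):
    """Combine both checks into one list of findings (empty list means clean)."""
    info = parse_ipconfig(ipconfig_text)
    return check_dns(info, expected_public_resolvers) + check_hosts(hosts_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPCONFIG, SAMPLE_HOSTS):
        print(finding)
```

On a real machine the inputs are ipconfig /all > ip.txt and C:\WINDOWS\system32\drivers\etc\hosts. One caveat the thread itself illustrates: a hijacked router can keep handing out its own LAN address as the DNS server and forward queries to a rogue resolver upstream, so a clean result from this client-side check does not clear the router; the WAN-side DNS entries in the router's admin page still need to be compared with the ISP's, which is why resetting it and changing the admin password remain the right steps.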

Commented:
>>Not sure how to proceed when TDSSKiller and RogueKiller have not found anything<<

Yes, your best move now is to run ComboFix, as first suggested by rpggamergirl. There is a good chance that CF will remove the browser re-direct.

If you attach the generated ComboFix log file we can then decide whether to run CF a second time, using a small script, to complete the disinfection.

Commented:
Note that running CF a second time will only be necessary if the computer is not completely 'disinfected' on the first CF scan.
Your browser crashes may well be related to the same infection.
ol muserTechnology Generalist

Author

Commented:
Ok - I had to reset my router to be able to access the admin page. Maybe it is infected. How can it be disinfected?

Attached are (1) results of ipconfig (2) Log from ComboFix

ip.txt cflog.txt
Author of the Year 2011
Top Expert 2006

Commented:
Please review the details in this Expert Comment (http:#a35766484) with a link to the Article titled:
"Infected Router - Google Search Redirects Even on a Clean System"
Sudeep SharmaTechnical Designer

Commented:
@olmuser

Resetting the router would bring it to its default settings, so technically it is disinfected after the reset.

Further, make sure you do change the admin password of the router so that this new rogue would not infect it again.

Sudeep
