Browser hijacked

tyr_shadowblade

Hi.

I don't know much about computers, but I've been somewhat lucky for the past 5 years with minimal problems.

Somehow, probably during the past few days, Google browser has been hijacked. Redirecting to webpages such as: scour.com, infomash.com, thebig.us, ebajo.info. Sometimes it looks like it tries to run something on Windows Media Player. Started out throwing bogus Windows error messages at me, like "Hard drive missing" then it would eventually crash. Last night I couldn't even start it up properly and needed to run a system restore from safe mode.

Over the past 24 hours I've run about 5 types of anti-virus/anti-malware scan. Quarantined and removed 8 infected files and over a hundred cookies. Still doing it. Am considering wiping the hard drive at this point. Any other things I should try first?

This is a Dell Inspiron B120 running Windows XP.

Thanks.
 
Somehow, probably during the past few days...

Past few days?!? :eek:

First off, disconnect the computer from the internet immediately, as soon as you first notice a problem, until it's cleaned and secured with a firewall. You may be getting reinfected faster than you can clean things.
 
Your best bet is probably to generate a HijackThis log and get a M$ MVP or someone that does this for kicks to go through it with you. One can find automated interpreters of HijackThis logs out there but given the log is neutral and just tells you 'what is' getting someone to walk you through is going to be safer. After reading through your log someone will advise you as to what you need to do / run to fix it – then you generate another log file, post your log, rinse and repeat till you're told there is nothing left.

HijackThis-the tool

one of many places to get the log examined

two of many places to get the log examined

three of many places to get the log examined


 
Something to keep in mind, it's extremely unlikely that you're the very first person to pick up a particular virus or malware. And it's impossible for any one person to know the exact steps necessary to remove and clean up after every single virus (there are probably millions of different viruses and variations). So Google is your friend. Search and see what other people have done to fix the same symptoms that you have. Search by the name of the file that's trying to access the internet; search by the website names that your browser is being redirected to; search by any unfamiliar activity or new computer behaviors, etc.

But the first thing is to keep the problem from becoming worse. Removing one small malware is usually easy. Cleaning up a computer that's been collecting multiple viruses until the machine no longer functions... that's a completely different thing, and often results in either days of work, or reformatting the hard drive and reinstalling the operating system from scratch.

Good luck.
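The post above says to search by the name of the file that is talking to the internet. On XP the raw data for that comes from two built-in commands: `netstat -ano` (every connection with the PID that owns it) and `tasklist /fo csv` (PID to image name; tasklist.exe is present on XP Professional but not installed on XP Home). The script below is an added example, not from anyone in this thread: it joins the two outputs so each remote address is listed under the program that opened it, and it separately reports PIDs that own a socket but do not appear in the task list, which is one classic sign of a process hiding itself. Both command outputs embedded here are constructed samples, not captures from the poster's machine, and PID 1337 is deliberately left out of the task list to show the hidden-process case.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.0.5:1045       198.51.100.7:80        ESTABLISHED     2208
  TCP    192.168.0.5:1061       203.0.113.44:80        ESTABLISHED     1337
  TCP    192.168.0.5:1062       203.0.113.44:443       SYN_SENT        1337
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output. PID 1337 is deliberately
# missing to stand in for a process that hides itself from the task list.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","932","Console","0","4,936 K"
"firefox.exe","2208","Console","0","61,212 K"
"""

# One netstat row: proto, local, remote, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per connection row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv`."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def outbound_by_process(netstat_text, tasklist_text):
    """Group remote endpoints by owning image name, skipping listeners.

    A PID that netstat reports but tasklist does not know is labelled
    '<not in tasklist>': worth a second look, since a process hidden from
    the task list is one classic rootkit symptom.
    """
    names = parse_tasklist(tasklist_text)
    report = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if row["state"] == "LISTENING" or row["remote"] in ("*:*", "0.0.0.0:0"):
            continue
        owner = names.get(row["pid"], "<not in tasklist>")
        report[owner].append("%s %s" % (row["proto"], row["remote"]))
    return dict(report)


def hidden_pids(netstat_text, tasklist_text):
    """PIDs that own a socket but are absent from the task list."""
    names = parse_tasklist(tasklist_text)
    return sorted({row["pid"] for row in parse_netstat(netstat_text)
                   if row["pid"] not in names})


if __name__ == "__main__":
    for owner, remotes in sorted(outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(owner, "->", ", ".join(remotes))
    print("PIDs with sockets but no task list entry:",
          hidden_pids(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

Run the two commands with output redirected to files (`netstat -ano > net.txt`, `tasklist /fo csv > tasks.txt`) and feed the file contents to the functions. The image names it prints are the ones to search for. One caveat: netstat and tasklist both ask the same Windows APIs, so a rootkit that hooks those APIs can hide a process from both at once; an empty hidden-PID list is a good sign, not proof.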
 
Definitely try Malwarebytes, they have a great free quickscan and removal tool that I and the tech support at my university use. Highly recommended
 

Tyr:

Not very techie myself but the above advice seems to be what I understand from knowledgeable guys I've met as well. Like biological viruses, they have cumulative effects and they do require at times precise mapping on how best to deal with them.

Besides the sites already given, I got Avast some time ago for my old PC.
 
Thanks for those links :). My dad usually finds a way to get malware on his PC so I try to keep some help forums saved for him.

Another one which works with HijackThis logs is Geeks to Go:
http://www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/

Good luck tyr_shadowblade.
 
Sorry, found the thread late.

Good advice so far and I'll +1 the Avast and getting behind a firewall. SpyBot S&D is also pretty good if you keep it updated but Avast might think it's actually malicious and vice-versa. Quarantine all recordable media you might be using including USB memory sticks, CDRWs, SD cards, etc. and reintroduce them slowly while running scans on their respective drives.
Once your computer is clean and secure again, change all your passwords to alphanumeric, especially random, with special characters. If you don't know whether or not a bit of spyware has stolen your yahoo login or not, you are safer just changing it rather than finding out the hard way. For example, I get at least three emails a day from an ex-girlfriend who really wants me to visit a Canadian drugstore that will sell me Percocet without a prescription.
Lastly, if you are using a wireless router, I strongly suggest you update its firmware if a new version is available. You can usually check for the latest version by typing 192.168.0.1 into your browser and looking under administrative options. Believe it or not, someone has figured out how to infect routers with malicious code and it's a real PITA. I pulled my hair out for weeks trying to figure out why my MacBook was redirecting me all over the internet! As you all know, Macs are impervious to malware. ;)
After a bit of research, I discovered that it was actually my router and the firmware update fixed the issue. Good luck!
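The router story above and the redirects in the first post share two cheap checks that sit outside any scanner. The first is the hosts file: a browser consults it before asking DNS, so one extra line there sends a site somewhere else no matter which browser you use. The second is the list of DNS servers the machine is actually using: a compromised router hands out attacker-controlled resolvers by DHCP, and every name lookup on the LAN is then answered by the attacker, which is exactly how a clean laptop can still be redirected. The script below is an added example, not from anyone in this thread. Both inputs are constructed samples (203.0.113.x is a documentation range standing in for an attacker's server), and the short allowlist of public resolvers is an assumption to edit: your own ISP's published resolvers will be reported as "to verify" until you add them.

```python
import ipaddress
import re

# Constructed sample of C:\WINDOWS\system32\drivers\etc\hosts with two
# entries pointing Google at an outside address (203.0.113.10 is a
# documentation address standing in for an attacker's server).
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.10    www.google.com
203.0.113.10    google.com    # looks harmless, sends every Google visit elsewhere
0.0.0.0         ads.example.net
"""

# Constructed sample of `ipconfig /all` for a machine whose DHCP lease hands
# out DNS servers that are neither the router nor anything on the LAN.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Resolvers a home user might have set on purpose. Assumption: extend with
# your own ISP's published resolvers before trusting the output.
KNOWN_PUBLIC_RESOLVERS = frozenset({
    "8.8.8.8", "8.8.4.4",                   # Google Public DNS
    "208.67.222.222", "208.67.220.220",     # OpenDNS
})


def hijacked_hosts_entries(text):
    """Return (hostname, ip) pairs that map a name to a routable address.

    localhost entries and 0.0.0.0 sinkholes (ad-blocking hosts files use
    them) are normal; anything else means the browser never asks DNS for
    that name and goes wherever the file says.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not our concern here
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.extend((name, str(ip)) for name in parts[1:])
    return hits


def parse_ipconfig(text):
    """Turn `ipconfig /all` into {label: [values]}, keeping continuation lines."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line and not line.endswith(":"):
            label, value = line.split(":", 1)
            last = label.replace(".", "").strip()
            fields.setdefault(last, []).append(value.strip())
        elif last and re.fullmatch(r"[0-9.]+", line):
            fields[last].append(line)  # wrapped second DNS server etc.
    return fields


def suspicious_dns_servers(text, known=KNOWN_PUBLIC_RESOLVERS):
    """DNS servers that are neither the gateway, on the LAN, nor known-good."""
    fields = parse_ipconfig(text)
    gateways = set(fields.get("Default Gateway", []))
    flagged = []
    for server in fields.get("DNS Servers", []):
        ip = ipaddress.ip_address(server)
        on_lan = any(ip in net for net in RFC1918)
        if server in gateways or on_lan or server in known:
            continue
        flagged.append(server)
    return flagged


if __name__ == "__main__":
    print("hosts file overrides:", hijacked_hosts_entries(HOSTS_SAMPLE))
    print("DNS servers to verify:", suspicious_dns_servers(IPCONFIG_SAMPLE))
```

Paste the real hosts file and the output of `ipconfig /all` into the two strings (or read them from files) and run it. If the DNS servers it flags are also what the router's status page shows, the router is the thing to fix, which matches the firmware story above. A clean result from both checks does not clear a kernel-level rootkit such as TDSS, which redirects from inside the system rather than through these files; it narrows the search rather than ending it.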
 
First off, disconnect the computer from the internet immediately, as soon as you first notice a problem, until it's cleaned and secured with a firewall.

Just a bit about why this is important.

Best case: You pick up a virus or spam malware from some porn site (for example, or your kid downloaded a phony mp3 file). You notice an advertising popup even when you're not using the internet. You immediately Engage Internet Lock on your firewall, and soon after physically disconnect the internet cable. The malware is isolated and easily removed using information found online.

Worst case: You get the same malware, only ignore it for a few days. The popups get worse and worse. Your firewall and anti-virus software are compromised and no longer functioning correctly. Additional, but worse, viruses and trojans are downloaded and installed to your computer. Computer becomes sluggish and takes ten minutes or longer to boot. The entire contents of your hard drive end up in the hands of Russian mafia hackers, including bank account numbers and passwords. The viruses e-mail themselves to every person in your address book. Your computer becomes part of a "botnet" and is used to attack American banks' websites and government computer networks... Eventually the computer becomes completely unusable, and could even be permanently damaged.

Farfetched?
http://www.armybase.us/2009/07/white-house-pentagon-websites-targeted-by-cyberattack/
Around a dozen US government websites, including those of the White House and the Pentagon, were targeted in a coordinated cyberattack...
A denial of service attack attempts to paralyze a website by flooding it with traffic from an army of malware-infected computers known as a “botnet.”
 
Definitely try Malwarebytes, they have a great free quickscan and removal tool that I and the tech support at my university use. Highly recommended

Yep, it took care of my issue when my browser was hijacked and found dozens of trojans Panda hadn't. Can't recommend enough, plus it's free.
 
Well, I was able to clean up most of it.

No more bogus error messages, no more crashes, system running a lot quicker.

Problem seems to be a real nasty bug along the lines of a new generation TDSS rootkit.

I've been doing research, and it seems to be so difficult to fix most people end up wiping their hard drive and reinstalling Windows. No antivirus or antimalware can detect it and it does not appear in a HijackThis log.

As long as I click on the Google cache link, nothing is triggered and everything works fine. If I try clicking on the main link it redirects to scour.com or a random malware site.

Anyone know what can be done about this?
 
Kaspersky has a TDSS rootkit remover here. I don’t know if you’ve tried it already or if it would help find anything. It’s free though and easy to use.
 
Good advice so far and I'll +1 the Avast and getting behind a firewall. SpyBot S&D is also pretty good if you keep it updated but Avast might think it's actually malicious and vice-versa.

I think this needs to be highlighted. When getting multiple anti-virus/malware scan, removal and quarantine programs, sometimes they can and do conflict. Check carefully the compatibility of the software you're installing.
 

I got that one last year, I had to wipe my computer. It got to the point where it would crash as soon as I turned it on.
 
I can't find the backup disk that came with the computer. I've got a couple discs for Windows and a few programs and backups of my documents.

It looks like GeekSquad and other fixit places want nearly the price of a new laptop to work on this. :(

How do you wipe the hard drive and reinstall Windows? Google is not my friend.
 
Try renaming it blah.com or something first.

Yeah... definitely. There may be some malware that’s blocking it and preventing it from running. A tricky thing you can try is just renaming it. Right-click on the TDSSKiller.exe icon, rename it to some random name, then launch it and see if that works.

There’s some more info on using TDSSKiller here. I’ve heard about that happening with MalwareBytes too; some viruses can prevent MalwareBytes from running, so you have to rename it.
 