• Browser has been hijacked

    #464580

    Hello,

    My browser has been hijacked and all attempts to remove the malware have proved futile. I am using Windows 7 Home Premium – kept up to date – and I use Spybot, Adaware, Malwarebytes, Hijack This, as well as Avast, AVG, Kaspersky (all separately), all with no luck. Google searches are the most prone to redirection to a marketing site not related to the link clicked.

    Any help is appreciated.

    Preston

    • #1189661

      Hi Preston,

      Call up Taskman (Ctrl+Shift+Esc) and keep it onscreen, open Notepad and IE in Safe Mode (Taskman > Run > ‘iexplore -extoff’). Rename Hijackthis to something random, like ‘helpme’.

      Use Spybot in Advanced mode to kill Explorer.exe, > Tools > Process List, this may temporarily stop some of the offending malware. From this point on, use Run from Taskman to navigate and start programs.

      Using Notepad, navigate to Windows > System32 > Drivers > Etc and change your hosts file so that it only contains

      Code:
      # Copyright (c) 1993-1999 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #
      # This file contains the mappings of IP addresses to host names. Each
      # entry should be kept on an individual line. The IP address should
      # be placed in the first column followed by the corresponding host name.
      # The IP address and the host name should be separated by at least one
      # space.
      #
      # Additionally, comments (such as these) may be inserted on individual
      # lines or following the machine name denoted by a '#' symbol.
      #
      # For example:
      #
      #      102.54.94.97     rhino.acme.com          # source server
      #       38.25.63.10     x.acme.com              # x client host
      
      127.0.0.1       localhost

      You’ll need to make the file writable first, then make it read-only again after you have saved it – it is only called hosts – not hosts.txt or anything else.

      Run ‘helpme’ (hijackthis); it may well run successfully (use Taskman to browse to it). If it runs, navigate to http://www.hijackthis.de, paste the results into the page there and hit Analyze. When you get the results, you may be able to use Hjt and Spybot’s Process List to find and kill more of the malware.

      You should now be able to browse safely to majorgeeks to get some serious help from the forum there, also, it’s probably the best site to download software from, it’s all tested and they don’t have any crapware on site.

      Good luck 🙂
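
An added example, not part of the original post: a read-only check of hosts-file text that reports every active entry other than the default loopback-to-localhost mapping the reply above restores. The sample file contents, the addresses and the `audit_hosts` name are constructed for illustration.

```python
import ipaddress

# Constructed sample: a tampered hosts file (addresses are documentation ranges).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com   # constructed redirect entry
127.0.0.1       update.example-av.test      # constructed: blocks an update host
not-an-ip       search.example.test
"""

LOCAL_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, kind, detail) for every active entry that is not
    the default loopback -> localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not entry:
            continue
        fields = entry.split()
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", entry))
            continue
        if not names:
            findings.append((line_no, "malformed", entry))
            continue
        extra = [n for n in names if n not in LOCAL_NAMES]
        if not extra:
            # Only "localhost" is named: it must still point at loopback.
            if not ip.is_loopback:
                findings.append((line_no, "localhost-remapped", entry))
            continue
        # Loopback/0.0.0.0 targets block a host; anything else redirects it.
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in extra:
            findings.append((line_no, kind, f"{name} -> {ip}"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, pass in the text of the hosts file from Windows > System32 > Drivers > Etc; an empty result means only the default mapping is active.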

    • #1189669

      I’m not sure from your description what you’ve got, but if I search in Google (!!), I find pages like this:

      Oh, that nasty Google Redirecting Virus | Ask MetaFilter

      == Edit ==

      I meant to ask: what browser are you using, and does it affect other browsers on your system?

    • #1189672

      I’m using FF- but it affects IE and CHROME also.

    • #1190374

      I’ve removed a ton of hijackware in the past from different systems using the free version of SuperAntiSpyware and I think it’s the absolute best at it (in spite of the Cheesy name).

      • #1190570

        Crusty,

        Thanks for the suggestion. I’ve tried SuperAntiSpyware and while it did find some trash, I still have the problem! I’ve used Spybot S&D, AdAware, Malwarebytes, and Spyware Doctor, all with no luck. I’ve also used AVG, Kaspersky, Avast, and Combo Fix, and I still have redirections from Google searches. This culprit is well-hidden! Thanks for the tip, though.

        Preston

        • #1190604

          Could we know the site you are being redirected to? It might help determine which bug is troubling you, but I believe the best solution is to get a copy of HijackThis and follow the instructions to create a log and post it on one of the forums. One of the good folks there will eventually pick up your post and work with you to remove the nasty. It may take a while and require a good deal of back and forth, but they are successful almost all the time.

          • #1190641

            Doc,

            It redirects to many different sites at random. I’ll try HiJack This.

            Preston

            • #1191604

              Preston,

              If you could, please post back and let us know how you make out and what the bug was (if possible). It may help others to help themselves.

              The suggestion by Ralph Finch is a good one if you have another system to slave the drive to or the means to do it externally with a drive enclosure or an IDE/SATA to USB cable to attach the drive to the system. We have to assume that users only have the one PC. But if you do have another system, this method may be faster and easier.

            • #1191671

              Hello all,

              This turned out to be a continuing episode of random redirections and I eventually used many antispyware programs which would sometimes result in a clean scan, yet other times would find things, all different. I had to assume I had acquired a root kit of some kind, and I decided to do a full new install on a new hard drive.

              Preston

    • #1190581

      You really do need to go to a reputable anti-malware forum to get your PC fixed up. You’ve probably eradicated most of the malware; now you need to double-check, then apply the correct fixes to effect a repair.

    • #1191594

      A friend’s machine had a virus like that (plus lots more). From a google list of search hits, it would redirect once to an advert site. When you hit the Back button and hit the link again, it would go to the proper site. Clever, in that it generated hits (and thus a penny or two I guess) for the adverts, but did so only once so you would learn to tolerate it. At least my friend did.

      I got rid of a dozen or more viruses on his machine by taking the drive out, putting it in an external drive chassis, and running a few different anti-virus programs on the now “dormant” drive, treating it like a data drive. That way the viruses don’t activate on bootup and complicate things.

      You can achieve the same thing by booting from a boot CD (could use your Windows install disk) (might have to change the BIOS settings), then running an anti-virus program from, say, a USB flash drive. Prepare the USB flash drive first. Try ClamWin Portable if you don’t have anything else.

    • #1191750

      Thanks for posting back.

      I have yet to come across an infection that cannot be removed, often with a great deal of work, but they can eventually be found and neutralized. That said, it is often the lesser of 2 evils to just scrap things and start over.

      You could have a root kit, but I would suspect it to be a very stubborn Trojan virus from the symptoms you describe. The continued reinfection and random site redirects to other possible sources of infection are classic.

      Best of luck with your choice of options.

    • #1192107

      Preston, I know you’ve already decided to go ahead with a new install and that it’s already been suggested that you use Safe Mode for some of the recovery methods, but still I have a question.

      When you ran through the various tools you used were you booted up in Safe Mode? I recall sometimes getting more thorough results when doing that.

      Also, did you try using A-Squared Free as one of the tools? I’ve had good luck with that.

      Good luck,

      Eric

    • #1192297

      Eric,

      I used safe mode quite often, but not always. I did not use F-SQUARED. I had spent too much time trying to find the culprit and decided to reload from scratch. Thanks for the advice, though.

      Preston
