MAMEWorld >> The Loony Bin


Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Tricky browser hijacker/redirect
#251503 - 04/11/11 05:32 PM


I'm usually really good at hunting down and squashing spyware/viruses but I've got one that's got me a little stumped.

My Google searches keep getting redirected to random pages. Happens in IE or Firefox. I'm running Windows XP Pro SP3.

- Malwarebytes, TDSSkiller, Kaspersky, Symantec AV all show that the PC is clean
- No rogue processes running in task manager
- Host file looks clean
- Nothing out of the ordinary that I can see in HijackThis
- No rogue items are in HKLM/Software/Microsoft/Windows/CurrentVersion/Run or HKCU/Software/Microsoft/Windows/CurrentVersion/Run

Nothing looks fishy in the usual places. The only thing that looks odd is in my add/remove programs there's an application called "aaa" with the Java logo next to it. When I try to uninstall it, I always get an error that the program was not uninstalled correctly. I nuked it from the registry and don't see it in add/remove programs anymore but my searches are still getting redirected.

Anything else I should try? Any tricks/tips you guys have to hunt this down?



BIOS-D
MAME Fan
Reged: 08/07/06
Posts: 1688


Re: Tricky browser hijacker/redirect [Re: Hizzout]
#251535 - 04/11/11 09:31 PM


> I'm usually really good at hunting down and squashing spyware/viruses but I've got
> one that's got me a little stumped.
>
> My Google searches keep getting redirected to random pages. Happens in IE or Firefox.
> I'm running Windows XP Pro SP3.
>
> - Malwarebytes, TDSSkiller, Kaspersky, Symantec AV all show that the PC is clean
> - No rogue processes running in task manager
> - Host file looks clean
> - Nothing out of the ordinary that I can see in HijackThis
> - No rogue items are in HKLM/Software/Microsoft/Windows/CurrentVersion/Run or
> HKCU/Software/Microsoft/Windows/CurrentVersion/Run
>
> Nothing looks fishy in the usual places. The only thing that looks odd is in my
> add/remove programs there's an application called "aaa" with the Java logo next to
> it. When I try to uninstall it, I always get an error that the program was not
> uninstalled correctly. I nuked it from the registry and don't see it in add/remove
> programs anymore but my searches are still getting redirected.
>
> Anything else I should try? Any tricks/tips you guys have to hunt this down?


Maybe this could help:

http://www.bleepingcomputer.com/forums/topic376141.html



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Re: Tricky browser hijacker/redirect [Re: BIOS-D]
#251539 - 04/11/11 09:51 PM


Looks like the same issue for sure, but the proposed fix didn't work for me

I'll keep digging from that thread. Thanks!



Mojo2000
Regular
Reged: 09/20/03
Posts: 766
Loc: North America


Yeah, same here... [Re: Hizzout]
#251611 - 04/12/11 10:11 AM


Well, it's my work computer that suffers from redirected Google searches. I'm not sure how much danger I'm in (any hints?), but from a day-to-day standpoint it's just a matter of shutting the bad window and clicking on the link again to reach the correct destination...

I can't figure out why my office machine is getting this crap, but my less-protected home desktop is still clean.



mogli
MAME Fan
Reged: 01/26/08
Posts: 1956


Did you try via Safe Mode?..... [Re: Hizzout]
#251615 - 04/12/11 11:23 AM


Also, in post #6 of that thread linked, there's an expanded Safe Mode strategy.



Consider it high comedy....sincere tragedy....whatever...don't take it personally.

The Culture




TriggerFin
Gnu Truth
Reged: 09/21/03
Posts: 5266
Loc: Stuck in a hole


Re: Did you try via Safe Mode?..... [Re: mogli]
#251617 - 04/12/11 11:59 AM


Safe mode with networking won't change the proxy settings that the malware may have altered.

When I had to clean up my sister's PC, that was one of the problems. The proxy setting had been changed (somewhere in the internet settings, user can fix) so that searches went through the malware on the system.

That was "Best Malware Protection," an evil thing, but one that makes itself known by name, because they want to sell it to you. The solution was some free Norton thing, can't recall.



URherenow
Reged: 09/21/03
Posts: 4261
Loc: Japan


Re: Tricky browser hijacker/redirect [Re: Hizzout]
#251623 - 04/12/11 01:44 PM


If you can't find anything with HijackThis, and the hosts file really is clean, then there are only 2 more places I can think of to look: the connection settings in Internet Explorer and your DNS settings. (If by some freak of nature it really is DNS related, don't forget to ipconfig /flushdns after you take care of it.)

Oh, and clear out all of your cookies.

Do tell if you find the culprit.



Just broke my personal record for number of consecutive days without dying!
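The posts above amount to a checklist: hosts file, Run keys, Internet Explorer proxy settings (which, as TriggerFin notes, Safe Mode does not reset), DNS servers, and the odd "aaa" entry in Add/Remove Programs from the first post. The script below is an added example, not code from anyone in this thread, that inventories those same locations read-only on a Windows box so the findings can be compared against what the machine should have. It assumes PowerShell 2.0 or later (installable on XP SP3), an administrative session, and a watch list of domains that I constructed for illustration.

```powershell
# Added example (not from the thread): read-only triage of the places the posters check by hand.
# Assumptions: Windows with PowerShell 2.0+, run as an administrator. The domain watch list and
# the report wording are my own choices; nothing here changes the system.

$report = New-Object System.Collections.ArrayList

# 1. hosts file: flag lines that map a well-known domain anywhere other than loopback.
#    (A hijacker that rewrites hosts can break search engines and AV update sites alike.)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watchDomains = 'google.com', 'bing.com', 'yahoo.com', 'microsoft.com',
                'malwarebytes.org', 'symantec.com', 'kaspersky.com'   # constructed watch list
foreach ($raw in (Get-Content $hostsPath)) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $parts = $line -split '\s+'
    if ($parts.Length -lt 2) { continue }
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Length - 1)]) {
        foreach ($d in $watchDomains) {
            if (($name -eq $d -or $name -like "*.$d") -and $ip -notmatch '^(127\.|::1$)') {
                [void]$report.Add("SUSPICIOUS hosts override: $name -> $ip")
            }
        }
    }
}

# 2. Per-user proxy settings. Safe Mode leaves these alone, so a stale proxy server or
#    PAC (auto-config) URL can keep rerouting searches after the dropper itself is gone.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $inet
if ($ie.ProxyEnable -eq 1) { [void]$report.Add("REVIEW proxy enabled: $($ie.ProxyServer)") }
if ($ie.AutoConfigURL)     { [void]$report.Add("REVIEW proxy auto-config URL: $($ie.AutoConfigURL)") }

# 3. DNS servers on every IP-enabled adapter; compare with what DHCP/your ISP should hand out.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' | ForEach-Object {
    if ($_.DNSServerSearchOrder) {
        [void]$report.Add("REVIEW DNS on '$($_.Description)': $($_.DNSServerSearchOrder -join ', ')")
    }
}

# 4. Run/RunOnce autostarts for the machine and the current user, listed for inspection.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [void]$report.Add("REVIEW autostart [$key] $($_.Name) = $($_.Value)") }
}

# 5. Add/Remove Programs entries with no publisher, like the "aaa" entry in the first post.
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstall | ForEach-Object {
    $e = Get-ItemProperty -Path $_.PSPath
    if ($e.DisplayName -and -not $e.Publisher) {
        [void]$report.Add("REVIEW unpublished program entry: '$($e.DisplayName)' uninstall=$($e.UninstallString)")
    }
}

if ($report.Count -eq 0) { 'Nothing to report from the checked locations.' } else { $report }
```

Only the hosts-file overrides are marked SUSPICIOUS outright; the proxy, DNS, autostart and uninstall lines are inventory for a human to compare against a known-good machine, since a corporate proxy or an unpublished in-house tool is legitimate in many environments. If a proxy or DNS entry does turn out to be the cause, correct it and run ipconfig /flushdns, as the post above says, so cached answers from the bad resolver are discarded.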



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


I'm defeated [Re: URherenow]
#251631 - 04/12/11 03:26 PM


I figured the computer was due for a rebuild anyway and since I had run a backup just the day before it would be less of a pain to start from scratch than to hunt it down.

This is probably the first bug I've caught in years. Part of my daily job is squashing these kinds of things.

After the rebuild it's running great, and in record time thanks to backups.



BIOS-D
MAME Fan
Reged: 08/07/06
Posts: 1688


Re: I'm defeated [Re: Hizzout]
#251655 - 04/12/11 10:59 PM


> I figured the computer was due for a rebuild anyway and since I had run a backup just
> the day before it would be less of a pain to start from scratch than to hunt it down.
>
> This is probably the first bug I've caught in years. Part of my daily job is
> squashing these kinds of things.
>
> After the rebuild it's running great, and in record time thanks to backups.

I would have loved to own that annoying infection only for research purposes. Anyway, I'm sure sooner or later any of my clients (or me) will find it.



Stiletto
Administrator
They're always after me Lucky ROMS!
Reged: 03/07/04
Posts: 6472


Re: I'm defeated [Re: BIOS-D]
#251657 - 04/12/11 11:48 PM


> > I figured the computer was due for a rebuild anyway and since I had run a backup just
> > the day before it would be less of a pain to start from scratch than to hunt it down.
> >
> > This is probably the first bug I've caught in years. Part of my daily job is
> > squashing these kinds of things.
> >
> > After the rebuild it's running great, and in record time thanks to backups.
>
> I would have loved to own that annoying infection only for research purposes. Anyway,
> I'm sure sooner or later any of my clients (or me) will find it.

I was gonna say, I'm pretty sure I ran into this with a client a year or two ago, but damned if I can remember what the solution was...

- Stiletto



Moose
Don't make me assume my ultimate form!
Reged: 05/03/04
Posts: 1483
Loc: Outback, Australia


Re: I'm defeated [Re: BIOS-D]
#251673 - 04/13/11 04:42 AM


> I would have loved to own that annoying infection only for research purposes.

Exactly. A shame an image of the HDD couldn't be made available .... perfectly understandable of course, but a shame. Sure would have been fun to track down the culprit(s).

In the link mentioned above, the "horrylick" sure sounds suspicious.

Sounds like Matty_ .... Oh, hang on, he is "hairy lick". Joking, joking.



Moose



PokeMAME
Gotta catch 'em all!
Reged: 09/20/03
Posts: 1405
Loc: San Antonio, TX


Re: Tricky browser hijacker/redirect [Re: Hizzout]
#251676 - 04/13/11 05:24 AM


Did you try GMER in Safe Mode?

http://www.gmer.net/

Today I scanned two PCs clean with Malwarebytes (first scans found 27 and 15 items respectively) but they still had problems (booted to a black screen with just the mouse pointer).

GMER found a rootkit in the MBR on one and an infected CDROM.SYS on the other.

Then both PCs booted into normal desktops.







Stiletto
Administrator
They're always after me Lucky ROMS!
Reged: 03/07/04
Posts: 6472


Re: Tricky browser hijacker/redirect [Re: PokeMAME]
#251690 - 04/13/11 07:42 AM


> Did you try GMER in Safe Mode?
>
> http://www.gmer.net/
>
> Today I scanned two PCs clean with Malwarebytes (first scans found 27 and 15 items
> respectively) but they still had problems (booted to a black screen with just the
> mouse pointer).
>
> GMER found a rootkit in the MBR on one and an infected CDROM.SYS on the other.
>
> Then both PCs booted into normal desktops.

I've again had good luck with a cloud-based AV like Hitman Pro.

http://www.hitmanpro.nl

Even for stuff like rootkits.

- Stiletto



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Re: I'm defeated [Re: BIOS-D]
#251714 - 04/13/11 03:32 PM



> I would have loved to own that annoying infection only for research purposes.


Just start searching for Doujin games and you're bound to come across it. I'm pretty sure that's how I got it. I was looking for an English patch for one of the games and downloaded what I thought was it.

When I opened the zip file, the installer looked a bit suspicious but I gave it a go against my better judgment. I thought I had it cleaned off and the computer was behaving for another week or so and then my Google searches started getting redirected.



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Re: Tricky browser hijacker/redirect [Re: PokeMAME]
#251715 - 04/13/11 03:34 PM


Too late to try it now, as I rebuilt the PC, but I've added this tool to my anti-malware arsenal.




mogli
MAME Fan
Reged: 01/26/08
Posts: 1956


Re: Did you try via Safe Mode?..... [Re: TriggerFin]
#251848 - 04/15/11 06:22 AM


> Safe mode with networking won't change the proxy settings that the malware may have
> altered.

I thought being in safe mode might allow finding the malware more easily. But if it's gone, and it's then a matter of re-adjusting the proxy settings, then that knowledge is the key, no?



Consider it high comedy....sincere tragedy....whatever...don't take it personally.

The Culture


