Browser possibly getting hijacked

(48 posts)
  • Started 1 year ago by joefuf
  • Latest reply from StringJunky
  • Topic Viewed 2553 times

StringJunky
Posts: 2454

Quite a busy log! How is it all now?

Tony

Posted 1 year ago
 
joefuf
Posts: 121

Yeah, I was surprised to read all of those results. I never noticed any problems until the redirects started happening. No redirects as of yet. I will update the thread if that changes.

I have my computer protected by Malwarebytes Pro. Should I have something in addition to that? I used to use AVG Free, but their 2013 version disabled a keylogger that I have installed on my laptop (I like to be able to recover typed things when I lose the original copy etc.). Any recommendations or is Malwarebytes Pro enough?

Posted 1 year ago
 
Lighthouse
Posts: 13598

I would install MSE as well,
http://windows.microsoft.com/e.....s-download

Posted 1 year ago
 
joefuf
Posts: 121

I was fine all of yesterday after I posted, but I just tried to go to two links off of Google News, and I was redirected to this link...

http://64.15.72.104/click_seco.....country=US

Posted 1 year ago
 
joefuf
Posts: 121

I would try MSE, but when I tried it in place of AVG Free, I had a weird issue where the process of the program shot up to 90%+ of my CPU usage. I couldn't figure out what was causing that to happen. It wasn't running a scan, and yet the memory that it was taking up would grow exponentially.

Posted 1 year ago
 
vistamike
Posts: 10945

You are still infected with that nasty.

Have you run, as Tony suggested, http://www.bleepingcomputer.co.....dwcleaner/ ?

Edit: you need to uninstall AVG for sure.

Posted 1 year ago
 
GuiltySpark
Posts: 4024

Download and run this: http://support.kaspersky.com/search TDSSKiller

Posted 1 year ago
 
joefuf
Posts: 121

No luck on TDSSKiller. I downloaded the copy of System Center Endpoint Protection that my university provides, and I am running a full scan on that. I will update if that finds anything.

Posted 1 year ago
 
GuiltySpark
Posts: 4024

SCEP is virtually MSE, but for organizations.

In fact I think they discontinued it or are going to discontinue it, I'll have to do some digging.

Edit: They did, but not that version http://technet.microsoft.com/e.....t/Bb852242 (I knew I wasn't dreaming it) :D

Posted 1 year ago
 
joefuf
Posts: 121

SCEP is still running the full scan. About an hour and a half in and it's only scanned about 100,000 files :-\ Just got redirected a few minutes ago, so I know it hasn't detected whatever the problem is (yet).

I think we just made a decision that we wanted to get off of Symantec for students and faculty. I work in the IT department here and it was just awful. Kids got viruses and malware like they had no protection to begin with.

Posted 1 year ago
 
GuiltySpark
Posts: 4024

Can't you just re-image the machine(s)? Most unis and colleges tend to re-image every quarter anyway, just to keep the machines fresh.

Posted 1 year ago
 
joefuf
Posts: 121

Yeah, I can and probably will reimage at the end of the semester, but since I'm in the middle of producing my senior thesis film, I wanted to hold off for a while. Aside from this issue, I still can't edit or view tags of MP3 files which really bugs me.

Posted 1 year ago
 
StringJunky
Posts: 2454

Did you run adwcleaner again to check it was clean?

It's probably worth running SAS... it's geared to this sort of problem:

http://www.softpedia.com/get/I.....ware.shtml

Posted 1 year ago
 
warlock
Posts: 4100

@StringJunky, if joefuf decides to try SAS, would you recommend the full scan or the rescue scan? I have never used the rescue scan myself.

Posted 1 year ago
 
StringJunky
Posts: 2454

Warlock

From SAS site:

What does "Enable rescue scan" do?

Rescue scan should only be enabled when malware is consuming so many system resources that you are unable to run a scan. Rescue scan attempts to steal back some of those resources. If you are able to run a scan normally, do not enable this option.

Posted 1 year ago
 
warlock
Posts: 4100

@SJ, Never thought to look it up. Thanks, good to know for future use. Surprised it never came up before when it gets recommended here so often.

Edit: Or maybe I missed it.

Posted 1 year ago
 
StringJunky
Posts: 2454

Yes, that slipped under the radar this time. :) The hard core app for this if SAS doesn't work is probably Combofix but it needs someone VERY familiar with it to instruct in its use because it can easily cause as many problems as it solves. Joe's probably better off going to Bleeping Computer if the problem persists after using SAS and getting carefully guided assistance by people with specific knowledge in this area.

Joe

It doesn't really solve the problem, but I have a hunch that if you use Comodo Dragon for now you won't get redirected, because in my tests no toolbar or errant search engine has ever been able to hijack it. It's a Chrome variant.

http://www.comodo.com/home/bro.....rowser.php

Posted 1 year ago
 
joefuf
Posts: 121

Just ran SCEP and found a few things. A couple of Java exploits which might have been the cause. I posted pictures below of the descriptions of what I found that may have been the cause. Everything else is basically keygens and my keylogger, which I will have to reinstall...

I will try SAS after I reboot. I have Combofix, and I didn't even think to use that. I'm pretty familiar with it since we use it here in IT. If SAS doesn't work, I can try that.

Posted 1 year ago
 
joefuf
Posts: 121

Ran ADW again and this was the log. I will try and run SAS now.

# AdwCleaner v2.113 - Logfile created 03/04/2013 at 21:00:19
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jeff - JEFF
# Boot Mode : Normal
# Running from : C:\Users\Jeff\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\jetpack

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\etp80ct6.New Profile\prefs.js

[OK] File is clean.

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\h9klukkn.default\prefs.js

Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B2d3fbcf7-be69-4433-8858[...]

File : C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\mw8bzlfh.AVGAdobeTest\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1960] : homepage = "hxxps://isearch.avg.com/?cid={4D61A652-C560-487C-93F9-87E59E692CD2}&mid=bf1b429bf3d4[...]

*************************

AdwCleaner[R1].txt - [7919 octets] - [03/03/2013 15:26:22]
AdwCleaner[R2].txt - [1757 octets] - [04/03/2013 20:59:53]
AdwCleaner[S1].txt - [7583 octets] - [03/03/2013 15:26:53]
AdwCleaner[S2].txt - [1574 octets] - [04/03/2013 21:00:19]

########## EOF - C:\AdwCleaner[S2].txt - [1634 octets] ##########

Posted 1 year ago
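
The AdwCleaner log above shows the two places this kind of hijack lands: Chrome's Preferences file (the rewritten homepage) and Firefox's prefs.js. The following is an added example, not something from this thread or from AdwCleaner, that triages those same settings against an allow list of hosts the user actually chose; the sample Preferences JSON and prefs.js text are constructed, and the hijack host in them is a placeholder, not a real indicator.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of Chrome's "User Data\Default\Preferences" (JSON), modelled on
# the AdwCleaner finding above; the hijack host is a placeholder, not a real indicator.
CHROME_PREFERENCES = json.dumps({
    "homepage": "https://isearch.hijack-placeholder.test/?cid={PLACEHOLDER}",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["https://www.google.com/",
                                 "https://isearch.hijack-placeholder.test/"]},
})
# Constructed sample of a Firefox profile's prefs.js (one user_pref() call per line).
FIREFOX_PREFS_JS = '''
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("keyword.URL", "https://isearch.hijack-placeholder.test/?q=");
user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039");
'''
# Hosts the user actually chose; anything else in a homepage/startup/search setting is
# reported for review rather than deleted (it may still be legitimate).
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Firefox prefs that hijackers rewrite to redirect the homepage or address-bar searches.
FIREFOX_PREFS_OF_INTEREST = {"browser.startup.homepage", "keyword.URL",
                             "browser.search.defaultenginename"}
USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

def is_suspicious(url):
    # about:blank / about:home and non-URL values are not hijacks.
    parts = urlsplit(url)
    if parts.scheme == "about" or not parts.netloc:
        return False
    return parts.hostname not in ALLOWED_HOSTS

def check_chrome(preferences_text):
    # Returns [(setting, url)] for homepage/startup URLs outside the allow list.
    prefs = json.loads(preferences_text)
    findings = []
    homepage = prefs.get("homepage", "")
    if not prefs.get("homepage_is_newtabpage", True) and is_suspicious(homepage):
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if is_suspicious(url):
            findings.append(("session.startup_urls", url))
    return findings

def check_firefox(prefs_js_text):
    # Returns [(pref, value)] for hijack-prone prefs pointing outside the allow list.
    return [(name, value) for name, value in USER_PREF_RE.findall(prefs_js_text)
            if name in FIREFOX_PREFS_OF_INTEREST and is_suspicious(value)]
```

On a real machine you would read the Preferences and prefs.js files from the profile paths shown in the log (with the browser closed) and pass their text to check_chrome and check_firefox.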
 
joefuf
Posts: 121

So I ran SAS and got these as my results. Nothing harmful showed up, just 199 cookies. Although the click.livesearchnow.com cookie might have something to do with one of the redirects. Not sure though. I'm going to sleep now, and I'll update if I get any redirects tomorrow.

Posted 1 year ago

Topic Closed