Browser hijacked

z1ggy

Lifer
May 17, 2008
10,004
63
91
Not sure if this is the right subforum, but I figured it's close enough.

Long story short, somehow my Chrome browser is hijacked. My home page and new tabs are all supposed to go to google.com, but instead they go to random advertising websites, or random tabs pop up saying my computer is infected, etc.

I have AVG, malwarebytes and hijackthis. AVG finds nothing, malware found a few things, but when I fixed the problems and restarted the problem still continues. I'm not totally sure what to actually remove using hijackthis, but it hasn't really helped yet. I can post the log file here later tonight once I'm home if it helps.

What else can I do to get my browser to function properly again?
 

Elixer

Lifer
May 7, 2002
10,376
762
126
It is possible that an extension also causes this, check that in Chrome's preferences.
 

z1ggy

Lifer
May 17, 2008
10,004
63
91
> Sounds like you have been taken over by PUPs. Malwarebytes can be set to get rid of them.
>
> http://www.howtogeek.com/232791/pups-explained-what-is-a-potentially-unwanted-program/

Problem is, I selected the "fix it" button, and they said all problems were removed. Restarted the PC and go back onto Chrome, and the problem still occurs.

I've used HijackThis a long time ago, but I usually just sent the log file to my friend's uncle who was an IT guru. He told me which of the log file lines to delete, and problem was always solved.
 

Scarpozzi

Lifer
Jun 13, 2000
26,389
1,778
126
I always hit control/alt/delete and look for services running that I don't recognize. I go down the list and see if I can pinpoint something out of the ordinary.

In Windows, you can also check your programs & features list and see what date the last program was installed...then see if it may correlate with the time your browser was hijacked. If you think that date is when it happened, consider checking your system for a restore point prior to that date and go through the Windows restore process to go back in time.
 

Raduque

Lifer
Aug 22, 2004
13,141
138
106
Check your task scheduler. I had a piece of malware set up a daily task to open some random website once.
 

sn8ke

Member
Sep 19, 2004
102
1
76
Post your hijackthis log onto a pastebin or something. 9 times out of 10 it's some hidden BHO installed. It depends on what kind of addons/toolbars you've purposely installed into your browser. I'd remove them all tbh, they can change their terms or settings at any time without asking you.

Did you install any software recently? Maybe you forgot to untick their "free offers" which install adware.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
Still having the problem?
Try other browsers to see if they have the same problem. Is it one browser or all?

Get these from http://www.bleepingcomputer.com/
TDSSKiller – this checks for rootkits and corrects - 3 minutes
AdwCleaner - very fast and effective malware cleaner. Scan / select clean - 5 or 10 minutes and a reboot. **ID and passwords will need to be reentered.**
Both give a text file of what malware files they find. See if any more specific removal guides exist for those files removed.
Let us know what fixes it.

Jim
 

BobS1988

Junior Member
Jul 31, 2016
3
0
6
By the way, no need to "untick". Unchecky is now included in the Reason Core Security anti-malware. Quite handy.
www.reasoncoresecurity.com

 

Erang0808

Junior Member
Sep 29, 2016
2
0
1
Reset browser settings: Settings -> Show advanced settings -> Reset settings (Here is a blog you can refer to) -> clean associated registry entries. Or get a perfect antivirus program for our computer like Malwarebytes or SpyHunter.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
LOL! Old post but I'm just gonna give my two cents in case someone needs the info.

1) Go here with the hijackthis log: https://www.hijackthis.de/en

2) Use FreeFixer and make DAMN! sure you research each component you may think is rogue. There is an option to do that.

3) Speaking of "rogue." Give RogueKiller a try. But first run RKill.

4) Run SuperAntiSpyware

5) AdwCleaner

6) Junkware Removal Tool can find crap AdwCleaner can't.

7) Autoruns can tell you what might be starting up that shouldn't.

8) CMD | ipconfig /flushdns

9) Clear temp files, etc. with CCleaner and System Ninja

10) Process explorer, process hacker and regscanner can be tools needed to help with figuring out what's going on.

11) OTS.exe by OldTimer can help too.

12) Reset the browser, check addons and plugins.

13) All else fails try Kaspersky Rescue CD or Bitdefender Rescue CD.

14) If the crap has really hit the fan. Nuke it from orbit. Hope you do back up clones.

Most of the software listed can be obtained from Bleeping Computer.

Next time run your browser in Sandboxie. Read about it first and know you can't update your browser with Sandboxie on. I would allow access to the browser profile at reduced security, but eases the cumbersomeness.
 

Bardock

Senior member
Mar 12, 2014
346
39
91
Or don't click on or download anything sketchy. Come on man, you don't need that laundry list of software. Just browse more carefully. Think before downloading and check CRC or signature before installing and you should be fine. I haven't had malware in something like ten years, just click with skepticism. I would rather keep my running processes light and use common sense to avoid malware.
 

Raduque

Lifer
Aug 22, 2004
13,141
138
106
Hey John Connor, none of those tools or processes you listed will catch something in Task Scheduler.
 

Raduque

Lifer
Aug 22, 2004
13,141
138
106
> You've tried those tools and they couldn't remove anything?

I tried many of those tools, and they didn't remove the entries in Task Scheduler. There were two. One that loads a webpage on boot and like every 3 hours, and one that changed the webpage the first one loaded every 3 days.

Only option was to delete them manually.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I haven't gotten malware in years. Actually, since 2004, but I think FreeFixer might be able to see the item in the task manager. Besides though, I think once a malware module is removed it shouldn't run again via task manager to call it up.
 

Raduque

Lifer
Aug 22, 2004
13,141
138
106
You aren't understanding. TASK SCHEDULER (NOT TASK MANAGER) is an internal Windows tool to allow tasks and scripts to run on schedules. Whatever malware I ended up with put an entry inside task scheduler to open a webpage on a set time frame and at boot, and a task to change the URL on the first task on a set time frame as well.

These are generally not detected by malware removal tools and scripts because they are not considered malicious.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa383614(v=vs.85).aspx
 
  • Like
Reactions: Bardock

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I meant task scheduler.

I can see how that can be a problem. I think autoruns might see the entries though.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
> Besides though, I think once a malware module is removed it shouldn't run again via task manager to call it up.

> Where applicable
> The Task Scheduler can be used to execute tasks such as starting an application

This is what I meant. The task scheduler will call that module. Obviously that module could be found and removed so task scheduler can't call on it.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
> I've used FreeFixer to remove Task Scheduler-based malware before. It does list Task Scheduler entries.

Thanks for confirming this. I've used FreeFixer only a handful of times just to make sure nothing rogue was there, but it's been a while since I ran it. Takes a while to go through everything, but it can be quite effective. It's kinda like HijackThis on steroids. Wouldn't you agree?
 

Raduque

Lifer
Aug 22, 2004
13,141
138
106
> This is what I meant. The task scheduler will call that module. Obviously that module could be found and removed so task scheduler can't call on it.

Task scheduler isn't calling a module, it's simply executing a URL using the system handlers. The handler then passes that URL to the default web browser.
 
  • Like
Reactions: Bardock
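
Added example, not part of any post in this thread: a PowerShell check for the kind of entry Raduque describes, a scheduled task whose action is, or passes along, a web address. The function name `Find-UrlLaunchingTask` and the sample tasks are constructed for illustration; `Get-ScheduledTask` and `Unregister-ScheduledTask` are the built-in cmdlets on Windows 8 and later.

```powershell
# Added example. Assumption: a task is worth reviewing when an http(s) URL
# appears in its action's program path or arguments.
function Find-UrlLaunchingTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Task
    )
    process {
        foreach ($action in $Task.Actions) {
            # Exec actions carry Execute and Arguments; other action types
            # (COM handlers, for instance) leave both empty and are skipped.
            $commandLine = "$($action.Execute) $($action.Arguments)".Trim()
            if ($commandLine -match '\bhttps?://[^\s"'']+') {
                [pscustomobject]@{
                    TaskPath    = $Task.TaskPath
                    TaskName    = $Task.TaskName
                    Author      = $Task.Author
                    CommandLine = $commandLine
                    Url         = $Matches[0]
                }
            }
        }
    }
}

# Constructed sample tasks, shaped like Get-ScheduledTask output, so the
# function can be tried without touching the live task list.
$sample = @(
    [pscustomobject]@{ TaskPath = '\'; TaskName = 'UpdaterDaily (constructed)'; Author = ''
        Actions = @([pscustomobject]@{ Execute = 'http://ads.example.invalid/landing'; Arguments = '' }) }
    [pscustomobject]@{ TaskPath = '\'; TaskName = 'BrowserLaunch (constructed)'; Author = ''
        Actions = @([pscustomobject]@{ Execute = 'explorer.exe'; Arguments = '"http://ads.example.invalid/?id=1"' }) }
    [pscustomobject]@{ TaskPath = '\Tools\'; TaskName = 'BackupNightly (constructed)'; Author = 'admin'
        Actions = @([pscustomobject]@{ Execute = 'C:\Tools\backup.exe'; Arguments = '--quiet' }) }
)
$sample | Find-UrlLaunchingTask | Format-List   # lists the first two tasks only

# Against the real machine (elevated prompt shows tasks for all users):
#   Get-ScheduledTask | Find-UrlLaunchingTask | Format-List
# After reviewing a hit, remove it by name and path:
#   Unregister-ScheduledTask -TaskName '<name>' -TaskPath '<path>' -Confirm
```

A hit is only a lead: check the task's author, creation date and triggers in Task Scheduler before deleting it, and look for a second task that rewrites the first, as described above.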