Google Chrome Browser Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by genius34, Apr 21, 2012.

  1. genius34

    genius34 Private E-2

    64 Bit Windows 7 system. Basically running fine, just some annoying redirects in my Chrome browser.

    Been through the basic steps for browser redirects and the Read & Run Me First, still have problems.

    All of the scans came back clean as far as I could see, no real indication of any problems.

    Will appreciate any help.
     

    Attached Files:

  2. genius34

    genius34 Private E-2

    MB log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the redirects only occur in Chrome? Or do they also occur with Internet Explorer? To test, reboot your PC and DO NOT OPEN Chrome. Only run IE and see if the redirects still occur.
     
  4. genius34

    genius34 Private E-2

    They don't seem as bad or as regular in IE, but still some hiccups every now and then. This is the first time I've used IE on this system. Also, most of the time in both browsers it goes to a failure-to-load screen; if you refresh it three or four times it will load.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not looking like malware, but there is a possibility one of your hard disk MBRs is infected, so we will dig a little deeper. Your MBRcheck log showed:
    Code:
        232 GB  \\.\PhysicalDrive2   RE: Unknown MBR code
    Do you have your Windows 7 boot DVD?

    Uninstall Chrome and reboot. After reboot delete all Chrome related folders like:

    C:\Program Files (x86)\Google\Chrome
    C:\Users\Joe\AppData\Google

    Do not reinstall it yet. Just use Internet Explorer for now. But when you run IE, right click on the icon and select Start Without Add-Ons.




    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  6. genius34

    genius34 Private E-2

    Attached.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The sign of possible malware is still the MBR. Did uninstalling Chrome resolve your problem? That is, does IE also get redirected? If IE also has redirections, disconnect this 232 GB external drive from your computer and reboot your PC. See if you have redirections while this drive remains disconnected.
     
  8. genius34

    genius34 Private E-2

    Uninstalled Chrome, still had issues with IE. Rebooted with the external ejected and disconnected, still the same thing. Ran a quick scan of the external and didn't come up with anything. I also tried rebooting and resetting my router a couple of times, still getting failure to load pages.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Keep the USB drive disconnected for now.

    So your problems are not that you are being hijacked but rather that some pages don't load?

    Have you tried totally bypassing your router and directly connecting to your cable or DSL modem, etc.? You will have to reboot the modem and/or your PC to reacquire an IP address.
     
  10. genius34

    genius34 Private E-2

    This issue was in my router, just FYI. Never even knew that was a possibility until now. I disconnected the router and have zero redirects over the last week. I'm restarting my network from scratch and taking the router all the way back to the factory reset.

    Thanks for the help, always appreciated.
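The thread's diagnostic logic (same redirects in every browser, same with the external drive removed, gone once the router is out of the path) points at name resolution being altered at the router. The script below is an added example, not part of the original thread or of any tool mentioned in it: it sends the same A-record query to the router-assigned resolver and to a known public resolver and reports domains whose answers do not overlap at all. The router address 192.168.1.1, the domain list and the canned response bytes are constructed placeholders; 8.8.8.8 is Google Public DNS. Only the standard library is used.

```python
"""Compare A-record answers from two DNS servers to spot resolver-level redirection.

Added example (not from the MajorGeeks thread). Assumes UDP/53 reachability to
both resolvers when run live; the offline parts need no network.
"""
import random
import socket
import struct
from typing import Dict, List, Tuple

# Constructed placeholders: the LAN router handing out DNS, and a public reference resolver.
CONFIGURED_RESOLVER = "192.168.1.1"
REFERENCE_RESOLVER = "8.8.8.8"
PROBE_DOMAINS = ["example.com", "example.net"]


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, txid: int) -> List[str]:
    """Extract sorted IPv4 answers from a DNS response; raise if the id does not match."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): no usable answer
        return []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return sorted(answers)


def query_a(name: str, server: str, timeout: float = 3.0) -> List[str]:
    """Send one A query over UDP to `server` and return the answer addresses."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(configured: Dict[str, List[str]],
                    reference: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return domains whose answer sets from the two resolvers share no address."""
    suspicious = {}
    for domain, addrs in configured.items():
        mine, theirs = set(addrs), set(reference.get(domain, []))
        if mine and theirs and mine.isdisjoint(theirs):
            suspicious[domain] = (sorted(mine), sorted(theirs))
    return suspicious


if __name__ == "__main__":
    configured = {d: query_a(d, CONFIGURED_RESOLVER) for d in PROBE_DOMAINS}
    reference = {d: query_a(d, REFERENCE_RESOLVER) for d in PROBE_DOMAINS}
    for domain, (mine, theirs) in compare_answers(configured, reference).items():
        print(f"{domain}: router resolver says {mine}, reference says {theirs}")
```

Disjoint answers are a signal, not proof: sites behind large CDNs legitimately return different addresses to different resolvers, so probe with domains that have stable addresses and follow up by checking who owns the addresses the router returned. A router that answers with the same few addresses for every domain, or that forwards to a DNS server you never configured, is the pattern a factory reset and a firmware update (as the poster did) address.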
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear you have found the problem.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
