Browser Hijacking/Google Search Redirecting/Etc


9 replies to this topic

#1 PatrickCollins

Posted 22 April 2011 - 07:28 PM

Hello, for about a week now all my Google search results redirect me to advertisement sites and fake antivirus sites. Ex. I'll search the name of something, click a results link, and I'll get redirected to sites like find-quick-results.com, etc. Some of these sites also open up Java too, which makes me think it might have also infected Java. This happens with all browsers. I have also been experiencing random blue screens too, that provide an error saying something about power. I have tried scanning with AVG, but I get a blue screen halfway through that. I then tried scanning with Malwarebytes, but the program would not open, so I renamed the .exe's and it worked. Maybe a trojan? Anyways, it picked up several things from my registry and 2 .exe's from my temp folder. Earlier AVG also picked up svchost as an infected file, but I left it. Sometimes the file spikes up to 300,000 in Task Manager, but I haven't seen it do that in 2 days. Oh, and before running Malwarebytes, I was unable to load the malwarebytes.org website, but then after scanning and deleting the infected files, it loaded fine. Sorry if this is not clear, English is not my first language. Thanks!


#2 PatrickCollins

Posted 22 April 2011 - 11:02 PM

Bump

#3 zoomzoom

Posted 23 April 2011 - 07:02 AM

Hello Patrick,

I have often seen this problem. Most of the time (assuming the main infection has been removed), the "hosts" file has been modified by the malware. I recommend downloading a free program called "hostsman" and installing it. You can find it on many freeware/shareware software sites such as softpedia or download.com. This will make clearing the hosts file much easier. You can do it without such a program, but Windows will make it more difficult to save the corrected file without renaming the old one first. Hostsman makes this process much easier. Otherwise, the hosts file is located in C:\windows\system32\drivers\etc\. Unless you use hostsman, you will have to open it in a text editor and clear out the redirect entries. Likely any line that does not begin with a "#" may be suspect, unless you had another program that put valid entries in there, which is unlikely. When you try to save the corrected hosts file, you may have trouble, as it may be "in use" or system permissions will not allow saving the file. This is why I recommend using the hostsman program.

Other things to check are proxy server settings installed in your browser (in Internet Explorer go to "tools/internet options/connections/lan settings/" and try clearing the "use proxy server" checkbox, if it is checked). Malware will frequently install a proxy server address to control your browser traffic, and redirect you via a proxy server. Also, in rare cases, some malware can alter network router settings and put improper DNS server addresses into your router, which will allow all browser requests to resolve to non-legitimate servers, which may redirect your web browsing. But the most likely culprit is probably your hosts file, so get the hostsman program, and check it.
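The hosts-file check described in the post above, as an added example that is not part of the original thread: it lists every active (non-comment) entry and says whether the name is pointed at the local machine, which blocks it, or at another address, which redirects it. The function name, the `BENIGN_LOCAL` allowance for `localhost` and the sample entries are assumptions made for this example.

```python
import ipaddress
import sys

# Names that normally map to the local machine in a clean hosts file (assumption).
BENIGN_LOCAL = {"localhost"}

# Constructed sample, not taken from the thread (.example names, documentation IP).
SAMPLE = """\
# Copyright (c) 1993-2001 Microsoft Corp.
127.0.0.1      localhost
::1            localhost
127.0.0.1      www.security-vendor.example
203.0.113.10   www.search.example search.example
"""

def audit_hosts(text):
    """Return (line_no, address, name, reason) for each active entry to review."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # text after "#" is a comment
        if not fields:
            continue                            # blank or comment-only line
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "not a valid IP address"))
            continue
        if not names:
            findings.append((line_no, address, "", "address with no host name"))
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name in BENIGN_LOCAL:
                    continue
                reason = "name pointed at the local machine (blocked)"
            else:
                reason = "name pointed at another address (redirected)"
            findings.append((line_no, address, name, reason))
    return findings

if __name__ == "__main__":
    # Pass the path from the post, e.g. C:\windows\system32\drivers\etc\hosts
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_hosts(text):
        print("line %d: %s -> %s: %s" % finding)
```

A file that contains only comment lines produces no findings, so an empty result means the hosts file itself holds no active redirects.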

#4 PatrickCollins

Posted 23 April 2011 - 10:01 AM

Thank you, zoomzoom. Is this what my hosts file is supposed to look like? I haven't edited it at all yet.

## Copyright © 1993-2001 Microsoft Corp.
#
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
#


There is nothing else past the #. I'm about to try hostsman right now, then I'll check my proxy settings. I use Firefox by the way.

Edited by PatrickCollins, 23 April 2011 - 10:01 AM.


#5 PatrickCollins

Posted 23 April 2011 - 10:04 AM

My hosts file is empty?

I also noticed that when my browser gets redirected, the link turns into something like this right before redirecting me.

/search?q=rise+of+the+triad&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&AA7kU1mY=oC7sK1yWSK

Edited by PatrickCollins, 23 April 2011 - 10:07 AM.


#6 PatrickCollins

Posted 24 April 2011 - 12:15 PM

Bump

#7 JacobHall

Posted 24 April 2011 - 12:23 PM

An empty host file is a good sign; it hasn't been tampered with by malware (so we believe?).

This could be a few things: malware has changed the DNS in your router, or you have proxy settings in place (set by the malware).

I would suggest you run MalwareBytes Anti-Malware, and see what that sniffs.

In order to see if you have proxy settings in place, we will need to know what browser you are running.

Thanks!

#8 PatrickCollins

Posted 24 April 2011 - 04:02 PM

Just finished a MalwareBytes scan, nothing came up. Also I am using Firefox.

#9 zoomzoom

Posted 24 April 2011 - 07:47 PM

In Firefox, go to "tools" then "options" then click the "advanced" heading, then click the "network" tab, then the "settings" button. There you will find the proxy server settings section.

#10 PatrickCollins

Posted 25 April 2011 - 05:25 AM

Well, I formatted my HDD and reinstalled Windows, everything seems to be good now. Thanks for the help anyways.



