Computer redirects to a random site once a week


20 replies to this topic

#1 MadDemon64 (Members, 64 posts)

Posted 19 May 2016 - 11:07 AM

I have this strange problem going on with my computer: once a week my browser, Google Chrome, redirects to a random page. Sometimes it's a "your computer has a virus on it" page, and sometimes it's an "install the latest updates to Flash that we are downloading for you right now without your permission" page. It only seems to happen on certain pages (deviantart, tumblr, etc.) and only if I leave that page up on my tab and leave it idle for an amount of time. I keep using various scans and they all come up empty (except for RogueKiller, but that's apparently a false positive). Is there something going on with my computer or do I just have some bad luck when it comes to browsing the web?

Edit: Moved topic from Anti-Virus, Anti-Malware, and Privacy Software to the more appropriate forum. ~ Animal


#2 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 11:14 AM

What programs have you used to run a scan on your computer?



#3 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 11:22 AM

What programs have you used to run a scan on your computer?

Norton, HitmanPro, TDSSKiller, RogueKiller, ADWCleaner, Malwarebytes, Malwarebytes Anti-Rootkit, JRT, Stinger32, and RKill.

 

Nothing is ever found.



#4 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 01:59 PM

When you say nothing is ever found do you mean absolutely nothing or is it picking up some potentially unwanted programs (PUPs)?



#5 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 02:02 PM

When you say nothing is ever found do you mean absolutely nothing or is it picking up some potentially unwanted programs (PUPs)?

RogueKiller only found PUM.Homepage on Internet Explorer settings (which shouldn't affect Google Chrome) and a Hidden.ADS that I double checked with the people at Adlice and they assured me it was a false positive.



#6 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 03:09 PM

Do you run Google Chrome with an Ad blocker?



#7 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 03:10 PM

Do you run Google Chrome with an Ad blocker?

I use Google Chrome's ad blocker.



#8 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 03:37 PM

Could be bad ads on the websites.



#9 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 04:52 PM

Could be bad ads on the websites.

One of them was on tumblr. Tumblr has no ads.



#10 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 04:57 PM

Try running Malwarebytes or Emsisoft Emergency Kit while the computer is in safe mode.



#11 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 06:03 PM

Try running Malwarebytes or Emsisoft Emergency Kit while the computer is in safe mode.

I just ran Malwarebytes in safe mode (could have sworn I selected safe mode with networking but that's neither here nor there) and it found nothing.



#12 Humannpower (Members, 136 posts)

Posted 19 May 2016 - 08:12 PM

I dunno then, man. Think you'll need some assistance from someone on here with more experience than me. Only thing I can think of is something's hiding in there somewhere.



#13 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 19 May 2016 - 08:50 PM

I dunno then, man. Think you'll need some assistance from someone on here with more experience than me. Only thing I can think of is something's hiding in there somewhere.

Great, now you got me all paranoid.



#14 Itguy2016 (Members, 10 posts)

Posted 20 May 2016 - 09:52 AM

I have this strange problem going on with my computer: once a week my browser, Google Chrome, redirects to a random page. Sometimes it's a "your computer has a virus on it" page, and sometimes it's an "install the latest updates to Flash that we are downloading for you right now without your permission" page. It only seems to happen on certain pages (deviantart, tumblr, etc.) and only if I leave that page up on my tab and leave it idle for an amount of time. I keep using various scans and they all come up empty (except for RogueKiller, but that's apparently a false positive). Is there something going on with my computer or do I just have some bad luck when it comes to browsing the web?

Edit: Moved topic from Anti-Virus, Anti-Malware, and Privacy Software to the more appropriate forum. ~ Animal

 

After nearly 6,500 malware removals over the last few years I have seen something similar to this in a few cases. In one case it was a fraudulent MITM firmware on the NIC. In that case I dumped the NIC rather than re-flash it, and the guy was likely a fairly high SIGINT target or corporate espionage. In another case I found a secondary browser directory with LNK redirects and some malicious DLLs. No scanner in the world found it and it required manual removal. In the third case it was a combination of DNS hijack and proxy redirects. In the final case, if I recall, it was a plugin in Chrome redirecting to another Chrome window loaded via a fraudulently compiled version of Chromium. All of these required manual removal.

 

Here's what I would do:

Step 1:

Open CMD escalated to administrator. (CTRL-SHIFT-ENTER as you click CMD, or right click and select Administrative).

Run these commands.
C:
cd "\WINDOWS\system32\drivers\etc"
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
netsh winsock reset all
netsh int ip reset all
Restart system.
 
Step 2:
Load up chrome, go to settings, advanced, reset chrome.
type about://plugins in the browser, make sure nothing malicious is there.
Go to Control Panel, Internet Settings, Advanced Tab, Check the "Reset" button.
Restart computer.
 
Step 3:
Right-click the network icon and select "Open Network"
Click "Change Adapter Settings"
Select your adapter, right click it, select properties.
Uncheck everything BUT 'internet protocol version 4'
Select Internet protocol version 4 then properties
Make sure each one is on 'Obtain' option, no numbers are entered.
Restart computer.
 
Step 4: (this removes any potential malware using IPv6 tunnel backdoors)
Open Administrative CMD again and type:
netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled
Restart computer
 
Step 5: 
Browse ROOT drive for any mirrored/forged browser directories.
Include C:\, C:\ProgramData, etc. (Ensure the folder option to show hidden files, folders and file extensions is turned on.)
Delete any browser related directories you find, assuming they are forged.
 
Step 6:
Type Manage Computer Certificates
Go into the Trusted Root Certificates
Look for any fishy certificates.
Download Root Certificate Scanner.
Scan for any bad certificates. Manually delete the flagged ones in Trusted Root Certificate category.
Restart machine.
 
Now use the system and see if the issue presents again, and let me know.

Edited by Itguy2016, 20 May 2016 - 09:59 AM.
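The steps above reset the hosts file, Winsock/TCP-IP, the IPv6 transition tunnels, the browser, and the root store without first looking at what is in them. The following is an added example (not part of the original post, and not Itguy2016's procedure): a read-only PowerShell audit of the same places, so the state of each one is recorded before it is wiped. It assumes an elevated PowerShell window on Windows 7 or later with Chrome installed; the "Add-Finding" helper and the finding labels are my own naming. It changes nothing on the machine.

```powershell
# Added example (not from the original post): read-only audit of the vectors that post #14
# resets, so you can see what is actually there before wiping it. Run in an elevated
# PowerShell (Windows 7 or later). Nothing below modifies the system.
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Area, [string]$Detail) {
    [void]$findings.Add(('{0,-10} {1}' -f $Area, $Detail))
}

# 1. hosts file: on a stock machine the only active lines map 127.0.0.1 / ::1 to localhost.
#    Any other hostname, or any non-loopback address, is a manual or malicious addition.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } | ForEach-Object {
    $parts = $_.Trim() -split '\s+'
    $addr  = $parts[0]
    $names = $parts | Select-Object -Skip 1
    $loopback = @('127.0.0.1', '::1') -contains $addr
    if (-not $loopback -or ($names | Where-Object { $_ -ne 'localhost' })) {
        Add-Finding 'hosts' $_.Trim()
    }
}

# 2. WinINET proxy (per user): a silently set proxy or PAC URL redirects every browser that
#    honours system settings, Chrome included.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) { Add-Finding 'proxy' "ProxyServer = $($inet.ProxyServer)" }
if ($inet.AutoConfigURL) { Add-Finding 'proxy' "AutoConfigURL (PAC) = $($inet.AutoConfigURL)" }

# 3. DNS: a static NameServer value on an adapter (rather than DhcpNameServer) means the
#    resolver was set by hand or by software; on a home PC that is a hijack sign.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($_.SettingID)"
    $static = (Get-ItemProperty $key -ErrorAction SilentlyContinue).NameServer
    if ($static) { Add-Finding 'dns' "$($_.Description): static resolver(s) $static" }
}

# 4. IPv6 transition tunnels that post #14 disables: record their current state.
foreach ($tunnel in 'teredo', 'isatap', '6to4') {
    $state = (& netsh interface $tunnel show state) -join ' ' -replace '\s+', ' '
    Add-Finding 'ipv6' "$tunnel : $state"
}

# 5. Browser shortcuts (the "LNK redirect" case): a .lnk that passes arguments to the browser
#    or points at a chrome.exe outside the normal install directories is suspect.
$shell   = New-Object -ComObject WScript.Shell
$lnkDirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
             "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs")
Get-ChildItem -Path $lnkDirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -match 'chrome\.exe$|iexplore\.exe$|firefox\.exe$') {
        $knownDir = ($lnk.TargetPath -match '^[A-Za-z]:\\Program Files( \(x86\))?\\') -or
                    ($lnk.TargetPath -like "$env:LOCALAPPDATA\Google\Chrome\Application\*")
        if ($lnk.Arguments -or -not $knownDir) {
            Add-Finding 'shortcut' "$($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
}

# 6. Chrome extensions forced by policy: adware uses ExtensionInstallForcelist so the user
#    cannot remove the extension from chrome://extensions. A home PC should have none.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = Get-Item "$($hive):\Software\Policies\Google\Chrome\ExtensionInstallForcelist" -ErrorAction SilentlyContinue
    if ($key) {
        $key.GetValueNames() | ForEach-Object { Add-Finding 'chromepol' "$hive forced extension: $($key.GetValue($_))" }
    }
}

# 7. Root certificates: Windows keeps the third-party roots it ships and auto-updates in the
#    AuthRoot store. A root present in Root but not in AuthRoot (and not Microsoft's own) was
#    added locally: AV TLS inspection, corporate policy, or a Superfish-style interceptor.
$shipped = @{}
Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { $shipped[$_.Thumbprint] = $true }
Get-ChildItem Cert:\CurrentUser\Root | Where-Object {
    -not $shipped.ContainsKey($_.Thumbprint) -and $_.Subject -notmatch 'Microsoft'
} | ForEach-Object {
    Add-Finding 'rootcert' ('{0} (valid from {1:yyyy-MM-dd}) {2}' -f $_.Subject, $_.NotBefore, $_.Thumbprint)
}

if ($findings.Count -eq 0) { 'No deviations from a stock configuration found.' } else { $findings }
```

Two caveats when reading the output. The rootcert section will list a handful of legacy entries that older Windows versions install directly into Root (old VeriSign and Thawte roots, for instance), so compare the list against a known-clean machine rather than deleting everything it prints; a root with a recent "valid from" date and a subject you do not recognise is the one to look at. And the script only sees the PC: a changed DNS setting on the home router, which every device behind it would inherit, has to be checked in the router's admin page.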


#15 MadDemon64 (Topic Starter, Members, 64 posts)

Posted 20 May 2016 - 10:55 AM

 

I have this strange problem going on with my computer: once a week my browser, Google Chrome, redirects to a random page. Sometimes it's a "your computer has a virus on it" page, and sometimes it's an "install the latest updates to Flash that we are downloading for you right now without your permission" page. It only seems to happen on certain pages (deviantart, tumblr, etc.) and only if I leave that page up on my tab and leave it idle for an amount of time. I keep using various scans and they all come up empty (except for RogueKiller, but that's apparently a false positive). Is there something going on with my computer or do I just have some bad luck when it comes to browsing the web?

Edit: Moved topic from Anti-Virus, Anti-Malware, and Privacy Software to the more appropriate forum. ~ Animal

 

After nearly 6,500 malware removals over the last few years I have seen something similar to this in a few cases. In one case it was a fraudulent MITM firmware on the NIC. In that case I dumped the NIC rather than re-flash it, and the guy was likely a fairly high SIGINT target or corporate espionage. In another case I found a secondary browser directory with LNK redirects and some malicious DLLs. No scanner in the world found it and it required manual removal. In the third case it was a combination of DNS hijack and proxy redirects. In the final case, if I recall, it was a plugin in Chrome redirecting to another Chrome window loaded via a fraudulently compiled version of Chromium. All of these required manual removal.

 

Here's what I would do:

Step 1:

Open CMD escalated to administrator. (CTRL-SHIFT-ENTER as you click CMD, or right click and select Administrative).

Run these commands.
C:
cd "\WINDOWS\system32\drivers\etc"
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
netsh winsock reset all
netsh int ip reset all
Restart system.
 
Step 2:
Load up chrome, go to settings, advanced, reset chrome.
type about://plugins in the browser, make sure nothing malicious is there.
Go to Control Panel, Internet Settings, Advanced Tab, Check the "Reset" button.
Restart computer.
 
Step 3:
Right-click the network icon and select "Open Network"
Click "Change Adapter Settings"
Select your adapter, right click it, select properties.
Uncheck everything BUT 'internet protocol version 4'
Select Internet protocol version 4 then properties
Make sure each one is on 'Obtain' option, no numbers are entered.
Restart computer.
 
Step 4: (this removes any potential malware using IPv6 tunnel backdoors)
Open Administrative CMD again and type:
netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled
Restart computer
 
Step 5: 
Browse ROOT drive for any mirrored/forged browser directories.
Include C:\, C:\ProgramData, etc. (Ensure the folder option to show hidden files, folders and file extensions is turned on.)
Delete any browser related directories you find, assuming they are forged.
 
Step 6:
Type Manage Computer Certificates
Go into the Trusted Root Certificates
Look for any fishy certificates.
Download Root Certificate Scanner.
Scan for any bad certificates. Manually delete the flagged ones in Trusted Root Certificate category.
Restart machine.
 
Now use the system and see if the issue presents again, and let me know.

 

Wow, OK, I will definitely try that. However, I have several questions:

1.  How do I get to the ROOT drive and how do I tell if anything is mirrored/forged?

2.  How do I tell if a certificate is fishy?

3.  Will resetting my browser delete my bookmarks?
