PDA

View Full Version : browser hi-jack help



88jbody
12-14-2008, 11:27 PM
I have some kind of hi-jack that when I try to go to google.ca it redirects to google.ca and redirects back to .com in a never ending loop.

also cannot update my antivirus it has got that page not working, along with the update for adaware is blocked.

and I wasn't downloading porn is the odd thing, I havent downloaded much at all on this laptop, I put a 2nd hardrive in the desktop for that to keep the laptop clean

arian_ma
12-14-2008, 11:28 PM
When there is a virus like that, usually you can't do much but to reformat unless you're willing to put many hours into the current setup to try and clean it all out.

88jbody
12-14-2008, 11:31 PM
I have already put in about 6 hours in my regedit and have fixed all my issues except the browsing one, spybot search and destroy and adaware can't cut it.

I will do a re-install if I need to, just means I have to back up all my kids pictures from halloween and christmas concert video and pics

Grogador
12-14-2008, 11:41 PM
Originally posted by 88jbody
I will do a re-install if I need to, just means I have to back up all my kids pictures from halloween and christmas concert video and pics

You mean you don't have backups of those already? :rolleyes:

arian_ma
12-14-2008, 11:48 PM
Originally posted by 88jbody
I have already put in about 6 hours in my regedit and have fixed all my issues except the browsing one, spybot search and destroy and adaware can't cut it.

I will do a re-install if I need to, just means I have to back up all my kids pictures from halloween and christmas concert video and pics
Ah I see, I would still always reformat my computer if I ever got a virus, but it is a real pain in the ass, you are right. I am not sure how to help you anymore sorry, but just as a reminder, be sure to scan and clean the files you backup. (I'm sure you knew that though.)

adam c
12-14-2008, 11:51 PM
or you can always pick up a U2 drive that has avast on it

run the antivirus from the U2

realazy
12-14-2008, 11:55 PM
Use safemode and try?

Or use safemode with networking and do an online scan? All of the big antivirus websites have those.

canadian_hustla
12-15-2008, 12:02 AM
^

What he said. Safemode is your best bet
f8 during bootup (if you have XP)

good luck

jav_
12-15-2008, 12:22 PM
:werd: safe mode w/ networking
then do online scan with bitdefender.com or trendmicro

jav_
12-15-2008, 04:48 PM
i also forgot to mention to turn off system restore before scanning/removing...hijackers tend to keep coming back even after you "remove" them

gaijin
12-15-2008, 06:16 PM
Sounds like you have TDSS.

http://www.myantispyware.com/2008/11/05/how-to-remove-trojan-tdsserv/
http://www.troublefixers.com/remove-virus-which-redirects-to-gogooglecom-gogooglecom-redirect-virus-removal-tool-for-windows/

To fix it, I did this:


Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.

Then search for “TDSSserv.sys”

Right click on it, and select “Disable”

Note: If you select Uninstall, it will install itself again when you reboot the system, so DON’T select Uninstall.

Restart your pc.

You can now update your Antirus/Malware/Rootkit softwares and the go.google rubbish will stop.

Then I installed MalwareBytes and removed the trojan.

I suspect the instructions at either of the above links would work fine as well (basically say the same thing).

edit: the fun thing about this trojan is that it runs in Safe Mode with Networking, and it prevents any online scanning because it redirects urls.

Toms-SC
12-16-2008, 05:19 PM
Has this been solved yet?

88jbody
12-20-2008, 11:56 AM
no. I have my computer working well enough untill I get a memory stick or something to back up my files.

I have run av and adaware and spy bot in safe mode.
I will try a few more of these tips. I just need to get a xp pro cd my laptop never came with one when I got it used

TDSSserv was not in the device manager

but found a vgasave in there I disabled from the sound of it I suspect it may be the cause of some of my pop-ups

but oh well I'll re-install windows

88jbody
12-20-2008, 01:35 PM
up date. disabling that avgsave got rid of my browser hijack and all my pop-ups!!!!!

I should be able to get by now untill I get a external storage of some kind to copy all my crap onto

my avg still isn't updating but I can now at least google and fix that

hampstor
12-21-2008, 12:15 AM
I just went thru the same thing - I wish I saw gaijin's instructions - would've been easier!

here's what i ended up doing:

I downloaded Malware bytes and installed it from this link:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10984636

Before I ran the install, I renamed the setup file to setup.exe

During the install, I renamed the folder it installed to to MBM
During the install, I renamed the program group name to MBM
Do not start the program when completed

Go to the folder you installed it at, rename the program name (mbam.exe) to mbm.exe (or whatever else you want).

I wasn't able to run the update as the damn Trojan prevented that.

Run the scan (without updates) and remove all. Close Malwarebytes, do not reboot. Go back to the folder, rename the file back to mbam.exe.

Reboot, you should now be able to update. After the update, run the scan again. Reboot, you should be in the clear now.

88jbody
12-21-2008, 06:51 PM
I guess it didn't fix the pop- ups but oh well it needs a fresh install anyway

SpireTECH
12-21-2008, 11:07 PM
The VgaSave device is actually a legitimate device used in Safe Mode or VGA mode. It's recommended you enable it again, in case you need to load Safe Mode.

Unfortunately the Spyware/Adware industry plays a constant game of cat and mouse. If detection definitions for that particular malware hasn't been released, it can be very difficult to manually track it down and remove it.

With difficult to remove adware it's often faster to just backup the data and reformat. If you deal with sensitive information, such as bank records, or business documents it's a necessity. Even if your scanner "removes" the malware there's no way to be sure you've completely eliminated it, even if the popups stop. Once your system has been compromised to allow the malware to run on the machine, there's no telling what code could have been implanted.

If you're not that concerned about the security of your data there are still a few tricks you use to track down the offending adware program. The first step is to run HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis). This will take a quick inventory of all known load points for malicious software. If you post this log we might be able to identify how the adware is loading.

If that finds nothing the next step is to run RootkitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx). A lot of malware is able to hide from virus scanners and spyware scanners by patching core system files. This will hopefully detect that.

The final step is to run Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx). Close all browser windows, start the monitor and wait for the adware to load a popup. Once a browser window pops up, stop Process Monitor and go through the log. Right before the popup opened you should see registry requests looking for the default URL handler. The offending process will lookup "HKEY_Current_User\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http". Record the process name and PID. This will at least tell you through which program the adware is operating. Most times the adware is loaded as a DLL in this process, and is not the process itself. Using another tool called Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx), you can view all DLLs and objects loaded by the process. You should then check these files for anything out of the ordinary, such as random names, no file description, product name, or copyright information.

Some malware programs run several copies of itself called "watcher processes," and can change it's names every few minutes or every time it's started. Usually this makes it easy to detect exactly what DLL or process is malware, but it can complicate the removal. In this case it's necessary to locate the load point of the malware and remove it using an offline registry editing tool (such as Offline NT Password & Registry Editor (http://home.eunet.no/pnordahl/ntpasswd/)).

Even after exhausting this list of options, there are many malware programs which remain undetectable. Even if you successfully removed the process, the malware may have added several "back door" like security vulnerabilities allowing itself to reinfect your computer with ease. A common example of this is malware that adds its certificates to your trusted certificate stores.