
I am using Chrome and experiencing serious hijackers problems.

After a website finishes loading, the hijacker adds a full-screen transparent trap.
When I click on it, it opens a new tab containing one of the following URLs:
https://secure-finder.com/landing/landing-3.php
http://cpmofferconvert.com/out?zoneId=779130&htatb=1
http://exeguard.com/
http://www.tradeadexchange.com/a/display.php?r=1097336
http://92.241.171.68/r?key=1bd32a5dda458f94ce1929b6adc36365586166ce&q=error&id=3680445500
http://go.oclasrv.com/afu.php?zoneid=471151
http://www.smartnewtab.com/watch?key=0cdb16b7667982280fbb05007a35eb39

Sometimes, the hijackers add hyperlinks to words like this:

<a href="http://play-bar.net/search/?q=stackexchange">stackexchange</a> 

And the most annoying thing is that the hijackers hijack the search bar on the Google Search results page.
The code is here: http://pastebin.com/Pcwe1Uts.
wth

All I did was surf the Net and test software with Shadow Defender.
How can hijackers possibly infect my computer when it is in shadow mode?
What can I do to avoid being hijacked after I restore my computer which has a clean state?

ll55
  • As a quick start, try editing your `HOSTS` file. Add those domains highlighted and point them to localhost. That at least gives you a bit of space to do additional investigation. – Julian Knight Sep 14 '16 at 19:50
  • Free Panda sometimes finds some difficult to remove malware. – Aria Sep 14 '16 at 20:11
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – André Borie Sep 14 '16 at 21:12
  • Unfortunately, we are not tech support or a malware removal forum. – schroeder Sep 15 '16 at 07:06
  • I edited my question and am planning to do a system restore. But I still need help with preventing those kind of hijackers. Thanks. – ll55 Sep 15 '16 at 12:55

1 Answer


I assume that you have checked in Task Manager for any unexpected applications and terminated them? Assuming Windows 10, also check the Start-up tab of task manager and remove any suspicious entries.

You also need to remove the unwanted addons/extensions that the malware has added to Chrome and you need to reset Chrome's search engine back to a more sensible default.

It is possible that this is enough. However, it is hard to then trust the PC after an infection so a wipe/rebuild may still be wanted.

Alternatively, you could try to restore back to a previous restore point in Windows. Less to reinstall then.


UPDATE: You might need to check whether your BIOS/UEFI has been compromised too. If you clean the machine and the problems come back, this might be the problem. This is rather harder. You can download a dump of your BIOS and upload to VirusTotal or you could try a tool like Milano.

An anti-virus boot disk/usb-drive can also be very helpful when dealing with more persistent malware. It lets you boot from a known clean OS. Just make sure you get a device that can be physically set to read-only before booting from it.

Julian Knight
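The answer walks through several persistence points to review by hand (Task Manager start-up entries, Chrome extensions, Chrome's default search engine) and a comment suggests the `HOSTS` file. The following PowerShell script is an added example, not part of the answer, that inventories those same locations in one pass so the entries can be compared against what is expected. It assumes the default Chrome profile path under `%LOCALAPPDATA%` and the standard `Run`/`RunOnce` registry keys; the Chrome preference key names it reads are taken from the Preferences JSON format of that era and may differ in newer versions.

```powershell
# Added example: inventory Windows autoruns, the Startup folder, Chrome extensions,
# Chrome's default search provider and hosts-file overrides for manual review.
# Assumptions: default Chrome profile location; standard Run/RunOnce keys.
$report = [ordered]@{}

# 1. Registry autoruns: the entries behind Task Manager's Start-up tab.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report.Autoruns = foreach ($k in $runKeys) {
  if (Test-Path $k) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
      Where-Object { $_.Name -notmatch '^PS' } |         # drop provider metadata
      Select-Object @{n='Key';e={$k}}, Name, Value
  }
}

# 2. Shortcuts in the per-user Startup folder.
$startup = [Environment]::GetFolderPath('Startup')
$report.StartupFolder = Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
  Select-Object Name, LastWriteTime

# 3. Installed Chrome extensions, read from each extension's manifest.json.
#    Names like __MSG_appName__ are localized placeholders; the Id is the stable key.
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$report.ChromeExtensions = Get-ChildItem (Join-Path $chromeProfile 'Extensions') -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $id = $_.Name
    Get-ChildItem $_.FullName -Recurse -Filter manifest.json | ForEach-Object {
      $m = Get-Content $_.FullName -Raw | ConvertFrom-Json
      [pscustomobject]@{ Id = $id; Name = $m.name; Version = $m.version }
    }
  }

# 4. Chrome's default search provider (hijackers often swap this for their own URL).
#    Key path assumed from the Preferences JSON; newer Chrome keeps it in 'Secure Preferences'.
$prefsFile = Join-Path $chromeProfile 'Preferences'
if (Test-Path $prefsFile) {
  $prefs = Get-Content $prefsFile -Raw | ConvertFrom-Json
  $report.DefaultSearch = $prefs.default_search_provider_data.template_url_data |
    Select-Object short_name, keyword, url
}

# 5. Active hosts-file entries: both a place to sinkhole hijacker domains and a place malware redirects.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$report.HostsEntries = Get-Content $hosts | Where-Object { $_ -match '^\s*\d' }

$report.GetEnumerator() | ForEach-Object { "== $($_.Key) =="; $_.Value | Format-Table -AutoSize | Out-String }
```

Run it from an elevated prompt so the HKLM keys and hosts file are readable, then compare each section against a known-good machine or the vendor names of the entries you recognise (as the asker did with `hkcmd.exe` and friends).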
  • I checked that there is no unexpected process in Task Manager. The startup entries are just `hkcmd.exe`, `igfxtray.exe`, `igfxpers.exe`, `defenderdaemon.exe` and `ASCTray.exe`. For Chrome extensions, I have `IDM Integration Module` only. Restoring to a previous restore point is good, but I do not know which point is safe because I do not know when the computer was infected. – ll55 Sep 14 '16 at 20:19
  • Just walk back through the restore points. Doesn't usually take too long. The infection is probably hiding in another exe name so I'd recommend doing that or a rebuild anyway. You might also need to check UEFI/BIOS in case you caught something really nasty. I've updated the answer. – Julian Knight Sep 14 '16 at 22:19
  • I decided to do a system restore. And I dumped some BIOS files and did some virus scans: `virustotal.com/en/file/43493ba33b21cedca7a46bd6a321f24052d0329836be809b8310b62a73531f55/analysis/`, `virustotal.com/en/file/cb8e36a93bc0e824164e23b20e36193a689f2d01659522e3dae1b473c1822577/analysis`, `virustotal.com/en/file/fbc6f9802767cd63c861ef813f95b959973eadeae60fb47d9aee7057b61d0191/analysis`. They seem to be safe. – ll55 Sep 15 '16 at 13:54