Browser Hijacker (pdf, go game go)



  • I'm getting occasional random pop-up tabs for Go Game Go and some PDF program.
    Unfortunately, I can't find a removal guide on a reputable site - the removal advice is all from transparently fraudulent rogue removal tool sellers.
    Sigh.
    Any advice on how to remove such redirection in Vivaldi?
    Thanks


  • Moderator

    @WombatPete Well, if it's in Vivaldi (which we don't know for sure), then rename your profile folder per the refresh your profile instructions but do not, at this time, do any of the rest of the steps of the "Refresh" protocol. Then move the renamed profile folder to a safe location and uninstall Vivaldi. Then delete the Vivaldi folder on your hard drive, and everything in it. Re-install Vivaldi. Then complete the remaining steps of the "Refresh" procedure and see if that fixed it. If it didn't, then you have an infection in the registry, and may need to employ something like CCleaner or Malwarebytes to remove it.



  • @Ayespy, thanks.
    I presume that means I lose all my settings... but what to do?
    Malwarebytes, btw, isn't finding anything.


  • Moderator

    @WombatPete No, all you lose is your extensions, theme and toolbar prefs.

    For safety's sake, I would recommend NOT putting your history and cookies back. You can live without them on a re-start.

    You keep all of your bookmarks, passwords, favicons, speed dial images if you want them. You can, in theory, move the files for ALL of your settings back in, but it's not advisable if you're infected.



  • @Ayespy
    OK, that's more than good enough.



  • @Ayespy
    Actually, how about putting the stuff back from the old Default folder (that's the profile folder, right?), one at a time, until the thing starts to happen again - and then I'll know where it is. Any reason that wouldn't work? I could make a copy of the new fresh default (profile) folder, leave it somewhere, and copy the relevant subfolder back in when I know which one is the problem.


  • Moderator

    @WombatPete: It's one thing you could do.



  • Hi there, I want to say: before we go blaming the browser, let's try an adware and malware scan

    https://downloads.malwarebytes.com/file/mb3/
    download and run a full scan of C: drive
    follow up with
    https://www.malwarebytes.com/junkwareremovaltool/
    https://www.malwarebytes.com/adwcleaner/

    (advanced tool, don't remove anything if you're not sure)

    Lastly
    https://www.bleepingcomputer.com/download/hitmanpro/



  • @asianmusicguy
    Thanks but one question: I have malwarebytes premium already installed and running. Are any of these scans that I don't already have running?



  • @asianmusicguy
    I presume the first one is more or less covered by the resident Malwarebytes.
    Ran the other two tools, looks promising. Hitman Pro didn't find any threats after those. Will report back in the next day or so!
    Thanks



  • @asianmusicguy
    No, damn. Still happening.



  • @WombatPete
    Okay so I'll try to also give it a shot - when adware killer programs don't get rid of the stuff you'll need to do stuff manually.
    (No guarantee that this will remove the adware completely but with a bit of luck you can cripple it so much that it stops working)

    1.) Go to the control panel --> click on "uninstall a program" and take a look if there is something shady installed

    • A google search showed that those entries might be related to the go game go hijacker:
      Go Game Go; HD-Total-Plus; RemoveThaeAdAopp; UTUobEAdaBlock; SafeSaver; SupTab;
      ValueApps; Lollipop; Software aktualisiert Version; DP1815; Video-Player; Konvertieren Sie Dateien kostenlos;
      Plus-HD 1.3; BetterSurf; Trusted Web; PassShow; LyricsBuddy-1; Yupdate4.flashplayes[dot]info 1.2;
      MediaPlayer 1.1; Einsparungen Bull; Feven Pro 1.1;Websteroids; Einsparungen Bull; HD-Plus-3.5;Re-Markit.

    • Also try to remember since when the ggg (I am too lazy to write it every time- sry ^^) is harassing you and take a look in the uninstall a program window if there are other unknown programs that installed around that date.

    2.) Press "Windowskey + R"; this will open up a small popup. Type msconfig and press "Enter". Take a look at the section "Startup"; especially when the manufacturer is unknown and you don't know what the program does, untick the box. When you're done there and have deselected everything shady, press "Apply" and "OK" but skip a restart in the following window.

    3.) Open up again the "Windowskey + R" box and copy paste there notepad %windir%/system32/Drivers/etc/hosts and take a look if there are entries below the "local host" part. If yes, copy them to another notepad or Word document (in case they are vital for some other programs, so you have a backup in case this breaks something) and delete them in the first window --> save and close this window.
    It should look like this:

    0_1495176592673_ip host.png

    4.) Next go into the network properties

    • Right-click on the Network Adapter you are using —> Properties —> Internet Protocol Version 4 (TCP/IP), click Properties.
    • The DNS line should be set to Obtain DNS server automatically. If it is not, set it yourself.
    • Click on Advanced —> the DNS tab. Remove everything here (if there is something) —> OK.
    • Do the same for IPv6
      I stole a pretty good pic and parts of the instruction from here

      0_1495176865355_network connection.png

    5.) Open Vivaldi, go to the extension site "Ctrl + Shift + E" and take a look if there are any shady extensions; if yes, remove them.

    6.) Open the Vivaldi settings "Alt + P" --> search --> delete every search engine you don't know by clicking the x on the right side of the entry.
    Note: when a search engine you want to delete is labeled as default search engine you'll need to assign a new default first (the blue checkmark), then you can delete it.

    7.) Stay in the settings --> startup --> make sure that vivaldi starts up with startpage (you can change this later if you need this for extensions when everything is fixed) next go to settings --> tabs --> in the section "New Tab Page" do the same --> close vivaldi.

    8.) Right-click the Vivaldi icon on your desktop (and if you use any other browser you want to do this for them too) --> Properties --> Shortcut. In Target, remove everything after .exe (!!! When you typed there flags yourself you can of course skip their delete)

    9.) Restart

    Please note: This doesn't cover any kind of registry cleanup - sole reason for this is that I am not good at this stuff and don't want to brick your pc - so even if this works and you get rid of ggg there still might be parts of this crap left on your pc - just saying.

    Nevertheless I hope this helps
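
Added example, not part of the post above: a read-only Python check for step 3 that lists every active hosts entry and labels it, so entries can be reviewed and backed up before anything is deleted. The sample file contents and the category names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are illustrative.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1   localhost
127.0.0.1     localhost
::1           localhost
0.0.0.0       updates.av-vendor.example   # sinkholed name
203.0.113.7   www.search.example search.example
not-an-ip     broken.example
"""


def audit_hosts(text):
    """Return (line_no, kind, address, names) for every active hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if not fields:
            continue                            # blank or comment-only line
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None
        if ip is None or not names:
            kind = "malformed"
        elif ip.is_loopback and all(n.lower() == "localhost" for n in names):
            kind = "default"      # the usual localhost mapping
        elif ip.is_loopback or ip.is_unspecified:
            kind = "sinkhole"     # name made unreachable (blocklists, or blocked update sites)
        else:
            kind = "redirect"     # name forced to a chosen address
        findings.append((line_no, kind, address, names))
    return findings


if __name__ == "__main__":
    for line_no, kind, address, names in audit_hosts(SAMPLE_HOSTS):
        if kind != "default":
            print(f"line {line_no}: {kind:9} {address} -> {' '.join(names)}")
```

To check a real machine, pass the text of the hosts file named in step 3 to `audit_hosts` instead of the sample.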



  • Since it's actually quite clear now that you have an infection,
    follow these steps and open a topic on the Malwarebytes forum; they do free hands-on expert help
    https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
    along with any of the logs produced by the tools i had you run



  • Apparently, Malwarebytes online scanning is not working as it should.

    I use the free version and only scan my local drives.



  • The Malwarebytes team will help you remove the adware/infection; however, in the future it should be noted to add Vivaldi to the list of applications covered by exploit protection
    i also highly recommend https://github.com/gorhill/uBlock#chromium
    when used along side https://github.com/gorhill/uBO-Extra
    when the right lists are chosen it adds an extra browser-level block to help reduce such cases
    I also want to say that although Malwarebytes 3 is great it should still not be considered as a full AV replacement
    please consider https://www.avast.com/en-us/index to work along side Malwarebytes for free

    or use https://usa.kaspersky.com/home-security#pc as a paid solution
    since this is a PDF issue I recommend replacing Adobe Reader with another PDF reader
    in fact here is a safe application downloader link to an installer I've generated for you with many great alternative free programs to avoid future exploits
    use it if you like
    https://ninite.com/cccp-filezilla-foobar-gimp-glary-imgburn-libreoffice-peazip-revo-sumatrapdf-xnview/



  • @Pesala that is an issue, yes, but it's for the most part not an issue in this case



  • Thanks all! A few responses:

    1.) It's an adware issue, NOT a pdf issue. The fact that the page to which I'm being hijacked has to do with pdfs is beside the point. In fact, I use PDF-xchange, not acrobat.

    2.) I found what looks like a (possibly bad) solution. I searched the contents of files on the computer for a recognizable part of the page to which I was redirected. It found references to the site in the Vivaldi preferences file. I took the risk of deleting them, comma to comma. There was an odd message when Vivaldi rebooted, but it seems to be working fine now - with no signs of the redirect.

    I'll definitely look at the recommended add-ons...
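
Added example, not part of the post above: a read-only way to do the search described in point 2, reporting the exact JSON location of every reference to a site inside a Chromium-style Preferences file instead of hand-editing it. The sample data, its key names and the domain `ads.example.invalid` are constructed placeholders.

```python
import json

# Constructed sample standing in for a Chromium-style Preferences file.
# Key names and the domain are illustrative, not taken from a real profile.
SAMPLE_PREFERENCES = """
{
  "homepage": "https://start.example/",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["https://start.example/",
                               "http://ads.example.invalid/pdf-offer"]},
  "profile": {"content_settings": {"exceptions": {"popups": {
      "http://ads.example.invalid:80,*": {"setting": 1}}}}},
  "extensions": {"settings": {"aaaabbbbccccdddd": {
      "manifest": {"name": "Helper",
                   "homepage_url": "http://ADS.example.invalid/"}}}}
}
"""


def find_references(node, needle, path="$"):
    """Yield (json_path, value) for each key or string value containing needle."""
    needle = needle.lower()
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}[{key!r}]"
            if needle in key.lower():
                # Sites can be stored as key names, not only as values.
                yield child, "<key name>"
            yield from find_references(value, needle, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_references(value, needle, f"{path}[{index}]")
    elif isinstance(node, str) and needle in node.lower():
        yield path, node


def audit_preferences(text, needle):
    """Parse Preferences JSON and return every location that mentions needle."""
    return list(find_references(json.loads(text), needle))


if __name__ == "__main__":
    for location, value in audit_preferences(SAMPLE_PREFERENCES, "ads.example.invalid"):
        print(f"{location}\n    {value}")
```

Run it against a copy of the profile's Preferences file taken while the browser is closed; the paths show which setting holds each reference.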



  • @zaibon Thanks! I actually know this guide and pretty much did all that, but I appreciate it!



  • I would still recommend that you let an expert over at Malwarebytes help you.
    It's free and you can be sure you're clean

    As a last resort (depending upon your windows version) I also would try
    https://www.bleepingcomputer.com/download/combofix/
    I say last resort because it's a pretty advanced scanning tool which works very well but may have a risk of removing something you may want to use.



  • @asianmusicguy

    If Malwarebytes does that for free, I will ABSOLUTELY do it - sounds fantastic!

    In the meanwhile, UPDATE: my operation in the "preferences" file seems to have had the reverse effect - I started getting more redirects that hadn't cropped up yet. I copied out the profile directory, reinstalled Vivaldi (which is easy, as I use a standalone installation). Copied back everything but the preferences file and cookies. Seems perfect now.

