Malwarebytes

sp.dll infection

48 replies to this topic

#41
Maurice Naggar

All right, then, I'd recommend you remove Firefox, and get a new setup of Firefox.

De-install Firefox.
Logoff and reboot system.

Using Internet Explorer, go to www.mozilla.org
Download and SAVE firefox

Close Internet Explorer, and then apply the setup of Firefox.
When completed, logoff and restart the system fresh.
~Maurice Naggar

I close my threads if there are 5 days without a response.

#42
kosmic94

Done. First time I installed with the "Run" button and ran Firefox before restarting the second time, so I went back, uninstalled again, and saved the downloader to the desktop, ran as admin, restarted afterward before running Firefox. Tested a couple searches; no redirects yet, but that doesn't mean anything. Also, I didn't uninstall the personal settings and customizations, so I wouldn't lose everything, if that matters.

I mostly get redirected to "GimmieAnswers," and if you search that on Google, it's apparently a well-known virus, but I was directed to some other site, like "hapili," or something, once (it started with an H but I don't think that was the exact name).

My ma, who uses Internet Explorer, says it's possible she has also been redirected in this manner, but she doesn't remember for sure. As I don't use IE, I don't know.

-kosmic94

#43
Maurice Naggar

What you call a virus may not be a "virus". By that I mean, if you guys are initially getting to Google site ok (or even another search engine like Bing), you cannot & must not think that any one "result" or link is "safe" !!!!!
Do not be quick to click. Don't click on any link before "studying" what site it is on. Ask yourself, can I reasonably be safe on that site?
Seeing a search result on a search engine does NOT mean that the link is safe.
I am convinced that there's nothing left here that is a hijacker.

I am going to suggest 2 scans. And after that, it is high time to end this chase.

Step 1
Temporarily disable your antivirus.

Next, get/save to the Desktop, and then run the MS Safety scanner
http://www.microsoft...us/default.aspx

Step 2
Next, do another scan.

Perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.
Follow the directions in the F-Secure page for proper Installation.
You may receive an alert on the address bar at this point to install the ActiveX control.
Click on that alert and then click "Install ActiveX component".
Read the license agreement and click "Accept".
Click "Custom Scan" and be sure the following are checked:
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Use advanced heuristics
When the scan completes, click the "I want to decide item by item" button.
For each item found, Select "Disinfect" and click "Next".
When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

Step 3
Save and close any work documents, close any apps that you started.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.
Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4
Post the results.

Re-enable your antivirus.
~Maurice Naggar

#44
kosmic94

First scan removed several oddities, but the most interesting were a JavaScript exploit and a Win32/backdoor.

Second scan found nothing; I don't see the report. I thought it saved a text file, but I don't see it.

Third scan also found nothing it didn't find before. Not worth posting the same report all over again.

I am still getting Google searches redirected to GimmieAnswers and Happili and some other dumb site. It happens at random, and if I go back to Google I can click the same link and it will go through.

-kosmic94

#45
Maurice Naggar

I need the MBAM scan log from the last run. Post a copy so that I can review.

Be very, very specific as to which browser you used when Googling, what the search term was, and what site you were after.
Why the need to use Google?

Step 1
Visit this page and apply more security to Firefox http://ubuntuforums....ad.php?t=671604

Step 2
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 3
Download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 4
Get and run the Windows Defender Offline tool. It is a tool that runs off a boot-USB-drive or a boot-CD that you prepare from it.
The tool will scan for malware on the system.
The frequently asked questions section is at
http://windows.micro...efender-offline
http://windows.micro...der-offline-faq

Edited by Maurice Naggar, 02 April 2012 - 11:37 PM.

~Maurice Naggar

#46
Maurice Naggar

Please advise on the current status of this system. It has been several days since my last reply.
~Maurice Naggar

#47
kosmic94

I did the second and third things. Can't do the last anyway as I have no boot equipment.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 14:58 on 15/04/2012 (Flood)
Firefox version 11.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [21:29 27/09/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:47 31/03/2012]

C:\Users\Flood\Application Data\Mozilla\Firefox\Profiles\360vmvb8.default\extensions\
battlefieldheroespatcher@ea.com [21:22 30/08/2011]
battlefieldplay4free@ea.com [01:23 24/08/2011]
foxyproxy@eric.h.jung [02:49 17/03/2012]
gcyvknqexv@gcyvknqexv.org [22:01 22/03/2012]
{20a82645-c095-46ed-80e3-08825760534b} [03:56 10/05/2010]
{455D905A-D37C-4643-A9E2-F6FEFAA0424A} [06:46 29/12/2011]
{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [16:20 15/05/2011]
{9051303c-7e41-4311-a783-d6fe5ef2832d} [04:44 02/04/2012]
{9c51bd27-6ed8-4000-a2bf-36cb95c0c947} [18:19 12/02/2010]
{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [02:27 25/06/2011]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [20:10 29/03/2012]
{bb6bc1bb-f824-4702-90cd-35e2fb24f25d} [00:04 27/04/2011]
{c45c406e-ab73-11d8-be73-000a95be3b12} [00:39 07/01/2011]
{e968fc70-8f95-4ab9-9e79-304de2a71ee1} [00:39 07/01/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:42 18/06/2009]
"{23fcfd51-4958-4f00-80a3-ae97e717ed8b}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video" [22:41 30/12/2010]
"{6904342A-8307-11DF-A508-4AE2DFD72085}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa" [22:41 30/12/2010]
"wrc@avast.com"="C:\Program Files\Alwil Software\Avast5\WebRep\FF" [00:13 06/03/2011]

-=E.O.F=-

I'm using Google because I have to. Nothing's been compromised yet, just the redirects, and I doubt this is going to go anywhere.

-kosmic94
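
An added triage helper, not part of the thread and not from the GooredFix tool, that parses a GooredLog like the one posted above and lists the extension entries a helper would want to examine by hand: email-style ids that look machine-generated, and entries installed within a window before the log was written. The vowel-ratio rule, the 30-day window and the sample (a subset of the posted log) are my assumptions; a flag is a prompt to look, not a finding.

```python
import re
from datetime import datetime

# Constructed sample in the GooredLog layout posted above (a subset of its entries).
SAMPLE_LOG = r"""========== GooredLog ==========
C:\Program Files (x86)\Mozilla Firefox\extensions\
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [21:29 27/09/2011]

C:\Users\Flood\Application Data\Mozilla\Firefox\Profiles\360vmvb8.default\extensions\
foxyproxy@eric.h.jung [02:49 17/03/2012]
gcyvknqexv@gcyvknqexv.org [22:01 22/03/2012]
{9051303c-7e41-4311-a783-d6fe5ef2832d} [04:44 02/04/2012]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\Alwil Software\Avast5\WebRep\FF" [00:13 06/03/2011]
"""
LOG_CREATED = datetime(2012, 4, 15, 14, 58)  # from "Log created at 14:58 on 15/04/2012"
# One entry: an id (quoted, with a path, in the registry section) then "[HH:MM DD/MM/YYYY]".
ENTRY_RE = re.compile(r'^"?(?P<id>[^"\s]+)"?(?:="[^"]*")?\s+'
                      r'\[(?P<time>\d\d:\d\d) (?P<date>\d\d/\d\d/\d{4})\]$')
VOWELS = set("aeiou")

def parse_goored_log(text):
    """Yield (location, extension_id, installed_at); location is the last header line seen."""
    location = None
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            yield location, m["id"], datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M")
        elif line and not line.startswith("=="):
            location = line  # directory or registry-key header

def looks_generated(ext_id):
    """Heuristic (an assumption, not a verdict): an email-style id whose local part equals
    the domain label and is a long, nearly vowel-free string is worth a manual look."""
    if "@" not in ext_id:
        return False
    local, domain = ext_id.split("@", 1)
    vowel_ratio = sum(c in VOWELS for c in local.lower()) / max(len(local), 1)
    return local.lower() == domain.split(".")[0].lower() and len(local) >= 8 and vowel_ratio < 0.2

def review(text, created=LOG_CREATED, recent_days=30):
    """Return [(extension_id, location, reasons)] for entries to examine by hand."""
    findings = []
    for location, ext_id, when in parse_goored_log(text):
        reasons = (["random-looking id"] if looks_generated(ext_id) else []) + \
                  (["installed recently"] if (created - when).days <= recent_days else [])
        if reasons:
            findings.append((ext_id, location, reasons))
    return findings
```

Entries flagged only as "installed recently" include legitimate add-ons; the point is to narrow the list for someone comparing ids against what the user knowingly installed.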

#48
Maurice Naggar

If your pc can boot from a USB-drive, you only need a small USB-flash drive (one that can hold 250 MB is sufficient) for the Windows Defender Offline Beta.
See http://windows.micro...efender-offline
If your pc cannot boot from a USB drive, then get a CD and build the Windows Defender onto it; set your pc to boot from CD and scan it.
~Maurice Naggar

#49
Maurice Naggar

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar
