Google hijack?

This just started happening: Running Firefox 10 (started in 9 before updating), doing a search in Google (either from the Google.com website or the search engine box in the upper right corner of Firefox). With me so far? I do a search (used Bleepingcomputer). The Google search results look fine, but the search link is messed up. Bleeping computer should be "http://www.bleepingcomputer.com". Instead it is "http://www.bleepingcomputer.com/&sa=U&ei=IMI6T7ruFeXs2QXv5oCyCg&ved=0CBEQFjAA&usg=AFQjCNFnCpAywSTLxpxpGDkZuCprOY5nxg".

This is on every search result. The characters are different, but the result is the same when you click on it... a lot of 404's, can't find file, url, etc.

Tried wife's PC and my notebook, search is normal.

Running new HP i5 Quadcore, 8GB RAM, 1TB drive, 2GB Video card, 64 bit, Windows 7. Plenty of space, cache, cookies, temp files, etc. is cleared (using ccleaner from Piriform). Have run Malwarebytes, Avast, TDSSkiller. System appears to be clean. Hosts file has not been altered. Nothing ordinary that just jumps out and slaps you in a hijackthis report.

I'm hesitant to remove and reinstall Firefox because of all the plugins I've got. Besides, the same thing happens in IE. This seemed to start happening after upgrading a Silverlight request. (Which I've removed, but hasn't made a difference.)

Ideas? Questions? FIXES?

dA Fish

Hello, there's a good cahnce it is one of those plugins. Let;s try these 2 first as they are faster.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
• When prompted to run the scan, click Yes.
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

>>>>

Please download TDSSKiller.zip and and extract it.

• Run TDSSKiller.exe.
• Click Start scan.
• When it is finished the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
• Let reboot if needed and tell me if the tool needed a reboot.
• Click on Report and post the contents of the text file that will open.
  
  Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.

>>>>

Last try disabling them one at a time and see which one was at fault.

How to disable extensions and plugins

Keeping your third-party plugins up to date

As mentioned, already ran TDSkiller and it found nothing. I will run the other program. I did find out that combofix reset a lot of the customizations I had for Windows 7 (UAC off, updates off, action center icon off, etc.). Now I have to set everything back up. And it killed my CS5. Apparently it thought my LEGAL app was a hacked version. Now I have to uninstall it and do it over. Yay! What a fun... FUN... day!

Ok, I actually wanted to run Killer like this.

Please download TDSSKiller.zip and and extract it.

• Run TDSSKiller.exe.
• Click on Change Parameters
• Put a check in the box of Detect TDLFS file system
• Click Start scan.
• When it is finished the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
• Let reboot if needed and tell me if the tool needed a reboot.
• Click on Report and post the contents of the text file that will open.
  
  Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.

Okay. But nevermind. I found the offending culprit. Seems that for some reason my "GoogleEnhancer" became "incompatible" with Firefox. It worked fine even before I updated to 10, but go figure. And it wasn't the whole add-on, it was the "Use Google Classic" radio button turned on. I got this add-on after Google started making their search engine so... oh, what's the word I'm looking for... umm... oh, yeah... crappy!

Anyway. thanks for the help. Now I have to find out how to close this issue.

da Fish

Da Fish,even though it wasn't an infection now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to > Run... and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links:

• Create a New Restore Point in Vista or Windows 7
• Disk Cleanup in Vista
• Disk Cleanup in Windows 7