Google Redirect Virus Exclusive to Firefox


38 replies to this topic

#16 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,424 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:59 PM

Posted 22 December 2009 - 03:28 PM

Are you still having the firefox issues?

If so, the most simple solution is re-installing firefox. I see you don't have a very customized profile, however it is up to you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 




#17 BeefyT

BeefyT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 AM

Posted 22 December 2009 - 03:43 PM

Yes the issues are still there. Would a re-install affect bookmarks and the like?

#18 Elise

Posted 22 December 2009 - 04:21 PM

You can export your bookmarks to Internet Explorer (Or import them in internet explorer) and import them back into firefox after the re-install.

regards, Elise


#19 BeefyT

Posted 22 December 2009 - 07:34 PM

Do you know of a way to get around the error in regards to restoring the hosts file? I'd like to dig a little further before going through with a re-install unless you think it's really not worth the hassle. :( What are your thoughts on going that route?

#20 Elise

Posted 23 December 2009 - 07:13 AM

Do you have this problem also when using Internet Explorer? If so, it may be due to the hosts file, but I really don't think so.

regards, Elise


#21 BeefyT

Posted 23 December 2009 - 12:24 PM

Yeah, no problem with Internet Explorer or even when I use another search engine like yahoo. Google and Firefox together are causing the problem.

#22 Elise

Posted 23 December 2009 - 12:37 PM

Try to uninstall FireFox plugins. Most likely it's one of them causing the problem. The hosts file is not the culprit, otherwise IE would have problems as well.

regards, Elise


#23 BeefyT

Posted 26 December 2009 - 07:50 PM

Hi Elise, I believe we've found the culprit.

Although I've seen it for who knows how long, I don't remember installing it. It's either a recently-exploited extension/plugin or maybe included in one of Firefox's more recent updates. Anyhow, when I disabled the add-on "XUL Cache 1.0" the redirection stopped. After checking to see if others have had the same experience I found this thread too: Click Here (http://www.bleepingcomputer.com/forums/t/192538/toseeka;-shopica;-findlinks/)

I'll let ya know if something changes, but as far as I can tell it's fixed!

Thanks for your help! -BeefyT-

#24 Elise

Posted 27 December 2009 - 04:21 AM

Well, that's strange. XUL cache is a known firefox infection, but it didn't show in your logs (usually it does).

Let's make sure all bad stuff is gone. This infection likes to hide pretty good in the registry.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

regards, Elise


#25 BeefyT

Posted 27 December 2009 - 02:43 PM

Ok, here is the Goored.txt log (let me know if I should re-enable XUL cache then run it - this log is with it disabled):

GooredFix by jpshortstuff (06.12.09.1)
Log created at 12:37 on 27/12/2009 (Beefyt)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:52 20/12/2005]
{B13721C7-F507-4982-B2E5-502A71474FED} [17:48 10/11/2009]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [15:27 08/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [15:18 29/09/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:15 09/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [20:39 31/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [20:05 27/08/2008]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:49 07/12/2009]

C:\Documents and Settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\
bettergmail2@ginatrapani.org [20:50 02/12/2009]
moveplayer@movenetworks.com [02:54 26/02/2009]
{42fd8380-9631-43a8-8acf-52f38b4fadf9} [20:43 12/11/2009]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [19:56 10/06/2009]
{d40f5e7b-d2cf-4856-b441-cc613eeffbe3} [23:38 16/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:47 07/12/2009]

-=E.O.F=-

#26 Elise

Posted 27 December 2009 - 02:49 PM

Yes, please enable it first and then re-run GooredFix.

regards, Elise


#27 BeefyT

Posted 27 December 2009 - 03:08 PM

Ok, here is with it enabled: (I made sure redirections were occurring after I enabled it also - although the log doesn't appear to have found it)

GooredFix by jpshortstuff (06.12.09.1)
Log created at 13:02 on 27/12/2009 (Beefyt)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:52 20/12/2005]
{B13721C7-F507-4982-B2E5-502A71474FED} [17:48 10/11/2009]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [15:27 08/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [15:18 29/09/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [17:15 09/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [20:39 31/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [20:05 27/08/2008]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:49 07/12/2009]

C:\Documents and Settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\
bettergmail2@ginatrapani.org [20:50 02/12/2009]
moveplayer@movenetworks.com [02:54 26/02/2009]
{42fd8380-9631-43a8-8acf-52f38b4fadf9} [20:43 12/11/2009]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [19:56 10/06/2009]
{d40f5e7b-d2cf-4856-b441-cc613eeffbe3} [23:38 16/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:47 07/12/2009]

---------- Old Logs ----------
GooredFix[19.57.19_27-12-2009].txt

-=E.O.F=-
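The two GooredLog sections above list each extensions directory and registry key followed by the ids and timestamps found under it. As an added example that is not part of this thread or of GooredFix, here is a parser for that layout which flags any id missing from an allowlist; the allowlist is an assumption constructed for the sample (default theme, Java Console, Java Quick Starter and one add-on the user recognises), and in practice it would be the analyst's own known-good list.

```python
import re

# Constructed sample in the GooredLog layout the thread shows (not a real scan).
SAMPLE_LOG = r"""========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:52 20/12/2005]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:49 07/12/2009]

C:\Documents and Settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\
bettergmail2@ginatrapani.org [20:50 02/12/2009]
{42fd8380-9631-43a8-8acf-52f38b4fadf9} [20:43 12/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:47 07/12/2009]
-=E.O.F=-
"""
# Assumed allowlist for this example only; a real one is the analyst's known-good list.
VETTED = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}", "{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}",
          "bettergmail2@ginatrapani.org", "jqs@sun.com"}
ENTRY_RE = re.compile(r"^(?P<id>.+?) \[(?P<stamp>\d\d:\d\d \d\d/\d\d/\d{4})\]$")
END_MARKERS = ("-=E.O.F=-", "---------- Old Logs ----------")

def parse_gooredlog(text):
    """Return [(container, extension_id, timestamp)] for the GooredLog section: a
    line ending in a backslash is an extensions directory, a [bracketed] line a
    registry key, and the stamped lines under either are the entries it holds."""
    entries, container, in_section = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "========== GooredLog ==========":
            in_section = True
        elif not in_section or not line:
            continue
        elif line in END_MARKERS:
            break
        elif line.endswith("\\") or (line.startswith("[") and line.endswith("]")):
            container = line.strip("[]")
        else:
            m = ENTRY_RE.match(line)
            if m and container:
                ext_id = m.group("id")
                if ext_id.startswith('"'):   # registry value: "id"="install path"
                    ext_id = ext_id.split('"')[1]
                entries.append((container, ext_id, m.group("stamp")))
    return entries

def unvetted(entries, allowlist=VETTED):
    """Entries whose id is not on the allowlist; GUID letter case is not significant."""
    allowed = {a.lower() for a in allowlist}
    return [e for e in entries if e[1].lower() not in allowed]
```

On the sample the only unvetted entry is the profile-directory GUID that the analyst asks to have packed up in the next post.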

#28 Elise


Posted 27 December 2009 - 03:52 PM

Hello again,

Download this program:

submit files packer

Highlight the folder listed below in bold, right-click and select copy.

C:\Documents and Settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\{42fd8380-9631-43a8-8acf-52f38b4fadf9}

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to BeefyT

Click Here to upload the files please.

Please let me know once you uploaded the file, thanks :(

regards, Elise


#29 BeefyT

Posted 28 December 2009 - 01:24 AM

Ok, file has been uploaded. :(

#30 Elise

Posted 28 December 2009 - 04:51 AM

Hello :(

Sorry, the file packer apparently doesn't like folders....

Please click start > type run in the search box and press enter. In the run box type notepad and press enter.
Copy/paste the text in the codebox below into Notepad and save it as uploadthis.bat to your desktop.
PEV -Zip"Uploadthis.zip" -t!pmz -dg7 "C:\Documents and Settings\Beefyt\Application Data\Mozilla\Firefox\Profiles\xkcp48hy.default\extensions\{42fd8380-9631-43a8-8acf-52f38b4fadf9}"\*
Exit Notepad and double-click on uploadthis.bat to run it. You will see a black command window and after that a zip file will be created on your desktop, named Uploadthis.zip

Now please go here

In the box next to "Link to topic where this file was requested" paste the link to this topic.
Click Choose file and browse to the uploadthis.zip we created and upload it. Click Send file.

Please let me know once you have uploaded the file.

regards, Elise
