Long-time browser, first-time visit to the Intensive Care ward. I may have stupidly taken some steps to heal myself, but I think there's still residue...
Symptom: Since yesterday I see sporadic (about 3/4 of the time) redirects in Firefox to unintended links from Google search results. Yep, I've been nicked.
Being a bit curious, I first read through a lot of similar posts here, then downloaded and installed Malwarebytes Anti-Malware and ran a full scan. The log came back with one hit:

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000026f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I then rebooted and re-ran it several more times, and MBAM now runs clean.
But the Google redirect symptoms continued. I read more and more. I installed and ran RootRepeal, which flagged:

Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 804) Address: 0x10000000 Size: 176128
Now I'm thinking rootkit, based on what I've seen in the other posts. I was a bit curious which sites were handling the redirects, and a search on http://40448.123bounce.com etc. reveals a stack of URLs that all point at the same IP. I set up the BlockSite add-on in Firefox to block those addresses while I work on this, and lo and behold, then I cannot search at all. Pretty convincing proof of the redirects, which all point to http://18.104.22.168
I installed and ran GMER, and it points to copies of the MBR and rootkit-like activity, but no hard rootkits. Based on other issues I've fixed, I attempted the FIXMBR command through the Recovery Console, and now I'm browsing and such OK with no redirects. However, I rebooted and re-ran GMER again, and it still flags issues with the boot record copies; it seems nothing has changed there. AVG, MBAM, etc. all run clean with no issues noted.
So, now I'm falling on my sword, as I don't think it's truly fixed. If some patient soul could help with this, I will try to be as responsive as my schedule permits.