Google redirect/ z00clicker.dll problem



#1 grumpster


Posted 22 January 2010 - 04:53 PM

Long time browser, first time visit to the Intensive Care ward. I may have stupidly taken some steps to heal myself but I think there's still residue...

Symptom: Since yesterday I see sporadic (3/4s of the time) redirects with Firefox to unintended links from Google search results. Yep, I've been nicked.

Being a bit curious I first read through a lot of similar posts here and downloaded and installed Malwarebytes AntiMalware and ran a full scan. The log came back with one hit: (Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000026f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.)
I then rebooted and re-ran several more times and MWAM then runs clean.

But the Google redirect symptoms continued. I read more and more. I installed and ran RootRepeal which flagged:

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 804) Address: 0x10000000 Size: 176128

Now I'm thinking Rootkit based on what I've seen in the other posts. I was a bit curious what sites were handling the redirects and a search on http://40448.123bounce.com etc. reveals a stack of URLs that are pointed at the same I.P. I set up the add-on BlockSite in Firefox to block those addys while I work on this and lo and behold then I cannot search at all. Pretty convincing proof of the redirects, which all point to the http://216.36.248.153 domain.

I installed and ran GMER and it points to copies of MBR and rootkit-like activity but no hard rootkits. Based on other issues I've fixed I attempted the FIXMBR command thru the recovery console and now I'm browsing and such OK with no redirects. However, I rebooted and re-ran GMER again and it still flags issues with the boot record copies and seems nothing has changed there. AVG, MWAM, etc. all run clean with no issues noted.

So, now I'm falling on my sword as I don't think it's truly fixed. If some patient soul could help with this I will try to be as responsive as my schedule permits.


 


#2 Old_compguy


Posted 22 January 2010 - 05:47 PM

Go to C:\Program Files\Mozilla Firefox\components

Look for a strange looking dll file - something like aaeecfedgee.dll (the letters will not be the same, but will be similar) and delete that file. Firefox must be closed prior to trying to delete it. File size is around 116k and there should only be two other dll files (browserdirprovider.dll & brwsrcmp.dll) in that folder and they are legitimate.

I had a problem similar to what you described where when using Google in Firefox I would be redirected to various other sites. None of the usual methods seemed to isolate the problem, and believe me I tried most. I can't recall where I found the info on that strange dll, but it worked for me.
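
The folder check described in the post above, as an added example that is not part of the original thread: a read-only Python audit that lists every DLL in the Firefox components folder other than the two the post names as legitimate, with size and SHA-256 for follow-up. The function name `audit_components` and the 25% size window around "116k" are assumptions made for this example, and the two-file allowlist is taken from the post and applies only to the Firefox version discussed there.

```python
import hashlib
import sys
from pathlib import Path

# Allowlist taken from the post: the two DLLs it names as legitimate here.
KNOWN_GOOD = {"browserdirprovider.dll", "brwsrcmp.dll"}
# The post puts the rogue file at "around 116k"; the 25% window is an assumption.
SIZE_HINT = 116 * 1024
SIZE_TOLERANCE = 0.25
DEFAULT_DIR = Path(r"C:\Program Files\Mozilla Firefox\components")


def audit_components(folder=DEFAULT_DIR):
    """Return one record per DLL in `folder` that is not on the allowlist.

    Nothing is deleted or modified. The SHA-256 lets the file be looked up
    or submitted for analysis before anyone decides to remove it.
    """
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        # Compare case-insensitively, as Windows file names are.
        if path.name.lower() in KNOWN_GOOD:
            continue
        size = path.stat().st_size
        findings.append({
            "name": path.name,
            "size": size,
            "size_matches_post": abs(size - SIZE_HINT) <= SIZE_HINT * SIZE_TOLERANCE,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_DIR
    if not target.is_dir():
        sys.exit(f"Folder not found: {target}")
    results = audit_components(target)
    if not results:
        print("No DLLs outside the allowlist in", target)
    for item in results:
        hint = "near 116k" if item["size_matches_post"] else "size differs from post"
        print(f"{item['name']}  {item['size']} bytes ({hint})  sha256={item['sha256']}")
```

An empty result only says the folder matches the allowlist; it does not account for a module that is hidden from normal directory listings, such as the one RootRepeal reported in the first post.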

#3 grumpster


Posted 22 January 2010 - 05:58 PM

Old_compguy,

I checked that earlier and all is normal there. Thanks for the thought, tho.

I'm still at sea here.



