Firefox Hijacker

Hello.

First off:
-Using Windows 7
-Mozilla Firefox issue
-Running AVG
-Running Spybot S&D
-All standard Windows firewalls are OFF (gaming issues)
-No other firewalls running

The last couple weeks I've started having problems with Mozilla Firefox. After a seemingly random amount of time, some type of hijacker takes over the browser and directs every page to random nonsense advertisements/ pop-ups/ business scams/ etc. Sometimes AVG says it has caught a threat when one of the hijacks happens, usually it doesn't. I generally kill the whole process as quick as I can whenever it happens, but I'm freaking out, hoping none of this will cause permanent damage.

I've had problems before, but none exactly like this. The only pattern is that it seems to happen after clicking between 3-10 links. After the hijacker kicks in, any link click, search, bookmark, any action that would normally take me to a page I want, will be redirected to a spam site. For the most part I've been able to solve nonsense like this in the past, but not this time.

So far I've tried:
-Multiple AVG / Spybot S&D scans, which did yield several results, but none remedied the problem after being removed.
-Uninstalling/Reinstalling Firefox (but leaving user info)
-Uninstalling/Reinstalling Firefox (deleting all files, shredding remaining folders)
-Manually looking through processes/ startup info (only a limited knowledge here, didn't see anything that I didn't recognize)
-Running HijackThis (yielding nothing I recognize as a threat, but then again I'm no expert)

Nothing I've done has cleared the problem as it usually would have. Any help would be greatly appreciated.

Edit: Forgot to mention that Firefox doesn't remember passwords anymore, no idea if this is related to the highjacker or not.

Edited by Perturabo, 07 June 2010 - 07:28 PM.
Move from Web-browsing to AII. ~ OB

2 days bump for help.

It's at the point now where 2 out of 3 times, Windows will not shut down when shutting down/ rebooting. I have to physically de-power the computer. Still getting hijacked.

Please download GooredFix and save it to your Desktop.
Double-click GooredFix.exe to run it.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).



Please download Malwarebytes from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the log please

Thanks for a reply. Ran both scans.

GooredFix

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:57 on 09/06/2010 (Joe)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:04 04/06/2010]

C:\Users\Joe\Application Data\Mozilla\Firefox\Profiles\7169v4ir.default\extensions\
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [20:08 04/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [15:25 10/01/2010]

-=E.O.F=-

No idea if that means something was found or not.

MBAM scan, nothing found.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4183

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/9/2010 9:01:55 PM
mbam-log-2010-06-09 (21-01-55).txt

Scan type: Quick scan
Objects scanned: 115752
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Still being hijacked.

Edited by Perturabo, 09 June 2010 - 08:06 PM.

Follow these instructions and run TDSSKiller
http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

Thanks, that seems to have done the trick! Spent about 20 minutes clicking on random links and no redirects. Now I just have to figure out why passwords aren't being remembered.