I'll be brief, I'm being a little interrupted right now so I have to skim over the problem as quickly as I can! Sorry!
(Also, since this is my first post; I'm David. Nice to meet you all. (: )
Firstly, a little about me and my computer. I'm very, very OCD about keeping my computer organized, clean and error free. That said, I usually format every 2-3 months and can get my computer back to how I like it in about 3-4 hours. I work as a technician at a small computer repair shop, and viruses are easily our number 1 problem there.
I'm very experienced with removing them through a myriad of programs that are the standard from what I've seen on the site. My usual toolbox would be Combofix > Smitfraudfix > MalwareBytes > Avast > Hijack This > CCleaner. Of course that won't clean everything and more work would be required for harder-to-remove ones, etc.
tl;dr and extension; I'm more than capable when it comes to computers, viruses, and the like. I don't require a 'simple-version' of instructions. :D
Now, my problem. I've tried searching on the forum for similar problems but Firefox, Google, viruses, tabs and other words I've used are just way too general! I promise I tried. .__.;
Basically here's what's happened. After formatting my computer a matter of days ago, I installed Firefox, my usual addons, my usual about:config edits, everything. Like I said before, I have an obsession with organization so if you'd like to see a .txt of what I install, links to them and edits to config, just ask.
I installed what I needed to, and carried on with my business installing the other programs after the re-installation. Then I noticed a few tabs open in Firefox. I opened it, and some were about news websites. Something like 'Mother of 1 earns $3000 a month' - I've seen it all before, I knew that this was a problem. The site name escapes me but it's something like 'News1' or ..similar.
I can get it when it happens again.
So I closed it, carried on with my business.
Now, it's happened frequently throughout the week - It's generally when I open a new tab via middle click, or search in the awesome-bar. It will open a new tab, directed at an IP of "http://220.127.116.11/go.php" (it obviously changes but I've seen this one most) and then redirects maybe another 3-4 times quickly. All the pages it redirects to have that ominous ? in a black triangle until it finally lands at the news page I described above, or some other general advert site. Then one link before the end result, it usually has a word I've searched for in it. If I search for.. Chicken Recipes, for example, then I might see Chicken or Recipes or some variant in the URL.
Now, what I've done to 'fix' this.
I've done my general sweep of virus removal programs. Combofix, followed by SmitFraudFix, followed by MalwareBytes, followed by Avast (boot-time scan). I've then checked running processes, Hijack This, done a very thorough clean both with CCleaner and Glary Utilities, and my own knowledge of where viruses hang out. This is all behind PeerBlock running P2P, Spyware, Advertising, Education, Infringement and Primary Threats lists (Allowed HTTP, because it usually spits and cries about everything). I've then checked the registry for anything that stands out (which would especially stand out after a new reinstall!). I've finished cleaning -again- today and reinstalled Firefox COMPLETELY. I've removed 'not-so-confident-about' addons from Firefox (I don't run a lot, but usually ones like Add To Searchbar which have such a small fan base that malicious code could go rather unnoticed?). It's still doing it!
I've read around that Java had an exploit that allowed random programs to be installed without permission - now I distinctly remember not installing Java until very late into my Firefox installation sweep. I don't know if this is useful or not, but it was mentioned in another thread I've been reading.
The virus, or whatever it is, is not affecting anything else to the best of my knowledge. I'm having some random driver issues but I think it's just coincidental that they've happened around the same time - and I'm too lazy to fix them right now.
I've also thoroughly checked through a dds.scr scan. Nothing is where it shouldn't be, but I'm happy to show, I guess.
I appreciate any and all help - I understand I've written a lot so I don't expect immediate help.
I'll try to update what I do, but right now I'm just going to wait a while.
[EDIT 1]: I wrote about PeerBlock just as I was finishing up, and realized I might as well block HTTP and monitor what goes in and out for a while. I'm aware of the 'normal' connections that try to sneak up so anything that stands out, should.
[EDIT 2]: Emphasized key points.
[EDIT 3]: JUST as I finished the second edit, and clicked Submit Modified Post, it opened a new tab, and opened:
http://dbcummings.com/search.php then tried to connect to a very long link
EDIT: Moved from Web Browsing/Email to Am I Infected forum ~ Hamluis.
[EDIT 4]: Thank you, Hamluis. I was unsure and just looked for the most relevant.
Edited by vSanjo, 24 June 2010 - 11:51 AM.