Firefox Redirects


This topic is locked
20 replies to this topic

#1 conley-d (Members, 19 posts)

Posted 15 December 2010 - 02:02 PM

Greetings. I'm new to the site but I have seen your work and have high hopes! Trend Micro, Spynomore, and Malwarebytes do not find the virus that's causing my concerns.

For a while now I've been getting random redirects to feed.bizzclick... when I click on a link from a Google search. I am running Windows 7 on a Dell Inspiron 1525 with a wireless connection. An example of the redirect URL is:
hxxp://feed.bizzclick.com/click.php?id=8SHwF618s3IAYAS0nIp6euMgAfkj2I4r4LxsmXbhHcuemR8qeBDn_EFeriF69xegOwbud4r7UbDTT5lr-fnRG5xSeh9ZPgBxpMXr

I can't confirm that it is always this though I would guess the feed.bizzclick.com is constant and the rest is some sort of ID. I'm not sure that it is related, but I very occasionally get redirected to Happili.com when I select a link from a Google search. This is not as common as the problem I'm posting.

Best Regards,
Dylan

Edited by Orange Blossom, 09 January 2011 - 12:16 AM.
Moved from Win 7 to Am I Infected ~ Hamluis. Deactivate link. ~ OB



#2 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 15 December 2010 - 10:13 PM

Hello and welcome. Is this a 64 bit Win7 system?

Please read and follow all these instructions.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Now do an online scan.
Please perform a scan with the ESET Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 09:15 AM

Hello Boopme,

Thank you very much for your help. I ran the suggested scans and got the following results:

GooredFix:
GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:28 on 02/01/2011 (Dylan_2)
Firefox version 3.6.13 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:53 23/12/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:26 09/01/2010]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [20:14 16/02/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [15:51 11/12/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [16:56 16/12/2010]

C:\Users\Dylan_2\Application Data\Mozilla\Firefox\Profiles\l2dsbay3.default\extensions\
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:14 23/09/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [17:35 15/01/2010]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [13:22 01/04/2010]
"{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}"="C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}" [19:49 27/11/2010]

---------- Old Logs ----------
GooredFix[16.27.56_02-01-2011].txt

-=E.O.F=-

ESET Scan Results:
C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6420.mexw32 probably a variant of Win32/Agent.KRDRJQX trojan cleaned by deleting - quarantined
C:\Program Files\MATLAB\R2008a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6430.mexw32 probably a variant of Win32/Agent.FXHULZN trojan cleaned by deleting - quarantined
F:\Backup10_10\Dylan_2\AppData\Local\Temp\0.28554353924270237.exe a variant of Win32/Kryptik.GPR trojan cleaned by deleting - quarantined
F:\Backup10_10\Dylan_2\AppData\Local\Temp\tmpc72dabf1\us.exe a variant of Win32/Kryptik.GOF trojan cleaned by deleting - quarantined
F:\Backup10_10\Dylan_2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\62de25ee-3da74923 a variant of Win32/Kryptik.GPR trojan cleaned by deleting - quarantined
F:\Backup10_10\Dylan_2\Downloads\OnlineBackupSetup.exe probably unknown NewHeur_PE virus deleted - quarantined

ESET Log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK


I just finished the scan and haven't had any redirects in the short time since. I will post again if I get another redirect.

Best Regards,
Dylan
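
The GooredFix log above is an inventory rather than a verdict: the GooredScan section is where the tool reports anything it acted on (empty here), and the GooredLog section lists every extension found in the Firefox program directory, the user profile, and the HKLM Extensions registry key. Reading that inventory by hand is the step both the instructions in post #2 and the log in post #3 leave to the reader. The script below is an added example written for this page; it is not part of the thread and not GooredFix's own code. It parses a log in the layout GooredFix prints and sorts each entry into "known" or "review" using a small allowlist. SAMPLE_LOG is constructed from the log posted above; the allowlist (Firefox's default theme ID, the Java 6 "Java Console" GUID pattern, and a few vendor install paths) is the editor's assumption for illustration, not a list GooredFix ships.

```python
# Added example: triage a GooredFix-style Firefox extension inventory.
# Not from the thread or from GooredFix; the allowlist below is assumed.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Firefox's bundled default theme has a fixed extension ID.
FIREFOX_DEFAULT_THEME = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"

# Java 6 installs one "Java Console" extension per update; the update number
# is the fourth GUID block, so ...-0023-... belongs to JRE 1.6.0_23.
JAVA_CONSOLE_RE = re.compile(
    r"^\{CAFEEFAC-0016-0000-00(\d\d)-ABCDEFFEDCBA\}$", re.IGNORECASE)

# Registry-registered extensions are accepted when their install path sits
# under a vendor directory the owner recognises (assumed list, lower-case).
TRUSTED_PATH_PREFIXES = (
    "c:\\program files\\hp\\",
    "c:\\programdata\\real\\realplayer\\",
    "c:\\program files\\adobe\\",
)

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
LOCATION_RE = re.compile(r"^(\[HKEY_[^\]]+\]|[A-Za-z]:\\.*\\)$")
DIR_ENTRY_RE = re.compile(r"^(\{[0-9A-Fa-f-]+\})\s+\[([^\]]+)\]$")
REG_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[([^\]]+)\]$')


@dataclass
class Extension:
    location: str   # directory or registry key the entry was listed under
    ident: str      # GUID or name@domain
    path: str       # install path (registry entries only)
    stamp: str      # timestamp GooredFix printed for the entry
    verdict: str    # "known" or "review"
    reason: str


def classify(ident: str, path: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one extension entry."""
    if ident.lower() == FIREFOX_DEFAULT_THEME:
        return "known", "Firefox default theme"
    m = JAVA_CONSOLE_RE.match(ident)
    if m:
        return "known", f"Java Console for JRE 1.6.0_{m.group(1)}"
    if path and path.lower().startswith(TRUSTED_PATH_PREFIXES):
        return "known", "registered by a recognised vendor installer"
    return "review", "not in the allowlist; read install.rdf in its directory"


def parse_goored_log(text: str) -> List[Extension]:
    """Walk the GooredLog section and classify every listed extension."""
    section, location, found = None, "?", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "GooredLog":
            continue  # header lines and the GooredScan section are skipped
        if LOCATION_RE.match(line):
            location = line
            continue
        m = DIR_ENTRY_RE.match(line)
        if m:
            ident, stamp, path = m.group(1), m.group(2), ""
        else:
            m = REG_ENTRY_RE.match(line)
            if not m:
                continue  # "Old Logs" footer, E.O.F marker, anything else
            ident, path, stamp = m.groups()
        verdict, reason = classify(ident, path)
        found.append(Extension(location, ident, path, stamp, verdict, reason))
    return found


def review_items(exts: List[Extension]) -> List[Extension]:
    return [e for e in exts if e.verdict == "review"]


# Constructed from the log posted in the thread.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:28 on 02/01/2011 (Dylan_2)
Firefox version 3.6.13 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:53 23/12/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [03:26 09/01/2010]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [20:14 16/02/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [15:51 11/12/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [16:56 16/12/2010]

C:\Users\Dylan_2\Application Data\Mozilla\Firefox\Profiles\l2dsbay3.default\extensions\
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:14 23/09/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [17:35 15/01/2010]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [13:22 01/04/2010]
"{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}"="C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}" [19:49 27/11/2010]

---------- Old Logs ----------
GooredFix[16.27.56_02-01-2011].txt

-=E.O.F=-
"""

if __name__ == "__main__":
    for e in parse_goored_log(SAMPLE_LOG):
        print(f"{e.verdict:6} {e.ident:45} {e.stamp:18} {e.reason}")
```

Run against the posted log, eight of the nine entries are accounted for and the one left for review is the single extension installed in the user profile rather than the program directory. A bare GUID tells you nothing on its own; in Firefox 3.6 the extension's install.rdf in that directory names it. An empty review list is not proof of a clean browser either: a redirect can come from a plugin, a proxy setting, or DNS, none of which appear in this inventory.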

#4 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 02:32 PM

Looks good... update and do a quick scan.
Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 07:17 PM

Boopme,

It looks good. Here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5450

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/3/2011 5:47:40 PM
mbam-log-2011-01-03 (17-47-40).txt

Scan type: Quick scan
Objects scanned: 184878
Time elapsed: 17 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________
I haven't had a redirect since running ESET. Thanks a lot for the help! I'll keep you posted if it comes back.

All the best,
Dylan

#6 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 08:11 PM

You're welcome Dylan. Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:

#7 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 08:30 PM

Boopme,

I disabled this feature in Windows 7 after installing it. I keep a backup of files that I update every few months. Should I be okay? I believe there should be no restore points saved on my computer as I have no space allocated.

Best Regards,
Dylan

#8 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 08:37 PM

OK, that's your prerogative. You are OK from any backed up malware.

#9 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 09:35 PM

Great, Boopme. I really appreciate the quick and excellent work. You really have a great service here. Let me know how I can contribute.

Best Regards,
Dylan

#10 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 09:49 PM

Just when I thought I was out of the woods, it happened again. I was redirected to:
hxxp://feed.bizzclick.com/click.php?id=8kNJsIGO2vxCmdCClKMcrn0olLLx105GzOKSmXYRWX2jhYK_xIcgZbHejQwE3YLSbfKd8yKNKhB6c-E1Bgjg
after trying to open the result of a Google search.

Regards,
Dylan

Edited by Orange Blossom, 09 January 2011 - 12:17 AM.
Deactivate links. ~ OB


#11 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 09:51 PM

Our pleasure,
Thanks for the offer... I do not accept donations, nor does BC. But I will recommend two routes if you'd like to contribute to something.
Either make a donation to some people here who would appreciate it. They help, or developed some of the tools we use here to clean computers.

Look them up in the MEMBERS tab at the top right.
fireman4it
jpshortstuff
random/random
Old Timer
teacup61
JSntgRvr
a_d_13
m0le
Blender
Thunder
myrti

OR
If you would like to donate, I'd appreciate it if you donated here. Goodwill Rescue Mission, Complete meal $1.98

I donate here often and serve Thanksgiving dinner every other year. They are non-profit, honest and very dedicated. Thousands of people pass through here in need of food, clothing, furniture etc...
They run one in Newark, NJ and lower Manhattan, NYC.

#12 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 09:58 PM

OK, it's one of two things.

First
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#13 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 10:14 PM

Hello Boopme,

The scan finished (rather quickly) with no threats found.

Regards,
Dylan

#14 boopme (Global Moderator, 72,762 posts, NJ USA)

Posted 03 January 2011 - 10:24 PM

OK, then it must be in the DNS or the router.

If still redirecting>>>
Change your DNS Servers:
  • Go to Start > Run... and in the open box, type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.



OR.
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

However, if there are other infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site HERE for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
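
The DNS steps above change settings blind: they flush the cache, switch the adapter back to automatic DNS, and reset the router without first showing which resolver the affected machine is actually using. The script below is an added example written for this page, not part of boopme's instructions and not a BleepingComputer tool. It parses the text that `ipconfig /all` prints on Windows 7, collects each adapter's IPv4 address, mask, gateway and DNS servers, and flags any resolver that is neither on the adapter's own subnet (normally the router) nor on an allowlist of resolvers you know are legitimate (your ISP's, for instance). SAMPLE_IPCONFIG is a constructed sample, not output from the thread; the 203.0.113.53 entry is a documentation-range address standing in for an unexpected resolver, and the allowlist is the caller's assumption.

```python
# Added example: audit the resolvers an adapter is using, from `ipconfig /all`
# text. Not from the thread; SAMPLE_IPCONFIG is constructed and the
# allowlist is supplied by the caller.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$", re.IGNORECASE)
# "   Name . . . . : value"; field names always have spaces/dots before the colon,
# which keeps IPv6 continuation lines (fe80::...) from being taken as fields.
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]+:\s*(.*)$")
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")  # extra DNS servers are printed indented


@dataclass
class Adapter:
    name: str
    dhcp_enabled: Optional[bool] = None
    ipv4: Optional[str] = None
    netmask: Optional[str] = None
    gateway: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)


def parse_ipconfig(text: str) -> List[Adapter]:
    """Split `ipconfig /all` output into per-adapter records."""
    adapters: List[Adapter] = []
    current, last_field = None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ADAPTER_RE.match(raw)
        if m:
            current = Adapter(m.group(1))
            adapters.append(current)
            last_field = None
            continue
        if current is None:
            continue  # the "Windows IP Configuration" host block
        m = FIELD_RE.match(raw)
        if m:
            name = m.group(1).strip().lower()
            value = m.group(2).strip().replace("(Preferred)", "")
            last_field = name
            if name == "dhcp enabled":
                current.dhcp_enabled = value.lower() == "yes"
            elif name == "ipv4 address":
                current.ipv4 = value
            elif name == "subnet mask":
                current.netmask = value
            elif name == "default gateway" and value:
                current.gateway = value
            elif name == "dns servers" and value:
                current.dns_servers.append(value)
            continue
        m = CONT_RE.match(raw)
        if m and last_field == "dns servers":
            current.dns_servers.append(m.group(1).strip())
    return adapters


def audit_dns(adapters: Iterable[Adapter],
              allowlist: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (adapter, resolver, reason) for each resolver that is neither on
    the adapter's own subnet nor on the allowlist. Loopback is accepted."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings: List[Tuple[str, str, str]] = []
    for a in adapters:
        lan = None
        if a.ipv4 and a.netmask:
            lan = ipaddress.ip_network(f"{a.ipv4}/{a.netmask}", strict=False)
        for server in a.dns_servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((a.name, server, "unparseable resolver entry"))
                continue
            if ip in allowed or ip.is_loopback:
                continue
            if lan is not None and ip.version == 4 and ip in lan:
                continue  # on the local subnet, normally the router itself
            # "DHCP Enabled: Yes" covers the address only; DNS can still be a
            # static override, which is what the post's TCP/IP step undoes.
            how = ("DHCP on; check whether DNS is set to obtain automatically"
                   if a.dhcp_enabled else "DHCP off; statically configured")
            findings.append((a.name, server,
                             f"off the local subnet and not on the allowlist ({how})"))
    return findings


# Constructed sample of `ipconfig /all` output (not from the thread).
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Wireless adapter (constructed)
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for adapter, server, reason in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {server} -> {reason}")
```

On the affected machine, `ipconfig /all > ipconfig.txt` from the command prompt the post opens for `ipconfig /flushdns` gives you the input; run the audit before the TCP/IP change (it also serves as the "write down any settings" record the post asks for) and again after the reboot to confirm the resolver list really changed. One caveat worth keeping in mind when reading the result: a router whose DNS settings were hijacked hands the same resolvers to every DHCP client, so if only one machine on the network sees the redirects, the cause is more likely on that host (a per-adapter override, the browser, or something the scanners missed) than in the router.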

#15 conley-d (Topic Starter, 19 posts)

Posted 03 January 2011 - 10:31 PM

Boopme,

I ran the flushdns utility and got confirmation. If this doesn't work, I'll move on to the next steps you suggested. Thanks again for all the help. I'm just curious: one of my computers on the wireless network does not get the redirects while one does. Do I need to follow these same steps on the other computer?

Thank you,
Dylan
