Google redirect hijack using Firefox [solved]



#1 ericms


Posted 29 May 2011 - 11:01 AM

Google search links are occasionally redirected to other websites such as livingsocial.com, greatsearchonline.com, possibly others.

From my browser logs, it looks like redirects come via:
dc2w.3vg58t1.com
64.111.211.155
64.111.211.161
west.05tz2e9.com
bizzclick.com

Running Windows 7 Enterprise, Firefox 4.0.1 (latest), Avira Antivir (latest update). Computer doesn't appear slow, no weird behaviour, could access various antivirus websites fine, just the very occasional browser redirect. A search for 5vg58t1.com revealed very few links, and I followed one here. I followed some advice given to others with similar browser hijack problems:

TDSSkiller had no results.
MBAM had no results.
ESET online scan found opencandy (related to CDburnerXP, not the issue)
Hosts file is normal
Searched registry for irregular google references (none)
Complete scan with Avira showed no detections.

FINALLY solved -- ran gooredfix.exe, found an invisible Firefox add-on! See below for log, in case it helps anyone else. No redirects so far, I will post if it comes back. I suspect I got infected after doing a Google image search and clicked on an image, but I'm not sure.

Hope this helps others!






GooredFix by jpshortstuff (04.04.11.1)
Log created at 08:23 on 29/05/2011 (eric)
Firefox version 4.0.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{0DE2447C-4D6F-491F-AAF5-09227D23BD28} -> Success!
Deleting C:\Users\eric\AppData\Local\{0DE2447C-4D6F-491F-AAF5-09227D23BD28} -> Success!

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:07 06/05/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [00:51 28/03/2011]

C:\Users\eric\Application Data\Mozilla\Firefox\Profiles\q33qoy29.default\extensions\
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [01:53 07/05/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"offerboxffx@offerbox.com"="C:\Program Files (x86)\OfferBox\offerboxffx@offerbox.com" [02:30 01/03/2011]

-=E.O.F=-
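
An added example, not part of the original post and not GooredFix's own code: a small Python parser for the log format shown above. It separates what the tool deleted from what it still lists, and picks out extensions registered through a registry key rather than an extensions folder. The function names are hypothetical, and the format handling is inferred only from this one log.

```python
import re

# Lines copied from the GooredFix log in the post above.
SAMPLE_LOG = r'''========== GooredScan ==========
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{0DE2447C-4D6F-491F-AAF5-09227D23BD28} -> Success!
Deleting C:\Users\eric\AppData\Local\{0DE2447C-4D6F-491F-AAF5-09227D23BD28} -> Success!
========== GooredLog ==========
C:\Users\eric\Application Data\Mozilla\Firefox\Profiles\q33qoy29.default\extensions\
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [01:53 07/05/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"offerboxffx@offerbox.com"="C:\Program Files (x86)\OfferBox\offerboxffx@offerbox.com" [02:30 01/03/2011]
-=E.O.F=-
'''

DELETED = re.compile(r"^Deleting (.+) -> (\S+)$")
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"$')
STAMP = re.compile(r"\s*\[\d\d:\d\d \d\d/\d\d/\d{4}\]$")

def parse_gooredfix(log):
    """Return (removed, remaining): deleted items, and listed extensions per location."""
    removed, remaining, location = [], {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line[0] in "=-":      # blank, section banner, E.O.F marker
            continue
        deleted = DELETED.match(line)
        if deleted:
            removed.append(deleted.groups())  # (target, result)
        elif line.startswith("[HKEY") and line.endswith("]"):
            location = line[1:-1]             # registry key header
        elif line.endswith("\\"):
            location = line                   # extensions folder header
        elif location is not None:
            entry = STAMP.sub("", line)       # drop the trailing [time date]
            reg = REG_VALUE.match(entry)      # registry value: "id"="path"
            remaining.setdefault(location, []).append(reg.groups() if reg else (entry, None))
    return removed, remaining

def registry_registered(log):
    """List extensions registered via a registry key, removed or still present."""
    removed, remaining = parse_gooredfix(log)
    hits = [("removed", target) for target, _ in removed if target.startswith("HKEY_")]
    for location, entries in remaining.items():
        if location.startswith("HKEY_"):
            hits += [("present", f"{ext_id} -> {path}") for ext_id, path in entries]
    return hits

if __name__ == "__main__":
    for status, item in registry_registered(SAMPLE_LOG):
        print(f"{status:8} {item}")
```
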
