I think I might be a victim of a browser hijack or possibly a rootkit. I'm using Firefox 21.0 & Windows 7 Service Pack 1 x64
I've been a little paranoid lately because my Discover ID Theft Alert service notified me Friday that a new loan was opened in my name and reported on my credit history. I'm still working on that problem, but on to my computer issue:
I had to enroll in a new 401K plan last Saturday, which required registering on their website. I typed the address into the Firefox address bar and pressed enter. Instead of going to the 401K's website, I ended up at onlinefwd.com with a blank webpage. I got REALLY suspicious. A Google search showed multiple hits regarding a browser redirect virus called onlinefwd.com. OK, now I'm worried.
I typed in the 401k address again and it worked - it was the legitimate site - but I didn't register of course. I wanted to see if I could reproduce onlinefwd.com showing up. No luck.
I deleted the Firefox history to clear the address cache and retyped the 401K URL. No issues - went to the real website.
Still suspicious, I did a full scan of my hard drive with MSE and Malwarebytes (fully updated). No issues detected.
Now it gets interesting:
Before finding this website, my research found the usual suggestions for finding possible malware. One of which was checking Firefox add-ons. Apparently, I installed a plugin called optimizegoogle a long time ago, but I can't remember. I did notice that the colors of the Google search results page looked slightly different. Also, the optimizegoogle project was killed last April. http://sourceforge.net/projects/optimizegoogle/
In the add-on manager you can view the details of the plugin, which includes a hyperlink to the website of the creators. For the heck of it, I clicked on it. Instead of going to www.optimizegoogle.com, I was redirected to www.dntx.com then immediately to searchtermresults.com, also with a blank webpage just like onlinefwd.com.
[Edit: deleted the links because I don't want readers to click them]
And guess what? searchtermresults.com is another browser hijacker... Now I'm REALLY worried.
I went ahead and removed the plugin. The Google search results look normal.
I checked my hosts file, which had one entry: a redirect to a Romanian server if I used www.bing.com. The file was modified in 2012. I don't use Bing. But still, something wrote that there. Actually, Google searching the IP address 188.8.131.52 found more hits of Google search redirects and malware...
I came across this website and saw lots of similarities to my problem, and my paranoia grew further as I learned about rootkits. So, with the possibility that my identity was stolen and getting a redirect when I tried to access my 401K website, I REALLY would like someone to walk me through this step by step to make sure there is nothing wrong with my machine. I do a lot of banking and bill paying on it and bills are due. I'll reinstall the OS if I have to, but that is moot if my external HD is infected too...
Is there someone that can help me out?
Edited by DeanEx, 01 July 2013 - 11:53 PM.
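The hosts-file check the poster describes can be automated. The following is an added example, not code from the post or from any tool named in it: it parses hosts-file text and flags any hostname that is mapped to something other than a loopback or unspecified address. The sample file content is constructed to model the entry the poster found (www.bing.com sent to the IP quoted in the post); on Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample modelled on the post: default Windows comment lines plus one
# entry that sends www.bing.com to a remote address (the IP the poster quoted).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
188.8.131.52    www.bing.com
127.0.0.1       localhost
::1             localhost
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop inline and full-line comments
        parts = line.split()
        if len(parts) < 2:                     # blank line or an address with no name
            continue
        for host in parts[1:]:                 # one address may list several names
            entries.append((parts[0], host.lower()))
    return entries


def suspicious_entries(text):
    """Flag entries that do not point at loopback (127.x / ::1) or 0.0.0.0.

    Those two targets cover almost every legitimate hosts entry (localhost, ad
    blocking). A private LAN address is worth verifying; a public one sends the
    named site to a server you do not control and is the classic hijack pattern.
    """
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if addr.is_private:
            flagged.append((ip, host, "maps to private address; verify it is yours"))
        else:
            flagged.append((ip, host, "maps to remote address"))
    return flagged


if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host} -> {ip}: {why}")
```

Replace SAMPLE_HOSTS with the contents of the real file to audit a live machine; an empty result means every entry resolves locally.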