
Startgo123 new tab hijacker in Firefox


This topic is locked. 10 replies to this topic.

#1 Mark Dunn (Members, 59 posts)

Posted 16 August 2016 - 06:28 AM

Hi, I have the above minor but annoying adware. It only appears in new tabs and on startup. I'd rather not uninstall FF unless it's unavoidable.

Farbar logs attached.

TIA.

Attached files: Addition.txt (49.17KB), FRST.txt (32.8KB)




#2 nasdaq (Malware Response Team, 39,955 posts, Montreal, QC. Canada)

Posted 17 August 2016 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk [2016-08-13]
ShortcutTarget: ??zill? Fir?f??.lnk -> C:\Users\Mark\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Extension: Firefox Homepage - C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com [2016-08-13] [not signed]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-10]
S2 HPWriter Service; no ImagePath
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk
C:\Users\Mark\AppData\Roaming\HPRewriter2
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {BB5C16DB-D37E-4E04-9FA1-04D031E82491} - no filepath
Task: {CF4BFE01-DDB1-4260-93CD-FD3665352FE8} - no filepath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please post the log and let me know if the problem persists.

#3 Mark Dunn (Topic Starter, Members, 59 posts)

Posted 17 August 2016 - 10:53 AM

The new tab hijack has gone; however, when I restart FF I get a separate window with 2 tabs, each open on a Google results page for the search terms "0" and "2".

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-08-2016 01
Ran by Mark (17-08-2016 16:33:29) Run:2
Running from C:\Users\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk [2016-08-13]
ShortcutTarget: ??zill? Fir?f??.lnk -> C:\Users\Mark\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Extension: Firefox Homepage - C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com [2016-08-13] [not signed]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-10]
S2 HPWriter Service; no ImagePath
C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk
C:\Users\Mark\AppData\Roaming\HPRewriter2
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {BB5C16DB-D37E-4E04-9FA1-04D031E82491} - no filepath
Task: {CF4BFE01-DDB1-4260-93CD-FD3665352FE8} - no filepath

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => value removed successfully
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
Could not move "C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk" => Scheduled to move on reboot.
C:\Users\Mark\AppData\Roaming\HPRewriter2\RewRun3.exe => not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => key removed successfully
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com => moved successfully
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com => path removed successfully
C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HPWriter Service => service removed successfully
"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk" => not found.
"C:\Users\Mark\AppData\Roaming\HPRewriter2" => not found.
"C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com" => not found.
"C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BB5C16DB-D37E-4E04-9FA1-04D031E82491}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB5C16DB-D37E-4E04-9FA1-04D031E82491}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CF4BFE01-DDB1-4260-93CD-FD3665352FE8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF4BFE01-DDB1-4260-93CD-FD3665352FE8}" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8982551 B
Java, Flash, Steam htmlcache => 1389 B
Windows/system/drivers => 276852 B
Edge => 0 B
Chrome => 68361613 B
Firefox => 417092069 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 6112 B
Mark => 148116727 B

RecycleBin => 0 B
EmptyTemp: => 621.1 MB temporary data Removed.

================================
 

Thanks

 

Mark



#4 nasdaq (Malware Response Team, 39,955 posts, Montreal, QC. Canada)

Posted 17 August 2016 - 12:18 PM

Click on the menu icon which is located at the top right side of the page.

Select Options and look under the Startup section.
When Firefox starts, is there anything not required that can be removed/changed?

#5 Mark Dunn (Topic Starter, Members, 59 posts)

Posted 17 August 2016 - 01:21 PM

No, changing startup tab options doesn't make any difference.

It still generates those 2 search pages.


Edited by Mark Dunn, 17 August 2016 - 01:36 PM.


#6 nasdaq (Malware Response Team, 39,955 posts, Montreal, QC. Canada)

Posted 18 August 2016 - 07:17 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#7 Mark Dunn (Topic Starter, Members, 59 posts)

Posted 18 August 2016 - 09:54 AM

Unfortunately I had to shut down after 90 minutes as I couldn't wait any longer.

The startup tab hijack is unchanged.

 

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Mark on 18/08/2016 at 14:16:53.40.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Mark\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2016-08-16-111112.log    29962 bytes

==== System Restore Info ======================

18/08/2016 14:19:37 Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896\prefs.js:
user_pref("browser.startup.homepage", "about:home");

Added to C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\Mark\AppData\Roaming\Thunderbird\Profiles\sfypp91r.default\prefs.js:

Added to C:\Users\Mark\AppData\Roaming\Thunderbird\Profiles\sfypp91r.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896

user.js not found
---- Lines offers removed from prefs.js ----
user_pref("extensions.ebaycomp.alerts.bidding.update.to.offers.enabled", true);
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

prefs_082016_1440_.backup

ProfilePath: C:\Users\Mark\AppData\Roaming\Thunderbird\Profiles\sfypp91r.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_082016_1440_.backup

==== Batch Command(s) Run By Tool======================


==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Mark\AppData\Roaming\Thunderbird\Profiles\sfypp91r.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896
- Autofill Forms - %ProfilePath%\extensions\autofillForms@blueimp.net.xpi
- Exify - %ProfilePath%\extensions\exify@dev13.version.xpi
- Skype Web - %ProfilePath%\extensions\hjmrR5thYsewq1hnY@jetpack.xpi
- Translate This - %ProfilePath%\extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- Image Zoom - %ProfilePath%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
- eBay pour Firefox - %ProfilePath%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}.xpi
- Google Image Search - %ProfilePath%\extensions\{73007fef-a6e0-47d3-b4e7-dfc116ed6f65}.xpi
- Googlebar Lite - %ProfilePath%\extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}.xpi

ProfilePath: C:\Users\Mark\AppData\Roaming\Thunderbird\Profiles\sfypp91r.default
- Theme Font & Size Changer - %ProfilePath%\extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Skype - %AppDir%\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\rv1ym6vv.default-1471448754896
62D98B286C805E193568037B70D936D2    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll -    Shockwave Flash
E62CBAFEEACE53C0E372D6D96487BBE5    - C:\Users\Mark\AppData\Local\SkypePlugin\7.18.0.58\npGatewayNpapi.dll -    Skype Web Plugin
E3B4EA121F7BDEB0F6366E2BA9608CB5    - C:\Users\Mark\AppData\Local\Citrix\Plugins\104\npappdetector.dll -    Citrix Online Web Deployment Plugin 1.0.0.104
709DA97E502A3881D46800EE36DF8E6F    - C:\Users\Mark\AppData\Local\SkypePlugin\7.18.0.58\npGatewayNpapi-x64.dll -    Skype Web Plugin
 


Edited by Mark Dunn, 18 August 2016 - 09:55 AM.


#8 nasdaq (Malware Response Team, 39,955 posts, Montreal, QC. Canada)

Posted 18 August 2016 - 10:51 AM

What I suspect is that it's possibly coming from these items.

Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\??zill? Fir?f??.lnk [2016-08-13]
ShortcutTarget: ??zill? Fir?f??.lnk -> C:\Users\Mark\AppData\Roaming\HPRewriter2\RewRun3.exe (No File)


The ?? are non-ASCII characters and could be difficult to locate.

Make sure you see all the files.
Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Then look in the folder C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and check whether any unidentified entries are listed.

If using the Malwarebytes tool, ensure you have the latest version and run it.
Remove everything that is found.
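The entries nasdaq pulled into the fixlist in post #2 and singles out again above (a Startup shortcut whose name the forum can only render as "??zill? Fir?f??", a shortcut target that no longer exists, an unsigned Firefox extension, a service with no ImagePath and scheduled tasks with no file path) are all recognisable from the FRST log text alone. The following Python script is an added example, not part of this thread and not code from the FRST or Zoek tools: it triages FRST-style lines, names the non-ASCII characters in a shortcut file name by code point so the "?" becomes readable, and lays the flagged lines out in the start/End shape of the fixlist used in post #2. The sample log is constructed for the demo: Cyrillic "а" (U+0430) and "о" (U+043E) stand in for whatever characters the real shortcut used, and the Dropbox, uBlock Origin, Dnscache and GoogleUpdate lines are benign decoys that must not be flagged.

```python
import re
import unicodedata

# Constructed sample in FRST's line format, modelled on the entries flagged in
# this thread. The shortcut name uses Cyrillic letters as a stand-in for the
# characters the forum showed as '?'; the Dropbox, uBlock Origin, Dnscache and
# GoogleUpdate lines are invented benign entries the triage must leave alone.
SAMPLE_LOG = """\
Startup: C:\\Users\\Mark\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Mozill\u0430 Firef\u043ex.lnk [2016-08-13]
ShortcutTarget: Mozill\u0430 Firef\u043ex.lnk -> C:\\Users\\Mark\\AppData\\Roaming\\HPRewriter2\\RewRun3.exe (No File)
Startup: C:\\Users\\Mark\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Dropbox.lnk [2015-01-02]
ShortcutTarget: Dropbox.lnk -> C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe (Dropbox, Inc.)
FF Extension: Firefox Homepage - C:\\Program Files (x86)\\Mozilla Firefox\\browser\\features\\googletestNT@mozillaonline.com [2016-08-13] [not signed]
FF Extension: uBlock Origin - C:\\Users\\Mark\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\extensions\\uBlock0@raymondhill.net.xpi [2016-01-01]
S2 HPWriter Service; no ImagePath
S2 Dnscache; C:\\Windows\\system32\\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
Task: {BB5C16DB-D37E-4E04-9FA1-04D031E82491} - no filepath
Task: {11111111-2222-3333-4444-555555555555} - System32\\Tasks\\GoogleUpdateTaskMachineCore => C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe [2016-02-01] (Google Inc.)
"""

# FRST service lines start with a state/start-type code such as S2 or R2.
SERVICE_NO_IMAGEPATH_RE = re.compile(r"^[SRU]\d (?P<name>.+); no ImagePath$")


def non_ascii_chars(name):
    """List every non-ASCII character in a file name with its code point and
    Unicode name, so a name shown as '??zill? Fir?f??' becomes readable."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in name if ord(c) > 0x7F]


def triage_line(line):
    """Return a finding for a suspicious FRST line, or None for a benign one."""
    finding = None
    svc = SERVICE_NO_IMAGEPATH_RE.match(line)
    if line.startswith("Startup: "):
        # Startup: <full path>.lnk [date]  -> look at the file name only
        path = line[len("Startup: "):].rsplit(" [", 1)[0]
        name = path.rsplit("\\", 1)[-1]
        odd = non_ascii_chars(name)
        if odd:
            finding = ("startup_shortcut_nonascii", name, odd)
    elif line.startswith("ShortcutTarget: ") and line.endswith(" (No File)"):
        # The .lnk points at an executable that is gone (or hidden from FRST)
        name, target = line[len("ShortcutTarget: "):-len(" (No File)")].split(" -> ", 1)
        finding = ("shortcut_target_missing", name, target)
    elif line.startswith("FF Extension: ") and line.endswith("[not signed]"):
        name, rest = line[len("FF Extension: "):].split(" - ", 1)
        finding = ("unsigned_ff_extension", name, rest.split(" [", 1)[0])
    elif svc:
        finding = ("service_without_imagepath", svc.group("name"), None)
    elif line.startswith("Task: ") and line.endswith(" - no filepath"):
        finding = ("task_without_filepath", line[len("Task: "):-len(" - no filepath")], None)
    if finding is None:
        return None
    kind, item, detail = finding
    return {"kind": kind, "item": item, "detail": detail, "line": line}


def triage_log(text):
    """Run triage_line over every line of an FRST log and keep the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def suggested_fixlist(findings):
    """Lay the flagged log lines out in the start/End wrapper used by the
    fixlist in this thread; a human still reviews it before running FRST."""
    return ["start", "CreateRestorePoint:"] + [f["line"] for f in findings] + ["End"]


def report(findings):
    """Human-readable summary, one line per finding."""
    out = []
    for f in findings:
        detail = f["detail"]
        if f["kind"] == "startup_shortcut_nonascii":
            detail = ", ".join(f"{ch} {cp} {nm}" for ch, cp, nm in detail)
        out.append(f"{f['kind']:28} {f['item']}" + (f"  [{detail}]" if detail else ""))
    return "\n".join(out)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    print(report(found))
    print()
    print("\n".join(suggested_fixlist(found)))
```

Run against the sample, the first finding spells out the shortcut name as CYRILLIC SMALL LETTER A and CYRILLIC SMALL LETTER O, which is exactly the information a user needs to recognise the entry in Explorer, where it looks like a normal "Mozilla Firefox" shortcut; the four decoy lines produce no findings.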

#9 Mark Dunn (Topic Starter, Members, 59 posts)

Posted 18 August 2016 - 11:18 AM

Nothing found by Malwarebytes. I remember deleting the HPRewriter folder before contacting you.



#10 nasdaq (Malware Response Team, 39,955 posts, Montreal, QC. Canada)

Posted 18 August 2016 - 12:36 PM



If the problem is only in Firefox check the config file.

Open Firefox and type about:config in the url bar.

Open the page, but be careful.

Using the following string, ??zill? Fir?f??.lnk, search for these:

zill
Fir*f
lnk
search terms
Startup
Startpage
HPRewriter



Lines with the search term will be listed in bold.
===

If all fails, remove and reinstall Firefox.

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Before proceeding save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Install the latest version of the application.

You can then import them to the new version of Firefox.

Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

#11 Mark Dunn (Topic Starter, Members, 59 posts)

Posted 19 August 2016 - 07:51 AM

None of those terms is present so it looks like I'll need to reinstall.

Thanks for all the help.
