FireFox Browser Redirection Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by meshaq2000, Apr 7, 2012.

  1. meshaq2000

    meshaq2000 Private E-2

    Hi there,

    I first noticed this in Firefox, but then it also happens in IE. Whenever I do a search in either Google or Yahoo I get redirected to a weird site (but it only happens some of the time... sometimes I get to the real site, and whenever I do get the weird webpage, I just back out of it and click on the same link and I get to the page I'm supposed to get to).

    I attached the gooredfix.txt file to this. Hopefully someone can help out and let me know how to fix it.

    I originally downloaded Ad-Aware by Lavasoft, HouseCall by Trend Micro, and CW Shredder as well as Malwarebytes. And while some of them found stuff, I still had the redirect problem. Then I purchased and downloaded Webroot Secure Anywhere (because of the high marks it was given by PC Magazine) and that didn't find anything... so I ended up here and found the thread about using gooredfix.txt.

    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. meshaq2000

    meshaq2000 Private E-2

    Re: all Browser(s) Redirection Problems

    So I followed that link and did all the steps (flushed the java cache, the firefox and IE caches, and the dns cache) and have included the Kaspersky TDSSKiller report because the problem persists (the browser redirect).

    Thanks, in advance, for helping!
     

    Attached Files:

  4. meshaq2000

    meshaq2000 Private E-2

    Also - I noticed that it said to see if the redirect problem persisted, so I did and the problem persisted - so I went on to step five and have attached the MBRCheck thing to this post.

    Thanks!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me repeat
     
  6. meshaq2000

    meshaq2000 Private E-2

    Oops - sorry, I did that too, I just thought the reports that I put below were all you needed at this point. Attached are the reports from the malware removal attempt.

    I have the SUPERAntiSpyware log, the Malwarebytes log, the ComboFix log, and the MGlog. I am running Vista on a 64-bit so I didn't do the RRlog.

    I'm still having the browser redirect problem. Let me know if you need to know which sites it's redirecting to...

    Thanks in advance!
     

    Attached Files:

    Last edited: Apr 8, 2012
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MBRcheck log shows a possible infection
    Code:
          Size  Device Name          MBR Status
      --------------------------------------------
        465 GB  \\.\PhysicalDrive0   Unknown MBR code
                SHA1: E6CCDBFD8F5B3DAA80CE1AA64C67955A606A347D
    Being unknown does not always mean there is an infection; however since you are having problems, this could be the cause. Do you have your Vista Boot DVD so that we can use it to fix your MBR?
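
An added example, not part of the thread and not MBRCheck's own code: one way to reproduce the kind of check the log above reports, by hashing the boot code of a dumped MBR sector and comparing it with a baseline while listing the partition table. It assumes the digest covers the first 440 bytes of the sector (how MBRCheck computes its SHA1 is not stated here); the sample sectors, the baseline table and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # assumption: the digest covers only the boot code area
TABLE_OFFSET = 446       # four 16-byte partition entries, then 0x55AA
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS, type, CHS, LBA start, sectors


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code plus one active NTFS entry."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = ENTRY.pack(
        0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 976_768_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def inspect_mbr(sector: bytes, known_good: dict) -> dict:
    """Hash the boot code, classify it against a baseline, list partitions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    digest = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack(sector[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"sha1": digest,
            "status": known_good.get(digest, "Unknown MBR code"),
            "partitions": partitions}


# Constructed stand-ins, not real Windows boot code and not a real infection.
CLEAN = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 100)
ALTERED = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 99 + b"\xcc")
BASELINE = {inspect_mbr(CLEAN, {})["sha1"]: "Constructed baseline MBR code"}

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("altered", ALTERED)):
        print(name, inspect_mbr(dump, BASELINE))
```

A one-byte change in the boot code flips the result to "Unknown MBR code" while the partition table reads exactly the same, so an intact-looking disk layout says nothing about the boot code in front of it.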
     
  8. meshaq2000

    meshaq2000 Private E-2

    So, of course, I've searched everywhere and I can't find my Windows Vista boot disk anywhere. I did find an old Windows XP Professional (version 2002) from a PC that died a long time ago. Could I use that or should I buy or try to find a replacement for Windows Vista?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!


    Let's see if we can get lucky and use the below. Sometimes it will work but more frequently, it can not fix newer forms of MBR infections.
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. Which means you need to enter 3 for Vista and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From the menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    • Then also rerun a scan with MBRcheck and attach the new log so we can verify whether it actually succeeded.
     
  10. meshaq2000

    meshaq2000 Private E-2

    I think I'm reading that it still lists an unknown MBR code...

    I've attached the MBRfix as well as the MBR check.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct. So let's try another tool. First we will actually get a log with it.

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
    Please make sure that you attach the above log first and then do the below.
    • Now rerun aswMBR.exe (for Vista or Win7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the FixMBR button.
    • Then exit aswMBR and reboot your PC.
    • After reboot run a new Scan with aswMBR and attach the newest log for review
     
  12. meshaq2000

    meshaq2000 Private E-2

    I ran the aswMBR scan and have attached the log.
     

    Attached Files:

  13. meshaq2000

    meshaq2000 Private E-2

    And then I did the rest of it and here's the second scan log.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it seems to have worked as I see:
    Now just to double check, rerun MBRcheck and attach the log from it to make sure it also sees the proper MBR.


    Also let me know if you are still having any problems.
     
    Last edited: Apr 12, 2012
  15. meshaq2000

    meshaq2000 Private E-2

    I ran MBRcheck again - and here's the log
     

    Attached Files:

  16. meshaq2000

    meshaq2000 Private E-2

    Also - I'm still getting the browser redirect.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! The log from MBRcheck still indicates an unknown MBR code. This would seem to indicate that aswMBR really did not fix your MBR. Possibly because the infection in the MBR itself is actively blocking it.

    You need a boot CD to avoid having the infected MBR getting loaded. You need to fix a Vista boot DVD. You could borrow a friend's temporarily just for the fix. Or another possible option may be to try what was posted in message # 12 of the below thread and see if you can get this CD to run.

    whistler/black internet@mbr again!
     
  18. meshaq2000

    meshaq2000 Private E-2

    I'm glad you guys have solutions for morons like myself who somehow lose their boot CD. I downloaded Hiren's Boot CD to a clean PC, burned it to disc and followed all the instructions from there.

    Then I ran another MBR check and have uploaded it. It has a different thing on it this time, so hopefully that means it's fixed...but, of course I wouldn't be here if I knew how to read it myself...
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is now showing a Windows XP MBR. We really wanted a Vista MBR but this is still better than the infected one and really should not cause any problems.

    How are things running? Are you still having redirects? If so, is it only with Firefox?
     
  20. meshaq2000

    meshaq2000 Private E-2

    Hi there,

    So it appears that IE doesn't redirect any search links (I clicked on more than 20 and no redirect)...but it happens still in Firefox. What should I do about that?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so Firefox itself or addons are infected.



    We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:
    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Users\meshaq2000\AppData\Roaming\Mozilla
    C:\Program Files (x86)\Mozilla Firefox


    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    How is it working now?
     
  22. meshaq2000

    meshaq2000 Private E-2

    Hi there,

    So I uninstalled Firefox (and rebooted) and then reinstalled it from the link you provided. When I relaunched it, I was asked to download the newest version of Firefox because the one I'm currently using is out of date. I didn't do that just yet - but should I?

    In the meantime I have been clicking on all sorts of links and I don't seem to have any redirects at the moment...

    A pop up window just came up with the headline "Warning: Unresponsive script" And in the body of it says, "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete."

    And it gives the address: "Script: http://www.google.com/friendconnect/script/friendconnect.js:1064"

    I'm afraid to click continue or stop script on it. Also - I was on yahoo searching Bill Cosby. I'm not going to click on anything in firefox until I hear from you so I don't screw anything up. Is this a false stop script window? Or is it just related to an ad on the side of the yahoo search and I shouldn't worry about it?
     
    Last edited: Apr 17, 2012
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can just abort the script.

    I wanted to begin with an older version of Firefox. You can update it now using the below download link:

    Mozilla Firefox 11.0 Final
     
  24. meshaq2000

    meshaq2000 Private E-2

    Hey there,

    So I downloaded the newest version of Firefox, as per your last post, and haven't had any problems with redirects. So thanks a lot for your help! I appreciate it!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
