Firefox-Google redirects??

I've got a strange problem.  I downloaded the new Firefox 3.5 and occasionally when I search something on Google and then click on one of the results I'm redirected to some other search type results.  See below for an example:

Did search on Google for Print Shop, then click on link for Broderbund it provided but went to here:
http://www.toseeka.com/search.php?q=print_shop

Did search for Fedex, clicked on fedex.com/printonline link, but it went here:
http://www.x-xn.com/f/search.php?q=#KEYWORD#

These are just some examples, there's been more instances.  It will also just start to work normal again and direct me to the proper sites.  Seems intermittent, but ?????
I ran Super AntiSpyware Professional, no problems.
I ran HiJack This and I attached the log file, but I see no problems causing this on the log.
Is this a Firefox bug?

Let me know what you find out.  Thanks.

hijackthis.log
ArtG2521Asked:
 
rpggamergirlCommented:
I am terribly sorry. I must've missed the alerts.
Thank you for posting again. I don't see any obvious malicious entries in the log.

<<<"I saw some info that said ComboFix when run finishes and then is gone.  Is that right?">>>

No that is not right.

If the pc is running fine, yes you can uninstall Combofix.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

Again I'm so sorry for the much delayed reply.
0
 
rpggamergirlCommented:
Does it only happen in Firefox and not IE?
Have you also tried scanning with MalwareBytes?
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php


OR: use GooredFix.
Please download GooredFix and save it to your Desktop.
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fjpshortstuff.247fixes.com%2FGooredFix.exe

Double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.

Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system.

Please also allow any registry changes that may be prompted by any of your security programs.
0
 
techzterCommented:
It certainly sounds like some malware is on the machine.

Try posting your HijackThis log into the following site. I have found that it works fairly well.
http://www.hijackthis.de/


Also I have found MalwareBytes to be a really good software for finding these type of intrusions.
0
 
techzterCommented:
Sorry rpggamergirl for the duplicate information regarding Malwarebytes. I was typing while you posted.
0
 
rpggamergirlCommented:
I have Firefox 3.0.11 and it's okay.

How about when you click the back button and then clicking on the exact same search result for a second time, does it take you to the right location?

Check also if this is only happening on the first page of the search results.
0
 
ArtG2521Author Commented:
I had Firefox 3.0.11 before and it was fine too.  It seems to be intermittent as sometimes it will direct fine.  This only seems to happen with Google search results and nothing else.  I will try some of the things you recommend later as I must be leaving on appointments now.  I will post the results sometime today.  
0
 
rpggamergirlCommented:
No not a bug by the looks.
I installed Firefox 3.5...I then googled "Print_shop" then clicked on the Broderbund link and it took me to the right place(below).

http://www.broderbund.com/store/broder/DisplayHomePage 
0
 
techzterCommented:
I noticed that you had attached your HJT log. I ran it through the log analyzer and nothing showed up as suspicious.
0
 
rpggamergirlCommented:
I also googled "Fedex" and the first link "FedEx Australia" took me to the link below:
http://fedex.com/au/

The second search result link took me to the one below:
http://fedex.com/

So it looks like it's your pc that has the problem


@ techzter:
it's okay, it happens, :)

0
 
ArtG2521Author Commented:
Ok, here is the log created by GooredFix.  I did not run MalwareBytes.  I will be out of town tomorrow and I may or may not see your comments until late Tuesday or early Wednesday.


GooredFix by jpshortstuff (03.07.09)
Log created at 21:53 on 06/07/2009 (Art)
Firefox version 3.5 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:56 27/04/2007]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [00:43 08/06/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [13:16 22/07/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [10:59 10/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [11:44 10/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [12:47 13/07/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [13:25 30/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [01:13 18/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [10:35 02/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [10:49 11/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"FFToolbar@bitdefender.com"="C:\Program Files\BitDefender\BitDefender 2009\FFToolbar\" [22:31 18/02/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [13:25 30/11/2008]

-=E.O.F=-
0
 
ArtG2521Author Commented:
This is getting ridiculous.  Every link I click on in every search I do on Google redirects me to all kinds of various web pages.  Like:

http://www.couponmountain.com/search.php?searchText=runofcategorydirectoriesresources
www.yahoo.com
www.msn.com
http://www.toseeka.com/search.php?q=The+Grapes+Of+Wrath

Sometimes I see it redirect to a couple of different sites rapidly changing in the address bar and then it settles on one.  Almost like a slot machine.  I really hope I do not have to wipe my whole system because of this.
0
 
rpggamergirlCommented:
Run MalwareBytes or even better run Combofix and show us the logfile. It's important that we look at the log.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
 
0
 
ArtG2521Author Commented:
I ran MalwareBytes, it found 2 items, it got rid of them and it did nothing to solve the problem.  It's still as bad or worse than ever.

I tried IE7 and this is even weirder. If I use Google to search for anything (like I did with Firefox) then I click on any link, it CRASHES IE7 and it has to close.  If I just browse sites by typing them into the address bar, no problem (same as in Firefox).  Whatever this is it only seems to affect Google.

I just searched on "Google redirect virus" on another computer and found this:

www.geekstogo.com/forum/how-to-remove-google-redirect-virus-t243398.html

Apparently it's something new?  There is a whole process to remove it.  Check it out.  Unfortunately,
I have to attend to this when I get back in town on Wednesday.  Let me know what else you find out, and if this is true as it seems to be, TELL EVERYONE.
0
 
rpggamergirlCommented:
There are so many nasties that hijack search engines and TDSS*, UAC*, GAO* rootkits, Trojan:Win32/Daonol, Trojan.JSRedir, Zlob.DNS.Changer are just a few of them.
Combofix will already remove all the above-mentioned ones and if there are new ones that are not in its database we can remove them using its script function (if they show up in the log), that's why it's important that we see the log.
0
 
ArtG2521Author Commented:
Ran ComboFix.  Everything seems just fine now.  It seems to have worked.  I must go now asap. I'll be back by tomorrow morning (Wednesday).  Post any other comments or things I should do and I will see it soon.  Perhaps by then we can close this out.
0
 
techzterCommented:
Glad to hear it. Thanks for the tip on ComboFix. That is a software that I had not heard of before. I will have to check it out.
0
 
rpggamergirlCommented:
If you could attach the Combofix log that would be nice.
If the Combofix log shows clean and the pc is running fine, then you can uninstall Combofix... we'll post Combofix uninstall command then.

@ techzter:

Where have you been :).. Combofix is the number one anti-malware tool and every anti-spyware forum uses it. Thanks to sUBs for developing it and making it free.
0
 
ArtG2521Author Commented:
Got back early.  Here's the ComboFix log.  See attached.
0
 
ArtG2521Author Commented:
Oops here it is.
Combo-fix-7-7-09-log.txt
0
 
ArtG2521Author Commented:
Did you see the log?  How do I uninstall ComboFix?  I saw some info that said ComboFix when run finishes and then is gone.  Is that right?
0
 
ArtG2521Author Commented:
Sorry everyone, I forgot to close out the question.  I will do so now and award points.
0
 
ArtG2521Author Commented:
You guys and girls are the best!
0
 
rpggamergirlCommented:
Thanks!
0