
Firefox google links redirected

 
 
JPB
 
Reply Fri 26 Jun, 2009 08:59 am
I use Firefox 3.0.11 as my main browser. Beginning yesterday my Google search links are being redirected to another site: http://www.x-xn.com/f/search.php?q=#KEYWORD#

It doesn't seem to affect links on google searches with IE.

I ran a full virus scan (zone alarm pro) and nothing was found.

Any ideas on how to get my links on firefox to go where I want to go?
Type: Question • Score: 8 • Views: 24,699 • Replies: 51

 
Robert Gentel
 
  1  
Reply Fri 26 Jun, 2009 09:58 am
@JPB,
First try to disable all Firefox add-ons and see if that fixes it. If it doesn't, then I would next look at the network settings and see if the DNS servers specifically have been changed.
Setanta
 
  1  
Reply Fri 26 Jun, 2009 10:04 am
@JPB,
I'm mystified. We are using that same version of Firefox, and have not had this problem. In fact, after reading this post, I tried several Google searches, and did not have that problem. Something more specific is going on than just this version of Firefox.
0 Replies
 
JPB
 
  1  
Reply Fri 26 Jun, 2009 05:29 pm
@Robert Gentel,
crazy busy day here today. It will probably be tomorrow before I can give this a try. I'll let you know what happens. Thanks.
0 Replies
 
thefuzzyhulk
 
  1  
Reply Sat 27 Jun, 2009 09:04 am
Yeah I am getting the same thing, tried spybot, adaware, windows malware remover and kaspersky, still redirects some (but not all) search results. Not always to x-xn either, sometimes to

http://www.icityfind.com/jump2/?affiliate=c91&subid=3728&terms=

or

http://marrying.mobi/result.php?Keywords=hijackers+suck&r=940ed6d4da4e53cb0b5b858749a84fa67edd41493258f03d0bfe3f7bc786f8435d1d2e933c7d457f43d3636d403da914&Submit=Go


JPB
 
  1  
Reply Sat 27 Jun, 2009 10:03 am
@thefuzzyhulk,
yeah, same here... I've seen the icityfind site, not sure about the marrying mobi site. And, yes, I'm able to get to the correct link about 10% of the time - particularly on a first click.

I'm on auto-update with FF. I'm wondering if there's something in a recent update that caused this. I'm about to try Robert's suggestion. I'm also thinking about doing a system restore back to a day or two before this problem showed up.
JPB
 
  1  
Reply Sat 27 Jun, 2009 11:47 am
@JPB,
The only add on I have is flashblock 1.5.10. Removing it had no impact.

I was just doing a search for a local store in my area. The store's own web site came up as one of the choices. I selected it but rather than getting the store's site I was sent to a national realtor site. I watched the browser window as it was making the connection. First I saw "redirect" and then I saw 'find adequate info' (spacing might be off). Then I saw the realtor site. My history tab shows (top to bottom)

q-Walgreens-... (the link I was trying to get)
FAv2QNeX6V4xYNu8Ymlk.... (runs off the tab listing)
Blinkx (with a logo)
/jump2/?affiliate=... (runs off the tab listing)
www.blinkx.com.../cb (with a logo)
Redirect
c.php
c.php
modesearch.info/.../search.php
(A2K logo) Reply-Firefox google links redirected
0 Replies
 
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 01:30 pm
@JPB,
JPB wrote:
I'm on auto-update with FF. I'm wondering if there's something in a recent update that caused this.


This is probably malware and very unlikely to have come from Mozilla itself (but add-ons are more likely which is why I asked about them).

Are you (and thefuzzyhulk for that matter) sure that IE is not affected? That would rule out certain exploits.

And can you post a HijackThis log? I can review the entries and tell you if I notice anything suspicious.
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 01:44 pm
Please also post the contents of your HOSTS file, which is usually located in:

c:\windows\System32\drivers\etc\

JPB
 
  1  
Reply Sat 27 Jun, 2009 02:30 pm
@Robert Gentel,
just saw the same thing with an IE search.

I'll download HijackThis next.
JPB
 
  1  
Reply Sat 27 Jun, 2009 02:36 pm
@Robert Gentel,
The hosts file only contains two entries and was last modified on 12/20/06.

There are two ip addresses, the first for "localhost" and the second for my offsite business server. I'd rather not post the ip address for my business server. Do you need the first one?
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 02:36 pm
@JPB,
JPB wrote:
just saw the same thing with an IE search.


If this is the case I'd check HOSTS first, as this is a very likely attack vector for this kind of thing (but it would affect IE too, which is why I didn't initially suggest it).
0 Replies
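The HOSTS check suggested above, as an added example that is not part of the original thread: a Python audit that parses HOSTS-file text and lists every mapping a user should be able to account for. The watched domain list and the sample file (documentation-range IP addresses) are constructed assumptions.

```python
import ipaddress

# Assumption: domains whose hijacking would produce the search redirects described.
WATCHED = ("google.com", "bing.com", "yahoo.com")

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]); comments, blanks and malformed lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if len(fields) > 1:
            yield n, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, reason) for entries that need an explanation."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append((n, name, str(ip), "watched domain pinned in HOSTS"))
            elif not ip.is_loopback and not ip.is_unspecified:
                findings.append((n, name, str(ip), "non-loopback mapping: confirm you added it"))
    return findings

# Constructed sample; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = """\
# constructed sample HOSTS file
127.0.0.1       localhost
192.0.2.10      offsite-server              # the user's own entry (placeholder IP)
203.0.113.66    www.google.com google.com   # constructed hijack-style entry
0.0.0.0         ads.example.net
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On Windows XP the text to feed in is the file named `hosts` in the directory given earlier in the thread.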
 
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 02:41 pm
@JPB,
JPB wrote:
Do you need the first one?


No, it's just a reference to your own computer, and will usually have 127.0.0.1 as the IP address.

I don't think you've posted whether you checked your DNS settings for your network connection, but that would be the last easy check I'd run before doing a lot of lengthy scans. If the HijackThis log doesn't reveal anything I'll post a list of tools that might be able to dig deeper.
0 Replies
 
JPB
 
  1  
Reply Sat 27 Jun, 2009 02:43 pm
@Robert Gentel,
Here you go

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:46 PM, on 6/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
C:\oracle\product\10.1.0\Db_1\jdk\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\quicken\QWDLLS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\MKS Toolkit\mksnt\viw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061130
O1 - Hosts: [ip number deleted] offsite server
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPWJTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 2300 series\Toolbox\HPWJTBX.exe "-i"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\quicken\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\quicken\QWDLLS.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.1.0\Db_1\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.1.0\Db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8405 bytes
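An added example, not part of the original thread: a Python pass over a HijackThis log that splits the entries by section code and lists the ones worth checking by hand first. The review rules are assumed heuristics, not HijackThis features, and a flagged entry is not necessarily malicious; the sample lines are copied from the log above.

```python
import re

# Usual meaning of the HijackThis section codes that occur in the log above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O1": "HOSTS file entry", "O2": "Browser Helper Object",
    "O4": "autostart (Run key or Startup folder)",
    "O8": "IE context-menu item", "O9": "IE button / Tools menu item",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")

def parse(log_text):
    """Return (code, detail) pairs; the header and process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def review_reason(code, detail):
    """Assumed triage heuristics: why a human should look at this entry, or None."""
    if code == "O1":
        return "HOSTS overrides DNS: confirm you added this mapping"
    if code == "O2":
        return "BHO runs inside IE: confirm the DLL's vendor"
    if code == "O4" and detail.rstrip().endswith("= ?"):
        return "startup shortcut whose target was not resolved"
    if code == "O23" and " - Unknown owner - " in detail:
        return "service binary with no vendor name shown"
    return None

def triage(log_text):
    """Return (code, section, reason, detail) for every entry that needs review."""
    out = []
    for code, detail in parse(log_text):
        reason = review_reason(code, detail)
        if reason:
            out.append((code, SECTIONS.get(code, "?"), reason, detail))
    return out

# Lines copied from the log posted above.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: [ip number deleted] offsite server
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
```

Calling `triage()` on the full text of a saved log returns the same tuples for every matching entry in it.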
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 03:38 pm
@JPB,
Are you familiar with the following process?

C:\Program Files\MKS Toolkit\mksnt\viw.exe

This page says it has been linked to a trojan, but it looks like legit software from MKS Software.

Other than that nothing really aroused my suspicion, but malware has been getting better about using legitimate processes and this doesn't mean that the computer is clean.

My research leads me to indicate that your Firefox problem might be able to be fixed easily by doing the following, but that if you still have the malware that put it on your computer it is likely to come back once you reboot.

Here is the quick fix that targets a recent popular search hijack similar to what you describe:

Go to C:\Program Files\Mozilla Firefox\extensions\ and look in the folders for an Overlay.xul file. You should replace that with a blank file (just create a blank text file and name it that once you move the bad file to a backup location or delete it).

But this is only a quick solution for Firefox and you really need to eliminate whatever managed to put that malware there as it is likely to try other attacks. And for that I would run the following scans/repairs (in safe mode when possible).


GooredFix
http://jpshortstuff.247fixes.com/GooredFix.exe

Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam.php

Trend Micro Online scan
http://housecall.trendmicro.com/

SUPERAntiSpyware (free version is fine)
http://www.superantispyware.com/

Windows Defender
http://www.microsoft.com/windows/products/winfamily/defender/default.mspx

CWShredder
http://download.cnet.com/CWShredder/3000-8022_4-10301587.html

Note: this program was very effective against a variety of search hijack malware applications, but it does not address all malware so your exploit may not be detected.
JPB
 
  1  
Reply Sat 27 Jun, 2009 03:41 pm
@Robert Gentel,
yeah viw is vi (editor) for windows. It's a unix tool kit for ms applications.

I can try those other fixes but there's nothing new on my system of importance since this showed up on Thursday. Couldn't I just do a system restore back to Tuesday or Wednesday? I'll lose a couple files but nothing that's too critical.
JPB
 
  1  
Reply Sat 27 Jun, 2009 03:52 pm
@JPB,
well that's weird. I just went to the system restore dialogue box and it won't let me select any dates.
JPB
 
  1  
Reply Sat 27 Jun, 2009 03:54 pm
@Robert Gentel,
out for the evening. I'll try some of those other links tomorrow.

Thanks!
0 Replies
 
Robert Gentel
 
  1  
Reply Sat 27 Jun, 2009 03:54 pm
@JPB,
JPB wrote:
well that's weird. I just went to the system restore dialogue box and it won't let me select any dates.


Yeah, it's common for malware to remove previous restore points. They don't want it to be that easy.
JPB
 
  1  
Reply Sat 27 Jun, 2009 03:56 pm
@Robert Gentel,
figures... bastids!

ok -- mission one for tomorrow then.

thanks again.
 
