Wilders Security Forums  

  #1  
Old December 5th, 2009, 11:27 PM
ohblu ohblu is offline
Regular Poster
 
Join Date: Jul 2008
Location: Colorado
Posts: 78
Default Firefox hijacked

Could someone please suggest what customized scanner to use to detect malware that has hijacked Firefox? I used the installed AV scanner (Webroot) and I also used MBAM. I then used Trend Micro's online scanner. They find some but not all of the infected files. They're missing some that are in the Windows\System 32 folder. Even when they get all the infected files, Firefox is still being hijacked. I tried running a rootkit scanner and some other online scanner but they take more than 4hrs to scan and both times the electric went off. Go figure! So a customized scanner would be more convenient.

I really don't have the time or patience to post to a malware removal forum. So many of those people there are so condescending and rude and I'm sick of them. The infected computer is my grandmother's and she's getting ready to go on vacation so I need to get this malware off soon.

I'm not asking for anyone to help me remove this malware. I'm just looking for suggestions about which tools to use. I'm usually really good at getting malware off a computer, but this time I'm getting my butt kicked.
  #2  
Old December 5th, 2009, 11:55 PM
cheater87 cheater87 is offline
Massive Poster
 
Join Date: Apr 2005
Location: West Chester Pennsylvania.
Posts: 3,005
Default Re: Firefox hijacked

Try Superantispyware and Spyware Terminator's HIPS to see if that can find and block it.
__________________
I have Windows 7 64 bit Comodo Firewall 6 set to block, Avast Free Edition, K9 Web Protection set to block malicious and phishing sites only, Zemana Free Anti Keylogger, Comodo DNS, Firefox with Noscript, Adblock Plus, WOT set to block, Secunia PSI, and common sense. ^_^
  #3  
Old December 6th, 2009, 01:22 AM
pegr pegr is offline
Very Frequent Poster
 
Join Date: Apr 2008
Location: UK
Posts: 1,616
Default Re: Firefox hijacked

All of the following free programs are also worth trying: Avira AntiVir, Avast!, Microsoft Security Essentials, Panda Cloud Antivirus, and Prevx. Panda Cloud Antivirus and Prevx both require an Internet connection for the duration of the scan.

One point to bear in mind: The free version of Prevx won't remove what it finds (it will remove adware and MBR rootkits but only the paid version has full removal capability) but it scans very quickly, usually taking only a few minutes.

It's worth running Prevx as well because in my experience Prevx will sometimes identify components of malware infections missed by other scanners. If Prevx does identify something, at least you'll have the necessary information to attempt manual cleanup if the infection can't be removed by any other means.
  #4  
Old December 6th, 2009, 01:51 AM
tipstir tipstir is offline
Frequent Poster
 
Join Date: Jun 2008
Location: CT, USA
Posts: 827
Default Re: Firefox hijacked

Quote:
Originally Posted by ohblu
Could someone please suggest what customized scanner to use to detect malware that has hijacked Firefox? I used the installed AV scanner (Webroot) and I also used MBAM. I then used Trend Micro's online scanner. They find some but not all of the infected files. They're missing some that are in the Windows\System 32 folder. Even when they get all the infected files, Firefox is still being hijacked. I tried running a rootkit scanner and some other online scanner but they take more than 4hrs to scan and both times the electric went off. Go figure! So a customized scanner would be more convenient.

I really don't have the time or patience to post to a malware removal forum. So many of those people there are so condescending and rude and I'm sick of them. The infected computer is my grandmother's and she's getting ready to go on vacation so I need to get this malware off soon.

I'm not asking for anyone to help me remove this malware. I'm just looking for suggestions about which tools to use. I'm usually really good at getting malware off a computer, but this time I'm getting my butt kicked.

Run this in safe mode
Norman Malware Cleaner

Next time subscribe to Malware Blocker Subscriptions for Adblock Plus add-on
This will slow down Firefox; then install the add-on called FasterFox Lite.

I have a family member who ran into the same problem you're having. He had everything that was suggested. SmitFraudfix did remove the pest but left the system in an odd state. Now it has to be either restored from a safe backup or blow out the OS and re-install it then start all over again.
__________________

Network |TP-LINK: 3x TL-WR1043ND V1.7 |Stock ROM|
System |FW-7U/32/64-BIT |MSE |UAC |DEP ALL PROGRAMS |HOST-MVP |ASC Pro |M-SAS |M-MBS |
Browser |Chrome |Flash Block |Ad Block |Click & Clear |Personal Block |Disconnect |Select Out |Vanilla |
  #5  
Old December 6th, 2009, 02:20 AM
ohblu ohblu is offline
Regular Poster
 
Join Date: Jul 2008
Location: Colorado
Posts: 78
Default Re: Firefox hijacked

Quote:
Originally Posted by tipstir

I have a family member who ran into the same problem you're having. He had everything that was suggested. SmitFraudfix did remove the pest but left the system in an odd state. Now it has to be either restored from a safe backup or blow out the OS and re-install it then start all over again.

I should hope Grandma doesn't have to rely on backups since she never bothered to do any.
  #6  
Old December 6th, 2009, 09:49 AM
Keyboard_Commando Keyboard_Commando is offline
Frequent Poster
 
Join Date: Mar 2009
Posts: 682
Default Re: Firefox hijacked

http://forums.majorgeeks.com/showthread.php?t=182559

Try GooRedFix.
  #7  
Old December 6th, 2009, 04:36 PM
ohblu ohblu is offline
Regular Poster
 
Join Date: Jul 2008
Location: Colorado
Posts: 78
Default Re: Firefox hijacked

Quote:
Originally Posted by Keyboard_Commando

I tried it and it did remove something but Firefox is still being redirected. I've run several different anti-malware scanners including online scanners and they're not finding anything. Right now I'm in the middle of running Root Repeal. I hope something turns up. I'm at a loss as to what to do. I've never encountered a problem like this before.
  #8  
Old December 6th, 2009, 04:53 PM
Tarq57 Tarq57 is offline
Frequent Poster
 
Join Date: Oct 2006
Location: Wellington NZ
Posts: 966
Default Re: Firefox hijacked

Windows XP?
Navigate to "C:\WINDOWS\system32\drivers\etc" and double click on the file "HOSTS". Open it with notepad, and do not tick the box to always open this file with this program.
It should look a bit like this:
Quote:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine (host) name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
etc.
Have a look at this.
__________________
Avast Home, MVPS Hostsfile,Secunia PSI Autorun Eater, Windows Firewall, MBAM (demand), XP SP3.
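
An added example, not part of the thread: a small Python audit of a HOSTS file's active entries, reporting any hostname pointed at a non-loopback address (the kind of entry that silently redirects a browser). The sample file contents and the `.example` hostnames are constructed for illustration.

```python
import ipaddress

# Constructed sample: stock comment lines, the default localhost entry,
# one blocklist-style entry, one redirect entry and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#       102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
0.0.0.0         ads.example.net   # blocklist-style entry
203.0.113.7     www.search.example search.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every active (non-comment) line."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        active = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not active:
            continue
        fields = active.split()
        yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Return findings as (line_no, kind, address, hostnames)."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names))
            continue
        if not names:
            findings.append((line_no, "malformed", addr, names))
        elif ip.is_loopback or ip.is_unspecified:
            # Loopback/unspecified entries block a host (blocklist HOSTS files
            # work this way); the default localhost line is expected.
            if [n.lower() for n in names] != ["localhost"]:
                findings.append((line_no, "blocked", addr, names))
        else:
            # A name mapped to any other address overrides DNS for that name.
            findings.append((line_no, "redirect", addr, names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, pass the contents of `C:\WINDOWS\system32\drivers\etc\HOSTS` to `audit_hosts` instead of the sample string.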
  #9  
Old December 6th, 2009, 05:17 PM
ohblu ohblu is offline
Regular Poster
 
Join Date: Jul 2008
Location: Colorado
Posts: 78
Default Re: Firefox hijacked

I'm already a step ahead of you. I checked the HOSTS file the other day and it was clean. I'm thinking this is some sort of TCP/IP hijacking and/or the atapi.sys file is infected. How would I go about replacing that file? Grandma doesn't know where any of her installation or rescue disks are. The computer is Win XP.
  #10  
Old December 6th, 2009, 06:16 PM
Saraceno Saraceno is offline
Very Frequent Poster
 
Join Date: Mar 2008
Posts: 2,398
Default Re: Firefox hijacked

I'd try:

a-squared free - www.emsisoft.com/en/software/free/ (excellent for toolbars, redirections and so on, use a deep scan for the first time)
a-squared online version - www.emsisoft.com/en/software/ax/ (must use IE)

Hitman Pro - www.hitmanpro.com (free scanning, 30 day removal which can be activated anytime)

If none of the above, you might want to try to back up your bookmarks, save the file to your desktop, uninstall firefox with www.revouninstaller.com in advanced mode removing all traces of firefox in the registry (including firefox add-ons, and anything related to firefox etc - be sure to review the list of the registry scan, and check all the necessary files).

Then re-install firefox. You could also sort the installations in revo by installation date, see if anything was installed on a specific date without your knowledge. http://www.revouninstaller.com/ - it's free, I use the portable version which doesn't need to install.

__________________
Fine Art Landscape Photography

Last edited by Saraceno : December 6th, 2009 at 06:23 PM.
  #11  
Old December 6th, 2009, 09:30 PM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Firefox hijacked

Quote:
Originally Posted by ohblu
Could someone please suggest what customized scanner to use to detect malware that has hijacked Firefox? I used the installed AV scanner (Webroot) and I also used MBAM. I then used Trend Micro's online scanner. They find some but not all of the infected files. They're missing some that are in the Windows\System 32 folder.

Stop running as admin. Problem solved.
  #12  
Old December 7th, 2009, 11:52 AM
Keyboard_Commando Keyboard_Commando is offline
Frequent Poster
 
Join Date: Mar 2009
Posts: 682
Default Re: Firefox hijacked

Quote:
Originally Posted by chronomatic
Stop running as admin. Problem solved.

Helpful comment. NOT!
  #13  
Old December 9th, 2009, 12:38 PM
ohblu ohblu is offline
Regular Poster
 
Join Date: Jul 2008
Location: Colorado
Posts: 78
Default Re: Firefox hijacked

I was not able to find any infections with any of the malware/rootkit scanners I tried. Every night it develops a Vundo infection but there's something else on there that I can't find. I even uninstalled and upgraded to a different version of Firefox with no luck. What I did discover is that this redirect problem is more noticeable and happens more when using a toolbar such as the Google or Yahoo toolbar. In fact, the average user probably wouldn't even notice anything if they weren't using a toolbar.

After I discovered the computer would no longer boot into safe mode, I told grandma she needed to have a professional look at it. So she's going to have them reformat the C drive since it needed it anyway.
  #14  
Old December 9th, 2009, 02:51 PM
Searching_ _ _ Searching_ _ _ is offline
Very Frequent Poster
 
Join Date: Jan 2008
Location: iAnywhere
Posts: 1,988
Default Re: Firefox hijacked

Couple of simple things to try.

Turn off and unplug the router.
Wipe CMOS <---not a requirement, just a thought.
(On 1 of my HDD I have an infection that attacks the CMOS from boot up.
I'll get around to wiping the drive someday.)
Turn Off and unplug computer.
Make a cup of coffee or tea.
Turn all back on.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
  #15  
Old December 10th, 2009, 02:17 AM
Franklin Franklin is offline
Very Frequent Poster
 
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Default Re: Firefox hijacked

I'm infected - What do I do now?
  #16  
Old December 10th, 2009, 09:32 PM
TheQuest TheQuest is offline
Very Frequent Poster
 
Join Date: Jun 2003
Location: Kent. UK by the sea
Posts: 2,226
Default Re: Firefox hijacked

Hi Searching_ _ _

Quote:
(On 1 of my HDD I have an infection that attacks the CMOS from boot up.
I think you'll find it is [was] the boot sector of the HDD, not the CMOS under attack.

Take Care
TheQuest
__________________
When Nothing is Certain, Anything is Possible.
  #17  
Old December 10th, 2009, 11:18 PM
Searching_ _ _ Searching_ _ _ is offline
Very Frequent Poster
 
Join Date: Jan 2008
Location: iAnywhere
Posts: 1,988
Default Re: Firefox hijacked

Quote:
Originally Posted by TheQuest
I think you'll find it is [was] the boot sector of the HDD, not the CMOS under attack.
Yes I know. But it liked to change the CMOS time, so I wiped it just in case.
I use the Black Flag method. Hold breath and spray everything.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
 

All times are GMT -4. The time now is 03:26 AM.

