Firefox hijacked

Discussion in 'malware problems & news' started by ohblu, Dec 5, 2009.

Thread Status:
Not open for further replies.
  1. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    Could someone please suggest what customized scanner to use to detect malware that has hijacked Firefox? I used the installed AV scanner (Webroot) and I also used MBAM. I then used Trend Micro's online scanner. They find some but not all of the infected files. They're missing some that are in the Windows\System32 folder. Even when they get all the infected files, Firefox is still being hijacked. I tried running a rootkit scanner and some other online scanner but they take more than 4 hrs to scan and both times the electric went off. Go figure! So a customized scanner would be more convenient.

    I really don't have the time or patience to post to a malware removal forum. So many of those people there are so condescending and rude and I'm sick of them. The infected computer is my grandmother's and she's getting ready to go on vacation so I need to get this malware off soon.

    I'm not asking for anyone to help me remove this malware. I'm just looking for suggestions about which tools to use. I'm usually really good at getting malware off a computer, but this time I'm getting my butt kicked.
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Try Superantispyware and Spyware Terminator's HIPS to see if that can find and block it.
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    All of the following free programs are also worth trying: Avira AntiVir, Avast!, Microsoft Security Essentials, Panda Cloud Antivirus, and Prevx. Panda Cloud Antivirus and Prevx both require an Internet connection for the duration of the scan.

    One point to bear in mind: The free version of Prevx won't remove what it finds (it will remove adware and MBR rootkits but only the paid version has full removal capability) but it scans very quickly, usually taking only a few minutes.

    It's worth running Prevx as well because in my experience Prevx will sometimes identify components of malware infections missed by other scanners. If Prevx does identify something, at least you'll have the necessary information to attempt manual cleanup if the infection can't be removed by any other means.
     
  4. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Run this in safe mode
    Norman Malware Cleaner

    Next time subscribe to Malware Blocker Subscriptions for the Adblock Plus add-on.
    This will slow down Firefox, so then install the add-on called FasterFox Lite.

    I have a family member who ran into the same problem you're having. He had everything that was suggested. SmitFraudfix did remove the pest but left the system in an odd state. Now it has to be either restored from a safe backup or blow out the OS and re-install it, then start all over again.
     
  5. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    I should hope Grandma doesn't have to rely on backups since she never bothered to do any. :eek:
     
  6. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
  7. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    I tried it and it did remove something but Firefox is still being redirected. I've run several different anti-malware scanners including online scanners and they're not finding anything. Right now I'm in the middle of running Root Repeal. I hope something turns up. I'm at a loss as to what to do. I've never encountered a problem like this before.
     
  8. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Windows XP?
    Navigate to "C:\WINDOWS\system32\drivers\etc" and double click on the file "HOSTS". Open it with notepad, and do not tick the box to always open this file with this program.
    It should look a bit like this:
    etc.
    Have a look at this.
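    An added example for the HOSTS file check described above; it is not code posted by Tarq57 or anyone else in this thread. It parses the file the way the resolver does (comments stripped, first token the address, remaining tokens hostnames) and flags the two patterns a redirect infection typically leaves: hostnames pointed at an address other than loopback, and security or update sites pointed at loopback so they can no longer be reached. The default path is the Windows XP one quoted in the post; the watched-domain lists, the sample file contents and the 203.0.113.5 address are constructed for illustration.

```python
"""Check a Windows HOSTS file for entries that could explain browser redirects.

Added example for this thread (not any poster's code). Parsing mirrors the
resolver: '#' starts a comment, the first token is an address, every further
token is a hostname mapped to it. Two kinds of entries are reported:
  * hostnames mapped to a non-loopback address  -> possible redirect
  * security/update hostnames mapped to loopback -> blocked updates/scans
Malware often pads the file with many blank lines so the added entries sit
below what Notepad shows without scrolling, so line numbers are reported.
"""
import ipaddress
import sys

# Path quoted in the thread (Windows XP); pass another path as argv[1].
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Assumed lists for the example; extend them for your own environment.
SECURITY_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "webroot.com", "trendmicro.com", "avira.com", "avast.com",
)
SEARCH_DOMAINS = ("google.com", "yahoo.com", "bing.com", "mozilla.org")


def _is_local(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return a list of (line_no, ip, [hostnames]) for effective entries."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2:                      # blank line or address only
            continue
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def find_suspicious(entries):
    """Return (line_no, kind, hostname, ip) tuples worth a second look."""
    findings = []
    for line_no, ip, hosts in entries:
        for host in hosts:
            if host == "localhost" and _is_local(ip):
                continue                        # the one entry XP ships with
            if not _is_local(ip):
                kind = "redirect" if _matches(host, SEARCH_DOMAINS) else "non-local mapping"
                findings.append((line_no, kind, host, ip))
            elif _matches(host, SECURITY_DOMAINS):
                findings.append((line_no, "blocked", host, ip))
    return findings


def check_file(path):
    """Read a HOSTS file from disk and return its findings."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return find_suspicious(parse_hosts(fh.read()))


# Constructed sample of a tampered XP HOSTS file (padding shortened).
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",    # line 1
    "127.0.0.1       localhost",                     # line 2
    "::1             localhost",                     # line 3
    "", "", "", "", "",                              # lines 4-8: padding
    "127.0.0.1 www.malwarebytes.org",                # line 9: blocked
    "127.0.0.1 update.microsoft.com",                # line 10: blocked
    "203.0.113.5 www.google.com",                    # line 11: redirect
    "203.0.113.5 search.yahoo.com",                  # line 12: redirect
    "10.0.0.7 intranet.example",                     # line 13: informational
])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_file(sys.argv[1])
    else:
        results = find_suspicious(parse_hosts(SAMPLE_HOSTS))
    for line_no, kind, host, ip in results:
        print(f"line {line_no:>4}: {kind:<18} {host} -> {ip}")
    if not results:
        print("no suspicious HOSTS entries found")
```

    Run it with no argument to see the findings on the constructed sample, or pass the real file path to check the machine. A clean XP file yields no findings; the "non-local mapping" entries are informational, since a home user's HOSTS file normally contains nothing but localhost.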
     
  9. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    I'm already a step ahead of you. I checked the HOSTS file the other day and it was clean. I'm thinking this is some sort of TCP/IP hijacking and/or the atapi.sys file is infected. How would I go about replacing that file? Grandma doesn't know where any of her installation or rescue disks are. The computer is Win XP.
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I'd try:

    a-squared free - www.emsisoft.com/en/software/free/ (excellent for toolbars, redirections and so on, use a deep scan for the first time)
    a-squared online version - www.emsisoft.com/en/software/ax/ (must use IE)

    Hitman Pro - www.hitmanpro.com (free scanning, 30-day removal which can be activated anytime)

    If none of the above, you might want to try to back up your bookmarks, save the file to your desktop, uninstall Firefox with www.revouninstaller.com in advanced mode, removing all traces of Firefox in the registry (including Firefox add-ons, and anything related to Firefox etc. - be sure to review the list of the registry scan, and check all the necessary files).

    Then re-install Firefox. You could also sort the installations in Revo by installation date, see if anything was installed on a specific date without your knowledge. http://www.revouninstaller.com/ - it's free, I use the portable version which doesn't need to install.

    [Attachment: revo.jpg]
     
    Last edited: Dec 6, 2009
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Stop running as admin. Problem solved.
     
  12. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Helpful comment. NOT!
     
  13. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    I was not able to find any infections with any of the malware/rootkit scanners I tried. Every night it develops a Vundo infection but there's something else on there that I can't find. I even uninstalled and upgraded to a different version of Firefox with no luck. What I did discover is that this redirect problem is more noticeable and happens more when using a toolbar such as the Google or Yahoo toolbar. In fact, the average user probably wouldn't even notice anything if they weren't using a toolbar.

    After I discovered the computer would no longer boot into safe mode, I told grandma she needed to have a professional look at it. So she's going to have them reformat the C drive since it needed it anyway.
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Couple of simple things to try.

    Turn off and unplug the router.
    WipeCMOS <---not a requirement, just a thought.
    (On 1 of my HDD I have an infection that attacks the CMOS from boot up.
    I'll get around to wiping the drive someday.)
    Turn Off and unplug computer.
    Make a cup of coffee or tea.
    Turn all back on.
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  16. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi Searching_ _ _

    I think you'll find it is [was] the boot sector of the HDD, not the CMOS, under attack.

    Take Care
    TheQuest :cool:
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Yes I know. But it liked to change the CMOS time, so I wiped it just in case.
    I use the Black Flag method. Hold breath and spray everything. :D
     