Laptop doing weird Firefox things

Date: October 29, 2009 09:35PM
Posted by: turkey_machine
It doesn't happen all the time, but sometimes when I do web searches, it redirects them to another browser and tries to open several other links. I have NoScript enabled so it doesn't actually load the pages in question.

HijackThis had this to say:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:26, on 29/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DestroyTwitter\DestroyTwitter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Turkey Machine\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [go.microsoft.com]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [go.microsoft.com]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [go.microsoft.com]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [go.microsoft.com]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [go.microsoft.com]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [tbbMeter] C:\Program Files\thinkbroadband.com\tbbMeter\tbbmeter.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [bandmon] C:\Program Files\Rokario\Bandwidth Monitor\bandmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE';)
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE';)
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM';)
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user';)
O4 - Startup: DestroyTwitter.lnk = C:\Program Files\DestroyTwitter\DestroyTwitter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - [catalog.update.microsoft.com]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [www.update.microsoft.com]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D366845-7180-448C-B86C-3D6ECB7928EA}: Domain = ads.ntu.ac.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\DOCUME~1\TURKEY~1\LOCALS~1\APPLIC~1\Skype\Shared\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5908 bytes

MalwareBytes Anti-Malware is now running, but is anything in that HijackThis log worth mentioning?



Everyone knows that million-to-one chances happen 9 times out of 10; indeed, it's a common requirement in fairy tales. If the human didn't have to overcome huge odds, what would be the point? Terry Pratchett - The Science Of Discworld

GPGSL S5 Race driver for IED.
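As an added example (not HijackThis's own logic and not part of any post), this Python triage pass reads the entry lines of a log in the format posted above and lists the ones a reviewer would open by hand: objects marked `(no file)`, services shown as `Unknown owner`, and Run entries without a full path. The three rules and the function name `triage` are assumptions of this example; a hit is a prompt to check the file, not a verdict.

```python
import re

# Lines copied from the HijackThis log posted above (a subset, to keep the example short).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "<section code> - <rest>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Registry autorun: "...\Run: [value name] command line"
RUN_CMD = re.compile(r"Run: \[([^\]]*)\] (.+)$")
FULL_PATH = re.compile(r'"?[A-Za-z]:\\')


def triage(log_text):
    """Return (section, reason, entry) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if body.endswith("(no file)"):
            # The registration exists but the file it names is gone.
            findings.append((code, "registered object points at a missing file", body))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "no company name could be read from the service binary", body))
        if code == "O4":
            run = RUN_CMD.search(body)
            if run and not FULL_PATH.match(run.group(2)):
                # Which file actually starts depends on the search path.
                findings.append((code, "autorun command has no full path", body))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {entry}")
```
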

Re: Laptop doing weird Firefox things
Date: October 29, 2009 09:41PM
Posted by: turkey_machine
MalwareBytes found this:

Malwarebytes' Anti-Malware 1.41
Database version: 3056
Windows 5.1.2600 Service Pack 3

29/10/2009 20:40:35
mbam-log-2009-10-29 (20-40-35).txt

Scan type: Quick Scan
Objects scanned: 109910
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Turkey Machine\Local Settings\Temp\6E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.




Re: Laptop doing weird Firefox things
Date: October 29, 2009 09:56PM
Posted by: mortal
The log looks OK to me, try a Firefox redirect blocker.


[www.mediafire.com] Some say you should click it, you know you want to. :-) [www.gp4central.com] <----GP4 Central
Re: Laptop doing weird Firefox things
Date: October 29, 2009 11:58PM
Posted by: turkey_machine
That didn't work, and this is one of 3 tabs that get opened in a new FF window.

[67.201.36.16]




Re: Laptop doing weird Firefox things
Date: October 30, 2009 01:19AM
Posted by: mortal
Download and install this, [www.mvps.org]
Don't use the batch file. Just replace the existing file. If you have ZoneAlarm your hosts file will be locked, OK. So disable that first, otherwise Windows will be unable to replace the file.
Read the section on the services client and do that too.
Download SUPERAntiSpyware and run it as well. Possibly you have a redirection virus.
The link you posted is this:
OrgName: Mzima Networks Inc.
OrgID: MZIMAN-1
Address: 707 Wilshire Blvd.
Address: Suite 4737
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 67.201.0.0 - 67.201.63.255
CIDR: 67.201.0.0/18
OriginAS: AS25973
NetName: NETBLK-MZIMA-04
NetHandle: NET-67-201-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAX01.MZIMA.NET
NameServer: NS2.LAX01.MZIMA.NET
NameServer: NS1.IAD01.MZIMA.NET
RegDate: 2007-07-11
Updated: 2007-07-17
RAbuseHandle: MAD53-ARIN
RAbuseName: Mzima Abuse Department
RAbusePhone: +1-213-426-6509
RAbuseEmail: abuse@mzima.net

You could send them an email and ask them why your browser is redirecting to their site. Add browser type and version number and what you were doing etc.


Re: Laptop doing weird Firefox things
Date: October 30, 2009 10:25AM
Posted by: gav
You can't just replace the hosts file on a half-decent OS (Vista or 7). You have to rename the existing file, rename the new file then copy it into place, then rename to what the original had. You don't need to do any of the crap about making new sendto entries as that link says.

Frankly it's better to just install Spybot S&D and just use the immunisation feature to do it all for you.




Jethro, what if you set the default browser to IE (or Opera or Chrome or something other than Firefox) temporarily. Do these rogue windows still open? If so you can rule out the browser, profile, cache and cookies.

The best place to post your HijackThis log is their forums - those guys crawl over every last detail and have an eye for things spoofing other things.



Edited 1 time(s). Last edit at 10/30/2009 10:29AM by gav.
Re: Laptop doing weird Firefox things
Date: October 30, 2009 07:05PM
Posted by: turkey_machine
Gav, this one's on XP. :)

It happens in IE8. Ironically I was looking on Bing search for the Hijackthis forums, and it kept getting re-directed.

AVG ran last night and didn't find anything.

Replacing the HOSTS hasn't worked, as it happens with IE and Chrome.

Now running SUPERAntiSpyware on Mal's advice.




Re: Laptop doing weird Firefox things
Date: November 05, 2009 09:08AM
Posted by: pankykapus
I'm having the exact same problem: every website with a search function (Google, including Gmail, Picasa, Yahoo) gets redirected or won't open. Not in FF, IE, Chrome etc. Picasa won't connect to my Google account.


SuperAntiSpyware didn't help, with Spyware doctor I had no luck either.
Re: Laptop doing weird Firefox things
Date: November 05, 2009 10:45PM
Posted by: pankykapus
The latest is that I ran Spyware S&D, it found the tracking virus, it successfully removed it and for a moment it seemed it was alright, but Google.com and Bing.com are still not working in Firefox.
However I can now reach Gmail, Picasa, Yahoo and all the other stuff I could not before except of course the two mentioned above which is quite disturbing. The funniest is that with Safari all is well and working (which too hadn't before).
I reinstalled Firefox and deleted all of the bookmarks and cookies, still no luck.

Would a winreinstall solve the problem? I really didn't want to do that, but it seems that's the only solution I can come up with.
Re: Laptop doing weird Firefox things
Date: November 05, 2009 11:13PM
Posted by: mortal
GooredFix is a tool written to deal with this Firefox Hijack. Option#1 will display what it thinks is bad and Option#2 will delete what it thinks is bad. If you are unsure, post a log from Option#1.

This infection has been around since about October/November last year, and has 4 different "variants". Currently, no AntiVirus/AntiSpyware programs detect this.

[jpshortstuff.247fixes.com]

Try it and see what happens. You could also disable JavaScript and disable the XUL cache. Info from the Malwarebytes forum. ;-)


Re: Laptop doing weird Firefox things
Date: November 05, 2009 11:50PM
Posted by: Willb
I assume DestroyTwitter.exe is a legit app (did a quick Google and could only find a Mac app with this name?)

__________________________



Help keep our forums tidy.

Use the search function...
Re: Laptop doing weird Firefox things
Date: November 06, 2009 12:51AM
Posted by: mortal
That's a valid Windows app, apparently it puts Twitter on the desktop and displays tweets in real-time, or something like that.


Re: Laptop doing weird Firefox things
Date: November 06, 2009 09:29AM
Posted by: pankykapus
Okay, so here's the log:

GooredFix by jpshortstuff (24.09.09.1)
Log created at 09:24 on 06/11/2009 (Gergő)
Firefox version 3.5.4 (hu)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:43 17/12/2008]

-=E.O.F=-
Re: Laptop doing weird Firefox things
Date: November 06, 2009 09:32AM
Posted by: pankykapus
Oh and btw I disabled Javascript in FF, didn't help...
Re: Laptop doing weird Firefox things
Date: November 06, 2009 09:55AM
Posted by: mortal
Check this. [www.malwarebytes.org]

Try this Firefox hack. [www.labnol.org]

Also get this and run it. [www.besttechie.net]

I think you have an extension trojan. Even though Goored shows no extensions installed.
You can try to clean up your system by completely exiting Firefox, browsing to your extensions directory, then deleting any installed extensions with recent dates, if any are there. The hijack comes from an overlay.xul file in the trojan extension. Try an uninstall, reboot and re-install, export your bookmarks to the desktop first. If the other stuff I mentioned doesn't help it's worth a try.





Edited 1 time(s). Last edit at 11/06/2009 10:04AM by mortal.
Re: Laptop doing weird Firefox things
Date: November 06, 2009 10:42AM
Posted by: gav
It looks like in your case it's not a Windows problem, but a Firefox profile one.

1) In Firefox go to Bookmarks > Organise Bookmarks > Import and Backup > and back up the bookmarks either with Export HTML or Backup options.

2) Still in Firefox, go to Tools > Clear Recent History and untick everything other than Cache, then hit OK and close Firefox.

3) Go to Start > Run (or enter it in the live search thing in Vista or Win7) and type (or copy this) %appdata%\Mozilla and press enter. Copy the Firefox folder to another location (Desktop, a temporary folder, whatever). Once copied, delete the original folder from %appdata%\Mozilla.

4) Start Firefox again. A new profile will have been made. If everything works, you can set about setting it up the way you want again, importing your old bookmarks and reinstalling any extensions you used. If it's still broken, you might as well restore the old profile (delete the new Mozilla folder and copy the old one back into %appdata%\Mozilla), as something else is causing the problem and we'll have to look a bit deeper.
Re: Laptop doing weird Firefox things
Date: November 06, 2009 11:28AM
Posted by: pankykapus
Thanks guys for the quick help!

So I did everything you told me, I followed the instructions on the other forum Mal had posted.
My extensions folder is completely empty, I removed the registry entry, I deleted the Firefox folder to create a new profile, I have absolutely no search, cache etc history and the problem still occurs.
As reading other forums I can recall that when I installed the new FF it said it had installed one new extension. I only gave it a quick 'wtf, alright' moment, but it seems the problem's persisted since then.

So what now? :P
Re: Laptop doing weird Firefox things
Date: November 06, 2009 11:32AM
Posted by: pankykapus
And I think that gooredfix problem didn't find anything because I have Firefox installed not in C:\ProgramFiles... but E:\...
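An added example, not from any poster and not GooredFix's code: the check mortal describes (extensions with recent dates that carry an `overlay.xul`) as a Python inventory that takes the extensions folders as arguments, so an install outside C:\Program Files, such as the E:\ one just mentioned, is covered. The function names and the 30-day window are assumptions of this example.

```python
import os
import time
import zipfile

def overlays_in(ext_dir):
    """Yield overlay.xul files in one extension, including those packed in chrome .jar files."""
    for dirpath, _dirs, files in os.walk(ext_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == "overlay.xul":
                yield full
            elif name.lower().endswith(".jar") and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as jar:
                    for member in jar.namelist():
                        if member.lower().endswith("overlay.xul"):
                            yield full + "!" + member

def scan_extensions(roots, recent_days=30, now=None):
    """Inventory every extension under the given 'extensions' folders, newest first."""
    # roots: pass the extensions folder of the directory Firefox is really installed in
    # (E:\... in the thread, not an assumed C:\Program Files) and the profile's one.
    now = time.time() if now is None else now
    report = []
    for root in roots:
        if not os.path.isdir(root):
            continue  # wrong guess at the install path: nothing to list, not "clean"
        for entry in sorted(os.listdir(root)):
            path = os.path.join(root, entry)
            if os.path.isfile(path):
                # Pointer file: named after the extension ID, first line is the real folder.
                with open(path, errors="replace") as fh:
                    target = fh.readline().strip()
                if not os.path.isdir(target):
                    continue
                path = target
            age_days = (now - os.path.getmtime(path)) / 86400
            report.append({
                "id": entry,
                "path": path,
                "age_days": round(age_days, 1),
                "recent": age_days <= recent_days,
                # Legitimate extensions ship overlays too; this is a list to read, not a verdict.
                "overlays": list(overlays_in(path)),
            })
    return sorted(report, key=lambda r: r["age_days"])

if __name__ == "__main__":
    import sys
    for row in scan_extensions(sys.argv[1:]):
        print(row)
```

Extensions registered only through the registry key shown in the GooredFix log above live outside these folders and are not covered by this scan.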
Re: Laptop doing weird Firefox things
Date: November 06, 2009 11:38AM
Posted by: mortal
What about uninstalling it from E and re-installing on C.


Re: Laptop doing weird Firefox things
Date: November 06, 2009 11:59AM
Posted by: pankykapus
(hides) :P