Web Browser Opens Up Random Sites?

The results were clean - no malware was detected.
 

My Computer

Computer Manufacturer/Model Number
Sony VAIO VGN-NR11S
OS
Linux Mint with Windows 7 in Virtualbox
CPU
Intel® Core™ 1.5 GHz 2 Duo Processor T5250
Memory
2048 MB (2GB) RAM
Graphics Card(s)
Mobile Intel® Graphics Media Accelerator X3100
Sound Card
Realtek HD Audio
Screen Resolution
1280x800
Internet Speed
10 Mbps
Doesn't anyone have any ideas? :(
 

I can't watch the video on that site :(

So I am not sure what I am facing..
 

My Computer

OS
Windows 7 Ultimate x86 SP1
Please download GooredFix from one of the locations below and save it to your Desktop
http://jpshortstuff.247fixes.com/GooredFix.exe
http://downloads.securitycadets.com/GooredFix.exe
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista and Windows7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
This is the best <snippet> I could get from your video
 

Attachments

  • Trojan Horse Found.jpg

Whatever the site was that you clicked on, must have been infected with malware .... this is not a pop-up from SpywareBlaster.

Did you click out of that pop-up?
Was this from your Antivirus or a 'fake'/rogue antivirus message? It's really too blurry for me to tell.
 

Whatever the site was that you clicked on, must have been infected with malware .... this is not a pop-up from SpywareBlaster.

Did you click out of that pop-up?
Was this from your Antivirus or a 'fake'/rogue antivirus message? It's really too blurry for me to tell.

ok, I managed to watch video :party:

I think it was a warning from the user's legit Avast AV.
It blocked a trojan horse from the malicious site.
 

Back in your first combo fix log, the URLs pointed to hxxp - I'd reinstall 7, clean format.
 

My Computer

Computer Manufacturer/Model Number
Sony Vaio Z46GDU
OS
Windows 7 Ultimate x86-64
CPU
[email protected] 1066MHz FSB
Motherboard
Sony branded
Memory
6GB DDR3 1066MHz
Graphics Card(s)
9300M GS 256MB Dedicated (Speed) + Intel4500MHD (Stamina)
Sound Card
Realtek HD Audio
Monitor(s) Displays
13.1' WXGA
Screen Resolution
1600x900
Hard Drives
320GB 7200RPM w/ 16MB cache
Internet Speed
1MB/s
LimeWire, P2P sharing would be the most likely suspect for the problem you are encountering.
I have to agree with Frostmourne
 

The message was from a legit Avast! copy. You see, I visited that website and I visited the AVG website, I was redirected from both websites to different websites. However, when I closed Firefox and reopened it, the redirects from the two websites were gone and opened the actual websites so I don't think the websites were malicious (especially the AVG homepage) but the redirects were.

BTW, I don't use Limewire, torrents or do P2P sharing as I hate doing it.
 

Back in your first combo fix log, the URLs pointed to hxxp - I'd reinstall 7, clean format.
Missed that completely as I was only checking the HJT file....:o
hxxp according to Wiki
uStart Page = hxxp://www.google.co.uk/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
TCP: {BB929842-C69D-49F1-BCF1-183BECE4CD17} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Brijesh Patel\AppData\Roaming\Mozilla\Firefox\Profiles\5xaz82fm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.co.uk/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
 

My Computer

OS
XP Pro/Vista Ultimate (64)/Windows 7 Ultimate Signature Edition(64)
CPU
Core 2 Duo E8500 @ stock
Motherboard
Gigabyte EP45-UD3R
Memory
8Gb (4 X 2Gb) Corsair Dominator 1066Mhz DDR2
Graphics Card(s)
XFX ATI Radeon 4870 1Gb
Sound Card
Onboard 7.1
Monitor(s) Displays
BenQ E2200Hd, Asus VW161D, HP L1506
Screen Resolution
1920 X 1080
Hard Drives
Seagate 7200.12 500Gb
2 X Hitachi 1Tb
PSU
CoolerMaster 650 EPD
Case
Thermaltake
Cooling
2 X Noctua 120mm's, Stock Intel
Keyboard
Logitech
Mouse
Logitech
The hxxp:// is a 'munged' URL, in case it's malicious. That way, people looking at a CF log won't accidentally click on a working link to malware.
In this case, it's by design and it's a safe URL.
 

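The munging described in the post above, as an added example (not part of the thread and not ComboFix's own code): it rewrites http/https schemes to hxxp/hxxps in a log, reverses the change, and lists any links left live. The function names and the sample log are constructed for illustration.

```python
import re

# http/https in any letter case, at a word boundary, followed by "://".
_LIVE = re.compile(r"\b(h)(tt)(ps?://)", re.IGNORECASE)
_MUNGED = re.compile(r"\b(h)(xx)(ps?://)", re.IGNORECASE)
_URL = re.compile(r"\bhttps?://[^\s<>]+", re.IGNORECASE)

# Constructed sample modelled on the log lines quoted in the thread.
SAMPLE_LOG = (
    "uStart Page = http://www.example.com/\n"
    "FF - prefs.js: browser.startup.homepage - HTTPS://www.example.com/start\n"
    "TCP: DNS = 192.0.2.53\n"
)


def _swap(match, lower, upper):
    # Keep the original letter case so the log still reads naturally.
    middle = upper if match.group(2).isupper() else lower
    return match.group(1) + middle + match.group(3)


def munge(text):
    """Turn http(s):// into hxxp(s):// so no viewer renders a clickable link."""
    return _LIVE.sub(lambda m: _swap(m, "xx", "XX"), text)


def unmunge(text):
    """Reverse munge() when an analyst needs the real URL for a lookup."""
    return _MUNGED.sub(lambda m: _swap(m, "tt", "TT"), text)


def live_links(text):
    """Return URLs that are still clickable, e.g. to check a log before posting."""
    return _URL.findall(text)


if __name__ == "__main__":
    safe = munge(SAMPLE_LOG)
    print(safe)
    print("live links left:", live_links(safe))
```

Running `munge()` on text that is already munged leaves it unchanged, so it is safe to apply to a log that mixes both forms.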
Here's GooredFix Log I did in Safe Mode as it kept on freezing on 'General Malware' in Normal Mode

Code:
 GooredFix by jpshortstuff (08.01.10.1)
Log created at 15:54 on 20/01/2010 (Brijesh Patel)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:10 24/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [17:45 24/10/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [10:51 18/01/2010]

C:\Users\Brijesh Patel\Application Data\Mozilla\Firefox\Profiles\5xaz82fm.default\extensions\
[email protected] [13:20 05/12/2009]
SkipScreen@SkipScreen [18:52 15/12/2009]
yetanothersmoothscrolling@kataho [11:39 19/01/2010]
{73a6fe31-595d-460b-a920-fcc0f8843232} [08:46 18/01/2010]
{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [08:08 19/12/2009]
{c36177c0-224a-11da-8cd6-0800200c9a91} [14:23 06/12/2009]
{cf47767d-5f3a-4e32-9fce-5d79565c9702} [19:17 15/01/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [16:18 08/01/2010]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [07:05 25/10/2009]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [16:14 12/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-
 

Back in your first combo fix log, the URLs pointed to hxxp - I'd reinstall 7, clean format.

wait, what do you mean?
all hxxp I can find point to the legit and safe site (google)
except one which points to google search results :sarc:

EDIT: ohh, haven't seen Orpheous and Jacee's replies :p
 

Doesn't anyone know how to fix this? :confused:
 

ok, try these.
1. Download CCleaner (CCleaner - Home)
and clean up your temp files and browser cache.

2. Press Start.
Write cmd
right click, run as admin
write ipconfig /flushdns

3. Download http://www.funkytoad.com/download/HostsXpert.zip
Unzip it
Click Restore Microsoft's Host files

4. Press Start
write clean
Enter Disk Cleanup
Tick Temporary files, Temporary Internet Files, Offline webpages
And delete them

5. Try disabling all extensions on your browser.

6. Try reverting back to your own ISP DNS server
 

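A read-only check related to step 3 above, added here as an example and not taken from the thread or from HostsXpert: it lists hosts-file entries that point a name at a non-local address, which override DNS for that name and are worth reviewing before the file is reset. The sample file and the function names are constructed.

```python
import ipaddress

# Constructed sample in Windows hosts-file format (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style entry
203.0.113.10    www.example.com search.example.com
not-an-ip       broken.example.org
"""


def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for every active entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]


def suspicious_entries(text):
    """Return entries that send a name to a real (non-local) address.

    Loopback and 0.0.0.0/:: entries only block or localise a name, so they
    are skipped; anything else overrides DNS for that name. Unparseable
    addresses are reported too, since a malformed line deserves a look.
    """
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, names, "invalid address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((line_no, ip_text, names, "overrides DNS"))
    return findings


if __name__ == "__main__":
    # On a live Windows system, read the file under
    # %SystemRoot%/System32/drivers/etc/hosts instead of SAMPLE_HOSTS.
    for line_no, ip_text, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip_text} -> {', '.join(names)} ({reason})")
```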
There is nothing suspicious in the log.

Clear Firefox's cache:
Tools, options, Advanced, Network, Offline Storage <--cache, click 'clear now'.

In case one of your add-ons isn't working properly, you can check it in 'safe mode':
Safe Mode
 
