So, just noticed something to do with Angelfire was giving me bogus search results in Google, and the top 10 results or so, upon clicking them, gave me a redirect to some malicious site(s)...
As far as I can tell it isn't affecting my system anywhere else. Had a pretty serious attack 2 weeks ago and scanned (in safe mode) for 2 whole days till the PC started acting right. Just occurred to me tonight that this was happening, I assume since the original attack.
Haven't been back in safe mode since the original attack, but regular scans with SUPERAntiSpyware and Malwarebytes come up empty. Doing one last full scan with Security Essentials before I mess with safe mode again.....
Only happens in FF 7.0.1... checked all the settings I can think of, cleared cookies, cache.....
Any thoughts/ideas on how to get rid of or stop the redirects?
Off the top of my head, just check your hosts file in C:\windows\system32\drivers\etc... right-click hosts, select Open and open with Notepad. Any odd entries that don't have a comment "#", copy/paste them here.
This is what a normal hosts file looks like:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
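The hosts-file check above is a manual one: open the file, look for any line that is not a comment. As an added example (not from the original post or from any tool named in the thread), here is the same check as a small Python script that parses a hosts file and flags every non-comment mapping, distinguishing a hostname pinned to an outside address (a redirect) from a hostname sinkholed to loopback (a block, which ad-blocking hosts lists do on purpose and malware does to security vendors' update sites). The sample hosts text is constructed, the `203.0.113.5` address is a documentation (TEST-NET-3) stand-in for an attacker-controlled host, and the default Windows path in `check_windows_hosts` is an assumption: malware can repoint the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` at a different directory, so if the default file is clean, that value is worth checking too. Note also that a hosts-file hijack affects every browser on the machine; a redirect that shows up only in one browser, as in this thread, points at that browser rather than at the hosts file, which is one reason this check came up clean.

```python
import ipaddress

# Constructed sample: the stock Microsoft comment header (as shown in the post)
# followed, after a run of blank lines (a common hiding spot), by two
# hijack-style entries. 203.0.113.5 is a TEST-NET-3 documentation address
# standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost




203.0.113.5     www.google.com       # searches now go to a hostile host
127.0.0.1       www.malwarebytes.org
"""

# Names a clean Windows hosts file may legitimately map to loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip_string, [hostnames])] for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Flag every hosts entry except the expected loopback names.

    Returns a list of (ip, hostname, reason) tuples in file order.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOOPBACK_OK:
                continue
            if addr.is_loopback:
                # Sinkholing: the site becomes unreachable. Ad-blocking hosts
                # lists do this on purpose; malware does it to AV vendors.
                findings.append((ip, name, "sinkholed to loopback"))
            else:
                # Pinning: every program on the box now resolves this name
                # to that address, so "real-looking" links land elsewhere.
                findings.append((ip, name, "pinned to non-loopback address %s" % ip))
    return findings


def check_windows_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live hosts file (default location assumed) and return findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-28s %s" % (ip, name, reason))
```

Running it on the constructed sample reports the two planted lines and nothing else; on a stock Windows 7 hosts file, where every line is a comment, it reports nothing.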
Yeah, tried that... that is exactly what mine looks like....
ComboFix, not sure if you have tried this. I've had 100% recovery on the systems I have run this on. It's another malware/spyware removal tool. Here is the link for the utility and instructions: A guide and tutorial on using ComboFix
Are there any other symptoms other than the google search results?
The links almost look like real links but if clicked lead to malicious sites. Other than that, no; left the PC in safe mode scanning with Malwarebytes. Will also try the above, I guess...
Don't use ComboFix; it's highly unlikely whatever is causing it is "serious" enough for ComboFix.
No offense intended to the poster or you; I just hate seeing people screw up their computer because they haven't learned how ComboFix and programs like it work.
I'm willing to help if you still need it, just let me know.
I'm down for any advice. I consider myself an advanced user, so am willing to try anything... scanning with SUPERAntiSpyware and Malwarebytes in safe mode yielded zero results still.
edit: ComboFix sounds promising but would love to hear your suggestions, Toast
I'm not offended. I'm just busy studying for Security+... my mindset right now is nuke first and don't give malware a chance.
Combo seems pretty straightforward. I've cleaned out systems you could barely use with the 2 programs I've been using; hell, my system had that fake AV going on a couple weeks ago and I *thought* I got it all out. It's just this one little remnant I can't seem to get rid of.
It's not so much that ComboFix is confusing, it is quite straightforward; it's just that unless you know all the various commands, and there's a lot of them, and what they do, there's always a slight possibility you might mess something up.
If you can download OTL, run it and put the two logs it spits out (OTL.txt and Extras.txt) on Pastebin, I should, though never a 100% guarantee, be able to find what's causing the problem from that. You can PM me the links to the logs if you would rather do that instead of posting them in this thread. I'm guessing off past experience it's a registry edit that the fake AV left behind.
Run OTL.exe. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:
[edited]
I'm thinking Audiogalaxy might be the problem, I can't see anything else in there that points toward the issue you're having. Run that fix and let me know if you still have that problem.
That would also make sense; I get in a hurry and I tend to overlook at least one thing.
Better safe than sorry though; so far I haven't run into any problems involving unrecognized IPs, but there's always that small chance.
Trying it now... I did have Malwarebytes quarantine something from the Audiogalaxy install folder.... maybe time to chuck that.... will run your fix and see what's up...
About IPs, I have 4 computers on the network at any given time, plus phone, plus PS3, 360, sometimes a Wii and sometimes a Nook... no idea what is what as far as IPs go, but always figured the .1.1 was the router...
Hmm, still getting an abnormal amount of malicious results; the top 6 to 7 results lead to a site WOT gives a red/poor rating. The redirect doesn't seem to be happening though....
And I just used the search term "pc error"; it really doesn't matter what I google.
On that link (or just google 'pc error'), are the top results pc-error-free, pcaholic, smartpctools? (just the top 3 for me)
Hmmm, trying other search terms it seems it may have stopped.... before it was redirecting what looked like Wikipedia links to weird stuff; doesn't seem to be happening now... Thanks a ton, Toast!!
Uninstalling Audiogalaxy with Revo now! Wonder what the deal with that is.
In response to the post before this one, I see Smart PC Tools, PC Error Free and PC Hell.
Glad I could help; if it pops up again just let me know.
You can go ahead and use the Clean Up function in OTL now, assuming you still have it on your PC.
Is there a need to 'clean up'? Still have it on the computer, btw.
What was the cause of this? Was it the Audiogalaxy program or something else?
You may want to look into NoScript. A very helpful Firefox extension.
NoScript blocked way too much shit; always had to 'allow' crap and I got tired of messing with it. Usually am fine with Adblock Plus...
Quote:
Originally Posted by ToastPwnz
It seems that it was Audiogalaxy, nothing else in the log looked to be related to that kind of problem.
Yeah, really am wondering what the deal with Audiogalaxy was; didn't really use it any more, so no big deal to delete it, just wonder how/what infected it...
(btw, gonna edit those logs out of my posts, don't see any reason for them to stay. Will leave the thread open though, hard telling who else it might help)
I've been too busy to help, but it looks like ToastPwnz killed off the issue. 8)
"If" something is redirecting you in the future, open a command line and type: netstat -an. This will show current connections and the port numbers they are using. From there you can select the redirect IP and just add it to a firewall deny/block rule until you find out what is going on.
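The netstat-then-block procedure above is done by eye in the post. As an added example (my own code, not from the original thread), here is the same triage in Python: it parses `netstat -an` output as Windows prints it, keeps only live outbound TCP sessions whose far end is outside loopback, link-local and RFC 1918 space, and emits one `netsh advfirewall firewall add rule` outbound block per remote address, which is the built-in Windows Firewall rule the post's "firewall deny/block rule" corresponds to on Vista and later. The netstat text is constructed; `203.0.113.77` and `198.51.100.9` are documentation (TEST-NET) addresses standing in for remote hosts, and `192.168.1.x` is the LAN from the thread. The "local" ranges are an explicit list rather than `ipaddress`'s `is_global`, because that method classifies the documentation ranges in the sample as non-global.

```python
import ipaddress

# Constructed sample of "netstat -an" output on Windows. 203.0.113.77 and
# 198.51.100.9 are TEST-NET documentation addresses standing in for remote
# hosts; 192.168.1.1 is the router from the thread.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49160      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.5:49201      203.0.113.77:80        ESTABLISHED
  TCP    192.168.1.5:49205      198.51.100.9:443       TIME_WAIT
  TCP    127.0.0.1:5354         127.0.0.1:49158        ESTABLISHED
  TCP    [::1]:49170            [::1]:49171            ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Ranges treated as "ours": unspecified, loopback, RFC 1918, link-local, ULA.
# Listed explicitly because ipaddress.is_global() would also reject the
# TEST-NET addresses used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]

# Only live or half-open outbound sessions matter for a redirect in progress;
# LISTENING and TIME_WAIT entries are noise here.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}


def split_endpoint(endpoint):
    """'203.0.113.77:80' -> ('203.0.113.77', '80'); '[::1]:49171' -> ('::1', '49171')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_local(addr):
    """True if addr falls in any of LOCAL_NETS (version mismatch is simply False)."""
    return any(addr in net for net in LOCAL_NETS)


def remote_external_connections(netstat_text):
    """Return sorted unique far-end IPs of active TCP sessions leaving the local networks."""
    remotes = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # banner, column header, UDP rows (no State column)
        foreign, state = parts[2], parts[3]
        if state not in ACTIVE_STATES:
            continue
        host, _port = split_endpoint(foreign)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' wildcard endpoints
        if not is_local(addr):
            remotes.add(str(addr))
    return sorted(remotes)


def firewall_rule(ip):
    """Outbound Windows Firewall block for one address (netsh advfirewall, Vista+)."""
    return ('netsh advfirewall firewall add rule name="Block %s" '
            'dir=out action=block remoteip=%s' % (ip, ip))


if __name__ == "__main__":
    # On a real box: pipe "netstat -an" into this script instead of the sample.
    for ip in remote_external_connections(SAMPLE_NETSTAT):
        print(firewall_rule(ip))
```

Two practical points. The snapshot has to be taken while the redirect is actually happening, since the session is gone seconds later; running `netstat -anob` from an elevated prompt adds the owning PID and executable to each row, which usually answers "what is going on" faster than the IP does. And an outbound block by address is only a stopgap, as the post says: redirect kits rotate hosts, so the rule buys time to find the component doing the redirecting (here, a Firefox extension) rather than replacing that search.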
According to its entry on SystemLookup, it has some adware programs packaged with it.
It seems the other profile on my PC is having redirect issues also. Haven't had time to look at it yet though; *thought* I completely got rid of Audiogalaxy, so not sure what the dealio is.
Well, I figured out what the initial infection left behind. The other profile has NO extensions in Firefox, so when I saw XUL Cache 1.0 on the list I knew something was up. Removed it and redirects stopped completely.
When I went back to my desktop to remove it, it completely locked up Firefox. I'm on a rare visit with Chrome right now. Don't wanna kill the process 'cause I have like 9 tabs open for research (helping SO with homework).