
Angelfire redirect


  1. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    So just noticed something to do with angelfire was giving me bogus search results in google and the top 10 results or so upon clicking them gave me a redirect to some malicious site(s)...

    As far as I can tell it isn't affecting my system anywhere else. Had a pretty serious attack 2 weeks ago and scanned (in safe mode) for 2 whole days till the PC started acting right. Just occurred to me tonight that this was happening, I assume since the original attack.

    Haven't been back in safe mode since the original attack but regular scans with SuperAntiSpyware and Malwarebytes come up empty. Doing one last full scan with Security Essentials before I mess with safe mode again.....

    Only happens in FF 7.0.1... checked all the settings I can think of, cleared cookies, cache.....

    Any thoughts/ideas on how to get rid of or stop the redirects?

  2. andruoid

    andruoid Well-Known Member

    Off the top of my head, just check your hosts file in C:\windows\system32\drivers\etc ...right click hosts, select Open and open with Notepad. Any odd entries that don't have a comment ("#"), copy/paste them here.

    This is what a normal hosts file looks like:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
    NightAngel79 likes this.
  3. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    Yeah, tried that... ^that is exactly what mine looks like....
  4. Xyro

    Xyro 4 8 15 16 23 42 Moderator

    Are there any other symptoms other than the google search results?
  5. andruoid

    andruoid Well-Known Member

    ComboFix, not sure if you have tried this. I've had 100% recovery on the systems I have run this on. It's another malware/spyware removal tool. Here is the link for the utility and instructions: A guide and tutorial on using ComboFix
    NightAngel79 likes this.
  6. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator


    The links almost look like real links but if clicked lead to malicious sites. Other than that no, left pc in safe mode scanning with malwarebytes. Will also try the above I guess...
  7. ToastPwnz

    ToastPwnz Well-Known Member

    Don't use ComboFix, it's highly unlikely whatever is causing it is "serious" enough for ComboFix.
    No offense intended to the poster or you, I just hate seeing people screw up their computer because they haven't learned how ComboFix and programs like it work.

    I'm willing to help if you still need it, just let me know.
  8. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    I'm down for any advice. I consider myself an advanced user so am willing to try anything.. scanning with SuperAntiSpyware and Malwarebytes in safe mode yielded zero results still


    edit: combofix sounds promising but would love to hear your suggestions toast
  9. andruoid

    andruoid Well-Known Member

    I'm not offended. :cool: I'm just busy studying for Security+ ...my mindset right now is nuke first and don't give malware a chance ;)
  10. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    Combo seems pretty straightforward. I've cleaned out systems you could barely use with the 2 programs I've been using, hell my system had that fake AV going on a couple weeks ago and I *thought* I got it all out. It's just this one little remnant I can't seem to get rid of
  11. ToastPwnz

    ToastPwnz Well-Known Member

    It's not so much that ComboFix is confusing, it is quite straightforward, it's just that unless you know all the various commands, and there's a lot of them, and what they do, there's always a slight possibility you might mess something up.

    If you can download OTL, run it and put the two logs it spits out (OTL.txt and Extras.txt) on Pastebin I should, though never a 100% guarantee, be able to find what's causing the problem from that. You can PM me the links to the logs if you would rather do that instead of posting them in this thread. I'm guessing off past experience it's a registry edit that the fake AV left behind.


    So many commas in those "passages". :p
  12. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    So i shouldn't try OTL's 'run fix' or 'clean up' tools?

    (scanning with it now)
  13. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    edited

    there they are
  14. ToastPwnz

    ToastPwnz Well-Known Member

    Run OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      [edited]


      I'm thinking Audiogalaxy might be the problem, I can't see anything else in there that points toward the issue you're having. Run that fix and let me know if you still have that problem.
    NightAngel79 likes this.
  15. Xyro

    Xyro 4 8 15 16 23 42 Moderator

    I would have guessed 192.168.X.1 is the router.
    NightAngel79 likes this.
  16. ToastPwnz

    ToastPwnz Well-Known Member

    That would also make sense, I get in a hurry and I tend to overlook at least one thing. :p
    Better safe than sorry though, so far I haven't run into any problems involving unrecognized IPs, but there's always that small chance.
    NightAngel79 likes this.
  17. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    Trying it now... I did have Malwarebytes quarantine something from the Audiogalaxy install folder.... maybe time to chuck that.... will run your fix and see what's up...

    About the IP, I have 4 computers on the network at any given time, plus phone, plus PS3, 360, sometimes a Wii and sometimes a Nook... no idea what is what as far as IPs go but always figured the .1.1 was the router...
  18. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    edited
  19. ToastPwnz

    ToastPwnz Well-Known Member

    Are you still getting the redirect? The script worked properly, so if Audiogalaxy was the problem, it's gone now.
    NightAngel79 likes this.
  20. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    Hmm still getting an abnormal amount of malicious results, the top 6 to 7 results lead to a site WOT gives a red/poor rating. The redirect doesn't seem to be happening though....

    what do you see as the top results for this: https://www.google.com/search?hl=en...81l3297l0l5168l8l8l0l0l0l0l282l1356l0.5.3l8l0

    And I just used the search term "pc error", it really doesn't matter what I google.
    On that link (or just google 'pc error') are the top results pc-error-free; pcaholic; smartpctools? (just the top 3 for me)
  21. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    hmmm, trying other search terms it seems it may have stopped.... before it was redirecting what looked like wikipedia links to weird stuff, doesn't seem to be happening now... Thanks a ton toast!!

    Uninstalling audiogalaxy with revo now! Wonder what the deal with that is
  22. ToastPwnz

    ToastPwnz Well-Known Member

    In response to the post before this one, I see Smart PC Tools, PC Error Free and PC Hell.

    Glad I could help, if it pops up again just let me know.
    You can go ahead and use the Clean Up function in OTL now, assuming you still have it on your PC.
  23. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator

    Is there a need to 'clean up'? Still have it on the computer btw
  24. ToastPwnz

    ToastPwnz Well-Known Member

    You don't have to, but I would recommend it since it will remove the files it moved earlier.
    NightAngel79 likes this.
  25. NightAngel79

    NightAngel79 Bounty Hunter Administrator Moderator
