Firefox hijacker
I seem to have picked up a browser hijacker that is only working on Firefox.
Not all the time, but occasionally, when opening a new Firefox window, it will get hijacked to a http://hzozwz2zpzlzazyz.zat/xxxx/ site. I've run Spybot, Adaware, Trendmicro, Rootkit Revealer, and Hijack This, and I can't find anything causing this.
Googling doesn't turn up anything either.
Any suggestions on what it is, or how to get rid of it?
Edit: 'z's added to URL for additional safety.
RJARRRPCGP
06-18-07, 08:49 PM
Please remove the link! If someone accidentally clicks on it, they won't be happy!
eaglescouter
06-18-07, 10:00 PM
I'm not finding anything on google.
Try running ccleaner?
And your hijack log had no browser helpers or redirects?
Please remove the link! If someone accidentally clicks on it, they won't be happy!
Um, the /xxxx/ isn't a real link. It was things like /rummy/ and /lottery/. I'll make it more scrambled though.
I'm not finding anything on google.
Try running ccleaner?
And your hijack log had no browser helpers or redirects?
This is the BHO section of my log:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
p3rnicious
06-19-07, 04:32 AM
I've been doing some searching, and a lot of stuff that points to that site was added about a day ago. Looks like what you got may be something brand new. How long ago did all this start?
In fact, it looks like the URL (the one it's redirecting you to) just got purchased on the 8th of this month. So it couldn't have started before that. You may just have to wait until they update the defs to detect it, unless you want to go rooting around for it.
I've been doing some searching, and a lot of stuff that points to that site was added about a day ago. Looks like what you got may be something brand new. How long ago did all this start?
In fact, it looks like the URL (the one it's redirecting you to) just got purchased on the 8th of this month. So it couldn't have started before that. You may just have to wait until they update the defs to detect it, unless you want to go rooting around for it.
Yeah, I was pretty sure it was new. It has been happening for about a week or so. It looks like they host their video on youtube and then it gets shut down in a day or so, and they then set up a new one with a different subject. I've gotten how to play rummy, how to search for torrents on google, and how to play the lottery. I was a little disappointed that I got caught this early on in a malware cycle. :bang head :mad: , but I guess that is the way the cookie crumbles. I don't use Firefox to do a whole lot of browsing, mainly NexusWar and Trendmicro. I'm not sure where I picked it up.
I've got a recent backup, so I can just format the drive and restore the image, but I'm not sure I won't just get it again, if it is hidden on a site I occasionally frequent.
Burnout01
06-19-07, 07:05 AM
I would try uninstalling Firefox including all profiles related to it.
I would try uninstalling Firefox including all profiles related to it.
I did try that, and it went away for about half a month. Now it is back again. I don't know if it is due to it never being gone, or a reinfection. I'll see if the tools (Spybot, Trendmicro, etc.) have anything on it now.
tucker_k
07-06-07, 07:20 PM
Are you running the tools in safe mode?
Have you tried Spyware Doctor?
Have you run Hijack This?
tucker_k
07-06-07, 07:21 PM
Forgot to add, make sure no other programs are starting up with Windows other than the essentials. You have to limit the ways the hijacker can load.
If it loads in the user shell (explorer.exe) he'll have to have that closed as well. Perhaps the "smitfraud" package can fix this?
LA.
don256us
07-17-07, 06:49 PM
I've had similar issues with IE. AVG, Spybot and Adaware did not completely help. What did help was:
http://housecall.trendmicro.com/
Another tip that I learned from dealing with several of these very recently is:
Update all anti spyware and AV products that you own.
Disconnect the PC from the internet.
Run each program.
Run each program again if it found any bad files.
Repeat above if more found.
Reboot the machine.
Run the programs again.
If you find more bad programs, turn off system restore.
Repeat all above after you turn off system restore.
Just remember the simple UDRRRRRIR (lol).
I did not have this in Firefox just IE but I'd bet that this all applies.
HijackThis log, maybe?
Or run Process Explorer and find out if Firefox is referencing suspect .dlls (use the lower pane)
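A scripted version of the Process Explorer check suggested above (an added example, not part of the original posts): it lists every module loaded into running Firefox processes and shows the ones that sit outside the Firefox install folder and the Windows directory, or that lack a valid Authenticode signature. It assumes the process is named `firefox` and that the shell has rights to read its module list.

```powershell
# Added example: enumerate DLLs loaded into Firefox and surface the unusual ones.
$procs = Get-Process -Name firefox -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning 'Firefox is not running.'; return }

$winDir = "$env:SystemRoot\"

$results = foreach ($p in $procs) {
    # Reading Path/Modules can fail for processes owned by another user.
    try {
        $appDir  = (Split-Path -Parent $p.Path) + '\'
        $modules = $p.Modules
    } catch {
        Write-Warning "Cannot inspect PID $($p.Id): $_"
        continue
    }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        # Classify the module by where it was loaded from.
        $location =
            if     ($path.StartsWith($appDir, [StringComparison]::OrdinalIgnoreCase)) { 'Firefox' }
            elseif ($path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) { 'Windows' }
            else   { 'Other' }

        $sig = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            PID       = $p.Id
            Location  = $location
            Signature = [string]$sig.Status
            Path      = $path
        }
    }
}

# Anything loaded from an unexpected folder, or not validly signed, deserves a closer look.
$results |
    Where-Object { $_.Location -eq 'Other' -or $_.Signature -ne 'Valid' } |
    Sort-Object -Property Path -Unique |
    Format-Table -AutoSize
```

A module showing up here is a lead to investigate, not proof of infection: legitimate plugins and security products also load from other folders, and some legitimate DLLs are unsigned.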
I've had similar issues with IE. AVG, Spybot and Adaware did not completely help. What did help was:
http://housecall.trendmicro.com/
Actually, I did use that. Nothing came up..
However, since I've upgraded to 2.0 it hasn't happened again.
HijackThis log, maybe?
Or run Process Explorer and find out if Firefox is referencing suspect .dlls (use the lower pane)
Sorry, I didn't save it. If it happens again, I will post it.
I haven't seen it since upgrading to 2.0, so knock on wood.
Also, I'm going to be switching over to a clean install of Vista once I get my new Q6600.