
Support Forum

Refresh did not fix startgo123 hijack

Have followed ALL suggestions from the web to remove this hijack with no luck. I then refreshed Firefox (v48.0) and even the default is still hijacked. Newtab always ends up with startgo123.com.

If I restart FF with all add-ons disabled, it's OK, but there are NO extensions or add-ons installed that I don't know about. All were installed by me some time ago.

Please help. I am going crazy trying to solve this.

No malware scans find this, no supposed programs to fix it can find it. Where can it be hiding?

Additional System Details

Installed Plug-ins

  • Shockwave Flash 22.0 r0
  • 5.1.41212.0

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0

FredMcD
  • Top 10 Contributor
3735 solutions 51349 answers

What scanners have you used?

Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

Question owner

Fred, I've used Malwarebytes, adwCleaner, HitmanPro, CCleaner and Avast.

The weird thing is that when I restart FF in safe mode - everything disabled - it works, but refreshing FF still has the exact same problem.

If I disable each/all extension(s) manually, the problem still exists.

So what can be the difference? I am at a total loss.

Startgo123 never showed as an extension, an installed program in Control Panel and doesn't show in the registry.

No idea where else it can hide and am not a novice computer user.

FredMcD

Try this search link; https://www.bing.com/search?q=remove+startgo123.com&qs=n&form=QBRE&pq=remove+startgo123.com&sc=0-21&sp=-1&sk=&cvid=2841851C09AC4DEE9165112113CD9840

Question owner

Thanks Fred. I had already found those articles and have followed pretty much all of them.

The last thing left to try is boot to safe mode, reveal hidden files and hope something turns up.

Scary that none of the so-called startgo123 cleaners appears to find this malware.

FredMcD

I am calling for more help.

Question owner

Thank you so much Fred. Much appreciated.

poljos 143 solutions 1189 answers

Try to check the path to Firefox in the .lnk (shortcut) to see if anything is inserted after .exe. Example: "Program Files\firefox.exe startgo123.com". Also check in about:config: search for startgo123.com and delete all found results.

Question owner

Thx .. those were the first things I tried and didn't find anything amiss.

jscher2000
  • Top 10 Contributor
7781 solutions 63380 answers

If a bad extension was installed in a shared location, Firefox will find it again after a refresh, just as it finds your plugins. However, you may have been asked to approve the extensions. Does that ring a bell??

We can review your extension list to see whether we can spot the culprit. You can copy/paste the full list from the troubleshooting information page. Either:

  • "3-bar" menu button > "?" button > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter/Return

Then scroll down to Extensions and just below that heading, select and copy the table, then paste that into a reply. It will look a bit messy, but we're used to it.

Question owner

Doesn't ring any bells. All the extensions in use I am aware of and have been using them for years.

I have attached a screen-grab of the extensions table.

Thx

jscher2000

Okay, nice picture, but I'm not going to retype all their names to search them. Could you paste the text instead?

Or to simplify it, what extensions show up in a new profile? This would simulate a post-Refresh extensions list without your having to do a Refresh again.

New Profile Test

This takes about 3 minutes, plus the time to note any extensions other than the three from Mozilla (Firefox Hello, Multi-process staged rollout, and Pocket).

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the Create a New Profile button. Assign a name like Aug2016, and skip the option to relocate the profile folder.

After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button.

Firefox should exit and then start up using the new profile folder, which will just look brand new.

Is the new profile infected? If so, do you see any unusual extensions?

When you are done with the experiment, open the about:profiles page again, click Set as default for your regular profile, then click Restart normally to get back to it.

jscher2000

Although it is rare, we occasionally see a program folder extension infection. This lives outside of your profile and was previously immune to Safe Mode, but to rule that out as well, you could do this:

Clean Reinstall

We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.

It only takes a few minutes.

(A) Download a fresh installer for Firefox 48.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.) For maximum plugin compatibility, choose the "Windows" version (32-bit) rather than the 64-bit version. -- since you already use the 64-bit version, this limitation may not be important to you (i.e., Flash and Silverlight are all you need)

(B) Exit out of Firefox (if applicable).

(C) Using Windows Explorer/My Computer, rename the program folder as follows:

C:\Program Files (x86)\Mozilla Firefox

to

C:\Program Files (x86)\OldFirefox

(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.

Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:

  • \OldFirefox\Plugins
  • \OldFirefox\browser\plugins

Any improvement?

Modified by jscher2000

Question owner

Sorry .. didn't know what you were going to do with it. Here's the text and I'll get to the new profile thing in the morning. Getting a tad late here.

Adblock Plus 2.7.3 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Classic Theme Restorer 1.5.5.3 true ClassicThemeRestorer@ArisT2Noia4dev
Download YouTube Videos as MP4 1.8.7 true {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
F.B. Purity - Cleans Up Facebook 15.1.0.2 true fbp-signed@fbpurity.com
Firefox Hello 1.4.3 true loop@mozilla.org
Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
FireFTP 2.0.28 true {a7c6cf7f-112c-4500-a7ea-39801a327e5f}
Multi-process staged rollout 1.0 true e10srollout@mozilla.org
Open Bookmarks in New Tab 2.0.2016021001 true openbookmarkintab@piro.sakura.ne.jp
Pocket 1.0.4 true firefox@getpocket.com
Tab Auto Reload 1.0.17 true TabAutoReload@schuzak.jp
Undo Closed Tabs Button 4.0.0 true undoclosedtabsbutton@supernova00.biz
Video DownloadHelper 6.0.0 true {b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Avast Online Security 10.3.3.44 false wrc@avast.com
Avast SafePrice 10.3.5.39 false sp@avast.com

jscher2000

Chosen Solution

How did you install this one? I can't find an official distribution point:

Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com

According to one HijackThis log which showed up in a search, it might be globally installed here:

C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com

or possibly if you previously had a 32-bit install and your current install is in the same folder:

C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com

Question owner

I have no idea what that is. It doesn't show up in the list when I go to Tools -> Add-ons.

So how does one get rid of something like this ?? I certainly did not knowingly install it.

Wouldn't surprise me if that was it as when I look at page source of startgo123.com, it has lots of Chinese characters.

jscher2000

Try looking for it in the features folder as noted toward the end of my post (you may have one or the other, or both).

If it's not readily discoverable there, you can use the technique described in this thread to tease the location out of the extensions.json file: https://support.mozilla.org/questions/1132572
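
The check described in this reply, as an added example (not part of the original thread and not Mozilla's code): a Python script that reads the text of a profile's extensions.json and lists extensions installed outside the profile, skipping the three Mozilla add-ons named earlier in the thread. The field names (`addons`, `type`, `location`, `descriptor`/`path`, `defaultLocale.name`) and the location labels are assumptions about the Firefox 48-era file layout, and the sample data is constructed.

```python
import json

# The three add-ons the thread says Mozilla ships with Firefox 48.
MOZILLA_BUNDLED = {"loop@mozilla.org", "e10srollout@mozilla.org",
                   "firefox@getpocket.com"}

# Assumed label for add-ons stored in the profile; any other install
# location is shared, so a Refresh or a new profile will find it again.
PROFILE_LOCATION = "app-profile"

# Constructed sample (not the poster's file); field names are assumptions.
SAMPLE = json.dumps({"addons": [
    {"id": "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "type": "extension",
     "version": "2.7.3", "active": True, "location": "app-profile",
     "defaultLocale": {"name": "Adblock Plus"},
     "descriptor": r"C:\Users\example\profile\extensions\abp.xpi"},
    {"id": "loop@mozilla.org", "type": "extension", "version": "1.4.3",
     "active": True, "location": "app-system-defaults",
     "defaultLocale": {"name": "Firefox Hello"},
     "descriptor": r"C:\Program Files\Mozilla Firefox\browser\features\loop@mozilla.org.xpi"},
    {"id": "{972ce4c6-7e08-4474-a285-3208198ce6fd}", "type": "theme",
     "version": "48.0", "active": True, "location": "app-global",
     "defaultLocale": {"name": "Default"}},
    {"id": "googletestNT@mozillaonline.com", "type": "extension",
     "version": "0.10.43", "active": True, "location": "app-system-defaults",
     "defaultLocale": {"name": "Firefox Homepage"},
     "descriptor": r"C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com"},
]})


def shared_location_extensions(extensions_json_text):
    """Return extensions installed outside the profile that are not
    in the bundled-by-Mozilla list, with the path they load from."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, plugins and dictionaries are out of scope
        if addon.get("location") == PROFILE_LOCATION:
            continue  # lives in the profile, so a new profile would not have it
        if addon.get("id") in MOZILLA_BUNDLED:
            continue
        findings.append({
            "id": addon.get("id"),
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "version": addon.get("version"),
            "active": addon.get("active"),
            "location": addon.get("location"),
            # Assumed: "descriptor" in older files, "path" in newer ones.
            "path": addon.get("descriptor") or addon.get("path"),
        })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE with the text of extensions.json from the profile folder.
    for hit in shared_location_extensions(SAMPLE):
        print("{id}  {name} {version}  active={active}  "
              "[{location}]  {path}".format(**hit))
```

The profile folder that holds extensions.json can be opened from the about:support page mentioned earlier in the thread.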

Question owner

I think that's it! Yay! There is a .xul file in that folder that has this code snippet:

ns.browserOpenTab = function(event) {
  openUILinkIn("http://www.startgo123.com/nav/index?src=u", 'tab');
};
ns.onLoad = function() {
  gBrowser.removeEventListener('NewTab', window.BrowserOpenTab, false);
  window.originalBrowserOpenTab = window.BrowserOpenTab;
  window.BrowserOpenTab = MOA.NTab.browserOpenTab;
  gBrowser.addEventListener('NewTab', window.BrowserOpenTab, false);
  newTabPref.init();
};

Now the question - how do I remove this? Can I just delete that folder from //features?

Helpful Reply

OK .. I think it's solved.

I just renamed that folder (googletestNT@mozillaonline.com) and newtab appears to be back to normal. No sign of startgo123 redirect.

Thanks to everyone's suggestions. This was a PITA to resolve.

:-)

FredMcD

That was very good work. Well done. Please flag your last post as Solved Problem so others will know.
