Refresh did not fix startgo123 hijack
Have followed ALL suggestions from the web to remove this hijack with no luck. I then refreshed Firefox (v48.0) and even the default is still hijacked. Newtab always ends up with startgo123.com.
If I restart FF with all add-ons disabled, it's OK, but there are NO extensions or add-ons installed that I don't know about. All were installed by me some time ago.
Please help. I am going crazy trying to solve this.
No malware scans find this, no supposed programs to fix it can find it. Where can it be hiding?
Solution choisie
How did you install this one? I can't find an official distribution point:
Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
According to one HijackThis log which showed up in a search, it might be globally installed here:
C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
or possibly if you previously had a 32-bit install and your current install is in the same folder:
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
Lire cette réponse dans son contexte 👍 3Toutes les réponses (19)
What scanners have you used?
Further information can be found in the Troubleshoot Firefox issues caused by malware article.
Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.
Fred, I've used Malwarebytes, adwCleaner, HitmanPro, CCleaner and Avast.
The weird thing is that when I restart FF in safe mode - everything disabled - it works, but refreshing FF still has the exact same problem.
If I disable each/all extension(s) manually, the problem still exists.
So what can be the difference? I am at a total loss.
Startgo123 never showed as an extension, an installed program in Control Panel and doesn't show in the registry.
No idea where else it can hide and am not a novice computer user.
Thanks Fred. I had already found those articles and have followed pretty much all of them.
The last thing left to try is boot to safe mode, reveal hidden files and hope something turns up.
Scary that none of the so-called startgo123 cleaners appears to find this malware.
I am calling for more help.
Thank you so much Fred. Much appreciated.
Try to check the path to Firefox in the .lnk (shortcut), if anything inserted after .exe Example: "Program Files\firefox.exe startgo123.com". Also check in about:config - search startgo123.com and delete all found results.
Thx .. those were the first things I tried and didn't find anything amiss.
If a bad extension was installed in a shared location, Firefox will find it again after a refresh, just as it finds your plugins. However, you may have been asked to approve the extensions. Does that ring a bell??
We can review your extension list to see whether we can spot the culprit. You can copy/paste the full list from the troubleshooting information page. Either:
- "3-bar" menu button > "?" button > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter/Return
Then scroll down to Extensions and just below that heading, select and copy the table, then paste that into a reply. It will look a bit messy, but we're used to it.
Doesn't ring any bells. All the extensions in use I am aware of and have been using them for years.
I have attached a screen-grab of the exetensions table.
Thx
Okay, nice picture, but I'm not going to retype all their names to search them. Could you paste the text instead?
Or to simplify it, what extensions show up in a new profile? This would simulate a post-Refresh extensions list without your having to do a Refresh again.
New Profile Test
This takes about 3 minutes, plus the time to note any extensions other than the three from Mozilla (Firefox Hello, Multi-process staged rollout, and Pocket).
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
Click the Create a New Profile button. Assign a name like Aug2016, and skip the option to relocate the profile folder.
After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button.
Firefox should exit and then start up using the new profile folder, which will just look brand new.
Is the new profile infected? If so, do you see any unusual extensions?
When you are done with the experiment, open the about:profiles page again, click Set as default for your regular profile, then click Restart normally to get back to it.
Although it is rare, we occasionally see a program folder extension infection. This lives outside of your profile and was previously immune to Safe Mode, but to rule that out as well, you could do this:
Clean Reinstall
We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
It only takes a few minutes.
(A) Download a fresh installer for Firefox 48.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.) For maximum plugin compatibility, choose the "Windows" version (32-bit) rather than the 64-bit version. -- since you already use the 64-bit version, this limitation may not be important to you (i.e., Flash and Silverlight are all you need)
(B) Exit out of Firefox (if applicable).
(C) Using Windows Explorer/My Computer, rename the program folder as follows:
C:\Program Files (x86)\Mozilla Firefox
to
C:\Program Files (x86)\OldFirefox
(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.
Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
- \OldFirefox\Plugins
- \OldFirefox\browser\plugins
Any improvement?
Modifié le
Sorry .. didn't know what you were going to do with it. Here's the text and I'll get to the new profile thing in the morning. Getting a tad late here.
Adblock Plus 2.7.3 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} Classic Theme Restorer 1.5.5.3 true ClassicThemeRestorer@ArisT2Noia4dev Download YouTube Videos as MP4 1.8.7 true {b9bfaf1c-a63f-47cd-8b9a-29526ced9060} F.B. Purity - Cleans Up Facebook 15.1.0.2 true fbp-signed@fbpurity.com Firefox Hello 1.4.3 true loop@mozilla.org Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com FireFTP 2.0.28 true {a7c6cf7f-112c-4500-a7ea-39801a327e5f} Multi-process staged rollout 1.0 true e10srollout@mozilla.org Open Bookmarks in New Tab 2.0.2016021001 true openbookmarkintab@piro.sakura.ne.jp Pocket 1.0.4 true firefox@getpocket.com Tab Auto Reload 1.0.17 true TabAutoReload@schuzak.jp Undo Closed Tabs Button 4.0.0 true undoclosedtabsbutton@supernova00.biz Video DownloadHelper 6.0.0 true {b9db16a4-6edc-47ec-a1f4-b86292ed211d} Avast Online Security 10.3.3.44 false wrc@avast.com Avast SafePrice 10.3.5.39 false sp@avast.com
Solution choisie
How did you install this one? I can't find an official distribution point:
Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
According to one HijackThis log which showed up in a search, it might be globally installed here:
C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
or possibly if you previously had a 32-bit install and your current install is in the same folder:
C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com
I have no idea what that is. It doesn't show up in the list when I go to Tools -> Add-ons.
So how does one get rid of something like this ?? I certainly did not knowingly install it.
Wouldn't surprise me if that was it as when I look at page source of startgo123.com, it has lots of Chinese characters.
Try looking for it in the features folder as noted toward the end of my post (you may have one or the other, or both).
If it's not readily discoverable there, you can use the technique described in this thread to tease the location out of the extensions.json file: https://support.mozilla.org/questions/1132572
I think that's it! Yay! There is a .xul file in that folder that has this code snippet:
ns.browserOpenTab = function(event) { openUILinkIn("http://www.startgo123.com/nav/index?src=u", 'tab'); }; ns.onLoad = function() { gBrowser.removeEventListener('NewTab', window.BrowserOpenTab, false); window.originalBrowserOpenTab = window.BrowserOpenTab; window.BrowserOpenTab = MOA.NTab.browserOpenTab; gBrowser.addEventListener('NewTab', window.BrowserOpenTab, false); newTabPref.init(); };
Now the question - how do I remove this? Can I just delete that folder from //features?
OK .. I think it's solved.
I just renamed that folder (googletestNT@mozillaonline.com) and newtab appears to be back to normal. No sign of startgo123 redirect.
Thanks to everyone's suggestions. This was a PITA to resolve.
- -)
That was very good work. Well done. Please flag your last post as Solved Problem so others will know.