
Refresh did not fix startgo123 hijack

Posted

Have followed ALL suggestions from the web to remove this hijack with no luck. I then refreshed Firefox (v48.0) and even the default is still hijacked. Newtab always ends up with startgo123.com.

If I restart FF with all add-ons disabled, it's OK, but there are NO extensions or add-ons installed that I don't know about. All were installed by me some time ago.

Please help. I am going crazy trying to solve this.

No malware scans find this, no supposed programs to fix it can find it. Where can it be hiding?



Additional system details

Installed plug-ins

  • Shockwave Flash 22.0 r0
  • 5.1.41212.0

Application

  • User agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0

FredMcD
  • Top 10 Contributor
4223 solutions 58930 answers
Posted

What scanners have you used?

Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.


Question owner

Fred, I've used Malwarebytes, adwCleaner, HitmanPro, CCleaner and Avast.

The weird thing is that when I restart FF in safe mode - everything disabled - it works, but refreshing FF still has the exact same problem.

If I disable each/all extension(s) manually, the problem still exists.

So what can be the difference? I am at a total loss.

Startgo123 never showed as an extension, an installed program in Control Panel and doesn't show in the registry.

No idea where else it can hide and am not a novice computer user.

FredMcD
  • Top 10 Contributor
4223 solutions 58930 answers
Posted
Try this search link; https://www.bing.com/search?q=remove+startgo123.com&qs=n&form=QBRE&pq=remove+startgo123.com&sc=0-21&sp=-1&sk=&cvid=2841851C09AC4DEE9165112113CD9840

Question owner

Thanks Fred. I had already found those articles and have followed pretty much all of them.

The last thing left to try is boot to safe mode, reveal hidden files and hope something turns up.

Scary that none of the so-called startgo123 cleaners appears to find this malware.

FredMcD
  • Top 10 Contributor
4223 solutions 58930 answers
Posted

I am calling for more help.


Question owner

Thank you so much Fred. Much appreciated.

poljos
  • Top 25 Contributor
179 solutions 1598 answers
Posted

Try to check the path to Firefox in the .lnk (shortcut) for anything inserted after .exe. Example: "Program Files\firefox.exe startgo123.com". Also check in about:config: search for startgo123.com and delete all found results.


Question owner

Thx .. those were the first things I tried and didn't find anything amiss.

jscher2000
  • Top 10 Contributor
8634 solutions 70619 answers
Posted

If a bad extension was installed in a shared location, Firefox will find it again after a refresh, just as it finds your plugins. However, you may have been asked to approve the extensions. Does that ring a bell??

We can review your extension list to see whether we can spot the culprit. You can copy/paste the full list from the troubleshooting information page. Either:

  • "3-bar" menu button > "?" button > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter/Return

Then scroll down to Extensions and just below that heading, select and copy the table, then paste that into a reply. It will look a bit messy, but we're used to it.


Question owner

Doesn't ring any bells. All the extensions in use I am aware of and have been using them for years.

I have attached a screen-grab of the extensions table.

Thx

jscher2000
  • Top 10 Contributor
8634 solutions 70619 answers
Posted

Okay, nice picture, but I'm not going to retype all their names to search them. Could you paste the text instead?

Or to simplify it, what extensions show up in a new profile? This would simulate a post-Refresh extensions list without your having to do a Refresh again.

New Profile Test

This takes about 3 minutes, plus the time to note any extensions other than the three from Mozilla (Firefox Hello, Multi-process staged rollout, and Pocket).

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the Create a New Profile button. Assign a name like Aug2016, and skip the option to relocate the profile folder.

After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button.

Firefox should exit and then start up using the new profile folder, which will just look brand new.

Is the new profile infected? If so, do you see any unusual extensions?

When you are done with the experiment, open the about:profiles page again, click Set as default for your regular profile, then click Restart normally to get back to it.

jscher2000
  • Top 10 Contributor
8634 solutions 70619 answers
Posted

Although it is rare, we occasionally see a program folder extension infection. This lives outside of your profile and was previously immune to Safe Mode, but to rule that out as well, you could do this:

Clean Reinstall

We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.

It only takes a few minutes.

(A) Download a fresh installer for Firefox 48.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.) For maximum plugin compatibility, choose the "Windows" version (32-bit) rather than the 64-bit version. -- since you already use the 64-bit version, this limitation may not be important to you (i.e., Flash and Silverlight are all you need)

(B) Exit out of Firefox (if applicable).

(C) Using Windows Explorer/My Computer, rename the program folder as follows:

C:\Program Files (x86)\Mozilla Firefox

to

C:\Program Files (x86)\OldFirefox

(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.

Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:

  • \OldFirefox\Plugins
  • \OldFirefox\browser\plugins

Any improvement?


Modified by jscher2000

Question owner

Sorry .. didn't know what you were going to do with it. Here's the text and I'll get to the new profile thing in the morning. Getting a tad late here.

  • Adblock Plus 2.7.3 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
  • Classic Theme Restorer 1.5.5.3 true ClassicThemeRestorer@ArisT2Noia4dev
  • Download YouTube Videos as MP4 1.8.7 true {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
  • F.B. Purity - Cleans Up Facebook 15.1.0.2 true fbp-signed@fbpurity.com
  • Firefox Hello 1.4.3 true loop@mozilla.org
  • Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
  • FireFTP 2.0.28 true {a7c6cf7f-112c-4500-a7ea-39801a327e5f}
  • Multi-process staged rollout 1.0 true e10srollout@mozilla.org
  • Open Bookmarks in New Tab 2.0.2016021001 true openbookmarkintab@piro.sakura.ne.jp
  • Pocket 1.0.4 true firefox@getpocket.com
  • Tab Auto Reload 1.0.17 true TabAutoReload@schuzak.jp
  • Undo Closed Tabs Button 4.0.0 true undoclosedtabsbutton@supernova00.biz
  • Video DownloadHelper 6.0.0 true {b9db16a4-6edc-47ec-a1f4-b86292ed211d}
  • Avast Online Security 10.3.3.44 false wrc@avast.com
  • Avast SafePrice 10.3.5.39 false sp@avast.com

jscher2000
  • Top 10 Contributor
8634 solutions 70619 answers
Posted

Chosen solution

How did you install this one? I can't find an official distribution point:

Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com

According to one HijackThis log which showed up in a search, it might be globally installed here:

C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com

or possibly if you previously had a 32-bit install and your current install is in the same folder:

C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline.com


Question owner

I have no idea what that is. It doesn't show up in the list when I go to Tools -> Add-ons.

So how does one get rid of something like this ?? I certainly did not knowingly install it.

Wouldn't surprise me if that was it as when I look at page source of startgo123.com, it has lots of Chinese characters.

jscher2000
  • Top 10 Contributor
8634 solutions 70619 answers
Posted

Try looking for it in the features folder as noted toward the end of my post (you may have one or the other, or both).

If it's not readily discoverable there, you can use the technique described in this thread to tease the location out of the extensions.json file: https://support.mozilla.org/questions/1132572

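The extensions.json check suggested above, as an added example that is not part of the original thread or of Firefox itself: this Python script lists every add-on registered from outside the profile folder, which is why it survives a Refresh. The field names (`location`, `descriptor`/`path`, `defaultLocale.name`, `active`) and the location labels are assumptions about the file layout, and the sample data is constructed.

```python
import json

# IDs of the three Mozilla add-ons the thread says a fresh Firefox 48 profile shows.
MOZILLA_BUNDLED = {"loop@mozilla.org", "e10srollout@mozilla.org", "firefox@getpocket.com"}

# Assumption: add-ons installed into the profile itself carry this location label.
PROFILE_LOCATION = "app-profile"


def addons_outside_profile(extensions_json_text):
    """Return add-ons registered outside the profile, unknown and active ones first."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        location = addon.get("location", "")
        if location == PROFILE_LOCATION:
            continue  # removed by a Refresh or absent from a new profile
        addon_id = addon.get("id", "")
        findings.append({
            "id": addon_id,
            "name": (addon.get("defaultLocale") or {}).get("name", ""),
            "version": addon.get("version", ""),
            "active": bool(addon.get("active")),
            "location": location,
            # Assumption: the install folder is stored under "descriptor" or "path".
            "path": addon.get("descriptor") or addon.get("path") or "",
            # Anything not on the Mozilla list needs a manual look.
            "review": addon_id not in MOZILLA_BUNDLED,
        })
    findings.sort(key=lambda f: (not f["review"], not f["active"], f["id"]))
    return findings


# Constructed sample, modelled on the extension list posted in this thread.
SAMPLE = json.dumps({"addons": [
    {"id": "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "version": "2.7.3",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Adblock Plus"}},
    {"id": "loop@mozilla.org", "version": "1.4.3",
     "location": "app-system-defaults", "active": True,
     "defaultLocale": {"name": "Firefox Hello"}},
    {"id": "googletestNT@mozillaonline.com", "version": "0.10.43",
     "location": "app-system-defaults", "active": True,
     "descriptor": r"C:\Program Files\Mozilla Firefox\browser\features"
                   r"\googletestNT@mozillaonline.com",
     "defaultLocale": {"name": "Firefox Homepage"}},
    {"id": "wrc@avast.com", "version": "10.3.3.44",
     "location": "winreg-app-global", "active": False,
     "defaultLocale": {"name": "Avast Online Security"}},
]})

if __name__ == "__main__":
    for f in addons_outside_profile(SAMPLE):
        flag = "REVIEW" if f["review"] else "ok"
        print(f"{flag:6} {f['id']:35} {f['location']:20} {f['path']}")
```

To use it on a real profile, pass the contents of the profile's extensions.json instead of `SAMPLE`; entries flagged REVIEW are only candidates, since security products also register add-ons from outside the profile.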

Question owner

I think that's it! Yay! There is a .xul file in that folder that has this code snippet:

ns.browserOpenTab = function(event) {
  openUILinkIn("http://www.startgo123.com/nav/index?src=u", 'tab');
};
ns.onLoad = function() {
  gBrowser.removeEventListener('NewTab', window.BrowserOpenTab, false);
  window.originalBrowserOpenTab = window.BrowserOpenTab;
  window.BrowserOpenTab = MOA.NTab.browserOpenTab;
  gBrowser.addEventListener('NewTab', window.BrowserOpenTab, false);
  newTabPref.init();
};

Now the question - how do I remove this? Can I just delete that folder from //features?


Helpful reply

OK .. I think it's solved.

I just renamed that folder (googletestNT@mozillaonline.com) and newtab appears to be back to normal. No sign of startgo123 redirect.

Thanks to everyone's suggestions. This was a PITA to resolve.

:-)
FredMcD
  • Top 10 Contributor
4223 solutions 58930 answers
Posted

That was very good work. Well done. Please flag your last post as Solved Problem so others will know.
