Izimpendulo zakamuva ze-Refresh did not fix startgo123 hijackhttps://support.mozilla.org/zu/questions/11347692016-08-15T01:05:03-07:00That was very good work. Well done.
Please flag your last post as Solved Problem so others will know2016-08-15T01:05:03-07:00fredmcd-hotmailhttps://support.mozilla.org/zu/questions/1134769#answer-906982<p>That was very good work. Well done.
Please flag your last post as <strong>Solved Problem</strong> so others will know.
</p>OK .. I think it's solved.
I just renamed that folder (googletestNT@mozillaonline.com) and newtab ap2016-08-15T01:02:49-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906980<p>OK .. I think it's solved.
</p><p>I just renamed that folder (googletestNT@mozillaonline.com) and newtab appears to be back to normal. No sign of startgo123 redirect.
</p><p>Thanks to everyone's suggestions. This was a PITA to resolve.
</p>
<dl><dd>-)
</dd></dl>I think that's it! Yay!
There is a .xul file in that folder that has this code snippet:
ns.browserO2016-08-15T00:19:00-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906958<p>I think that's it! Yay!
There is a .xul file in that folder that has this code snippet:
</p><pre>ns.browserOpenTab = function(event) {
openUILinkIn("<a href="http://www.startgo123.com/nav/index?src=u" rel="nofollow">http://www.startgo123.com/nav/index?src=u</a>", 'tab');
};
ns.onLoad = function() {
gBrowser.removeEventListener('NewTab', window.BrowserOpenTab, false);
window.originalBrowserOpenTab = window.BrowserOpenTab;
window.BrowserOpenTab = MOA.NTab.browserOpenTab;
gBrowser.addEventListener('NewTab', window.BrowserOpenTab, false);
newTabPref.init();
};
</pre>
<p>Now the question - how do I remove this? Can I just delete that folder from //features?
</p>Try looking for it in the features folder as noted toward the end of my post (you may have one or th2016-08-14T15:21:34-07:00jscher2000https://support.mozilla.org/zu/questions/1134769#answer-906871<p>Try looking for it in the features folder as noted toward the end of my post (you may have one or the other, or both).
</p><p>If it's not readily discoverable there, you can use the technique described in this thread to tease the location out of the extensions.json file: <a href="https://support.mozilla.org/questions/1132572" rel="nofollow">https://support.mozilla.org/questions/1132572</a>
</p>I have no idea what that is. It doesn't show up in the list when I go to Tools -> Add-ons.
So how2016-08-14T13:47:08-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906851<p>I have no idea what that is. It doesn't show up in the list when I go to Tools -&gt; Add-ons.
</p><p>So how does one get rid of something like this&nbsp;?? I certainly did not knowingly install it.
</p><p>Wouldn't surprise me if that was it as when I look at page source of <a href="http://startgo123.com" rel="nofollow">startgo123.com</a>, it has lots of Chinese characters.
</p>How did you install this one? I can't find an official distribution point:
Firefox Homepage 0.10.42016-08-14T13:07:56-07:00jscher2000https://support.mozilla.org/zu/questions/1134769#answer-906837<p>How did you install this one? I can't find an official distribution point:
</p>
<blockquote>
Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
</blockquote>
<p>According to one HijackThis log which showed up in a search, it might be globally installed here:
</p><p>C:\Program Files\Mozilla Firefox\browser\features\googletestNT@mozillaonline<em>.</em>com
</p><p>or possibly if you previously had a 32-bit install and your current install is in the same folder:
</p><p>C:\Program Files (x86)\Mozilla Firefox\browser\features\googletestNT@mozillaonline<em>.</em>com
</p>Sorry .. didn't know what you were going to do with it. Here's the text and I'll get to the new pro2016-08-14T12:35:57-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906830<p>Sorry .. didn't know what you were going to do with it. Here's the text and I'll get to the new profile thing in the morning. Getting a tad late here.
</p><p>Adblock Plus 2.7.3 true {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Classic Theme Restorer 1.5.5.3 true ClassicThemeRestorer@ArisT2Noia4dev
Download YouTube Videos as MP4 1.8.7 true {b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
F.B. Purity - Cleans Up Facebook 15.1.0.2 true fbp-signed@fbpurity.com
Firefox Hello 1.4.3 true loop@mozilla.org
Firefox Homepage 0.10.43 true googletestNT@mozillaonline.com
FireFTP 2.0.28 true {a7c6cf7f-112c-4500-a7ea-39801a327e5f}
Multi-process staged rollout 1.0 true e10srollout@mozilla.org
Open Bookmarks in New Tab 2.0.2016021001 true openbookmarkintab@piro.sakura.ne.jp
Pocket 1.0.4 true firefox@getpocket.com
Tab Auto Reload 1.0.17 true TabAutoReload@schuzak.jp
Undo Closed Tabs Button 4.0.0 true undoclosedtabsbutton@supernova00.biz
Video DownloadHelper 6.0.0 true {b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Avast Online Security 10.3.3.44 false wrc@avast.com
Avast SafePrice 10.3.5.39 false sp@avast.com
</p>Although it is rare, we occasionally see a program folder extension infection. This lives outside of2016-08-14T12:33:40-07:00jscher2000https://support.mozilla.org/zu/questions/1134769#answer-906829<p>Although it is rare, we occasionally see a program folder <s>extension</s> <u>infection</u>. This lives outside of your profile and was previously immune to Safe Mode, but to rule that out as well, you could do this:
</p><p><strong>Clean Reinstall</strong>
</p><p>We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
</p><p>It only takes a few minutes.
</p><p>(A) Download a fresh installer for Firefox 48.0 from <a href="https://www.mozilla.org/firefox/all/" rel="nofollow">https://www.mozilla.org/firefox/all/</a> to a convenient location. (Scroll down to your preferred language.) <strong>For maximum plugin compatibility, choose the "Windows" version (32-bit) rather than the 64-bit version.</strong> -- since you already use the 64-bit version, this limitation may not be important to you (i.e., Flash and Silverlight are all you need)
</p><p>(B) Exit out of Firefox (if applicable).
</p><p>(C) Using Windows Explorer/My Computer, rename the program folder as follows:
</p><pre>C:\Program Files (x86)\Mozilla Firefox
</pre>
<p>to
</p><pre>C:\Program Files (x86)\OldFirefox
</pre>
<p>(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.
</p><p>Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
</p>
<ul><li> \OldFirefox\Plugins
</li><li> \OldFirefox\browser\plugins
</li></ul>
<p>Any improvement?
</p>Okay, nice picture, but I'm not going to retype all their names to search them. Could you paste the 2016-08-14T12:29:52-07:00jscher2000https://support.mozilla.org/zu/questions/1134769#answer-906828<p>Okay, nice picture, but I'm not going to retype all their names to search them. Could you paste the text instead?
</p><p>Or to simplify it, what extensions show up in a new profile? This would simulate a post-Refresh extensions list without your having to do a Refresh again.
</p><p><strong>New Profile Test</strong>
</p><p>This takes about 3 minutes, plus the time to note any extensions other than the three from Mozilla (Firefox Hello, Multi-process staged rollout, and Pocket).
</p><p>Inside Firefox, type or paste <strong>about:profiles</strong> in the address bar and press Enter/Return to load it.
</p><p>Click the Create a New Profile button. Assign a name like Aug2016, and skip the option to relocate the profile folder.
</p><p>After creating the profile, scroll down to it and click the <strong>Set as default profile</strong> button below that profile, then scroll back up and click the <strong>Restart normally</strong> button.
</p><p>Firefox should exit and then start up using the new profile folder, which will just look brand new.
</p><p>Is the new profile infected? If so, do you see any unusual extensions?
</p><p>When you are done with the experiment, open the about:profiles page again, click Set as default for your regular profile, then click Restart normally to get back to it.
</p>Doesn't ring any bells. All the extensions in use I am aware of and have been using them for years.
2016-08-14T11:11:39-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906812<p>Doesn't ring any bells. All the extensions in use I am aware of and have been using them for years.
</p><p>I have attached a screen-grab of the exetensions table.
</p><p>Thx
</p>If a bad extension was installed in a shared location, Firefox will find it again after a refresh, j2016-08-14T10:32:32-07:00jscher2000https://support.mozilla.org/zu/questions/1134769#answer-906804<p>If a bad extension was installed in a shared location, Firefox will find it again after a refresh, just as it finds your plugins. However, you may have been asked to approve the extensions. Does that ring a bell??
</p><p>We can review your extension list to see whether we can spot the culprit. You can copy/paste the full list from the troubleshooting information page. Either:
</p>
<ul><li> "3-bar" menu button &gt; "?" button &gt; Troubleshooting Information
</li><li> (menu bar) Help &gt; Troubleshooting Information
</li><li> type or paste about:support in the address bar and press Enter/Return
</li></ul>
<p>Then scroll down to Extensions and just below that heading, select and copy the table, then paste that into a reply. It will look a bit messy, but we're used to it.
</p>Thx .. those were the first things I tried and didn't find anything amiss.
2016-08-14T10:31:57-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906803<p>Thx .. those were the first things I tried and didn't find anything amiss.
</p>Try to check the path to Firefox in the .lnk (shortcut), if anything inserted after .exe Example: "P2016-08-14T09:42:27-07:00poljos-mozhttps://support.mozilla.org/zu/questions/1134769#answer-906783<p>Try to check the path to Firefox in the .lnk (shortcut), if anything inserted after .exe Example: "Program Files\firefox.exe <a href="http://startgo123.com" rel="nofollow">startgo123.com</a>". Also check in about:config - search <a href="http://startgo123.com" rel="nofollow">startgo123.com</a> and delete all found results.
</p>Thank you so much Fred. Much appreciated.
2016-08-14T07:31:00-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906755<p>Thank you so much Fred. Much appreciated.
</p>I am calling for more help.
2016-08-14T07:16:33-07:00fredmcd-hotmailhttps://support.mozilla.org/zu/questions/1134769#answer-906754<p>I am calling for more help.
</p>Thanks Fred. I had already found those articles and have followed pretty much all of them.
The last2016-08-14T02:35:54-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906709<p>Thanks Fred. I had already found those articles and have followed pretty much all of them.
</p><p>The last thing left to try is boot to safe mode, reveal hidden files and hope something turns up.
</p><p>Scary that none of the so-called startgo123 cleaners appears to find this malware.
</p>Try this search link;
https://www.bing.com/search?q=remove+startgo123.com&qs=n&form=QBRE&2016-08-13T11:53:10-07:00fredmcd-hotmailhttps://support.mozilla.org/zu/questions/1134769#answer-906553<p>Try this search link;
<a href="https://www.bing.com/search?q=remove+startgo123.com&amp;qs=n&amp;form=QBRE&amp;pq=remove+startgo123.com&amp;sc=0-21&amp;sp=-1&amp;sk=&amp;cvid=2841851C09AC4DEE9165112113CD9840" rel="nofollow">https://www.bing.com/search?q=remove+startgo123.com&amp;qs=n&amp;form=QBRE&amp;pq=remove+startgo123.com&amp;sc=0-21&amp;sp=-1&amp;sk=&amp;cvid=2841851C09AC4DEE9165112113CD9840</a>
</p>Fred,
I've used Malwarebytes, adwCleaner, HitmanPro, CCleaner and Avast.
The weird thing is that whe2016-08-13T10:47:46-07:00tomtphttps://support.mozilla.org/zu/questions/1134769#answer-906532<p>Fred,
I've used Malwarebytes, adwCleaner, HitmanPro, CCleaner and Avast.
</p><p>The weird thing is that when I restart FF in safe mode - everything disabled - it works, but refreshing FF still has the exact same problem.
</p><p>If I disable each/all extension(s) manually, the problem still exists.
</p><p>So what can be the difference? I am at a total loss.
</p><p>Startgo123 never showed as an extension, an installed program in Control Panel and doesn't show in the registry.
</p><p>No idea where else it can hide and am not a novice computer user.
</p>What scanners have you used?
Further information can be found in the Troubleshoot Firefox issues cau2016-08-13T10:38:41-07:00fredmcd-hotmailhttps://support.mozilla.org/zu/questions/1134769#answer-906530<p>What scanners have you used?
</p><p>Further information can be found in the <a href="/en-US/kb/troubleshoot-firefox-issues-caused-malware" rel="nofollow">Troubleshoot Firefox issues caused by malware</a> article.
</p><p>Run most or all of the listed malware scanners. Each works differently. If one
program misses something, another may pick it up.
</p>