4.8 and windows firewall.

[avastment]

you got back to me too soon. 

I found a skin I like.

Lite -on.

I sent below to Firefox form 20 minutes ago.

I'm using firefox 3.08.
I type in say Mozillazine into Firefox search bar, click enter, see a top link to Mozillazine web site and then I click to get to Mozillazine,
then in address bar I see firefox URL and then like moments, split moments late I am taken to an advertising site like Stopzilla or something like it and have to hit back button to get to Mozillzine web site.

Question is it my fault for using Firefox or a Firefox responsibility to keep "hijacking software out of Firefox search bar?

It would be like if I bought a Pizza and someone having to do with providing Pizza was adding peanuts to it and I'm allergic to peanuts.
Whose job is it to find out where those peanuts were added to my pizza?

Like am I suppose to take my Pizza to another store for it to be analyzed before I eat it?

Something or someone is Hijacking Firefox's search bar.
I would think Firefox would like to know why someone or something is messing with Firefox's search bar.

Please find a fix.

[avastment]

Avast
I'm going to help you fix this hijacking problem when using search bar in Mozilla Firefox and I know nothing about hijacking, virus or malware.

You can type
about:cache?device=disk
into address bar of Firefox and it will bring up firefox Cache.

I did it in my recent cache and found these files.

I see something though it might be nothing.
some of these expiration dates are 1969 and if I am not mistaken 1969 was a while ago and those are sites I have been directed to from where I wanted to go.

Couldn't there be some way to find where in registry they dates are coming from or at least block site links with expiration dates that have come and gone a long time ago?



 Key: http://media.lavasoft.com/img/boxes_segmentation_mid.gif
     Data size: 173 bytes
   Fetch count: 1
 Last modified: 2009-04-06 09:10:37
       Expires: 2009-04-26 18:31:32

           Key: http://www.greattranslators.com/images/logo_continental.gif
     Data size: 5629 bytes
   Fetch count: 1
 Last modified: 2009-04-06 10:36:38
       Expires: 2009-04-24 10:29:16

           Key: id=49da3b48&uri=http://safebrowsing.clients.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=3.0.8&pver=2.2&wrkey=AKEgNiuPTBFCGH8zTprF1cyaBJYFoPktu-u2QcZmUcEHkRXaUnd5LGa8VdsKIiqVlAzb-LXPINHqDVDhIUT8xJnzwjzu-Y3_BA==
     Data size: 472 bytes
   Fetch count: 1
 Last modified: 2009-04-06 10:29:37
       Expires: 1969-12-31 16:00:00

           Key: http://static.trialpay.com/js/t/?p=tp&tpr=243783
     Data size: 4386 bytes
   Fetch count: 1
 Last modified: 2009-04-06 09:11:28
       Expires: 2009-04-06 10:11:23

           Key: http://www.trialpay.com/checkout/?c=10507bf&tid=9ahI9ha
     Data size: 25992 bytes
   Fetch count: 1
 Last modified: 2009-04-06 09:11:27
       Expires: 1969-12-31 16:00:00

[DavidR]

Firefox is less prone to these search hijackings than IE by a long way. There is however no way to establish who is responsible as for it to get established the use would normally have to have accepted the addition of something.

The problem being there are some toolbars that the user might feel helps them when in fact they only help the originator, you might well get some other unknown gifts that pay for your free toolbar. Personally I don't allow any toolbars to install and I take care of what add-ons I install, usually sourced at the Mozilla site.

If you haven't already got the NoScript add-on for firefox I suggest you do.

The safebrowsing is a security tool that blocks access to known malicious sites.

As for trialpay.com (this you can google if you can get past any redirects) is often used by software manufactures as a means of getting something for free, so there may be some payment involved, could be marketing information gathered or targeted adverts based on browsing, etc. http://www.trialpay.com/about/.

Typing about:cache?device=disk into firefox address basr gives a blank page on my system.

[avastment]

OK I added noscript to FF.

One other thing I noticed
I can't open my regedit file by going to
start
run and typing in
regedit
nothing happens.

I found a site suggesting I could possibly make some changes.  And yes I have gone into registry before this time trying this from another forum

It is VERY IMPORTANT that you learn how to examine your system for potential
problems as well as using 'fixit' programme such as AdAware or Spybot.

Check your startup folder and MSCONFIG (startup tab).  You can also check
the following registry keys and edit as appropriate (if you have experience
with same).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce

[DavidR]

This and other areas are commonly blocked to prevent easy removal of malware.

You may find that regedit.exe has been intercepted and there is a way round that find regedit.exe, in my XP Pro it is in the Windows folder, copy it and paste it into another temporary folder, rename it to regedit.com, you will get a warning, it is OK.

Now if there are two files one with a file type of .exe and another .com the .com one takes precedence so by running the regedit.com that should allow you to open the registry for editing. This is a temporary measure to allow you to edit the registry if needs be and not a permanent solution.

http://www.taskmanagerfix.com/enable-disabled-regedit
Or
http://www.pchell.com/support/registryeditordisabled.shtml

[avastment]

David,
I may have found a cure and trust me I know very little about computers you can tell by my questions.

Let me test it for a day or so.

[DavidR]

OK, fingers crossed

[avastment]

I went to regedit not from run / command .  Had to download a shortcut to regedit to open it.
did a search for mshta.exe
then had to look very carefully for "%1"%* coming after mshta.exe.
if it was any different than above I had to modify it to above and then delete entry.
It was only in one place.  I either restarted or not, can' remember and did some searching.
I've done a lot of searching since in Firefox search bar using google and Yahoo and so far no hijacking to Advertising links.  none.
Also downloaded NoScript and at first it was annoying but now I kind of think it is doing things to help me.
my CPU and internet connection are fast.  So I am happy.
I will work on regedit problem from run command.  thanks.

[DavidR]

You're welcome.

NoScript whilst a bit of a pain at first it doesn't take long to build up permissions for your favourite sites, provided you trust the site (though it is possibly that it could be hacked, but you then have the web shield also).

You can export your noscript whitelist so you have a copy so you don't have to start from scratch if you have to reinstall firefox or the add-on at any time; just import the saved whitelist into your new installation, etc. and no need to have to allow all those you already did.

[avastment]

creating a folder on desktop
going to windows folder
finding regedit.exe
copy to new desktop folder
rename it regedit.com
will not allow me to open regedit
or trying run command regedit.exe or regedit.com.
However this does works from desktop
"C:\Program Files\Safer Networking\RegAlyzer\RegAlyzer.exe"

[DavidR]

If you place regedit.com in C:\ as in the desktop you would have to enter the full path into the run command for it to find and run regedit.com

Use the windows Start, Run and copy and paste c:\regedit.com and click OK.

If you are using Vista you are going to have to jump through some hoops first. right click on wherever you have regedit.com and select Run As now you would select administrator and you have to enter the password.

[avastment]

David,

I found this. 

http://www.raylanddelosreyes.com/how-to-restore-regedit-taskmanager-ang-msconfig-using-vbscript/

Downloaded restore.vbs file.  it ran then I went to enter regedit in run / open nothing happened.
I shut down, had lunch rebooted, tried again and it worked.
I can enter regedit in open box and regedit opens.

another question.  should this file be in registry? after doing registry search for mshta

@C:\WINDOWS\system32\mshta.exe,-6412

[DavidR]

I honestly don't know, but it appears to be a legitimate file name, though that doesn't mean it isn't a) infected or b) in the wrong location (mine is in the system32 folder). I have no idea why there would be an @ character before the path.

http://www.liutilities.com/products/wintaskspro/processlibrary/mshta/

Why were you doing a search for mshta.exe in the registry anyway ?

There are many registry entries for mshta.exe in mine, none with -6412 though most end in ,1

[avastment]

This all started when I had a problem with clicking in google or yahoo search box in Firefox and hijacked to another site after clicking on some link and seeing URL appear in URL box and a second later be hijacked to a advertising site.

I tried to find forum I found information, so I could show you link that explained to search for mshta.exe with an ending other than "%1" %* in registry

I found one with "%1"*
so I changed it to "%1" %*
then deleted whole line.

Either I rebooted or again went to google search bar in Firefox and what do you know I was able to go to a site from results from yahoo or google without going to an advertising site.

Never mind about -6412 ending.  So far my CPU and connection speeds are find and no problems.

[avastment]

I found link about mshta.exe

and I did delete all of them if I found them in list shown in below link and everything seems to be fine with my computer.

http://www.exterminate-it.com/malpedia/file/mshta.exe