Firefox start page (usually blank) opens to game site

[Cheryl_27]

My start page (specified in Tools>options to blank) just started opening to a game page (juego.com). It ONLY happens on a FF restart. It is NOT a redirect when doing searches in google, ixquick, etc.

I DON'T have google or mozilla as my home page - just blank. That's still what shows in options. I'm wondering if it's a trojan or a rogue installed extension?

Looking at the extensions, I don't see any odd - even opening more recent ones up - AFAICT. But, using another instance of FF, using a diff profile - doesn't open the game page - just to a blank page.

Before I get into a full blown malware erradication effort, I wondered if anyone has seen this?

I ran MBAM - full scan - nothing. Ran KIS 2012 full scan, w/ deepest settings - nothing.

Ran DDS - don't see anything unusal, but I'm no expert.

Maybe someone's seen a more simple explanation for this, but if not, I'll have to start running more malware scanners / cleaners.

I could just del the prob profile, but that doesn't mean the "infection" hasn't spread to other parts.

Thanks.

[redvamp128]

I would clear the internet cache for FF ... check your addons for tool bars etc....

http://www.howtogeek.com/howto/internet/firefox/restore-the-default-settings-in-firefox-without-uninstalling-it/

[TAZMINATOR]

Looks like a hosts file has been altered. Check your hosts file and see.

Or get hijackthis software and this program will tell you and fix it.

Someone else will come by here to give you alternative tips or software if any is better than hijackthis.

[Cheryl_27]

Thanks.

Redvamp128 - I have no toolbars & none show up in HJT. What's odd is I have cache set to clear everytime FF shuts down. So, considering after seeing the rogue startup page, I restarted FF couple times - but still same page. Then after an update to some addon installed - would have to check date for which one - my startup page is back to blank. May be pure coincidence.

I'm positive the 1st time I started up FF & the odd page appeared, I closed FF normally & that would've cleared the cache. But seems to have taken closing / restarting it a few times before going back to blank start page??? Any idea why?

Shozilla - Already ran HJT. showed the host file. I checked - there's nothing odd in the host file. Just the 127.0.0.1

Still, I'd like to know how it happened & given that I've already run some scanners, if there's much chance an infection of some sort will "reappear." Of course, if it was a truly malicious infection (if that start page was only prob), it wouldn't have given itself away so obviously.

[redvamp128]

You could if you know the page-- just turn that site into the restricted site list.. then set it to your home page-- see what happens...

The other option I would see is -- check to see if the syncronize option is enabled... and disable it... -- alternatively you could uninstall-- firefox....then search the %temp% and delete the mozilla folder...

then reinstal and start from scratch--

Also--

Does IE go to the same site??? that way you can tell if it is just a FF problem or not-- or an infection--

[badb0y]

in URL type: about:config and press Enter.

click on I'll be careful, i promise!

Now in the search, start typing the name of the site that opens (like write juego in search)

now if you see any entries matching the site name, right click on them and delete (if available)

restart and check!!!

[Cheryl_27]

The last 2 posts show having an earlier time than my last??? Anyway, obviously from my comments, it was related (at least) to only some (definitely not ALL) of my FF profiles, so starting IE you'd expect the problem wouldn't exist. It didn't.

No, didn't see anything in about:config - that's one of 1st places I looked.

Somehow, it must have been a page stored in MEMORY cache that was doing this, because disk cache is cleared each time FF is closed.

I think I rebooted at some point & maybe that's when the prob stopped. I did scans w/ several apps before going back online & never found anything. Since then, it hasn't returned.

I'm not exactly sure how w/ today's browsers, a malicious / advertising page in disk or memory cache can hijack your home page at startup, but not make any apparent changes in your browser settings or even add a registry change? Is it simply a script that keeps running over & over everytime the browser is restarted, until the script is removed? (Appears this case, it may have been stored in memory, but not sure).

[Cheryl_27]

I somehow got the hijacked start up home page to go away, but not sure how. Clearing cache (main & little startup), shutting down box to clear RAM - bunch of stuff.

Mysteriously went away, then about 1 - 2 wks later came back.

This time just created new profile - didn't copy over any extensions at 1st. That was OK, so then copied the Extensions folder & other "usual" files to transfer to new profile, but not prefs.js. So far, the home page is OK. This was much faster than all the hunting & scanning I did before, unless I'd found something sitting in prefs.js file. I still never found anything, anywhere that hinted at the w-w-w dot blank dot com, which apparently then served up ad sites or others. It was well hidden.