goingonearth redirect virus - how do I remove this from firefox?
How can it evade anti-malware? I'm running Malwarebytes and Avira antivirus; they both say my PC is clean. Still, in FIREFOX when I do a search this virus takes over. I've been trying everything on the web - seriously, how do I remove this? How can it evade software!!! Has someone written a tool to remove this?
Answer:
The virus isn't in 'firefox', it's in your computer. Browser doesn't matter. Before suggesting any other software, are you running these programs in Safe Mode? You'll need to restart your PC in Safe Mode at the very least - press F8 when it is loading up, before it gets to the Windows screen (I usually just keep hitting it). A black and white screen will come up and you'll want to choose 'Safe mode' initially. You can always restart and do this again and choose another mode; you haven't done anything permanent. Once you've loaded up an ugly, looks-funny version of Windows in Safe Mode, run your antivirus programs again. And get into the habit of scanning anything downloaded before launching it in the future.
flexiverse at Ask.Metafilter.Com
Other answers
Oooh. This is a fun one. We might have to do a little "live" troubleshooting, because what I'm seeing is that this isn't well taken care of by the normal stuff. Download http://public.avast.com/~gmerek/aswMBR.exe, give it a run, and post the log back here (or in a MeMail to me). Also, grab http://support.kaspersky.com/faq/?qid=208280684 and give that a run. Report back from there, I'll try to monitor the thread for your updates.
deezil
This is a case of http://en.wikipedia.org/wiki/DNS_hijacking. What OS are you using?
alby
Antivirus is only as good as what it knows to detect (sure there's heuristics too, but even this can be fooled). Either Avira or Microsoft Security Essentials might pick up on what happened once the DATS are updated to detect your particular infection. But keep in mind, over 70 thousand variants of malware are being released monthly nowadays, many of which are written to evade popular antivirus programs. Welcome to the warfront! First and easiest thing to do, is to take a look at your startup (start/run and type "msconfig") tab in msconfig. Uncheck anything there that looks suspicious and reboot...you don't have to worry about what's unchecked as you can recheck it later if it's needed. Also look at the services tab in msconfig and check the "Hide Microsoft Services" checkbox. Uncheck anything suspicious from there as well. See if you can get a copy of http://free.antivirus.com/hijackthis/ running (you might need to use a different PC and transfer it to a USB thumbdrive or CDR...just make sure the USB thumbdrive hasn't been in your infected PC for a while beforehand...just in case). Deezil's got a very good start for you to follow to see if you might have a rootkit. I would also give http://www.gmer.net a go along with those which can pick up on non-TDSS or non-MBR/Torpig/etc variant rootkits. This also might be a case of DNS redirection as alby mentioned. Double check your TCP/IP settings under your Network Adapter's properties (start/run and type "control ncpa.cpl"). When looking at your TCP/IP settings you want to make sure that DNS is being obtained automatically, or is the correct DNS IP (e.g. if you're using Google DNS or OpenDNS). In Firefox and Internet Explorer, go under options and make sure your browser is not set to use a proxy, which would be another cause for redirection. Also, if you can get a copy of http://majorgeeks.com/download.php?det=5756 installed, update it and run a full scan.
You might need to use a different PC to get any of the programs suggested however, as DNS redirection might make it a pain to accomplish (unless IE works and FF does not...in that case I'd highly suspect your proxy settings).
samsara
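Added example, not part of any poster's reply: a small Python check for the two settings samsara describes, run over saved `ipconfig /all` output and a Firefox `prefs.js`. The trusted-resolver list, the sample text and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: resolvers this user expects (home router, Google DNS, OpenDNS).
TRUSTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
# Constructed `ipconfig /all` excerpt; 203.0.113.53 is a documentation-range address.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       8.8.8.8

Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
# Constructed Firefox prefs.js excerpt.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
'''
PREF_RE = re.compile(r'^user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);\s*$', re.M)

def dns_by_adapter(ipconfig_text):
    """Map each adapter in `ipconfig /all` output to its list of DNS servers."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # unindented adapter header
            current, in_dns = line.rstrip(": "), False
            adapters[current] = []
            continue
        label, sep, value = line.partition(" : ")
        if sep:   # "Label . . . : value" starts a new field
            in_dns = label.strip(" .").lower() == "dns servers"
        else:     # no label: continuation of the previous field
            value = line
        if current is None or not in_dns:
            continue
        try:      # drop any IPv6 "%scope" suffix before validating
            adapters[current].append(str(ipaddress.ip_address(value.strip().split("%")[0])))
        except ValueError:
            in_dns = False  # blank line or other text ends the DNS list
    return adapters

def unexpected_dns(ipconfig_text, trusted=TRUSTED_DNS):
    """List (adapter, resolver) pairs whose resolver is not in the trusted set."""
    found = dns_by_adapter(ipconfig_text)
    return [(name, ip) for name, ips in found.items() for ip in ips if ip not in trusted]

def firefox_proxy(prefs_text):
    """Return network.proxy.* prefs when Firefox uses a manual proxy (1) or PAC URL (2)."""
    prefs = {key: val.strip('"') for key, val in PREF_RE.findall(prefs_text)}
    return prefs if prefs.get("network.proxy.type") in ("1", "2") else {}
```

Any pair returned by `unexpected_dns`, or a non-empty result from `firefox_proxy`, is a setting to review and reset by hand in the adapter properties or the browser options.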
You don't need to run more software. The goingonearth virus has been removed by Malwarebytes and Avira but neither of those will fix the DNS problem, which will redirect all net traffic and probably lead to further infection. You need to fix your DNS problem, including flushing the cache. Of course the best idea is to nuke it from orbit: DBAN and reinstall the OS.
alby
"has someone written a tool to remove this?" Yes. This is a tough one, but it can be done. Malwarebytes can't remove it. You need Combofix. Even Malwarebytes endorses Combofix. Read about it here: Malwarebytes: http://forums.malwarebytes.org/index.php?showtopic=75367; Bleeping Computer: http://www.bleepingcomputer.com/forums/topic398430.html; Bleeping Computer: http://www.bleepingcomputer.com/combofix/how-to-use-combofix; CNET: http://forums.cnet.com/7723-6132_102-293341.html. Download it here: http://www.combofix.org/ or http://download.cnet.com/Combofix/3000-8022_4-75221073.html
Herodios
This might be just a personal preference, but I really don't recommend using combofix unless I have a good feel for what variety of malware is installed and am ready to assist bringing a PC back to life if combofix bombs out for whatever reason. It's like a heavy shot of antibiotics which is not always a good thing, and can sometimes make a system fairly unstable if used in the wrong scenario or without certain precautions. If you decide to use combofix, read the warnings on the bleeping computer forum very closely and make sure your antivirus is fully disabled beforehand. It may prove to be a quick fix, but has its risks so use your best judgement from what you read about this program. It's very useful when used properly.
samsara
I have used combofix successfully, specifically to remove the goingonearth hijack. It worked perfectly (Win XP machine). That said, I also endorse everything Samsara said above.
Herodios
Can't see anything useful here, I've tried everything that's been mentioned here! Windows 7 64 bit.
aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-25 16:58:46
-----------------------------
16:58:46.431 OS Version: Windows x64 6.1.7600
16:58:46.433 Number of processors: 4 586 0xF0B
16:58:46.436 ComputerName: HANIFF-PC UserName: Haniff
16:58:50.015 Initialize success
16:59:20.193 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
16:59:20.196 Disk 0 Vendor: WDC_WD5000AAKS-08V0A0 05.01D05 Size: 476940MB BusType: 3
16:59:20.200 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\Si3114r51Port6Path0Target0Lun0
16:59:20.203 Disk 1 Vendor: ST332062 3.AA Size: 305245MB BusType: 8
16:59:20.207 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\Si3114r51Port6Path1Target0Lun0
16:59:20.212 Disk 2 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
16:59:20.243 Disk 0 MBR read successfully
16:59:20.249 Disk 0 MBR scan
16:59:20.254 Disk 0 Windows 7 default MBR code
16:59:20.259 Service scanning
16:59:23.161 Modules scanning
16:59:23.167 Disk 0 trace - called modules:
16:59:23.184 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:59:23.190 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058ea060]
16:59:23.200 3 CLASSPNP.SYS[fffff8800197843f] -> nt!IofCallDriver -> [0xfffffa80053b2e40]
16:59:23.207 5 ACPI.sys[fffff88000fad781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80053d2060]
16:59:23.215 Scan finished successfully
16:59:44.034 Disk 0 MBR has been saved successfully to "C:\Users\Haniff\Desktop\MBR.dat"
16:59:44.047 The log file has been saved successfully to "C:\Users\Haniff\Desktop\aswMBR.txt"
flexiverse
With Windows 7, make sure you're right-clicking and running these tools as Administrator too just to get past any UAC restrictions. With that in mind however, you might want to make a bootable USB or CD to get around any rootkit circumvention that is going on (rootkits by their very nature work to hide their payload and defend against detection or removal). There have been reports of success using the http://www.sevenforums.com/tutorials/166445-microsoft-standalone-system-sweeper.html from sevenforums. Kaspersky's http://support.kaspersky.com/viruses/rescuedisk is also top notch. More rescue CDs can be found at http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/. The reason a bootable rescue CD might work in place of running the virus scanner on the working system (or in safe mode) is that it takes the possibility of a rootkit hiding traces and protecting itself largely out of the equation. Good luck, and keep us posted on your progress! At a certain point you might want to nuke and reload, but if you have the time to try some of these approaches you might save some time having to set up a PC from scratch (plus...it can sometimes be fun figuring out the puzzle).
samsara