Annoying Firefox pop-up tab issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by geekcat, Aug 8, 2010.

  1. geekcat

    geekcat Private E-2

    Hi, I truly hope someone can please help me. I have had trouble with my main PC since July 24/25 with pop-up tabs appearing randomly in Firefox. My main antivirus software is the paid version of AVG which claimed there was nothing wrong with my computer. I have installed a plethora of programs to scan for viruses/malware/etc, done a system restore, etc., and nothing has worked so far. I have done everything requested in the READ ME FIRST thread (at least I hope I have!).

    A few quick questions before I get to the logs:

    1) While looking at the list of currently installed programs, I saw something called "Browser Address Error Redirector." I have not uninstalled it, but it was not detected in any scans as being "bad." I wonder if this might be the cause of the issue?

    2) If my computer truly had a "backdoor" trojan of some kind, does that endanger all the other computers that use my wireless router? I do not have things on a true network; I do not have my laptops set up to print to my main computer's printer, and my laptops do not share files with the main computer. My main PC has a wired connection to the router, and my other laptops use wireless.

    3) How safe is it to connect an external hard drive to back up my files without risking transferring to that drive anything bad?

    First I want to post the ORIGINAL Malwarebytes log, so you can see the original "backdoor.bot" that appeared in its findings; then I will attach the current log along with the other requested log attachments.

    ORIGINAL Malwarebytes Log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4372

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/30/2010 10:14:34 PM
    mbam-log-2010-07-30 (22-14-34).txt

    Scan type: Quick scan
    Objects scanned: 150716
    Time elapsed: 8 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Susan\Local Settings\Temp\7.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\YT16M5qn.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

    I deleted those files.

    The problem has obviously continued to occur (usually only after the computer has rebooted...not necessarily when I first open Firefox but within the first few minutes of my browsing the Internet, the tab will open on its own...always a different site).

    Thanks in advance; I'm so desperate to get this computer back in business. I've really lost trust in it.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach the remaining, most important log: C:\mglogs.zip
     
  3. geekcat

    geekcat Private E-2

    Thank you for assisting me. Since I am new to this forum, it would not allow me to reply to the initial post with the remaining attachment until a moderator approved it.

    In addition to the MGLogs.zip file, I am also attaching one screencap of the type of pop-up tab that has been appearing.

    Another question...my AVG Firewall pops up with "Generic Host Process for Win32 Services is trying to open a connection." I have been blocking this; not sure if this is safe or something bad. Any clue why this would be happening?

    My computer also seems to be continually gurgling. When I look at the "Processes" in the Windows Task Manager, the bulk of it is "System Idle Process" (usually 98 to 99%). I just do not remember it "talking" this much before all these issues.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you knowingly install this?
    • WinPcap 4.0.2

    If not please uninstall.

    Uninstall the following outdated java

    • Java(TM) 6 Update 20
    • Java(TM) 6 Update 4
    • Java(TM) 6 Update 5

    Browser Address Error Redirector <--- You can uninstall this.

    Use windows explorer to delete avast remnants:
    • c:\documents and settings\All Users\Application Data\Alwil Software

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Now please double-click the RootRepeal.exe previously downloaded.
    • Select File then Scan
    • On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    • When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
      • C:\WINDOWS\Temp\91d06f2f-0769-4100-8aba-74567109f8bc.tmp
      • C:\WINDOWS\Temp\9b1b4d53-5f13-4b8b-978d-8d597ea6d7f3.tmp
      • C:\WINDOWS\Temp\a8bf0732-9dcb-42e8-a106-57586a22a1db.tmp
      • C:\WINDOWS\Temp\accf8f45-f07b-4092-896a-25cb06c084cf.tmp
      • C:\WINDOWS\Temp\bc07a306-261b-4d57-a298-2469ce32bea5.tmp
      • C:\WINDOWS\Temp\bd3392e0-a383-48af-95cf-d168bca7a230.tmp
      • C:\WINDOWS\Temp\2d9e0d69-8bf1-49d7-a05a-5987abaa187e.tmp
      • C:\WINDOWS\Temp\31133c02-e3d4-42b3-9437-2c9d4b73d3d7.tmp
      • C:\WINDOWS\Temp\35d8f731-b4c9-4e17-b4f4-dc5a2efe19d9.tmp
      • C:\WINDOWS\Temp\3ac7ad06-cd38-4485-a478-18d4bbe2444e.tmp
      • C:\WINDOWS\Temp\51587d12-3944-4da2-8898-11dad129d567.tmp
      • C:\WINDOWS\Temp\52cac55e-e879-491f-a299-a55a9ede6994.tmp
      • C:\WINDOWS\Temp\6c8a6003-9b7c-4b3c-bcf6-07c991428565.tmp
      • C:\WINDOWS\Temp\7f6b68e0-1ea7-4e64-94fa-983fb92b9f97.tmp
      • C:\WINDOWS\Temp\82136414-0a41-427d-84f9-6d4513de4a4e.tmp
      • C:\WINDOWS\Temp\8cee7d1d-02f4-499b-84ba-f3a721e24594.tmp
      • C:\WINDOWS\Temp\c88641df-863d-4130-a3f8-5db024b3b551.tmp
      • C:\WINDOWS\Temp\da3b60c8-fa51-45bb-8544-e0f5ec936f16.tmp
      • C:\WINDOWS\Temp\e28b320e-f306-4d34-a9ac-70e72a9ef96f.tmp
    • After Wiping all files, immediately reboot your pc!
    After reboot, continue with the below.


    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\35d8f731-b4c9-4e17-b4f4-dc5a2efe19d9.tmp
    C:\WINDOWS\Temp\8cee7d1d-02f4-499b-84ba-f3a721e24594.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also attach the log from mbrcheck.exe.
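
The ComboFix script above removes one Browser Helper Object by its CLSID from HKLM\...\Explorer\Browser Helper Objects. As an added example, not part of this thread and not code from ComboFix, HijackThis or any other tool named here, the following PowerShell lists every BHO registered under that key, resolves each CLSID to the DLL Internet Explorer would load, and flags registrations whose DLL is missing or lives under a Temp or profile folder. The function name and the "suspicious" heuristics are this example's own assumptions; a flagged entry is a lead to check against the logs, not a verdict.

```powershell
# Added example (not from the thread or its tools): enumerate Browser Helper Objects
# and resolve each CLSID to its server DLL, the way a reviewer reads the
# "Browser Helper Objects" key that the ComboFix Registry:: line above edits.
# Written for PowerShell 2.0 (New-Object PSObject) so it runs on an XP-era box.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Second key only exists on 64-bit Windows; harmless to test for on 32-bit XP.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName                       # e.g. {602ADB0E-...}
            # The CLSID registration in HKCR names the in-process COM server (DLL).
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dllPath = $null
            if ($dll) { $dllPath = [Environment]::ExpandEnvironmentVariables($dll) }

            # Heuristics (assumptions of this example): a BHO with no server DLL,
            # a dangling path, or a DLL under Temp / a user profile deserves a look.
            $suspicious = $false
            if (-not $dllPath)                  { $suspicious = $true }
            elseif (-not (Test-Path $dllPath))  { $suspicious = $true }
            elseif ($dllPath -match '\\Temp\\|\\Local Settings\\|\\AppData\\') { $suspicious = $true }

            $sigStatus = 'n/a'
            if ($dllPath -and (Test-Path $dllPath)) {
                $sigStatus = (Get-AuthenticodeSignature $dllPath).Status   # Valid / NotSigned / HashMismatch ...
            }

            New-Object PSObject -Property @{
                CLSID      = $clsid
                Name       = $name
                DLL        = $dllPath
                Signature  = $sigStatus
                Suspicious = $suspicious
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table CLSID, Name, DLL, Signature, Suspicious -AutoSize
```

Run it before and after the ComboFix step: the CLSID named in the CFScript should appear in the first listing and be gone from the second. An unsigned DLL is not proof of malware (many legitimate 2010-era add-ons were unsigned), but an entry whose DLL is missing or sits in a Temp folder is exactly the kind of item the logs requested in this thread are meant to surface.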
     
  5. geekcat

    geekcat Private E-2

    No, I did not install WinPcap 4.0.2. It said that it had been most recently used today; I take it this was a bad program?

    I uninstalled that along with the outdated Java and the Browser Address Error Redirector. I deleted the Avast files.

    The TDSSKiller log is attached.

    I also did the HJT as requested.

    When I did the RootRepeal.exe, the ONLY file that appeared was c:\hiberfil.sys

    The MBRCheck wouldn't allow me to select all/copy/paste, so instead, I did a screencap for you.

    Since I did not see all those temp files in the RootRepeal scan (and noticed that 2 of those were ones you wanted me to "kill" with ComboFix), I was nervous to use ComboFix.

    If you still feel I should use ComboFix anyway, despite those files not appearing in the RootRepeal scan, please let me know, and I will continue along with your suggestions.

    Could you please answer the below questions?

    1) My AVG Firewall pops up with "Generic Host Process for Win32 Services is trying to open a connection." I have been blocking this; not sure if this is safe or something bad. Any clue why this would be happening? This DID happen just now when I opened up this site.

    2) If my computer truly had a "backdoor" trojan of some kind, does that endanger all the other computers that use my wireless router? I do not have things on a true network; I do not have my laptops set up to print to my main computer's printer, and my laptops do not share files with the main computer. My main PC has a wired connection to the router, and my other laptops use wireless. I'm nervous to use any other computer right now.

    Thanks again for all of your help!
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry! Your thread was lost to me for some reason, perhaps it was caught up in moderation and I did NOT see that you had responded in my subscribed threads. Reading your last post now. :)
     
  7. geekcat

    geekcat Private E-2

    Bless you! Thanks so much. Appreciate your taking the time to review the issues. I was worried that my post might have gotten lost. You couldn't have written at a better time, as I have family visiting tomorrow and really hope the computer can get closer to being back in action! :) Thanks in advance for your response!
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    TDSSKiller dealt with an infected file.

    Not at all, but it can be put to bad uses by certain malware.

    I don't know at this point, could be something legit, could be something shady. Does it not give any more details?

    In any case, let's finish up here and we will see if you continue to receive this message after we have made some more progress.

    As long as you are not sharing files and connecting flash drives/CDs from one to the other at the moment, until we are finished here. Then you can monitor the behaviour of the other computers.

    I need to ask some questions:
    1. Do you have any drives that have a non-windows installation on them
    2. Are all drives NTFS formatted
    3. Do you have any non-standard or special MBRs which can occur from companies like Dell or HP who frequently install additional partitions used for recovery partitions in lieu of giving CD/DVDs.
    4. Is any program like Grub ( see:http://www.gnu.org/software/grub/ ) being used
    5. Is drive-encryption being used?
    6. Are any drives external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
    Yes, use combofix as instructed and also complete the rest of my instructions. Then answer my questions that I asked and attach the new C:\Mglogs.zip.
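
The "Generic Host Process for Win32 Services" in the AVG prompt is svchost.exe, which hosts several Windows services inside one process, so the firewall prompt alone cannot say which service wants the connection. As an added example, not from this thread and not AVG's or any forum tool's code, the following PowerShell maps each svchost connection reported by netstat -ano to the service names that WMI says the same PID hosts, and warns about any svchost.exe running from outside the Windows system folder. The function name, the loopback/listener filter and the "no hosted services" reading are this example's own assumptions.

```powershell
# Added example (not from the thread): attribute svchost.exe network connections to
# the Windows services hosted in that PID. Requires an elevated prompt to see
# every process; written against PowerShell 2.0 features only.

function Get-SvchostConnection {
    # 1. Map each process ID to the services it hosts (Win32_Service.ProcessId is
    #    UInt32; cast to [int] so hashtable lookups with netstat's PID match).
    $svcByPid = @{}
    Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $k = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $_.Name
    }

    # 2. Collect svchost PIDs and flag any copy not living in %SystemRoot%\system32.
    $svchost     = @(Get-Process svchost -ErrorAction SilentlyContinue)
    $svchostPids = @($svchost | ForEach-Object { $_.Id })
    $system32    = Join-Path $env:SystemRoot 'system32'
    $svchost | Where-Object { $_.Path -and ($_.Path -notlike "$system32\*") } | ForEach-Object {
        Write-Warning "svchost.exe running from unexpected location: $($_.Path) (PID $($_.Id))"
    }

    # 3. Parse netstat -ano. Columns: Proto  Local  Foreign  State  PID  (UDP rows lack State).
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            $proto, $local, $remote, $state, $procId = $f[0], $f[1], $f[2], $f[3], [int]$f[4]
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $proto, $local, $remote, $state, $procId = $f[0], $f[1], $f[2], '', [int]$f[3]
        } else { return }                                    # header / blank line
        if ($svchostPids -notcontains $procId) { return }    # only svchost rows
        if ($remote -match '^(0\.0\.0\.0|127\.|\[::\]|\*)') { return }   # skip listeners, loopback

        $services = ''
        if ($svcByPid.ContainsKey($procId)) { $services = ($svcByPid[$procId] -join ',') }
        New-Object PSObject -Property @{
            PID      = $procId
            Proto    = $proto
            Local    = $local
            Remote   = $remote
            State    = $state
            Services = $services
        }
    }
}

Get-SvchostConnection | Sort-Object PID | Format-Table PID, Proto, Remote, State, Services -AutoSize
```

Run it at the moment the AVG prompt appears (while the connection is still being attempted) and read the Services column for the PID involved: wuauserv or BITS talking to Microsoft addresses after a reboot is the ordinary case, whereas an svchost PID with an outbound connection and an empty Services column, or one flagged by the path warning, is not a genuine service host and belongs in the logs for the helper to look at.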
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I saw you PM'ing me, on the active user list and wondered why, checked your last post..and lo and behold... my apologies, it's rare that I lose a thread but it has happened on occasion.
     
  10. geekcat

    geekcat Private E-2

    My responses are in bold.

    1) My AVG Firewall pops up with "Generic Host Process for Win32 Services is trying to open a connection." I have been blocking this; not sure if this is safe or something bad. Any clue why this would be happening? This DID happen just now when I opened up this site.

    I don't know at this point, could be something legit, could be something shady. Does it not give any more details? Nope...no additional details!

    I need to ask some questions:
    Do you have any drives that have a non-windows installation on them

    Forgive me, because I'm not exactly sure what you mean...right now I do not have any other external drives associated with or connected to the computer.

    Are all drives NTFS formatted

    The ironic thing is I have a brand new external hard drive that has yet to be set up to back up my files. It is still in its box. I know some drives are formatted with FAT? At least, I think that is what it is called, but I'm not sure what this new drive might start out with format-wise if I were to connect it to back up my files.

    Do you have any non-standard or special MBRs which can occur from companies like Dell or HP who frequently install additional partitions used for recovery partitions in lieu of giving CD/DVDs.

    What is an MBR? There IS a D partition on my drive; it is a Gateway computer, and I believe that the restore files are on that drive.

    Is any program like Grub ( see:http://www.gnu.org/software/grub/ ) being used

    I went to the site, and nothing looked familiar to me, so I'm guessing no. :)

    Is drive-encryption being used? I do not think so. How would I go about checking?

    Are any drives external USB pen drives or external hard drives being used?

    I did recently use one 2 GB USB drive only AFTER all this started to back up some files before I attempted the system restore. I was just saving some photo files, so I don't know if this drive would even be safe to use again. I didn't realize that doing a system restore would not remove the most recent files I had saved.

    VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

    Sadly, no. If I attach this new drive to the system to back up files (which could take hours, of course), how would I know or make sure that I wouldn't be transferring over anything bad? I just really want to save photos, documents, videos, etc.

    Yes, use combofix as instructed and also complete the rest of my instructions. Then answer my questions that I asked and attach the new C:\Mglogs.zip.

    Before using combofix again, I just wanted to answer your other questions to see if that would change anything as far as how you'd like for me to proceed next. I'm using my laptop right now; have not even turned on the sick creature yet. Waiting to hear what you have to say. Thanks so much again! By the way, very odd that it indicated I was writing you a private message, because I never got to that step. I know that it is frowned upon on this board to do so, and I couldn't do it anyway as I hadn't accumulated 50 posts yet. Oh, well. Thank goodness you found my post again! :)
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, hold off on that for now because I don't think you have an MBR infection. It was showing as unknown MBR due to the recovery partition.

    Yes, do use combofix again, and then onto the next step with getlogs.bat as instructed in my last fix message. But I should think TDSSKiller dealt with the problem. How are things running, please let me know.
    Hmm, very odd indeed. :-D I am having oddities with your posts not showing too, again, I am having to check back myself and it seemed your last reply was in moderation as once I had checked "approve post" it was visible again as a latest post.
     
  12. geekcat

    geekcat Private E-2

    O.K. I ran ComboFix, and it was weird because even though I had shut off my AVG, it kept popping up warnings, but I told it to just allow ComboFix. Even after the computer rebooted, it (AVG) was still a bit upset about ComboFix. I think it has settled down now.

    I also installed the Java Runtime 6 as you had requested and ran the MGTools file.

    See the attached. I did see that "generic host" pop-up again; I did a screen grab for you.

    So far so good - I have not seen any weird pop-ups. Fingers crossed that all will meet your approval! :) Thanks so much again for all of your help!!!
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those logs look good. :)

    You can ask any non malware related questions in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  14. geekcat

    geekcat Private E-2

    Woo hoo! Great news that the logs look A-O.K.

    Do you have any idea though about the generic host screen cap I had attached? I guess it is O.K. to keep hitting "block"?

    I won't have a chance to tackle the final steps until later in the day. Again, I so appreciate all of your assistance; you're the best! :)
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ask about it in software :)
     
  16. geekcat

    geekcat Private E-2

    Just wanted to post that I have completed the final steps, and everything is still working great!

    Cannot thank you enough! Wish that the site accepted online donations, because I would gladly donate! Have a wonderful weekend, and I certainly know where to go if anything like this ever happens to my computer again! Take care!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're *most* welcome. :) Take care and safe surfing!
     
