Firefox acting as if it was infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by pdogs, Nov 30, 2009.

  1. pdogs

    pdogs Private E-2

    After playing Modern Warfare 2 online for a couple of days I noticed my browser started having issues such as the Yahoo toolbar being installed without me doing it, my browser hanging up on me, a change in my homepage was attempted, and the format of the browser is not the same.

    Around this time Avira said it found TR/Crypt.XPACK.Gen [trojan]. Despite cleaning it, it occasionally gets detected again. Now when I start my computer, Avira Guard is sometimes disabled at startup, requiring me to manually turn it on.

    I use winpatrol and noticed that there is a program that keeps asking to be placed in my startup. The program has no identifying information, so I keep clicking no.

    I went through and followed all the procedures for the Read and Run Me First. My only issue was every time I tried to run Root Repeal I kept getting the following error:

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP2
    Exception Code: 0xc0000005
    Exception Address: 0x004cbf6b
    Attempt to read from address: 0x00000004

    My firewall, anti-virus and SUPERAntiSpyware were shut down during the scan. I re-ran RootRepeal about six times with the same issue each time. RootRepeal appears to hang up in c:\windows\winsxs\manifests\

    When I examined the manifest folder I noticed several new files that were created shortly before I started having problems.

    I ran SuperAntiSpyware and Malwarebytes and they both found nothing. I attached the combofix and MGlogs.zip to this thread.

    Please help me out. Thank you!
     


  2. evilfantasy

    evilfantasy Malware Fighter

    The Yahoo toolbar isn't malicious and is installed along with a few different software downloads. If you don't uncheck it, it gets installed.

    I'm really not seeing anything in the logs but we can do a good thorough scan to see if anything new turns up.

    First...

    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the Desktop.



    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please attach the ESET Online Scan Log
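    An added check, not part of evilfantasy's instructions: before merging fixme.reg, this PowerShell script (run from an elevated prompt on Vista or later) lists what Windows Security Center currently believes is registered as antivirus and firewall, so stale entries such as the SymantecAntiVirus and SymantecFirewall monitoring keys can be confirmed, and so the "Avira Guard disabled at startup" symptom can be compared against what Security Center reports. The registry path comes from fixme.reg above; the root\SecurityCenter2 WMI namespace and its class names are standard on Vista and later, and the productState decoding is the commonly used interpretation rather than something documented in this thread.

```powershell
# Added example (not from the thread). Shows stale Security Center entries
# and the current antivirus/firewall registration state. Read-only: it
# changes nothing, so it is safe to run before and after merging fixme.reg.

$monitoring = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'

Write-Host "== Legacy Security Center monitoring keys (path used by fixme.reg) =="
if (Test-Path $monitoring) {
    Get-ChildItem $monitoring | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Product = $_.PSChildName          # e.g. SymantecAntiVirus
            # Vendors write different values here; show them all.
            Values  = ($props.PSObject.Properties |
                       Where-Object { $_.Name -notlike 'PS*' } |
                       ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } | Format-Table -AutoSize
} else {
    Write-Host "No legacy Monitoring key present (nothing for fixme.reg to remove)."
}

# Vista and later register products through WMI instead of the registry.
# productState is a bitfield; the widely used reading is that bit 12
# (0x1000) means "real-time protection on". Treat this as an assumption.
function Get-ProductStateText([int]$state) {
    if ($state -band 0x1000) { 'enabled' } else { 'DISABLED' }
}

$ns = 'root\SecurityCenter2'
Write-Host "== Products registered with Security Center (WMI $ns) =="
foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
    Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Class    = $class
                Product  = $_.displayName
                State    = Get-ProductStateText $_.productState
                RawState = ('0x{0:X6}' -f $_.productState)
                Exe      = $_.pathToSignedProductExe
            }
        } | Format-Table -AutoSize
}
```

    An antivirus that shows as DISABLED here while its process is running, or a product listed that is no longer installed, is worth mentioning in your next reply alongside the ESET log.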
     
  3. pdogs

    pdogs Private E-2

    Hey EvilFantasy,

    Thanks for helping me out. I followed your directions and received a success message about adding the registry. I ran the ESET and it came back with no threats found.

    I wanted to ask you about Rootrepeal. I noticed that before it crashed it stated that there was a "size mismatch" in my "windows/ntbtlog.txt." Can you please explain what that means and what I could do to fix my issue with Rootrepeal?

    Thanks.
     
  4. evilfantasy

    evilfantasy Malware Fighter

    RootRepeal has problems with some systems. It's nothing to worry about.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  5. pdogs

    pdogs Private E-2

    Thanks EvilFantasy!
     
  6. evilfantasy

    evilfantasy Malware Fighter

    You're welcome.

    Safe surfing...
     
