Avast WEBforum
Other => Viruses and worms => Topic started by: bigp76460 on July 01, 2012, 08:54:49 AM
-
I have been having a problem recently, while running Firefox if I click on a link sometimes an additional tab will pop up as well as the one that I wanted to go to. Usually the second tab will be an ad, sometimes all that will appear in the address bar is about:blank and still other times Avast will trigger an alert, saying it blocked a harmful site. I have run scans with Avast, Malwarebytes, Spybot and SUPERAntispyware and none of them have detected a problem, yet the problem persists. Attached are my most recent Malwarebytes log as well as the two OTL logs. Any directions you could point me in as to what I might be dealing with and how to remedy it would be greatly appreciated.
-
Hey, I suggest you follow this guide and wait for a malware expert to check those logs. They will give you further instructions on how to proceed.
http://forum.avast.com/index.php?topic=53253.0
There is one more log they need to be able to help you. It's the aswmbr log.
good luck
-
Essexboy has been notified to assist with the OP. Thank you.
-
Could you confirm that this does not occur in IE?
Is it only Firefox?
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
-
Hope I did everything correctly. Attached are the logs you requested. I haven't noticed the problem in IE, though I rarely run IE that much. I did take it out for a spin, just to kick the tires and see if anything would happen, and I didn't notice any problems with it when I did. My problems seem to be limited to Firefox at this point, at least that is the only place I have encountered them.
-
OK I will now need to check the FF addons
First we will try Firefox in safe mode http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
Do the problems still occur in safe mode ?
If no then restart Firefox normally
Disable all Addons
Still no problem?
If all is good then enable the addons one at a time checking between each for the extra tabs
As soon as they appear disable the last addon that you started and let me know which one it was
If they still occur in safe mode then let me know
-
I went into Firefox and restarted it in safe mode with no add ons, as soon as the Firefox window opened there was another window that opened with it, one of the many ads that pop up.
-
OK next phase I feel, what version of FF do you have?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Here is the Combofix log.
-
What version of Firefox do you have ?
Also are the ads of a specific type ?
-
I am running Firefox 13.0.1 currently. The ads that pop up, when they come through, fall into ads for money making schemes (such as Abbey's Blog/easykits.org), though sometimes the additional tabs come up as empty pages with about:blank in the address bar, or that the site has timed out. A few of the times Avast has prevented the additional page, recognizing it as JS:ScriptIP-inf[Trj.], but scans of my hard drive with Avast have come up with nothing.
-
I am just going to download Firefox to see if I can replicate this
-
just got one of the alerts, when avast does catch something, this is what pops up
Infection Details
URL:htt p://cpv.srv-ad.com/srv/index.php?pubi...
Process: C:\Program Files (x86)\Mozilla Firefox\f...
Infection: JS:ScriptIP-inf [Trj]
not sure this will help or not, but figure the more information the better
-
just got one of the alerts, when avast does catch something, this is what pops up
Infection Details
URL: hxxp://cpv.srv-ad.com/srv/index.php?pubi...
Process: C:\Program Files (x86)\Mozilla Firefox\f...
Infection: JS:ScriptIP-inf [Trj]
not sure this will help or not, but figure the more information the better
Please make the url posted above non-clickable as above. Clicking link above securi says invalid web site, so I clicked your url and got the attached warning from avast!
-
OK let's clear your Java and temp caches
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
Okay, downloaded and run. Sorry about the issue with the URL, still relatively new at this.
-
Could you now run Firefox to see if the alerts persist
-
Sure, I usually have Firefox on at work anyway, so I will run it for a while and see if the problem persists.
-
Yes, I have still had a few of those additional windows pop up, mostly the ones with about:blank in the address bar. I have not received any alerts from Avast since running the program, but those didn't pop up all that much before, so it could be they stopped or I just haven't been lucky enough to get one yet.
-
Been keeping track of the sites that have popped up in additional tabs this evening. I received no alerts from Avast, but here is what popped up between 4pm and 11pm my time this evening.
hxxp://www.en.tv-in-pc.com/?source=ccfb09vjzde6llbe58nsthyqfb&player=P2P40921274&tid=P2P40921274
about:blank
about:blank
hxxp://www.satellitedirect.com/?hop=pplmedia
about:blank
hxxp://cem.easykits.org/index3.html
Again, I don't know if this will help, but those sites had been some of the ones that popped up in the past as well.
-
That sounds like they are in the user.js which my tools do not look at
So let's have a look see
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:contents
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\hpyocceq.default\user.js
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
here is the result I got, I think I had to have done something wrong with this result, but here it is
-
SystemLook 30.07.11 by jpshortstuff
Log created at 10:42 on 06/07/2012 by Matt
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
========== contents ==========
C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\hpyocceq.default\user.j - Unable to open file.
-= EOF =-
For some reason the s was left off of the .Js
Could you re-run and ensure that the whole path is entered
-
Okay, fixed that issue, mistake on my part there. Here is the new report I got.
-
OK it's not in there
So let's try this
- At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP) and then click Options
- On the menu bar, click on the Firefox menu and select Preferences...
- At the top of the Firefox window, click on the Edit menu and select Preferences
- At the top of the Firefox window, click on the Tools menu and select Options...
Select the General panel.
In the Home Page text box, replace all pipes (|) with %7C
Click OK to close the Options window
Click Close to close the Preferences window
Close the Preferences window
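
An added example, not part of the original thread and not one of the tools named in it: a short Python script that does by hand what the user.js check and the Home Page step above were after. It lists the preferences in a Firefox user.js or prefs.js that can open pages on their own and splits the home page value on literal pipes, since each pipe-separated entry is opened as its own start page. The watched preference list, the sample data and the expected_hosts allow-list are assumptions made for illustration.

```python
import re
import sys
from urllib.parse import urlparse

# Preferences that can make Firefox open or redirect to pages by itself
# (illustrative list chosen for this example).
WATCHED = {
    "browser.startup.homepage",      # start page(s), separated by "|"
    "browser.newtab.url",            # new-tab page in Firefox 13 to 40
    "keyword.URL",                   # address-bar search URL in older Firefox
    "network.proxy.autoconfig_url",  # proxy auto-config script
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample, not taken from the logs attached to this thread.
SAMPLE = r'''
user_pref("browser.startup.homepage", "http://www.google.com/ig|http://ads.example.invalid/start");
user_pref("browser.tabs.warnOnClose", false);
user_pref("keyword.URL", "http://search.example.invalid/?q=");
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref("name", value); line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]          # strip the quotes of string values
            prefs[name] = raw
    return prefs

def review(text, expected_hosts):
    """List (pref, url) pairs whose host is not in expected_hosts."""
    findings = []
    for name, value in sorted(parse_prefs(text).items()):
        if name not in WATCHED:
            continue
        # A literal "|" separates home pages; "%7C" is an encoded pipe inside one URL.
        urls = value.split("|") if name == "browser.startup.homepage" else [value]
        for url in (u.strip() for u in urls):
            host = urlparse(url).hostname or url
            if host not in expected_hosts:
                findings.append((name, url))
    return findings

if __name__ == "__main__":
    # Usage: python check_prefs.py <path to user.js or prefs.js>
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, url in review(text, {"www.google.com"}):
        print(f"{name}: {url}")
```

Run without arguments it reviews the constructed sample; given the path to a profile's user.js or prefs.js it reviews that file, with Firefox closed so the file is not being rewritten.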
-
This is where my noviceness will kick in, the homepage selected for Firefox to start from is hxxp://www.google.com/ig . Not sure what is meant by removing pipes in that address.
-
Tripped another Avast alert with one of the tabs that pop up, this time the site was hxxp://tergosales.com that tried to pop up but was caught by Avast.
-
The additional tabs continue to be a problem (just had this site pop up hxxp://visibleweb.com/creditscore/index101.php?src=mt&kw=.yahoo.com). Should I go all the way back to the beginning and reinstall all of the previous virus detection programs, just in case I may have missed something, or did something wrong to begin with. Just not sure what my next step should be.
-
And this is in Firefox only ?
Could you try IE to see if the same occurs
-
I have run IE some recently, haven't had any problems with it, the tabs only seem to be occurring when using Firefox.
-
The easiest solution to this problem would be a full uninstall of Firefox and then reinstall, it is hiding there somewhere but I just cannot see it.
Do you know how to totally uninstall Firefox ?
http://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer
Also do this part Removing user data and settings
-
Uninstalled and then reinstalled Firefox last night, for now I haven't had a single additional tab pop up, keeping my fingers crossed for another day or so just to be sure.
-
I just wish that I could have located the responsible addon that did this.. Would make my job easier ;D
-
A couple of days now and no recurrence of the pop ups/unders that were coming up previously. Everything has been fine since uninstalling and reinstalling Firefox. Thanks for your help in getting me back and functional.
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: