Firefox opens Trojan websites in new tabs

[smfcomics]

last week my computer was infected with the XP Antimalware 2010.

the computer is running Windows XP service pack 3 version 2002

 I have ran Avast, Malware Bytes - Antimalware, and SpyBot S&D to remove malware and viruses. I just ran the Avast Boot-time scan again and it found one infected file in the Windows folder. I placed that in the chest.

I am still having issues with FireFox opening new tabs with random websites and Avast pops up and says its a Trojan URL.

Any help would be greatly appreciated.

 

[Hermite15]

I have no idea how this rogue proceeds nor do I know how much you already removed from it...only tip I can give but that's probably not enough to solve your problem: check if any extension got installed silently in Firefox.

[smfcomics]

how do I check if there were any extensions installed?

[Jtaylor83]

Go to Tools and click on Add Ons, then click on Extensions.

If there's nothing in your Extensions, then it could be your HostsFile. Follow Essexboy's instructions.

[laurap414]

I believe this is the same rogue being discussed in another thread called AVE.exe.

Please check out this link and see if the description matches what you are experiencing.

http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html

It explains how to remove the rogue and provides a little utility to do so.

[smfcomics]

here are the two OTL logs

[Jtaylor83]

I think it's time to make a new hosts file.

Please Download HostsXpert 4.3 by FunkyToad and Extract it out of the zip folder.

Run HostsXpert and then click on Make Hosts File Writable?.

* Click Restore Microsoft's Hosts file  and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

[smfcomics]

thank you for the help so far. i have done all the things suggested so far and I am still having issues with FireFox loading websites and redirecting to different sites from Google searches.

[Jtaylor83]

Okay. Since you now have reset your hosts file, it's time to remove OTL.

Run OTL and click on Cleanup. OTL will remove itself from your computer.


Next, clean up and defrag your disk drive with these programs.

CCleaner(Slim Version)

Defraggler (Slim Version)

Puran Defrag

[Hermite15]

thank you for the help so far. i have done all the things suggested so far and I am still having issues with FireFox loading websites and redirecting to different sites from Google searches.

Okay, you should uninstall FF and delete your profile >>> make a backup of your bookmarks and password database if you use it first and then reinstall. Again: it is important that you delete your profile for Firefox completely. If you use the default configuration it's located in \documents and settings\your user name\application data\Mozilla\Firefox (for XP)

[smfcomics]

I am running Defraggler and Avast System Shield keeps popping up with a Threat

-C:Windows\System32\Drivers\PCI.sys
-Win 32: Aluron-FZ
-Moved to chest
-PID4

it has come up with 160+ threats while the Degraggler is running. Is this a false positive?

[scythe944]

Usually not... as the system moves the files, it's accessing them.  Avast checks the files as they are accessed, and is reporting them correctly.

Sounds like a rootkit to me, if "PCI.sys" is infected.

Try this out: "TDS KILLER"

http://cid-f713962e2f5aa06d.skydrive.live.com/self.aspx/.Public/Programs/tdsskiller.zip?lc=1033

[smfcomics]

I ran the TDS Killer and it shows the Driver atapi.sys is infected.

memory 1 infected
file 1 infected and 1 cured at reboot

when the computer reboots and I run the TDS Killer again it comes up with the same thing.

[smfcomics]

from looking around it seesm that my system may be infected with the atapi.sys rootkit

what should I do next to resolve this?

thanks again for all the help

[Jtaylor83]

I suggest you use Hitman Pro (Cloud based Malware Scanner) for TDL3/TDSS removal. Hitman Pro will replace the patched atapi.sys with the original file. If it doesn't work, we'll try ComboFix.