Infected with a browser virus


  • This topic is locked
10 replies to this topic

#1 polarlight

polarlight

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 27 December 2008 - 11:21 PM

While simply using our Firefox browser (version 3.0.5), we'll get random launches of other Firefox browser windows with URLs that look something like this:

<http://sagipsul.com/go/rfe.php?cmp=vm_mg_fails_juan&uid=5ADFD982D2B711DD8629166350CFFFFF&guid=7EA6311A85B84420A22EACEB57CFDF91&lid=&url=clients1.google.com%2Fcomplete%2Fsearch%3Fhl%3Den%26gl%3Dus%26q%3Db&affid=166350&b42=0.0022>

I've attached the 3 recommended files: Attach.txt, DDS.txt, and hijackthis.log

We'd sincerely appreciate any help in getting rid of the offending virus or malware...

Thank you,
Steve

Attached Files


Edited by Orange Blossom, 28 December 2008 - 01:26 PM.
killed potentially harmful link.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 28 December 2008 - 12:14 AM

Hello polarlight,


I edited the link you posted. Please don't post live links like that. There are some people that would actually click on them. :) :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 polarlight

polarlight
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 28 December 2008 - 02:40 PM

Hi Tea,

First, I'd like to say we appreciate your quick response - and second, I'd like to apologize for the original post containing the clickable link - I didn't intend for it to be a hyperlink and should have been more careful (like maybe doing a preview of the post before posting it!) ...

I did as you instructed - and I've attached both the logs you requested - the log from running ComboFix ( log.txt ) and a new hijackthis.log file after running HijackThis.

I look forward to hearing back from you after you examine these log files.

Sincerely,
Steve

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 28 December 2008 - 03:49 PM

Hi Steve,

You're most welcome. :) It's okay. :thumbsup: But some people really do click on those things. :)

How is it running now please?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O18 - Protocol: NCTV - {EB8F4D2E-5DDE-4F7D-8187-120E92D987AF} - (no file)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
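As an added illustration (not part of the thread and not code from the HijackThis or Malwarebytes projects), a small Python triage script that parses lines in the HijackThis "Onn - kind: detail" log format and flags the two patterns the helper asked to have fixed above: entries whose target is "(no file)" (an orphaned registry reference) and an O8 context-menu item that calls out to a web host. The sample log is constructed; the three flagged lines are the ones quoted in the post, the other two are made-up benign entries for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log in HijackThis's "Onn - kind: detail" line format.
# The O2/O8/O18 lines flagged below are the ones quoted in the thread; the
# benign O2 and O4 lines are invented for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O18 - Protocol: NCTV - {EB8F4D2E-5DDE-4F7D-8187-120E92D987AF} - (no file)
"""

# "O2 - BHO: <detail>" -> section "O2", kind "BHO", detail "<detail>"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_hjt_line(line):
    """Split one HijackThis line into (section, kind, fields) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    # HijackThis separates name / CLSID / target with " - "
    return section, kind, [f.strip() for f in rest.split(" - ")]


def triage(log_text):
    """Return (line, reason) pairs for entries worth asking a helper about.

    Rule 1: a target of "(no file)" means the registry still references a
            component whose file is gone (orphaned BHO, protocol handler...).
    Rule 2: an O8 context-menu item whose target is a web URL sends the
            selected text to that host, so the host deserves a look.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        section, kind, fields = parsed
        if fields and fields[-1] == "(no file)":
            findings.append((raw, f"{section} {kind} points to a missing file"))
        elif section == "O8" and fields[-1].startswith(("http://", "https://")):
            host = urlsplit(fields[-1]).hostname
            findings.append((raw, f"context menu item calls out to {host}"))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```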

#5 polarlight

polarlight
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 28 December 2008 - 07:06 PM

Hi Tea,

Thank you once again - yes, the system does seem better, although I thought I'd follow all the instructions first (including this step) before doing a more exhaustive check.

I've attached the Malwarebytes Anti-Malware log file, as well as a new HijackThis log, as you requested.

After I've heard back from you, I'll go ahead and do a more thorough check of everything, as well as get back to you about the results.

Sincerely,
Steve

Attached Files



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 28 December 2008 - 07:20 PM

Hi Steve,

HijackThis looks good, except for Java. It looks like MBAM got the leftovers from the ComboFix log as well. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle Bin and reboot your computer.

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Test away, and do let me know how it feels now. :thumbsup:

Thanks,
tea

#7 polarlight

polarlight
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 28 December 2008 - 08:07 PM

Hi Tea,

Thank you once again - I did as you instructed and all went well, but when I launched my Firefox browser, it showed that 2 new add-ons have been installed:

Adblock Filterset.G Updater 0.3.1.3 ( It says, "Synchronizes Adblock with Filterset.G" )
Adblock Plus 0.7.5.3 ( It says, "Ads were yesterday! Version 1.0 is available. Not compatible with Firefox 3.0.5" )

I have the latest Firefox (version 3.0.5). What do you make of those 2 new add-ons? Is this expected - or do they represent a possible problem?

I'll still hold off doing my exhaustive and thorough testing until I hear back from you. Thanks so much for your prompt attention to our problem - it's a real pleasure to receive so much help so quickly - a real nice change. We'll promise to contribute something back to you.

Sincerely,
Steve

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 28 December 2008 - 08:37 PM

You're most welcome. :)

Looks to be okay. http://search.techrepublic.com.com/search/adblock+pro.html I think what it's saying is you need to update your AdblockPlus to the latest version to be compatible with FF3. :thumbsup:

#9 polarlight

polarlight
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 28 December 2008 - 09:33 PM

Hi Tea,

Thank you so much - all looks good and I believe we are back to normal now. Your assistance has been greatly appreciated and we made a small donation to you - we wish we could afford more, but things are a little tight right now. Again, thank you very much!

Sincerely,
Steve & Becky

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 28 December 2008 - 10:21 PM

Hi Steve and Becky,

Thank you so much. :thumbsup: Thank you for the kind words, and you were also a pleasure to work with. :)

Take care!
tea

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:57 AM

Posted 31 December 2008 - 03:02 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



