
Firefox Opening Tabs, Adverts, etc.



#1 vSanjo


Posted 24 June 2010 - 05:18 AM

Hey guys.
I'll be brief, I'm being a little interrupted right now so I have to skim over the problem as quick as I can! Sorry!

(Also, since this is my first post; I'm David. Nice to meet you all. (: )

Firstly, a little about me and my computer. I'm very, very OCD about keeping my computer organized, clean and error free. That said, I usually format every 2-3 months and can get my computer back to how I like it in about 3-4 hours. I work as a technician at a small computer repair shop, and viruses are easily our number 1 problem there.
I'm very experienced with removing them through a myriad of programs that are the standard from what I've seen on the site. My usual toolbox would be Combofix > Smitfraudfix > MalwareBytes > Avast > Hijack This > CCleaner. Of course that won't clean everything and more work would be required for harder to remove ones, etc.
tl;dr and extension; I'm more than capable when it comes to computers, viruses, and the like. I don't require a 'simple-version' of instructions. :D

Now, my problem. I've tried searching on the forum for similar problems but Firefox, Google, viruses, tabs and other words I've used are just way too general! I promise I tried. .__.;

Basically here's what's happened. After formatting my computer a matter of days ago, I installed Firefox, my usual addons, my usual about:config edits, everything. Like I said before, I have an obsession with organization so if you'd like to see a .txt of what I install, links to them and edits to config, just ask.
Anyway.
I installed what I needed to, and carried on with my business installing the other programs after the re-installation. Then I noticed a few tabs open in Firefox. I opened it, and some were about news websites. Something like 'Mother of 1 earns $3000 a month' - I've seen it all before, I knew that this was a problem. The site name escapes me but it's something like 'News1' or ..similar.
I can get it when it happens again.

So I closed it, carried on with my business.

Now, it's happened frequently throughout the week - it's generally when I open a new tab via middle click, or search in the awesome-bar. It will open a new tab, directed at an IP of "http://208.94.233.34/go.php" (it obviously changes but I've seen this one most) and then redirects maybe another 3-4 times quickly. All the pages it redirects to have that ominous ? in a black triangle until it finally lands at the news page I described above, or some other general advert site. Then one link before the end result, it usually has a word I've searched for in it. If I search for.. Chicken Recipes, for example, then I might see Chicken or Recipes or some variant in the URL.

Now, what I've done to 'fix' this.
I've done my general sweep of virus removal programs. Combofix, followed by SmitFraudFix, followed by MalwareBytes, followed by Avast (boot-time scan). I've then checked running processes, Hijack This, done a very thorough clean both with CCleaner and Glary Utilities, and my own knowledge of where viruses hang out. This is all behind PeerBlock running P2P, Spyware, Advertising, Education, Infringement and Primary Threats lists (Allowed HTTP, because it usually spits and cries about everything). I've then checked the registry for anything that stands out (which would especially stand out after a new reinstall!). I've finished cleaning -again- today and reinstalled Firefox COMPLETELY. I've removed 'not-so-confident-about' addons from Firefox (I don't run a lot, but usually ones like Add To Searchbar which have such a small fan base that malicious code could go rather unnoticed?). It's still doing it!

I've read around that Java had an exploit that allowed random programs to be installed without permission - now I distinctly remember not installing Java until very late into my Firefox installation sweep. I don't know if this is useful or not, but it was mentioned in another thread I've been reading.

The virus, or whatever it is, is not affecting anything else to the best of my knowledge. I'm having some random driver issues but I think it's just coincidental that they've happened around the same time - and I'm too lazy to fix them right now.
I've also thoroughly checked through a dds.scr scan. Nothing is where it shouldn't be, but I'm happy to show, I guess.

I appreciate any and all help - I understand I've written a lot so I don't expect immediate help.
I'll try to update what I do, but right now I'm just going to wait a while.

David.

[EDIT 1]: I wrote about PeerBlock just as I was finishing up, and realized I might as well block HTTP and monitor what goes in and out for a while. I'm aware of the 'normal' connections that try to sneak up so anything that stands out, should.
[EDIT 2]: Emphasized key points.
[EDIT 3]: JUST as I finished the second edit, and clicked Submit Modified Post, it opened a new tab, and opened:
http://dbcummings.com/search.php then tried to connect to a very long link

EDIT: Moved from Web Browsing/Email to Am I Infected forum ~ Hamluis.

[EDIT 4]: Thank you, Hamluis. I was unsure and just looked for the most relevant.

Edited by vSanjo, 24 June 2010 - 11:51 AM.
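
The redirect pattern described in the post above (a request to a bare IP address, then 3-4 rapid hops, one of which echoes a recent search word) can be checked for in a proxy or connection log. This is an added example, not part of the original thread; the log shape, the thresholds and every host other than the IP quoted in the post are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample of (seconds, url) requests. Only the bare-IP URL is taken
# from the post; every other host and path here is made up for illustration.
SAMPLE = [
    (0.0, "http://www.google.com/search?q=chicken+recipes"),
    (2.1, "http://208.94.233.34/go.php"),
    (2.4, "http://redir1.example.net/r?id=1"),
    (2.7, "http://redir2.example.net/click?kw=chicken"),
    (3.0, "http://news1.example.com/mother-earns-3000"),
    (60.0, "http://www.example.org/forum"),
]

def is_bare_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def search_terms(url):
    """Lower-cased words (4+ chars) from a q= query parameter, if present."""
    m = re.search(r"[?&]q=([^&#]+)", url)
    words = unquote_plus(m.group(1)).lower().split() if m else []
    return {w for w in words if len(w) >= 4}

def find_hijack_chains(events, max_gap=1.0, min_hops=3):
    """Flag bare-IP requests followed by a rapid run of further requests."""
    findings, terms, i = [], set(), 0
    while i < len(events):
        url = events[i][1]
        terms = search_terms(url) or terms      # remember the latest search
        if not is_bare_ip(url):
            i += 1
            continue
        j = i + 1                               # extend while hops stay rapid
        while j < len(events) and events[j][0] - events[j - 1][0] <= max_gap:
            j += 1
        hops = [u.lower() for _, u in events[i + 1:j]]
        if len(hops) >= min_hops:
            leaked = sorted(t for t in terms if any(t in h for h in hops))
            findings.append({"start": url, "hops": len(hops), "leaked_terms": leaked})
        i = j
    return findings

print(find_hijack_chains(SAMPLE))
```

A non-empty `leaked_terms` list is the stronger signal, since it shows the redirector received the user's search words; a bare-IP request with no rapid follow-up hops is not flagged.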




#2 StarGGundam2


Posted 11 July 2010 - 07:05 PM

I CAN'T WAIT TO BOMB THIS VIRUS!

It's been annoying the shizzle out of me all morning long. But rest assured I will always find out what the hell is going on.

C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

Here's your likely murder. Use Security Task Manager or other type program to isolate it and soft delete it. Don't worry about that folder's parent, I believe it just latched itself in there to be annoying. Just delete the Search Helper folder and you should be good.

#3 Budapest


Posted 11 July 2010 - 07:32 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 Rickenbacker77


Posted 11 July 2010 - 09:49 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller


I was having the same issue (plus the weird debugging popup), but this seemed to fix it. Thanks Buda.

#5 biggerbear


Posted 26 July 2010 - 11:17 AM

Like Vsanjo I know my way around things and had tried all the usual. I'd found a proxy added and the hosts file altered as well as numerous randomly generated filenames being started from the registry (XP3). All fixed but the problem as described by V still there. Nothing showed up in HJT, Malware Bytes (after first probs fixed), SMitKillers, or the other tools V mentions. I found my way to this thread by googling the IP used 208.94.233.34 and have just used the TDSSKiller.exe. It found an infection in ../system32/drivers/imapi.sys and says it has cured it. It certainly seems to have solved the BHJ problem on some initial trials so fingers crossed and many thanks to Budapest and Rickenbacker for pointing in the right direction.

#6 chris6690


Posted 26 July 2010 - 01:26 PM

I was having the same issue as many others. I tried the tdss killer, it found one threat, I cured it, as of yet no problem. My scvhost had been running abnormally high which, I assume, was causing my comp to slow down. It has returned to normal levels and I am going on a bit now with no site popups.



