
Firefox getting ads on every page, sporadic redirects and links spoofed


9 replies to this topic

#1 mottwww


Posted 02 April 2015 - 02:47 AM

It's pretty much the topic. I've been watching a video on some site and then the ads just started appearing as soon as I opened my homepage. I've tried running MBAM, CCleaner and some other anti-adware I've found on Google, and every tool detected some bits and pieces of PUPs and registry keys to be cleaned, but the problem still persists, even after creating a completely new Firefox profile, launching it in Safe Mode and disabling all add-ons and extensions. I'm using WinXP. What do I do?

Edited by mottwww, 02 April 2015 - 03:21 AM.



 


#2 buddy215


Posted 02 April 2015 - 05:09 AM

Welcome to BC !

 

If you haven't installed the two most popular Firefox add-ons....NoScript and Adblock Plus...then you should for security and blocking annoying ads.

Adblock Plus is a no-brainer but NoScript will require some effort to learn to use for best results.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks.

At the bottom right of that page you will see a button that, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button that, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.


Edited by buddy215, 02 April 2015 - 05:12 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 mottwww


Posted 02 April 2015 - 05:39 PM

I am afraid that using NoScript is going to be a problem since I'm not the only person using the computer, and my family isn't exactly tech savvy enough to figure out how to use it properly.
As I stated in my first post, I've used some of the software I know to try and clean out the problem myself before posting here. One of those programs was indeed AdwCleaner, but it seems that the old log got overwritten with the new (clean) one when I ran it again per the procedure you suggested. Here's the only log I found in the AdwCleaner folder:


# AdwCleaner v4.200 - Отчёт создан 02/04/2015 в 23:59:42
# Обновлено 29/03/2015 by Xplode
# База данных : 2015-03-29.1 [Сервер]
# Операционная система : Microsoft Windows XP Service Pack 3 (x86)
# Пользователь : Валентина - ADMIN-ED605350A
# Запущено из : E:\adwcleaner_4.200.exe
# Режим : Сканировать

***** [ Службы ] *****


***** [ Файлы / Папки ] *****


***** [ Назначенные задания ] *****


***** [ Ярлыки ] *****


***** [ Реестр ] *****


***** [ веб браузеры ] *****

-\\ Internet Explorer v7.0.6000.21376


-\\ Mozilla Firefox v37.0 (x86 ru)


*************************

AdwCleaner[R0].txt - [615 байт] - [02/04/2015 23:59:42]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [672 байт] ##########

The JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.5.1 (04.02.2015:1)
OS: Microsoft Windows XP x86
Ran by  «Ґ­вЁ­  on 03.04.2015 at 0:04:42,34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 03.04.2015 at 0:05:33,67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The ESET Scan log:

C:\Documents and Settings\?????????\Application Data\63rcsLCLi JS/Toolbar.Crossrider.C potentially unwanted application deleted - quarantined
C:\Documents and Settings\?????????\??? ?????????\????????\ess_trial32_rus.exe Win32/Tutnedorogo.B potentially unwanted application deleted - quarantined
C:\Documents and Settings\?????????\??? ?????????\????????\Optiarc_AD-5200A_??????????_????????_10-2014.exe a variant of Win32/Systweak.H potentially unwanted application deleted - quarantined
C:\Documents and Settings\?????????\??? ?????????\????????\torrent-3200319.torrent.exe a variant of Win32/Dlhelper.C potentially unwanted application deleted - quarantined

(the question marks are Russian characters)

The CCleaner logs:

Startup:
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
Yes HKCU:Run CTFMON.EXE Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe
Yes HKCU:Run MSMSGS Microsoft Corporation "C:\Program Files\Messenger\msmsgs.exe" /background
Yes HKCU:Run PC Suite Tray Nokia "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
Yes HKLM:Run egui ESET "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
Yes HKLM:Run HP Software Update Hewlett-Packard C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Yes HKLM:Run NvCplDaemon Корпорация Майкрософт RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Yes HKLM:Run NvMediaCenter Корпорация Майкрософт RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Yes HKLM:Run RTHDCPL Realtek Semiconductor Corp. RTHDCPL.EXE

Install:

Adobe Flash Player 16 ActiveX Adobe Systems Incorporated 27.03.2015 16.0.0.305
Adobe Flash Player 16 NPAPI Adobe Systems Incorporated 27.03.2015 16.0.0.305
Canon CanoScan Toolbox 4.1 08.11.2014
Canon iP3500 series 25.09.2014
CCleaner Piriform 02.04.2015 5.04
Combined Community Codec Pack 2014-07-13 CCCP Project 25.09.2014 2014.07.13.0
ESET NOD32 Antivirus ESET, spol s r. o. 19.12.2014 31,50 MB 8.0.304.1
ESET Online Scanner v3 03.04.2015
HP Imaging Device Functions 14.5 HP 15.11.2014 14.5
HP Scanjet 200 HP 15.11.2014 14.5
HP Update Hewlett-Packard 15.11.2014 2,97 MB 5.002.006.003
Malwarebytes Anti-Malware, версия 2.1.4.1018 Malwarebytes Corporation 01.04.2015 2.1.4.1018
Microsoft Office Стандартный 2007 Microsoft Corporation 15.10.2014 12.0.4518.1014
Microsoft Visual C++ 2005 Redistributable - x86 8.0.61001 Microsoft Corporation 25.09.2014 5,28 MB 8.0.61001
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 25.09.2014 10,21 MB 9.0.30729.6161
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 Microsoft Corporation 25.09.2014 11,12 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Корпорация Майкрософт 25.09.2014 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Корпорация Майкрософт 25.09.2014 12.0.21005.1
Mozilla Firefox 37.0 (x86 ru) Mozilla 02.04.2015 37.0
Mozilla Maintenance Service Mozilla 01.04.2015 37.0
MSXML 4.0 SP3 Parser (KB2758694) Microsoft Corporation 25.09.2014 3,01 MB 4.30.2117.0
Nokia Connectivity Cable Driver Nokia 02.03.2015 3,35 MB 7.1.78.0
Nokia PC Suite Nokia 02.03.2015 7.1.180.94
NVIDIA Графический драйвер 340.52 NVIDIA Corporation 25.09.2014 340.52
REALTEK GbE & FE Ethernet PCI NIC Driver Realtek 25.09.2014 1.23.0000
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 25.09.2014 5.10.0.7111
RTLSetup
Skype 7.1 Skype Technologies S.A. 29.01.2015 48,38 MB 7.1.105
User Profile Hive Cleanup Service Microsoft Corporation 25.09.2014 0,39 MB 1.6.36
WinRAR 5.11 (32-разрядная) win.rar GmbH 26.10.2014 5.11.0
Пакет драйверов Windows - Nokia Modem (02/25/2011 4.7) Nokia 02.03.2015 02/25/2011 4.7
Пакет драйверов Windows - Nokia Modem (02/25/2011 7.01.0.9) Nokia 02.03.2015 02/25/2011 7.01.0.9


As the logs are mostly clean as I've already used the common cleanup tools that came to mind, I've decided to take a screenshot of the ESET scan page to show how most every page looks for me:
http://rghost.ru/8yFwGYY4g.view

#4 buddy215


Posted 02 April 2015 - 07:10 PM

I don't see the CCleaner list of Scheduled Tasks...maybe you missed posting it. Please post it.

 

Check one of your Firefox shortcuts on the desktop to see if the Target has anything other than “C:\Program Files\Mozilla Firefox\firefox.exe” for Windows 32-bit OR “C:\Program Files (x86)\Mozilla Firefox\firefox.exe” for Windows 64-bit, Right Click on a Shortcut.....Choose Properties.....Click on Shortcut Tab

If there is something added to the end of the Target you will need to delete ALL shortcuts for ALL browsers....Firefox, IE, Chrome, etc.


 

 

 

Disable these Windows Startups: (You can use CCleaner...Click to highlight each item...choose Disable on the right)

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
Yes HKCU:Run CTFMON.EXE Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe ( Converts Text to speech...you may or may not need it...See What is CTFMON.EXE )
Yes HKCU:Run MSMSGS Microsoft Corporation "C:\Program Files\Messenger\msmsgs.exe" /background
Yes HKCU:Run PC Suite Tray Nokia "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
Yes HKLM:Run HP Software Update Hewlett-Packard C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

Yes HKLM:Run NvMediaCenter Корпорация Майкрософт RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

Uninstall This Program: (You can use CCleaner...Click to highlight each item...choose Uninstall on the right)

ESET Online Scanner v3 03.04.2015




#5 buddy215


Posted 02 April 2015 - 07:23 PM

I should have added...if one of the shortcuts is infected then you will need to clean up all browser shortcuts on the Task Bar, Desktop and in the Start Menu.


Edited by buddy215, 02 April 2015 - 07:24 PM.



#6 Zavarzin


Posted 03 April 2015 - 01:39 AM

Here's the solution: https://support.mozilla.org/bs/questions/1055403



#7 mottwww


Posted 03 April 2015 - 06:59 AM

Here's the Scheduled Tasks page:

Yes Task 63rcsLCLi C:\Documents and Settings\Application Data\63rcsLCLi.exe --c=nFM54W3f5AFlSLZ65DNfujLITh/I/dc5LhvFdRmCKJYoNVD76emDFJt8lMVcNReijc373zMUDGElKCYEua+btouBTK1pt5uxIn3bFYyHrUsGdJG4dFr+JWhjtWw8Y7KhkJLCxXaJ/XFxEVEaG9b9UwsbJaHx9/+RMUMPuAQSoaeUTwxJtdC5CaFHDT1NfhHC7lKsvJ4Qu3tadZN1hEN+YT7FXRwaqXmZyz2ZYyRRXdI/JxGbEiktTGUBXcmp/Wec5piHfB1xaXRb3Lm6/ul8w27Gzk/Tnd8/DEMOPu+Pttkv3VXOsYPeR4Z9HVgOj7O3YTEnN/kE15Jb03ajGiksmQ==
Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe


That first task seems weird to me. Should I disable it?


Nothing extra was appended to any of the browser icons.

Edited by mottwww, 03 April 2015 - 07:00 AM.


#8 buddy215


Posted 03 April 2015 - 07:20 AM

Not just disable it...remove/ delete it.

 

You can disable the Flash Player updater.

 

If after removing that task you still have a problem with Firefox, you will need to do a clean reinstall....that means removing ALL Mozilla and Firefox files from the computer. Run the uninstaller for Firefox from CCleaner. Then do a search for Mozilla and Firefox....delete all.

You can save your Bookmarks first to the Desktop and reinstall them after removing all of Mozilla and Firefox. Just be sure not to delete them during your file search.




#9 mottwww


Posted 03 April 2015 - 08:37 AM

Yeah, the clean reinstall seems to have fixed the problem. It's odd, because I've tried reinstalling Firefox normally (by deleting it from Task Manager), but the problem persisted through that. Thanks for helping out, I've spent way too much time on this!
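
Added example, not part of any post in this thread: a small Python triage over flattened CCleaner Startup / Scheduled Tasks export lines like those posted above, flagging entries that run from a per-user profile folder or carry a long encoded-looking argument, as the task in post #7 does. The sample lines are constructed from the shapes seen in the thread (the long argument is filler), and the folder list and the two heuristics are assumptions of this example.

```python
import re

# Constructed sample lines in the flattened CCleaner export shape from this thread.
# The long --c= value is filler, not the argument posted in #7.
SAMPLE = [
    r'Yes HKCU:Run CTFMON.EXE Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe',
    r'Yes HKLM:Run egui ESET "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r'Yes HKLM:Run HP Software Update Hewlett-Packard C:\Program Files\HP\HP Software Update\HPWuSchd2.exe',
    r'Yes Task 63rcsLCLi C:\Documents and Settings\Application Data\63rcsLCLi.exe --c=' + 'QUJD' * 30,
    r'Yes HKLM:Run RTHDCPL Realtek Semiconductor Corp. RTHDCPL.EXE',
]

# First full path ending in .exe (optionally quoted), then whatever arguments follow.
EXE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?(.*)$', re.IGNORECASE)
# Assumed list of per-user locations that a non-admin process can write to.
USER_WRITABLE = ('\\application data\\', '\\appdata\\', '\\local settings\\', '\\temp\\')
# 40 or more characters from the base64 alphabet inside the argument string.
BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

def triage(line):
    """Return the reasons an autostart entry deserves a closer look (empty list = none)."""
    m = EXE.search(line)
    if not m:
        # Bare file names and rundll32-style entries are not judged here.
        return ['no full .exe path; check by hand']
    path, args = m.group(1), m.group(2)
    reasons = []
    if any(folder in path.lower() for folder in USER_WRITABLE):
        reasons.append('runs from a user-writable profile folder')
    if BLOB.search(args):
        reasons.append('long encoded-looking argument')
    return reasons

def report(lines):
    """Map each flagged line to its reasons, skipping lines with nothing to report."""
    return {line: triage(line) for line in lines if triage(line)}

if __name__ == '__main__':
    for line, reasons in report(SAMPLE).items():
        print(line[:60] + '...', '->', '; '.join(reasons))
```
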

#10 buddy215


Posted 03 April 2015 - 08:45 AM

You're welcome...enjoyed working with you...happy surfin'

