Solved

Possible Virus?

Posted on 2011-03-21
Last Modified: 2013-12-06
Hi Experts,

It seems to only be happening in Firefox.  I'll open a website and will automatically get pop-up windows to other URLs.  For example, I'll click on a link from, say, a Google search, I'll click on that link and some bogus website appears.  I know I have a trojan, virus, malware or something going on.  I've scanned with two different AVs, i.e. Avast and Panda Cloud, as well as 2 different malware scanners, i.e. Malwarebytes and SuperAntiSpyWare.  I'm also running a full system, including registry clean, with CCleaner.  I can't seem to shake this issue, no matter what I do.  As mentioned, I'm only seeing this in Firefox 3.16.15.  I even installed Security Task Manager, which shows the underlying programs running, not just the service level ones... It did not detect anything.  I'm at a loss here.  Any suggestions as to why it's behaving this way?
Question by:itsmevic
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 35179163

Try GooredFix first:
Please download GooredFix and save it to your Desktop.
http://jpshortstuff.247fixes.com/GooredFix.exe
Double-click GooredFix.exe on your Desktop to run it.

Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system.
Please also allow any registry changes that may be prompted by any of your security programs.


Then if the problem persists we can try TDSSKiller and RogueKiller:
 
LVL 38

Expert Comment

by:younghv
ID: 35179165
This Article from 'rpggamergirl' might be what you're looking for:

"Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_3299.html
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35179184
Here's also an article on RogueKiller, you can try:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html


TDSSKiller:
Download, extract and run TDSSkiller.exe
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
 
LVL 17

Expert Comment

by:sgsm81
ID: 35179264
Try creating a new user profile on the machine, log onto it and see if the problem is still there
 
LVL 38

Expert Comment

by:younghv
ID: 35179290
@sgsm81,
I don't understand that recommendation.
What is it you are hoping to accomplish?

 

Author Comment

by:itsmevic
ID: 35183411
I'll look into everyone's suggestions and let you know.  Will try this evening.
 

Author Comment

by:itsmevic
ID: 35186694
Hi rpggamergirl, ran GooredFix; below is the log.
GooredFix by jpshortstuff (03.07.10.1)
Log created at 00:25 on 22/03/2011 (Owner)
Firefox version 3.6.15 (en-US)

========== GooredScan ==========

Removing Orphan:
"m3ffxtbr@mywebsearch.com"="C:\Program Files\MyWebSearch\bar\1.bin" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:35 16/03/2011]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:59 05/03/2010]

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fcjxqxkd.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [07:15 16/03/2011]
{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} [00:54 17/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:52 05/03/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:53 05/03/2010]
"widgetruntime@surfsecret.com"="C:\Program Files\Panda Security\Panda ID Protect\Firefox" [00:54 17/03/2011]

-=E.O.F=-

 

Author Comment

by:itsmevic
ID: 35186718
Hi rpggamergirl... wow, after running GooredFix and TDSSKiller, both of which appear to have found and cleaned what it was they detected, I rebooted and my system hasn't booted up this quick since it came out of the box (so to speak).  Perhaps this fixed it.  I'm gonna do some tests to see if perhaps it decides it's going to resolve to other URLs.  Will leave this open for a few days while testing, then will award points if everything is solid.
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35188221
Looks like "MyWebSearch" spyware/Trojan was the culprit - comes with lots of "optional" payloads...

@itsmevic: you should close the question now, I think :)
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35188722
Good to know the issue seems to be fixed.

What GooredFix had removed was just an orphan reg entry, so maybe TDSSKiller got it. What did the TDSSKiller log show?

Just keep an eye on it for a day or so and if it comes back we can suggest running a diagnostic tool.
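
A small parser for the GooredFix log format shown in this thread, added here as an illustration (it is not part of any post and is not GooredFix's own code): it extracts the orphan entries the tool removed and the extensions registered through the HKEY_LOCAL_MACHINE key, newest first, so registry-registered add-ons can be reviewed. The sample is an excerpt of the log posted above; the function names are illustrative.

```python
import re
from datetime import datetime

# Excerpt of the GooredFix log posted in this thread (shortened).
SAMPLE_LOG = r'''========== GooredScan ==========

Removing Orphan:
"m3ffxtbr@mywebsearch.com"="C:\Program Files\MyWebSearch\bar\1.bin" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:35 16/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:53 05/03/2010]
"widgetruntime@surfsecret.com"="C:\Program Files\Panda Security\Panda ID Protect\Firefox" [00:54 17/03/2011]

-=E.O.F=-
'''

ENTRY = re.compile(r'^"(?P<id>[^"]+)"="(?P<path>[^"]*)"(?P<rest>.*)$')
STAMP = re.compile(r'\[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]')

def parse_goored_log(text):
    """Return (removed_orphans, registry_entries) parsed from a GooredFix log."""
    removed, registered, state = [], [], None
    for line in map(str.strip, text.splitlines()):
        if line == "Removing Orphan:":
            state = "orphan"
        elif line.upper().startswith("[HKEY_"):
            state = "registry"
        elif not line or line.startswith("="):
            state = None          # blank line or banner ends the current block
        elif state and (m := ENTRY.match(line)):
            item = {"id": m["id"], "path": m["path"]}
            if state == "orphan":
                item["removed"] = "Success" in m["rest"]
                removed.append(item)
            else:
                ts = STAMP.search(m["rest"])
                item["stamp"] = datetime.strptime(ts[1], "%H:%M %d/%m/%Y") if ts else None
                registered.append(item)
    return removed, registered

def newest_first(registered):
    """Order registry-registered extensions by the bracketed log timestamp."""
    return sorted(registered, key=lambda e: e["stamp"] or datetime.min, reverse=True)

if __name__ == "__main__":
    removed, registered = parse_goored_log(SAMPLE_LOG)
    for e in removed:
        print("removed orphan:", e["id"], "->", e["path"])
    for e in newest_first(registered):
        print("registry extension:", e["id"], e["stamp"], e["path"])
```

Folder-installed extensions (the `{GUID} [timestamp]` lines) are deliberately skipped; only the orphan and registry blocks are parsed.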
 

Author Closing Comment

by:itsmevic
ID: 35189461
Awesome input!  Suggestions that were solid and worked.  Thank you to everyone.  Wish I had more points to give...