Firefox Virus..HELP



Hey everyone,

Like two days ago my homepage was hijacked, or what I think was a hijack, and it now appears as some Chinese thing. It's definitely a virus or something, because it happens with several sites, at random, within Firefox.

If I can get an Internet connection in IE, then I can't get it in Firefox, and my suspicion is that it is because of this new "thing".

I have posted a screenshot to show you the Chinese-lettered page... whether it tells you much I don't know.

I ran CCleaner... nothing.

I don't have an antivirus right now because I'm renewing my ID or whatever with ESET.

Spybot didn't remove or detect it.

Thanks

Medking

[attached screenshot]


Well, CCleaner isn't a virus scanner nor a spyware scanner. Spybot is ineffective nowadays. Use SuperAntiSpyware and Spyware Terminator. Surfing without a virus scanner, even when using Firefox, is dumb. You can always uninstall Firefox and reinstall it. Make sure you deleted all files and registry entries. Use MozBackup to back up all your settings.

http://www.tweakguides.com/Firefox_1.html

Uninstall instructions


Why do you have to wait to renew? Just go to one of the many free online scans:

TrendMicro: http://housecall.trendmicro.com/

Microsoft: http://onecare.live.com/site/en-us/default.htm

Or simply download some free anti-virus and anti-spyware programs. No need to pay stupid yearly subscriptions.

And as mentioned, CCleaner does nothing with viruses, it knows nothing about them.


> Why do you have to wait to renew? Just go to one of the many free online scans:
>
> TrendMicro: http://housecall.trendmicro.com/
>
> Microsoft: http://onecare.live.com/site/en-us/default.htm
>
> Or simply download some free anti-virus and anti-spyware programs. No need to pay stupid yearly subscriptions.
>
> And as mentioned, CCleaner does nothing with viruses, it knows nothing about them.

True... Avast is free but I went with NOD32. It's the best out there and worth the $40.


> True... Avast is free but I went with NOD32. It's the best out there and worth the $40.

Yes, Avast is very good. No doubt, though, that programs that cost some cash are sometimes better than those that do not. I just don't like paying for stuff.


OK, here's my advice:

1. download the Kaspersky 7.0 AV trial from here: http://www.filehippo.com/download_kaspersky_antivir/

2. do an update

3. get both SuperAntiSpyware and Spyware Terminator: http://www.filehippo.com/software/antispyware/

4. do full updates for both

5. restart and boot into safe mode

6. do a full system scan with all 3: Kaspersky AV, Spyware Terminator and SuperAntiSpyware

7. by the looks of it... something should turn up

8. remove and delete all malware

9. remove KAV, SuperAntiSpyware + Spyware Terminator if you don't want them anymore

10. run CCleaner... do a full registry + program settings clean-up

11. restart the PC


OK guys, thanks a lot for the advice! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:57:28 AM, on 1/5/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Users\Alex\Documents\Downloads\Programs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\VistaCodecPack\QT\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.712.18632 (GoogleDesktopManager-121807-210419) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--

End of file - 9075 bytes

Currently installing the free version of Kaspersky, following up on what Kaboose posted.

In Safe Mode it DOES appear!

Thanks,

Medking

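An added example, not posted by anyone in this thread: a small Python script that does the first-pass triage people do by eye on a HijackThis log. It pulls out the O4 autostart entries (the ones a later reply calls "just start-up entries") and flags the lines that deserve a second look before anything else: entries whose target file no longer exists ("(no file)" / "(file missing)") and O23 services with no publisher ("Unknown owner"). The sample log is a constructed subset of the lines from the log above; the regexes and function names are this example's own, not HijackThis's.

```python
import re

# Matches one HijackThis entry, e.g. "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"
HJT_ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")
# Matches the "[name] command" form used by O4 registry Run entries
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Markers HijackThis prints when the referenced file no longer exists
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: a handful of lines copied from the log posted in this thread
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe
O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_entries(text):
    """List O4 registry Run entries as (hive, key, name, command) tuples."""
    result = []
    for section, body in parse_hjt(text):
        if section != "O4":
            continue
        m = RUN_ENTRY.match(body)
        if m:
            result.append(m.groups())
    return result


def triage(text):
    """Flag orphaned entries (their file is gone) and services with no publisher.

    Each finding is (section, reason, original body)."""
    findings = []
    for section, body in parse_hjt(text):
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append((section, "orphaned entry", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service without publisher", body))
    return findings


if __name__ == "__main__":
    for hive, key, name, cmd in run_entries(SAMPLE_LOG):
        print(f"autostart {hive}\\{key} [{name}] -> {cmd}")
    for section, why, body in triage(SAMPLE_LOG):
        print(f"{section}: {why}: {body}")
```

Orphaned entries are usually leftovers from uninstalled software and are safe to clean, but they are also where a removed infection leaves traces, so they are worth listing first. Note that HijackThis only reports Internet Explorer's registry settings (the R0/R1 lines); it says nothing about Firefox's own proxy configuration, which lives in the profile.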

That image looks suspiciously like the filter page that my school used to use, but in Chinese; it has the same layout and stuff...

Can't remember which program it was through, though. Where are you getting your Internet connection from?

I'm not too experienced with HijackThis logs, but I don't see anything standing out there, just a few O4s that you probably don't need, just start-up entries...

Still, that image gave me nasty memories of my school's whitelist filter :/


Just uninstall Firefox completely and reinstall. Use Revo Uninstaller, and afterwards there are several other files to clean up. Firefox was getting some odd pop-up for me with no spyware found. I just uninstalled and reinstalled and all was fine. Takes only about 10 min.


Hmm, I'm getting my Internet from here... Panama. A few days ago I used HideIP to access some NBC videos hehe... and one of the IPs it gave me was Chinese... but I switched it straight away... so...

Maybe I'll uninstall and then reinstall...

Medking

I'm also doing the OneCare scan but it's taking ages! So I'll just leave it running hehe

Sorry, another edit... if I remove Firefox, will it remove all my saved bookmarks etc.?


You might be running through a proxy; go to Tools > Options > Advanced > Network and click the Settings button in the Connection section.

What does that say?

Edit: your bookmarks are saved in your profile; if you remove the profile without backing them up (either export them through Firefox or copy the bookmarks.html file somewhere), then yes, they'll be deleted.

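The check suggested above can also be done without clicking through the dialog, which matters when you want to audit several profiles or a machine you can't sit at. Firefox keeps its connection settings per profile in prefs.js (and user.js), as user_pref lines such as network.proxy.type and network.proxy.http; a leftover proxy there is invisible to HijackThis and to the IE-based online scanners, which is why the log looked clean while Firefox was still going through someone else's proxy. The following is an added example, not code from anyone in this thread or from Mozilla: a Python parser for those lines that reports where the profile will send traffic. The sample prefs.js content is constructed, and the proxy address in it is a documentation address (TEST-NET-1), not a real host.

```python
import re

# Meaning of the network.proxy.type values Firefox writes to prefs.js
PROXY_TYPES = {
    0: "direct connection (no proxy)",
    1: "manual proxy configuration",
    2: "automatic proxy configuration (PAC) URL",
    4: "auto-detect proxy settings (WPAD)",
    5: "use system proxy settings",
}

# One prefs.js / user.js line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js that still points at a leftover manual proxy;
# 192.0.2.10 is a documentation address, not a real proxy.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.google.co.uk/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "192.0.2.10");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.share_proxy_settings", true);
'''

# Constructed sample after the user switched back to a direct connection
CLEAN_PREFS = 'user_pref("network.proxy.type", 0);\n'


def parse_prefs(text):
    """Parse user_pref lines into a dict, converting strings, ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def proxy_findings(prefs):
    """Describe where the profile will send traffic; an empty list means direct."""
    ptype = prefs.get("network.proxy.type")
    if ptype is None:
        # Not written to prefs.js means the Firefox built-in default applies
        return ["network.proxy.type not set in prefs.js; built-in default applies"]
    if ptype == 0:
        return []
    findings = [f"network.proxy.type={ptype}: {PROXY_TYPES.get(ptype, 'unknown value')}"]
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host:
            port = prefs.get(f"network.proxy.{scheme}_port", "?")
            findings.append(f"{scheme} traffic goes through {host}:{port}")
    if ptype == 2:
        findings.append(f"PAC script: {prefs.get('network.proxy.autoconfig_url', '(none)')}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample profile", SAMPLE_PREFS), ("clean profile", CLEAN_PREFS)):
        findings = proxy_findings(parse_prefs(text)) or ["direct connection, nothing to report"]
        print(label)
        for f in findings:
            print("  " + f)
```

Run it against the prefs.js in each profile directory (the path differs per Windows version, so locate it through Firefox's profile manager or the profiles.ini in the user's application data). Type 1 with an unfamiliar host, or type 2 with a PAC URL nobody set on purpose, is exactly the situation in this thread; the fix is the same as the reply above says, switch the connection back to direct or system settings and restart Firefox.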

Wow! Good on ya!

That's it, I was running through some Chinese proxy! No wonder the other day when I changed my IP it still said it was coming from China. Thanks a lot... Firefox is back to its normal speed and functionality hehe...

Thanks to everyone who's put in their efforts here... really appreciate it!

Medking


> Hmm, I'm getting my Internet from here... Panama. A few days ago I used HideIP to access some NBC videos hehe... and one of the IPs it gave me was Chinese... but I switched it straight away... so...
>
> Maybe I'll uninstall and then reinstall...
>
> Medking
>
> I'm also doing the OneCare scan but it's taking ages! So I'll just leave it running hehe
>
> Sorry, another edit... if I remove Firefox, will it remove all my saved bookmarks etc.?

I told you to use MozBackup... it's free.


Hello,

I took a quick glance through your HijackThis log and did notice one thing which should not be there:

O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET Smart Security\nodlogin.exe

The program is malicious and should be removed.

While you're waiting to renew your NOD32 license, you can run a copy of the ESET Online Scanner on your system for free from http://www.esetonlinescanner.com/.

Regards,

Aryeh Goretsky


This topic is now closed to further replies.