Maximum PC

All times are UTC - 8 hours




Post subject: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 12:21 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
Hey guys, maybe you can help me as I'm scratching my head. My desktop has been running pretty lean and smooth until one day one of the kids had been using it. I fired up Firefox and as I was using it browsing my web comics I noticed several tabs began opening. They went to spam sites, the type saying you've won something or crap spam about the Affordable Health Care Act. So I ran Norton Internet Security 2014 and it found nothing. Okay...maybe it was a fluke? Must have been something I accidentally clicked on one of those websites. However, it continued, prompting a reformat. Besides, it had been months anyhow.

So I'm a week into my reformat and no one has used the computer but me. Well, the problems have returned and are escalating. This time though I have NIS 2014, Malwarebytes, and SUPERAntiSpyware in preparation if anything happens. Problem is...no scan finds anything. All three are fully updated, ready to rock, full-scan, and find no problems. It's sporadic, as well. It can happen on Yahoo, on my company's business website, on the AHCA website, or just perusing the internet.

There are no other symptoms with my PC at all.

Here is a list of my extensions:

Image

Here is my Hijackthis Log:

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:20:19 AM, on 1/17/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.16384)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Corsair\Corsair Headset Software\HeadsetControlPanel.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\coIEPlg.dll
O4 - HKLM\..\Run: [Corsair Headset Software] "C:\Program Files (x86)\Corsair\Corsair Headset Software\HeadsetControlPanel.exe" /minimized
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
O4 - HKLM\..\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files (x86)\Logitech\Ereg\eReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{74589640-B24E-4457-941B-20F2D4028AA0}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{D72BE203-DD4C-4F5B-BEAC-53C34FB0CB08}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{74589640-B24E-4457-941B-20F2D4028AA0}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Alcohol Virtual Drive Auto-mount Service (AxAutoMntSrv) - Alcohol Soft Development Team - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Stardock Start8 (Start8) - Stardock Software, Inc - C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10261 bytes


Any thoughts at all? Thank you all very much.

Edit: Also, I'm starting to think I never should have stopped using Kaspersky Internet Security...


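Added example, not part of the post above and not a HijackThis feature: a small Python triage script for a log like the one posted. HijackThis 2.0.4 is a 32-bit program, and on 64-bit Windows the WoW64 file-system redirector sends its System32 and %ProgramFiles% lookups to SysWOW64 and "Program Files (x86)". That is why every O23 entry for a Windows component in the log above (alg.exe, lsass.exe, spoolsv.exe, the Defender services, all with "@..." resource-string display names) reads "(file missing)" although those files are present. The script parses O4 and O23 lines, re-checks each binary at the non-redirected location as well, and labels those entries as artifacts so attention goes to whatever is left. The five log lines embedded in it are copied from the post; the `exists` callback is injectable so the fake file system in the test stands in for a real one.

```python
import os
import re
from typing import Callable, Dict, List

# Five lines copied from the HijackThis log in the post above
# (O4 = Run-key autostart, O23 = installed service).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] '
    r'"?(?P<path>.*?\.[Ee][Xx][Ee])"?(?P<args>.*)$')
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - '
    r'(?P<vendor>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$')
SYSTEM32_RE = re.compile(r'^(?P<root>[A-Za-z]:\\Windows)\\System32\\(?P<rest>.+)$', re.IGNORECASE)
PF86_RE = re.compile(r'^(?P<drive>[A-Za-z]:)\\Program Files \(x86\)\\(?P<rest>.+)$', re.IGNORECASE)


def candidate_paths(path: str) -> List[str]:
    """Locations to check for a path reported by the 32-bit HijackThis.

    Under WoW64, System32 is redirected to SysWOW64 and %ProgramFiles% expands to
    'Program Files (x86)' for 32-bit processes, so native 64-bit binaries look
    missing. The Sysnative alias reaches the real System32 from a 32-bit process;
    a 64-bit process sees System32 directly, so checking both covers either case.
    """
    out = [path]
    m = SYSTEM32_RE.match(path)
    if m:
        out.append(f"{m['root']}\\Sysnative\\{m['rest']}")
    m = PF86_RE.match(path)
    if m:
        out.append(f"{m['drive']}\\Program Files\\{m['rest']}")
    return out


def parse_log(text: str) -> List[Dict[str, object]]:
    """Extract O4 (Run-key autostart) and O23 (service) entries from a HijackThis log."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "autostart", "name": m["name"], "hive": m["hive"],
                            "path": m["path"], "args": m["args"].strip(),
                            "reported_missing": False})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"] or m["display"],
                            "vendor": m["vendor"], "path": m["path"],
                            "reported_missing": m["missing"] is not None})
    return entries


def triage(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Resolve each entry's binary and label it present / wow64-artifact / missing.

    `exists` is injectable so the logic can run against a fake file system or a
    mounted image of the suspect disk instead of the machine running the script.
    """
    rows = []
    for entry in parse_log(text):
        found = [p for p in candidate_paths(str(entry["path"])) if exists(p)]
        if not found:
            entry["status"] = "missing"          # genuinely absent: dangling autostart, or not this machine
        elif found[0] == entry["path"]:
            entry["status"] = "present"
        else:
            entry["status"] = "wow64-artifact"   # exists, just not where the 32-bit tool looked
        entry["resolved"] = found[0] if found else None
        rows.append(entry)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['kind']:9} {row['status']:14} {row['name']:20} {row['path']}")
```

Run it from a 64-bit Python on the affected box and the System32 entries come back as wow64-artifact; what remains worth a look is anything "Unknown owner" outside the Windows directory, anything still "missing", and the Run-key entries whose vendor you cannot account for.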
 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 12:40 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
These three sites popped up within two minutes of me heading to Yahoo, then to MaximumPC after freshly launching Firefox:

Image
Image
Image

In the time it took me to post this, another one about Scarlett Johansson's voice came up as well. Any ideas? This is making me wonder just WTF is up and very frustrating! Thanks again guys, I know it's late/early. Appreciate all help.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 6:07 am
[Team Member]

Joined: Sat Jun 26, 2004 4:31 am
Posts: 11102
Location: Home Sweet Home
When you formatted the drive, did you also fix the MBR? Sometimes a virus will be written to install itself there, and after formatting the drive and installing Windows it rewrites itself to Windows and you have the very same virus again in the same place.

Nasty


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 9:42 am
Smithfield

Joined: Sun Jun 18, 2006 7:37 pm
Posts: 5394
Does this only happen with Firefox? If it only happens to Firefox, uninstall it and delete the %APPSDATA%/Roaming/Mozilla and %APPSDATA%/Local/Mozilla folders. Make sure you're getting Firefox straight from the source and reinstall it. Don't add any extensions and see what happens.

If it happens with any browser you use, we could take some drastic measures here. I would look into getting a live Linux distro with some hard drive tools. I would suggest PartedMagic, but they started asking for money ($15 or so, but it used to be free). Either way, if you want to absolutely positively make sure you've wiped it clean, make sure you're not connected to the internet when you boot into the live distro and do a secure erase on all of the drives in that computer.

And as a random tidbit, if you get the Pro version of Malwarebytes, it blacklists a bunch of IPs to prevent your computer from making a connection to them.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 10:29 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
Nastyman: Sure did.

LatiosXT: I thought I had, but apparently not. I just ran MBRCheck and it says it's found a non-standard or infected MBR. I have the option to Restore the MBR with Standard Boot Code. Think I should?


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 10:32 am
Smithfield

Joined: Sun Jun 18, 2006 7:37 pm
Posts: 5394
I'd rather just nuke it with extreme prejudice. If possible >:3

Though in seriousness I'm just paranoid so I'd rather wipe the entire drive clean if I'm not worried about the data on it. The Windows install will just make a new MBR.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 10:51 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
See, that's what I thought I had done the first time. I reformatted all partitions on the disk (my SSD). Then formatted that. Then installed Windows on it and I just used a Windows 8.1 disk to replace the MBR (yes, replace it, not repair it). Fired up Firefox, went to Yahoo, and immediately one of the tabs opened.

This is infuriating/frustrating.

I even just used MBRCheck to replace the MBR as well.

You know, I bet it's one of the damn Extensions.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 11:11 am
Thunderbird

Joined: Sun Dec 30, 2007 6:17 pm
Posts: 884
Location: Phoenix, AZ
Sounds like your popup manager has been disabled. It has been years since I have seen this kind of behavior on a browser and I think that is what tamed it.

I would consider backing up with MozBackup and then uninstalling and reinstalling either 26 or 27(beta).

However, one help site poster claims it is caused by a rootkit and that Kaspersky's TDSSKiller cures it. Couldn't hurt. This would have to have been acquired AGAIN after your clean install.


Last edited by FascistNation on Fri Jan 17, 2014 11:32 am, edited 1 time in total.

 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Fri Jan 17, 2014 11:15 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
I know...that's part of what's so infuriating. We take for granted browsers have this built in now, as do security suites like NIS2014 and both of these seem to have been circumvented and NONE of today's tools are finding anything.

I uninstalled all of my extensions, then reinstalled them all except DownThemAll AntiContainer. Guess what? No suspicious behavior *knock wood* at this time. I have to head to work but we'll see what we see and if anything creeps up you know I'll be back.

Thanks a lot guys.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Sat Jan 18, 2014 9:23 pm
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
It was, definitively, narrowed down to the QuickDrag Extension. Thought you all might like to know in case anyone else has a problem that exhibits this behavior.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Mon Jan 20, 2014 7:01 am
Team Member Top 500

Joined: Thu Dec 23, 2004 2:34 pm
Posts: 3977
Location: Building my 4-8-9
Sounds like Chrome isn't the only one. Shady individuals or entities buy extensions, then when they silently auto-update, BAM--malware!


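Added example, not part of the post above and not Firefox or Mozilla code: the post describes bought extensions pushing malware through silent auto-updates, and the thread narrowed the spam tabs down to one extension, so the practical question is how exposed a profile is to that. Firefox keeps its add-on database in extensions.json inside the profile directory; the script below reads it and, for each enabled extension, flags the three things that make a takeover cheap: updates served from the developer's own server rather than addons.mozilla.org, an install that never came from addons.mozilla.org, and background updates left on. The field names used (updateURL, sourceURI, applyBackgroundUpdates, defaultLocale.name) are those of that file; the embedded extensions.json is constructed, and its ids, names and URLs are invented and not those of the QuickDrag extension.

```python
import glob
import json
import os
from typing import Dict, List
from urllib.parse import urlparse

# Mozilla-operated hosts for add-on downloads and update checks.
# Assumption: this is the allow-list you would extend for your own environment.
AMO_HOSTS = {"addons.mozilla.org", "versioncheck.addons.mozilla.org",
             "versioncheck-bg.addons.mozilla.org"}

# Constructed extensions.json: ids, names and URLs are invented; field names
# follow Firefox's add-on database so the same code runs on a real profile.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 15,
    "addons": [
        {"id": "userscripts@example.org", "version": "1.9", "type": "extension",
         "defaultLocale": {"name": "Userscript Helper"},
         "active": True, "userDisabled": False, "appDisabled": False,
         "updateURL": None,
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/userscripts.xpi",
         "applyBackgroundUpdates": 1},
        {"id": "dragtools@example.net", "version": "3.1", "type": "extension",
         "defaultLocale": {"name": "DragTools"},
         "active": True, "userDisabled": False, "appDisabled": False,
         "updateURL": "http://updates.example-cdn.net/dragtools/update.rdf",
         "sourceURI": "http://example-cdn.net/dragtools.xpi",
         "applyBackgroundUpdates": 1},
        {"id": "oldthing@example.com", "version": "0.4", "type": "extension",
         "defaultLocale": {"name": "Old Thing"},
         "active": False, "userDisabled": True, "appDisabled": False,
         "updateURL": None,
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/oldthing.xpi",
         "applyBackgroundUpdates": 0},
    ],
})


def _host(url: object) -> str:
    """Hostname of a URL, or '' when the field is null or absent."""
    if not url:
        return ""
    return urlparse(str(url)).hostname or ""


def audit(extensions_json_text: str) -> List[Dict[str, object]]:
    """One row per enabled extension, with the findings that bear on silent-update risk."""
    db = json.loads(extensions_json_text)
    rows: List[Dict[str, object]] = []
    for addon in db.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active") or addon.get("userDisabled"):
            continue
        findings: List[str] = []
        update_host = _host(addon.get("updateURL"))
        source_host = _host(addon.get("sourceURI"))
        if addon.get("updateURL") and update_host not in AMO_HOSTS:
            findings.append("self-hosted-updates")    # the developer's server decides what code you get next
        if addon.get("sourceURI") and source_host not in AMO_HOSTS:
            findings.append("non-amo-source")         # never went through AMO review
        if addon.get("applyBackgroundUpdates", 1) != 0:  # 0 = never, 1 = global default, 2 = always
            findings.append("auto-update-enabled")    # a new owner's build lands without you noticing
        rows.append({"id": addon["id"],
                     "name": addon.get("defaultLocale", {}).get("name", addon["id"]),
                     "version": addon.get("version"), "update_host": update_host,
                     "findings": findings, "risk": len(findings)})
    return sorted(rows, key=lambda r: -int(r["risk"]))


def user_js_lines() -> List[str]:
    """user.js lines that keep update checks on but stop automatic installation
    (the Add-ons Manager's 'check for updates but let me choose' setting)."""
    return ['user_pref("extensions.update.enabled", true);',
            'user_pref("extensions.update.autoUpdateDefault", false);']


def profile_databases() -> List[str]:
    """Paths of extensions.json in every Firefox profile under %APPDATA% (Windows)."""
    appdata = os.environ.get("APPDATA", "")
    return glob.glob(os.path.join(appdata, "Mozilla", "Firefox", "Profiles", "*", "extensions.json"))


if __name__ == "__main__":
    paths = profile_databases()
    text = open(paths[0], encoding="utf-8").read() if paths else SAMPLE_EXTENSIONS_JSON
    for row in audit(text):
        print(f"{row['risk']} {row['name']:<20} {str(row['version']):<6} "
              f"{row['update_host'] or '-':<30} {', '.join(row['findings'])}")
```

The risk count is just the number of findings; what to do with a high-risk row is a judgment call, but dropping the two user.js lines into the profile turns silent updates into a prompt you get to read, which is exactly the step the bought-extension trick relies on you skipping.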
 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Mon Jan 20, 2014 9:47 am
Smithfield

Joined: Sun Jun 18, 2006 7:37 pm
Posts: 5394
Oh, Maggard, I just realized it looks like you're running Windows 8. Windows 8 uses GPT instead of MBR when formatting drives, so anything regarding the MBR scan is unreliable unless the scanner can work with GPT formatted drives.

Just a random tidbit. :D


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Mon Jan 20, 2014 10:43 am
Team Member Top 500

Joined: Sun Nov 12, 2006 12:16 am
Posts: 1242
Appreciate it LatiosXT, but both scanners in fact could, one being the Windows 8.1 disk itself.

Wow, Sovereign. Looks like a new load of bullcrap is coming our way, and I am not a fan at all of this new vector of attack.


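Added example, not from the thread and not how MBRCheck or the Windows 8.1 disc work: the MBRCheck "non-standard or infected MBR" result a few posts up and the GPT exchange just above are easier to reason about with the raw sectors in hand. A GPT disk still carries an MBR in sector 0, but a "protective" one with a single partition of type 0xEE; the real partition table begins with the GPT header (signature "EFI PART") in sector 1. The script below reads sectors 0 and 1, classifies the layout, and hashes the 440 bytes of boot code so you can compare against a digest you recorded yourself right after a clean install rather than against some assumed "standard" code. One caveat a practitioner would want on this page: a machine booting in UEFI mode (no CSM) never executes MBR boot code at all, so on a GPT disk a "non-standard MBR" finding says little, and a boot-level implant would have to live in the EFI System Partition instead. The 1024-byte samples the script builds are constructed, not real disk images.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
GPT_PROTECTIVE_TYPE = 0xEE          # partition type of a GPT protective MBR entry
GPT_SIGNATURE = b"EFI PART"         # first 8 bytes of the GPT header at LBA 1
MBR_SIGNATURE = b"\x55\xaa"         # last two bytes of a valid MBR


def read_first_sectors(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read LBA 0 and LBA 1 from a raw disk (needs an elevated prompt on Windows)."""
    with open(device, "rb") as disk:
        return disk.read(2 * SECTOR)


def parse_partition_table(sector0: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte MBR partition entries at offset 446, skipping empty ones."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def classify(first_sectors: bytes) -> str:
    """'invalid' (no 55AA), 'gpt-protective', 'gpt-hybrid' or 'mbr'."""
    s0 = first_sectors[:SECTOR]
    if len(first_sectors) < 2 * SECTOR or s0[510:512] != MBR_SIGNATURE:
        return "invalid"
    types = {p["type"] for p in parse_partition_table(s0)}
    has_gpt_header = first_sectors[SECTOR:SECTOR + 8] == GPT_SIGNATURE
    if has_gpt_header and types == {GPT_PROTECTIVE_TYPE}:
        return "gpt-protective"
    if has_gpt_header and GPT_PROTECTIVE_TYPE in types:
        return "gpt-hybrid"
    return "mbr"


def boot_code_digest(sector0: bytes) -> str:
    """SHA-256 over the 440 bytes of boot code (the 4-byte disk signature starts at 440)."""
    return hashlib.sha256(sector0[:440]).hexdigest()


def check(first_sectors: bytes, baseline_digest: Optional[str] = None) -> Dict[str, object]:
    """Summarise sectors 0/1 and compare the boot code to a baseline recorded earlier.

    There is no universal 'standard' boot code worth hard-coding: it differs between
    Windows versions and between tools that rewrite it. The useful comparison is
    against a digest taken from this machine right after a clean install.
    """
    layout = classify(first_sectors)
    s0 = first_sectors[:SECTOR]
    report: Dict[str, object] = {
        "layout": layout,
        "partitions": parse_partition_table(s0) if layout != "invalid" else [],
        "boot_code_sha256": boot_code_digest(s0),
        "boot_code_matches_baseline": None,
    }
    if baseline_digest is not None:
        report["boot_code_matches_baseline"] = report["boot_code_sha256"] == baseline_digest
    if layout.startswith("gpt"):
        report["note"] = ("UEFI firmware does not execute MBR boot code on a GPT disk; "
                          "a boot-level implant there would live in the EFI System Partition.")
    return report


def build_sample(boot_code: bytes, gpt: bool) -> bytes:
    """Constructed 1024-byte sample (not a real disk image) for offline runs and the test."""
    s0 = bytearray(SECTOR)
    s0[:len(boot_code)] = boot_code
    s0[440:444] = b"\x11\x22\x33\x44"                     # arbitrary disk signature
    if gpt:   # one protective entry of type 0xEE spanning the disk from LBA 1
        struct.pack_into("<B3sB3sII", s0, 446, 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, 0xFFFFFFFF)
    else:     # one bootable NTFS (0x07) partition starting at LBA 2048
        struct.pack_into("<B3sB3sII", s0, 446, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    s0[510:512] = MBR_SIGNATURE
    s1 = bytearray(SECTOR)
    if gpt:
        s1[:8] = GPT_SIGNATURE
    return bytes(s0 + s1)


if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0\x8e\xd0", gpt=True)
    baseline = boot_code_digest(clean[:SECTOR])          # record this right after a clean install
    tampered = bytearray(clean)
    tampered[0] = 0xEB                                    # simulate a patched first instruction
    print(check(clean, baseline)["boot_code_matches_baseline"],
          check(bytes(tampered), baseline)["boot_code_matches_baseline"])
```

On a live machine, replace the constructed sample with `read_first_sectors()` and keep the digest from the clean install somewhere off the box; a later mismatch on a legacy-BIOS MBR disk is worth investigating, while on a GPT disk booted through UEFI the interesting files are the boot manager binaries on the EFI System Partition, which this script does not cover.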
 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Mon Jan 20, 2014 1:47 pm
Team Member Top 500

Joined: Thu Dec 23, 2004 2:34 pm
Posts: 3977
Location: Building my 4-8-9
At least Google ultimately did something about it.

Still, A/V (anti-spyware too) are gonna have an interesting time if they try to detect these new attacks.


 
Post subject: Re: Spam Tabs Opening in Firefox on Relatively Fresh Reformat?
PostPosted: Mon Jan 20, 2014 2:02 pm
Smithfield

Joined: Sun Jun 18, 2006 7:37 pm
Posts: 5394
The trouble AV programs will face is what do they do if they find suspicious behavior? Flag the executable? That'll freak out a lot of people. They don't know that you're running a program that takes in extensions.

Currently I like Malwarebytes' approach to things in the Pro version of their software: just block IPs known to be dubious addresses.


 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group

© 2014 Future US, Inc. All rights reserved.