Extra Windows opening without cause in Firefox

Status
Not open for further replies.

Eddie_42

Hello,

I am having some issues with a spyware/virus/malware something. The program doesn't spam pop-ups continually, but if I open a new Firefox page or on occasion when loading a new page, a new window will open. The content of the windows varies: sometimes it's a Verizon page, or a dexonline page, some are for 'the best spyware available - click here now', sometimes it's just blank.

I am using AVG 7.5 Pro for antivirus; it is updated daily. I have downloaded and run Ad-Aware 2008, SpywareBlaster, and MBAM, but have still to find the cause.

The AVG will occasionally find a trojan, named either generic8 or generic12. These are being found in the sys32 folder attached to a .dll. When I click heal, my computer restarts; it's fun.

Logs are attached
 
Good description. Did the SAS scan come back clean?

Following the Guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions creates a common beginning for an initial assessment.

This tool performs a good cleaning & gives diagnostic information. Always restart the computer preceding HJT scan.

Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs:


  • 1 Spybot S&D (Teatimer)
  • 2 Ad-Aware Ad-Watch
  • 3 Spywareguard
  • 4 Windows Defender
  • 5 TrojanHunter Guard
  • 6 Disable SpySweeper
  • 7 WinPatrol
  • 8 CounterSpy
  • 9 AVG Anti-Spyware (formerly ewido)
  • 10 Spyware Doctor
  • 11 Prevx
  • 12 ProcessGuard
  • 13 ZoneAlarm's OS Firewall
  • 14 Ad-Aware 2007 Service
 
Rick, you might want to make note of this. The Castlecop elves seem to have deserted us for the North Pole - the site is down. So I found this to use when Teatimer is running:

To Disable Spybot's TeaTimer
* Run Spybot and click Mode in the top menu
* Select Advanced Mode.
* Then expand the Tools selection in the left pane by clicking on it.
* Now, in the left pane, click Resident.
* Now in the right window pane, uncheck TeaTimer. Keep the Resident "SDHelper" option checked.
* Now quit Spybot and REBOOT your PC.

You might want to have Eddie remove this:
O20 - AppInit_DLLs: ldplcs.dll
 
Hello,

I ran SAS yesterday. It found 8 things, but in the ad-aware program. On the 24th my AVG scan found 4 trojans and was able to clean them all. Since then I have not had a pop-up.

I do still have the O20 Appinit_DLL in my HJT log, if that is something to address. But I think for now, some combination of all the spyware/virus scans did their job.
 
Eddie, rj may be out with the elves, so in his absence:
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O20 - AppInit_DLLs: ldplcs.dll
This is not a legitimate process and is loaded from memory.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.

Right click on Start > Explore > Windows > System 32 > right click on ldplcs.dll found on the right screen > Delete.

Run one more HijackThis scan and attach log. If it's gone, good, if not, we'll do a regedit.
 
I 'fixed' that process and now it no longer shows up. I did not, however, find the DLL in the sys32. I don't know where it is, but it's not there.

New HJT attached
 
Okay, two things you need to be concerned with:

1. You are still using AVG v7. Have you been getting updates manually for this? I ask because the next version, v7.5 is losing support as of 12/31 and users will need to upgrade to v8. I think v7 already lost support but am not sure. If it did and you aren't manually updating, you are unprotected.

2. There are new, unidentifiable entries in the HijackThis log:

They will be malware, both from System 32 folder. This concerns me due to the large amount of malware your original Malwarebytes found.

Please run SDFix according to these instructions:
http://www.bleepingcomputer.com/forums/topic131299.html

Scroll down to this section: SDFix Instructions: There are screen shots to assist you. When you have finished, follow by new scan with HijackThis and attach both logs.

FYI, the new malware entries in the current log are:
O2 - BHO: (no name) - {0344A87D-0FF9-44D0-B129-08477C1CC44D} - C:\WINDOWS\system32\gEWnlLfF.dll (file missing)
O2 - BHO: {dcc98fa8-5a7a-f569-9994-28aa4b32ee9e} - {e9ee23b4-aa82-4999-965f-a7a58af89ccd} - C:\WINDOWS\system32\ldplcs.dll (file missing)
We will see if SDFix can get at the source. You can check these two entries in a HijackThis scan and then close all windows except HijackThis and click on Fix Checked, reboot the computer.

My guess is that other entries may present if we can't find the source. As you will note, it says 'file missing', which may or may not actually be the case.
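
The O2 and O20 entries quoted in this thread can be cross-checked mechanically. The following Python script is an added example, not part of the thread or of HijackThis: it parses those two line types and flags any BHO whose DLL is reported as missing or is also named in AppInit_DLLs. The line formats are inferred from the entries quoted above, and `example.dll` is a constructed benign entry.

```python
import re

# Constructed sample: the O2/O20 lines quoted in the thread, plus one
# made-up benign BHO (example.dll) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0344A87D-0FF9-44D0-B129-08477C1CC44D} - C:\WINDOWS\system32\gEWnlLfF.dll (file missing)
O2 - BHO: {dcc98fa8-5a7a-f569-9994-28aa4b32ee9e} - {e9ee23b4-aa82-4999-965f-a7a58af89ccd} - C:\WINDOWS\system32\ldplcs.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
O20 - AppInit_DLLs: ldplcs.dll
"""

# Line formats assumed from the entries shown in the thread.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

def basename(path):
    # File name after the last backslash, lower-cased (Windows names are case-insensitive).
    return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(log_text):
    """Return (list of BHO dicts, list of AppInit_DLLs entries)."""
    bhos, appinit = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"clsid": m["clsid"], "path": m["path"],
                         "missing": bool(m["missing"])})
            continue
        m = APPINIT_RE.match(line)
        if m:  # the registry value is a space- or comma-delimited list
            appinit += [d for d in re.split(r"[ ,]+", m["dlls"]) if d]
    return bhos, appinit

def triage(log_text):
    """Flag BHOs whose file is missing or whose DLL is also in AppInit_DLLs."""
    bhos, appinit = parse_hjt(log_text)
    appinit_names = {basename(d) for d in appinit}
    findings = []
    for b in bhos:
        reasons = []
        if b["missing"]:
            reasons.append("file missing")
        if basename(b["path"]) in appinit_names:
            reasons.append("also in AppInit_DLLs")
        if reasons:
            findings.append((basename(b["path"]), b["clsid"], reasons))
    return findings

if __name__ == "__main__":
    for dll, clsid, reasons in triage(SAMPLE_LOG):
        print(dll, clsid, "; ".join(reasons))
```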
 
Hi,

I'm at work currently so it will be a few before I can follow up.

I am using AVG 7.5 Pro. I get daily updates when the computer boots. I was unaware that they were stopping support, no emails or other notifications. I also bought a 2 year license in June.
 
After leaving Computer Associates eTrust antivirus, I subscribed to the AVG v7.5 paid program. When it was time to renew, I went to the site, but when I got on the site, there was a notice on the right side, stating that although the renewal could be done, v7.5 would not be supported after 12/31/08 and I would need to upgrade to v8 before or by that time. You CAN resubscribe, but will be forced into the new version.

I did not renew because I didn't want v8. I went with Nod32 instead. So check that out. v8 has had a lot of problems, particularly with the updating. It also has a spyware/adware program bundled with the AV. I don't use 'bundles'- only free-standing
 