IE Popup Window while using Firefox (Detailed)

Status
Not open for further replies.
Hello,

I read the spyware/virus fix sticky thread completely and followed each and every step, downloading the utilities and programs listed. Tracking cookies, several Trojans and such were removed, each program usually finding one on its own. This removed several pop-up issues I've been having while using Firefox, but others still remain.

My problem is that while using Mozilla Firefox, IE will open itself and display windows, usually something about Poker or OnlineSchool. Also, I'm not sure if this is normal or not, but while reading even this forum and threads on it, some words will be underlined. If you mouse over one, a mini IE window will appear over it (an ad) and float over it until you move the cursor away. Once you move it off the underlined word, -two- IE popup windows will automatically open on their own.

Here is a HJT log (Running the .Exe as "Analyze" as instructed.) after spending the past week trying everything to get rid of this insanely hard to get rid of issue.... IE Popups in Firefox. Never have I ever seen Spyware so hard to get rid of!! Thanks for any help in advance.

Oh, also: the AVG Rootkit found no hidden items.


<Copy and Paste inc from HJT Results>

Okay, it's definitely some form of spyware that's altered my Firefox. After proofreading my post, I can see some words double underlined and I -know- I never added any URLs in the above post.

*Twitches!* How frustrating!



Edit: Here is a Snapshot of my desktop/firefox showing the links that make the ads appear.

http://i156.photobucket.com/albums/t20/Aegir25/firefox-iepopup.jpg

These cookies also keep coming back no matter how many times I delete them in whichever Spyware program also.

(Snip!)
 
Aegir00 said:
These cookies also keep coming back no matter how many times I delete them in whichever Spyware program also.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:23:10 PM 4/5/2007
+ Scan result:

:mozilla.44:C:\Documents and Settings\ML\Application Data\Mozilla\Firefox\Profiles\mp8jwpk7.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
Didn't you notice this config err? Go to preferences and make sure they get
deleted

Secondly, your IE windows are being created by stuff installed already OR
by the websites you are visiting -- I highly recommend installing
Spywareblaster. Install, update, and then immunize your system

Third, Install Spybot Search & Destroy,
update it,
immunize again
use the Mode->Advanced option
use the Tools->Host File and at the top, add Spybot Host list

Also use tools->ActiveX to view/delete any ActiveX components you do not
understand.

Likewise with the Winsock LSPs; they should ALL be marked with a green checkmark.
Download the LSPFixer before you remove any!
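The reply above reads the quoted report line by its trailing action field ("No action taken"). As an added example (not part of the thread, and not code from AVG or any poster), the Python below parses report lines of that shape and lists the detections the scanner left in place; the line layout is an assumption generalised from the single quoted line, and the second and third result lines in the sample are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample. Only the first result line is from the thread; the other
# two result lines (and their paths and detection names) are made up.
SAMPLE_REPORT = r"""AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:23:10 PM 4/5/2007
+ Scan result:

:mozilla.44:C:\Documents and Settings\ML\Application Data\Mozilla\Firefox\Profiles\mp8jwpk7.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.45:C:\Documents and Settings\ML\Application Data\Mozilla\Firefox\Profiles\mp8jwpk7.default\cookies.txt -> TrackingCookie.Example : Cleaned.
C:\Example\sample.dll -> Adware.Example : No action taken.
"""

class Finding(NamedTuple):
    store: Optional[str]  # e.g. "mozilla.44": an entry inside cookies.txt
    path: str
    detection: str
    action: str

# Assumed layout, generalised from the one quoted line:
#   [:store:]path -> detection : action.
LINE_RE = re.compile(
    r"^(?::(?P<store>[^:]+):)?(?P<path>.+?) -> "
    r"(?P<detection>\S+) : (?P<action>.+?)\.?\s*$"
)

def parse_report(text: str) -> List[Finding]:
    """Return one Finding per result line; header lines do not match."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Finding(**m.groupdict()))
    return found

def unresolved(findings: List[Finding]) -> List[Finding]:
    """Detections the scanner reported but left in place."""
    return [f for f in findings if f.action.lower() == "no action taken"]

def triage(findings: List[Finding]) -> dict:
    """Split unresolved items: cookies (a cleanup setting) vs. files on disk."""
    left = unresolved(findings)
    cookies = [f for f in left if f.detection.startswith("TrackingCookie.")]
    files = [f for f in left if not f.detection.startswith("TrackingCookie.")]
    return {"cookies": cookies, "files": files}
```
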
 
Didn't you notice this config err? Go to preferences and make sure they get
deleted

Yes, I've deleted them over the past week too many times to remember. I just did the quick scan to post the log of what was actually there and being replaced each time I do delete them.



Secondly, your IE windows are being created by stuff installed already OR
by the websites you are visiting -- I highly recommend installing
Spywareblaster. Install, update, and then immunize your system

Third, Install Spybot Search & Destroy,
update it,
immunize again


Already had the Spybot Search & Destroy installed, and Immunized. I downloaded the second one, Spywareblaster, and did as listed. Still same results though, the popups in Firefox remain.


use the Tools->Host File and at the top, add Spybot Host list

Checked the empty box next to Host File in Spybot.

Also use tools->ActiveX to view/delete any ActiveX components you do not
understand.

I don't see an ActiveX feature under Tools even after going into Advanced mode in Spybot. Even so, though, I'm not familiar with what would even need to be removed or remain.


Likewise with the Winsock LSPs; they should ALL be marked with a green checkmark.
Download the LSPFixer before you remove any!

All entries here look to have green check marks by them.





Thank you for the reply, the problem persists, though. :(
 
Hello and welcome to Techspot.

Please do the following.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, please attach the Autoruns log. See HERE for instructions on how to attach your logfiles.

Regards Howard :wave: :wave:

This thread is for the use of Aegir00 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here you go~


I also included an extra one from the Combofix program, it mentioned quarantined files after being run.

Forgot HJT. Here it is.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Regards Howard :)

 
No more popups!!!

You've done what I thought was the impossible and found the bug. Thanks a bunch! May I ask what the name of the virus or whatever it was causing the popups like crazy and eluded practically every spyware scanner out there, and Avast/Norton virus scanners?


The only thing that I can see that's left is the links to ads in the text of threads, but I think that might be normal and unique to these forums?



Edit: Oh, remind me never to trust freeware programs again. I am 100% positive this mess started shortly after downloading a string of freeware programs that -supposedly- could retrieve the passwords from WinRAR archives that were lost.
 
I can't give you any accurate info on the core.sys file. Suffice to say, it is some kind of unidentified trojan/worm.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

The only thing that I can see that's left is the links to ads in the text of threads, but I think that might be normal and unique to these forums?

Yes, that's perfectly normal for Techspot. We use what is called Intellitxt and it's nothing to be alarmed about.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 