Firefox tab pops

By hyperdrive ยท 68 replies
Jun 12, 2008
  1. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    > msvcrt.dll: _vsnwprintf, wcslen, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, __set_app_type, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    > NDdeApi.dll: -, -, -, -
    > ntdll.dll: RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlInitString, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtSetInformationProcess
    > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    > Secur32.dll: GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaCallAuthenticationPackage
    > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, KillTimer, GetMessageTime, SetLogonNotifyWindow, UnlockWindowStation, SetTimer, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, SetCursor, DefWindowProcW, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, RegisterClassW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    > USERENV.dll: WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, GetUserProfileDirectoryW, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, -
    > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon, _WinStationNotifyLogoff
    > WINTRUST.dll: CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    > WS2_32.dll: -, getaddrinfo, -

    ( 0 exports )
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, i guess it is fine.

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  3. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    sorry if it took a while. the kaspersky scan took hours.

    attached is the result. it was revealing.

    i guess i should delete the infected files right away, or no?
  4. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    i forgot the attachment
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That is the problem with downloading programs from undocumented, unsigned sources. However, it looks like it is just the installers that need removed. Instead of going through manually just do this.

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
  6. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    what if i already deleted the files and folders manually? sorry...
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Same thing!

    Can you post 1 more hijackthis for me to look through then we can clean up
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Also when you launch firefox click Tools -> options -> content tab -> make sure block popups is checked. Then you can always add exceptions when you need them
  9. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    so i don't need to do the cfscript thing anymore?

    here's the hijackthis i did just now.

    windows update is alerting me for new updates, i haven't downloaded and applied it yet thinking it might affect something. just tell me if it's safe to do so.

    also, my norton internet phising protection seems to be not working since combofix. can it be fixed?

    lastly, when i scan with spyware doctor it detects files associated with combofix (ifo or puf files or something), so far i haven't done anything about it coz i guess it is needed. i just thought to inform you.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The found updates is a good sign, but good thinking to wait on those by you.

    Norton should start working after we uninstall, as well as reset clock ect.

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.


    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).
  11. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    i have rebooted already
  12. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    norton is still not working though.

    when i uninstalled the combofix. a popup appeared it says it didnt find "\blahblah\cmd.exe"
  13. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    also spyware doctor still found Application.NirCmd Info PUAs
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    perfect. I think that clears things up. Let me go back to the log I remember seeing some entries that were indirectly related.
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I want you to check your machine and make sure that SDFix and Smitfraudfix have been removed, let me know
  16. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    sdfix and smitfraud is not present in my desktop where i downloaded it to. i think it's gone.
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok please check C:\program files\ERUNT or C:\program files\ERDNT

    let me know if you see either of those
  18. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    its not there
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's have a look at the suggested registry key from NirCmd

    Open notepad and copy and paste next bold in it:

    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\swearware"
    type peek1.txt >> look.txt
    del peek*.txt
    start notepad look.txt

    Save this as look.bat , choose to save as *all files and place it on your desktop.

    It should look like this on your desktop: [​IMG]

    Doubleclick look.bat
    Notepad will open with some txt in it. Copy and paste the contents in your next reply.
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That is just out of curiosity, I think it is a false positive.

    I also want to know if you have a current subscription with Norton

    I need you to manually delete the following folders
  21. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    ok im gonna email the loox.txt to you again, coz its large
  22. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    i do have a current subscription in norton. my norton is licensed and original, not cracked.

    i do not find the folders in C:\
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I think we should uninstall/re-install norton then.

    I am 99% sure that is a false positive by spyware doctor

    Do you still have the original problem with the popup in firefox?
  24. hyperdrive

    hyperdrive TS Rookie Topic Starter Posts: 37

    i'm already sending the email with look.txt
    i also found a file named Bug.txt in C:\, it might be nothing but i sent it in the email too.

    i will reinstall norton. and will update you when it's done.

    in spyware doctor, it said that:

    Application.NirCmd is a legitimate application,
    the threat level is Info_PUAs,
    description: A legitimate application.Under certain circumstances,howver,some people might find it undesirable.

    but i don't experience the firefox popups anymore... =D

    does this mean that everything went well? and how can i protect my comp from further infections etc.?

    thanx for everything
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I will post back in a little while with how we can tighten up security a bit.

    Just wanted to check a few more things in the logs
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...