FF tab opens going to lpcloudsvr302.com uncommanded.

I have Firefox 26.0. Running XP SP3.

While browsing the web in FF a new tab will randomly open and go to lpcloudsvr302.com/… It wants me to download some video player.
I installed the add-on Block site 1.1.8 and now it intercepts this resulting in a “New Tab” being opened but not redirecting to the lpcloud302 site.

What is this and how do I get rid of it?

Jeff

follow instructions and run Malwarebytes and OTL then attach logs

http://forum.avast.com/index.php?topic=53253.0

Monitoring

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jeff :: JEFF-GAMEMACHIN [administrator]

Protection: Enabled

1/30/2014 7:19:52 PM
mbam-log-2014-01-30 (19-19-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253201
Time elapsed: 22 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\ConduitSearchScopes (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Documents and Settings\Jeff\Local Settings\Temp\ct3288691 (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\ct3297861 (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)

OTL logs:

Do I do anything with OTL.exe? “Run Fix” or “Cleanup”? Or just close?

Now MBAM is “Successfully blocking access to a potentially malicious website.” FF showed it was www.dllistsoft.com.

Hi,

I would remove all IObit products if I was you …


OTLFix


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{2fa0b8a6-d75e-4f64-9bc9-d5f4103addc1}: "URL" = http://search.freecause.com/search?ourmark=1&p={searchTerms}&fr=freecause&type=51307&toggle=1&cop=mss&ei=UTF-8&src={referrer:source?}
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\SearchScopes\{2fa0b8a6-d75e-4f64-9bc9-d5f4103addc1}: "URL" = http://search.freecause.com/search?ourmark=1&p={searchTerms}&fr=freecause&type=51307&toggle=1&cop=mss&ei=UTF-8&src={referrer:source?}
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\SearchScopes\{57C0FFF5-F4C6-430D-B841-E013A4668AAA}: "URL" = http://www.altavista.com/web/results?itag=ody&q={searchTerms}&kgs=0&kls=1
IE - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
O2 - BHO: (AccelerateTab) - {48A789BF-F6D6-4930-9C8B-77855A63EDE1} - C:\Program Files\Secure Speed Dial\IE\SpeedDial.dll (Secure Speed Dial)
O3 - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-1897051121-839522115-1004\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O33 - MountPoints2\{018eb8d6-2dcf-11dd-bcb1-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{018eb8d6-2dcf-11dd-bcb1-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{018eb8d6-2dcf-11dd-bcb1-806d6172696f}\Shell\AutoRun\command - "" = D:\autorun\autorun.exe
O33 - MountPoints2\{1c10d668-cedb-11de-9681-001d92f119b7}\Shell - "" = AutoRun
O33 - MountPoints2\{1c10d668-cedb-11de-9681-001d92f119b7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7166ceea-13a9-11e2-977d-005043010b3e}\Shell - "" = AutoRun
O33 - MountPoints2\{7166ceea-13a9-11e2-977d-005043010b3e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{81a35e92-7de2-11dd-8be5-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{81a35e92-7de2-11dd-8be5-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{81a35e92-7de2-11dd-8be5-806d6172696f}\Shell\AutoRun\command - "" = D:\Autorun.exe
O33 - MountPoints2\{b26316b2-7fb8-11dd-8365-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b26316b2-7fb8-11dd-8365-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b26316b2-7fb8-11dd-8365-806d6172696f}\Shell\AutoRun\command - "" = D:\Autorun.exe
O33 - MountPoints2\{cb4a4085-7e0d-11e3-97c5-005043010b3e}\Shell - "" = AutoRun
O33 - MountPoints2\{cb4a4085-7e0d-11e3-97c5-005043010b3e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cb4a4085-7e0d-11e3-97c5-005043010b3e}\Shell\AutoRun\command - "" = "G:\WD Drive Unlock.exe" autoplay=true
O33 - MountPoints2\{d3833eb8-992c-11dd-95dd-001d92f119b7}\Shell\AutoRun\command - "" = E:\umenu.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = "G:\WD Drive Unlock.exe" autoplay=true
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Jeff\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Application Data\*.tmp -> ]
@Alternate Data Stream - 489 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DEF9BD6B
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:79DD4F33

:FILES
C:\Program Files\Secure Speed Dial

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


AdwCleaner


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  • Click on the Scan button.
  • After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

  • Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

  • ComboFix will display DISCLAIMER of warranty on software.
    By clicking I Agree ComboFix shall continue.
  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach log reports (ComboFix.txt) back to topic.

OTL log:

Tried to run AdwCleaner but it locks up then locks up my computer. Then I have to reset and reboot. AdwCleaner seems to lock up at “Remove Folders”.

Also, removed all IOBit programs. That’s too bad I just paid for Advanced System Care 7… (after using the free version for a year or two)

Hi,

When you run OTLFix, you need to press RunFix button and post me the resulting log …

Try to disable your security software and re-run fresh AdwCleaner.

Also, removed all IOBit programs. That's too bad I just paid for Advanced System Care 7... (after using the free version for a year or two)

I’m sorry you bought that. In that case, install it again if you will but first read this:
https://forums.malwarebytes.org/index.php?showtopic=29681

ComboFix ?

I am running a OTL Run Scan right now with nothing in the Custom Scan/Fix box.
Do you want me to Run Fix with nothing in the box?

Jeff82,

You have clear instructions on how to run OTL with its fix, and how to find and post the resulting log here.

You have not answered anything about AdwCleaner, and now for the second time you did not say anything about ComboFix.

  1. RunFix via OTL
  2. Re-try AdwCleaner (safe mode will do …)
  3. ComboFix

Post here all resulting logs.

OTL is now locking up my computer. My computer clock has stopped running. What do you suggest I do now?

(I’m posting from my smartphone.)

Hi,

Sorry, I don’t follow.
OTL can’t “lock up” your computer. What do you actually mean by “locking up my computer”? Have you tried to restart your computer? You gave me very little detail …

Let’s start from the beginning …

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

My mouse can move but it won’t interact with anything. My computer clock stopped at the time I started OTL. I waited one hour but no change. I rebooted the computer.

FRST scan logs:

Please first answer my questions, as I am constantly working blindly. Thank you …

Sorry, I added info to my post #14.

I am now waiting for your ok to “Fix” with FRST…

Step#1
First, restart your computer. Now notice: Do not attach USB while cleaning is in progress. We shall check all your USBs later via MCShield.


Step#2

Download FixList.txt from attachments …

FixList.txt must be in the same location where FRST.exe tool is!

Re-run FRST.exe as you did before …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt and will keep that log in the same folder where FRST.exe is.

Attach here fixlog.txt logreport.


Step#3

Now it’s time to run ComboFix. You have it on your Desktop, it’s time to run. Guide for running CF you have here on page 1 in this topic

Before running…

  1. Disable your AntiVirus
  2. Run Combofix and follow the prompts …

Step#4

Now it’s time to check all your USB using MCShield.

Download MCShield from one of the following links:

MyCity - Official download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish the initial scan.

  1. Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
  2. When all scanning is done, you need to attach a logreport that MCShield has created.

Start MCShield’s Control Center → Logs → AllScans.txt → click on Save button and AllScans.txt shall be located on your Desktop.
Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Do not come back without: ;D

FixLog.txt created by FRST tool after running fix …
ComboFix.txt created by ComboFix tool
AllScans.txt created by MCShield

All logs:

Hi Jeff,

This looks very good. Now run zoek tool and after that tell me how’s the computer running now in general. We did a great job, your computer should be reborn, not just solved Firefox related problem.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts…

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

FFDefaults;
AutoClean;

  • Click on the Run Script button.
    Please wait until a logreport opens (this can be after reboot)

  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named “zoek-results.log”