Firefox opens Trojan websites in new tabs

Last week my computer was infected with XP Antimalware 2010.

The computer is running Windows XP Service Pack 3, version 2002.

I have run Avast, Malwarebytes Anti-Malware, and Spybot S&D to remove malware and viruses. I just ran the Avast boot-time scan again and it found one infected file in the Windows folder. I placed that in the chest.

I am still having issues with Firefox opening new tabs with random websites, and Avast pops up and says it's a Trojan URL.

Any help would be greatly appreciated.

I have no idea how this rogue proceeds, nor do I know how much you already removed from it… The only tip I can give, though it's probably not enough to solve your problem: check if any extension got installed silently in Firefox.

How do I check if there were any extensions installed?

Go to Tools and click on Add-ons, then click on Extensions.

If there's nothing in your Extensions, then it could be your hosts file. Follow Essexboy's instructions.

I believe this is the same rogue being discussed in another thread called AVE.exe.

Please check out this link and see if the description matches what you are experiencing.

http://www.malwarehelp.org/ave-exe-a-multiple-rogues-in-one-trojan-fakerean-2010.html

It explains how to remove the rogue and provides a little utility to do so.

Here are the two OTL logs.

I think it’s time to make a new hosts file.

Please Download HostsXpert 4.3 by FunkyToad and Extract it out of the zip folder.

Run HostsXpert and then click on Make Hosts File Writable?.

  • Click Restore Microsoft’s Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
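As an added example (not from this thread) of the hosts-file check the poster recommends: a small Python script that parses a Windows hosts file and flags entries a stock XP hosts file would never contain, such as search or security-vendor domains pointed at loopback or at some other address. The watched-domain list and the sample hosts content are constructed assumptions.

```python
import ipaddress
import re

# Domains a clean hosts file should never touch; extend for your own environment (assumed list).
WATCHED_DOMAINS = {"google.com", "www.google.com", "windowsupdate.microsoft.com",
                   "www.avast.com", "www.malwarebytes.org", "www.safer-networking.org"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = re.split(r"\s+", raw.split("#", 1)[0].strip())
        if len(parts) >= 2:
            entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_suspicious(text):
    """Return (line_no, reason) for entries that look like a hijack."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, f"unparseable address {ip!r}"))
            continue
        watched = sorted(h for h in hosts if h in WATCHED_DOMAINS)
        if addr.is_loopback and hosts == ["localhost"]:
            continue  # the only entry a stock Windows XP hosts file carries
        if watched and addr.is_loopback:
            findings.append((line_no, f"{', '.join(watched)} blocked via loopback"))
        elif watched:
            findings.append((line_no, f"{', '.join(watched)} redirected to {ip}"))
        elif not addr.is_loopback:
            findings.append((line_no, f"{', '.join(hosts)} mapped to {ip}"))
    return findings


# Constructed sample: the stock localhost entry plus typical rogue additions.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avast.com        # security vendor blocked
203.0.113.7     www.google.com google.com
203.0.113.7     www.example.com
"""

if __name__ == "__main__":
    # On XP the live file is C:\WINDOWS\system32\drivers\etc\hosts; pass its text instead of SAMPLE_HOSTS.
    for line_no, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}")
```

A clean result on the live file is an empty list; any finding is a reason to restore Microsoft's default hosts file as described in the post above.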

Thank you for the help so far. I have done all the things suggested so far and I am still having issues with Firefox loading websites and redirecting to different sites from Google searches.

Okay. Since you now have reset your hosts file, it’s time to remove OTL.

Run OTL and click on Cleanup. OTL will remove itself from your computer.

Next, clean up and defrag your disk drive with these programs.

CCleaner (Slim Version)

Defraggler (Slim Version)

Puran Defrag

Okay, you should uninstall FF and delete your profile >>> make a backup of your bookmarks and password database (if you use it) first, and then reinstall. Again: it is important that you delete your profile for Firefox completely. If you use the default configuration, it's located in \documents and settings\your user name\application data\Mozilla\Firefox (for XP).

I am running Defraggler and Avast System Shield keeps popping up with a threat:

- C:\Windows\System32\Drivers\PCI.sys
- Win32:Alureon-FZ
- Moved to chest
- PID 4

It has come up with 160+ threats while Defraggler is running. Is this a false positive?

Usually not… as the system moves the files, it’s accessing them. Avast checks the files as they are accessed, and is reporting them correctly.

Sounds like a rootkit to me, if “PCI.sys” is infected.

Try this out: "TDSSKiller"

http://cid-f713962e2f5aa06d.skydrive.live.com/self.aspx/.Public/Programs/tdsskiller.zip?lc=1033

I ran TDSSKiller and it shows the driver atapi.sys is infected.

memory 1 infected
file 1 infected and 1 cured at reboot

When the computer reboots and I run TDSSKiller again, it comes up with the same thing.

From looking around it seems that my system may be infected with the atapi.sys rootkit.

What should I do next to resolve this?

Thanks again for all the help.

I suggest you use Hitman Pro (Cloud based Malware Scanner) for TDL3/TDSS removal. Hitman Pro will replace the patched atapi.sys with the original file. If it doesn’t work, we’ll try ComboFix.

Yeah, ComboFix should do the trick. It's saved my customers' computers a bunch of times.

I ran Hitman Pro and it found one malware item, KeithArt.exe, but it didn't come up with anything for the atapi.sys rootkit.

Should I run ComboFix?

Yes, let’s do that.

Download ComboFix by sUBs onto your Desktop.

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe, and you can click on the Run button to continue. If you are using Windows Vista and receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.

  • Read the Disclaimer of Warranty and click Yes to continue.
  • ComboFix will detect if the Windows Recovery Console is not installed. Click Yes to install. Once the Recovery Console is installed Click Yes to continue.
  • Once ComboFix has finished scanning, it will save the CFix log onto your desktop. Please attach it in your next post or post the log in separate posts.

I ran ComboFix and it rebooted the computer. It had an error starting Windows, so I had to set it to run the last Windows configuration that worked properly. ComboFix did not create a log that I can attach.

Suggestions would be greatly appreciated.

Try renaming ComboFix as CFixcomic, then run it again.