Suspicious Pop-ups in Browser

[Marcus H.]

Hi, I think I might have stumbled upon something suspicious here.
My Mozilla Firefox v5.0 at times would have exactly 16 tabs open in a new window with the "Server not found" message after trying to access weird websites that starts with www. xn--*********.com or www. **unusual gibberish**.com or www. h.com. It would also open the folder containing My Documents.

Since I have no idea on what to do and I don't want to create a forum account just to ask about this, I've decided to ask here, hoping that someone else has encountered a similar problem.

Right now, I have downloaded HijackThis and MBAM, and is in the middle of a system scan using Avira AntiVir. And I have encountered the problem twice as of typing this post.

[Kotohono]

You definitely have some kind of virus or trojan on your computer for this to be happen.

You'll probably either need to run a virus scan in windows safe mode, or an on-boot virus scan especially if it's a trojan. Additionally if you have system restore enabled, you should probably disable temporally when running the scan.

To get any further help or advice, you have to find out what you're dealing with exactly.

[spikexp]

run malwarebytes in safe mode.

[synaesthetic]

Boot into safe mode with networking.
Go to housecall.trendmicro.com and run a scan.
Run HijackThis.
Run MBAM.
Should clear everything up.

Oh, and stop using Windows XP. With W7, UAC prevents most of this shit from happening. XP is insecure as hell especially since it grants your default user account administrator access and there isn't even a prompt or password request for making changes to system files.

[Marcus H.]

I can't. Buying a license would set me back several thousand bucks here.

Windows 7 Starter: Php 1,900 - Php 2,100
Windows 7 Home Basic: Php 4,500 - 4,700
Windows 7 Home Premium: Php 5,700 - Php 5,900
Windows 7 Professional: Php 7,800 - Php 8,000
Windows 7 Ultimate: Php 10,500 - Php 11,000

EDIT: Performed a scan using HouseCall, HijackThis and MBAM on Safe Mode with Networking, and all came up with nothing.

[Kotohono]

In that case you should try setting an on-boot scan with your anti-virus software; if your current one lacks the function to do so they I'd recommend Avast.

[synaesthetic]

There are plenty of free Linux distros out there.

[SeijiSensei]

Sounds possibly like a Javascript issue to me. Create a new user in Windows and see if you get the same results. Try a different browser. Same results?

To follow up on syn's recommendation, burn this to a CD, put it in your drive and reboot. Choose the Try option. Your Windows installation will be left untouched.

[sa547]

As a user of XP, Ubuntu and now Win7, let's get back to topic, shall we?

Quote:

Originally Posted by Marcus H.

Hi, I think I might have stumbled upon something suspicious here.
My Mozilla Firefox v5.0 at times would have exactly 16 tabs open in a new window with the "Server not found" message after trying to access weird websites that starts with www. xn--*********.com or www. **unusual gibberish**.com or www. h.com. It would also open the folder containing My Documents.

Since I have no idea on what to do and I don't want to create a forum account just to ask about this, I've decided to ask here, hoping that someone else has encountered a similar problem.

Right now, I have downloaded HijackThis and MBAM, and is in the middle of a system scan using Avira AntiVir. And I have encountered the problem twice as of typing this post.

First, reboot the PC, then before Windows comes up press F8. There should be a menu in which you then select Safe Mode. Go there and then once the desktop appears try to run the antivirus utility you have there, along with Malwarebytes and other recommended tools (if possible). Once done and the viruses rooted out, you can restart again.

Otherwise if you need further help I suggest you can check out TipidPC (we speak our language, btw).

[synaesthetic]

I love the Linux Live CD (or flash memory) option. It's so useful, I don't even need Backtrack actually installed on my laptop, just have it handy on an 8GB flash drive.

[Tiberium Wolf]

Strange that you can't find anything. Have tried uninstalling FF and then manual remove whatever profiles/folders are left (local and roaming, you gotta search? Maybe something hidden in there.

[-KarumA-]

First thing I would do when scanning is nick out the network cable, some viruses that cause problems online cannot be removed if you stay online while scanning.

Go into safe mode, scan with malwarebytes, which you probably did.
Clear out temp files etc. with CCleaner.. there was another which I lost the link of that was also good
Also scan with combofix: http://www.bleepingcomputer.com/comb...o-use-combofix

[Marcus H.]

I discover that there's so much margin of error for Combofix that I might make things worse by making mistakes.

Quote:

Originally Posted by ComboFix Guide

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Worst case is that I'm handling a rootkit problem here, since the browser appears to try to access My Documents from the browser.

Quote:

Originally Posted by SeijiSensei

To follow up on syn's recommendation, burn this to a CD, put it in your drive and reboot. Choose the Try option. Your Windows installation will be left untouched.

Do I really need to install an entire operating system? I'm not really a fan of using multiple operating systems, and I'd probably delete it immediately because it would just be excess luggage.

EDIT: HijackThis hangs on Safe Mode (not on Safe Mode with Networking).

[demonix]

Quote:

Originally Posted by Marcus H.

Do I really need to install an entire operating system? I'm not really a fan of using multiple operating systems, and I'd probably delete it immediately because it would just be excess luggage.

You seem to have missed the point as it only runs in memory and doesn't touch the hard drive so once the computer is switched off the OS will no longer be available unless you boot the disc again.

[Marcus H.]

So it does not add something to the hard drive? If so, then I might just try it out.

Spoiler for PS:

Admittingly, I felt a bit offended when someone told me to scrap Windows XP and go for either 7 or Linux. It stemmed from my constant exposure to people who go "Linux > Windows because we programmers can use Linux to hack into everything else" and flaunt their OS superiority complex. I hope that dissing what OS I use is left outside the topic.

Also, as of typing this post, I haven't experienced the suspicious pop-up problem.