
Status
Not open for further replies.
1 - 6 of 6 Posts

Registered · 5 Posts · Discussion Starter · #1
Hi, my Firefox is getting connections to strange sites.
I have Firefox 1.0.6 and the start page is www.google.pt, but when I open my
Firefox it goes to www.google.pt and pagead2.googlesyndication.com, newsrss.bbc.co.uk and other sites.
I have Outpost Firewall, PeerGuardian and Kaspersky Anti-Virus Personal.

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:49:10, on 08-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Messenger\msmsgs.exe
C:\Programas\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\NET ****ER\Ambiente de trabalho\HijackThis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Programas\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programas\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126140806417
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\AGNITUM\OUTPOS~1\wl_hook.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe

Can you help me?
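The HijackThis log above is a line-oriented format: a section code such as O4 or O20, a dash, then the entry, preceded by a "Running processes:" block. The triage below is an added example, not part of the original post and not HijackThis's own code. It parses the process block and the Oxx entries and applies the handful of review rules a responder applies by hand: entries whose target is marked "(file missing)", anything in AppInit_DLLs (user32.dll loads those into every GUI process, so it is a global injection point whoever owns it), ActiveX downloads (O16) from hosts outside an allowlist, and Run entries or processes living under a user profile or temp directory. The sample log is a constructed subset of the entries posted above; the trusted-host set and the suspect-directory patterns are assumptions for this demo. A hit means "look at this", not "malware": on this log the O20 hit is Outpost's own wl_hook.dll and the flagged process is HijackThis itself, run from the desktop.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis 1.99.1 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe
C:\Documents and Settings\NET ****ER\Ambiente de trabalho\HijackThis-1.exe

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [PeerGuardian] C:\Programas\PeerGuardian2\pg2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126140806417
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\AGNITUM\OUTPOS~1\wl_hook.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
"""

# Assumption: hosts from which an ActiveX (O16 DPF) download is expected on this box.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}

# Assumption: directories a persistent Run entry or a running process should not
# normally live in. A hit is a prompt to look closer, not a verdict.
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    rule: str
    line: str


def parse_log(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process block
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def dpf_host(body):
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else None


def triage(text):
    processes, entries = parse_log(text)
    findings = []
    for p in processes:
        if any(d in p.lower() for d in SUSPECT_DIRS):
            findings.append(Finding("process-from-user-dir", p))
    for code, body in entries:
        entry = f"{code} - {body}"
        if MISSING in body:
            findings.append(Finding("orphaned-entry", entry))
        if code == "O20":
            # AppInit_DLLs load into every process that loads user32.dll.
            findings.append(Finding("appinit-dll", entry))
        if code == "O16" and dpf_host(body) not in TRUSTED_DPF_HOSTS:
            findings.append(Finding("dpf-untrusted-host", entry))
        if code == "O4" and any(d in body.lower() for d in SUSPECT_DIRS):
            findings.append(Finding("run-entry-from-user-dir", entry))
    return findings


def rules_hit(text):
    return sorted({f.rule for f in triage(text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run it against a full log and work the hits top to bottom; the rule names say why each line was pulled out, which is the part a forum helper otherwise has to explain by hand.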
 

TSF Security Team, Emeritus · 26,363 Posts
I suspect that you may have a problem with your Firefox extensions. Try this...

Go to Start > Programs > Mozilla Firefox - launch Mozilla Firefox (Safe Mode)
Do you still get redirected to these strange sites?

Let me know how it went.

Registered · 5 Posts · Discussion Starter · #3
Same thing here

Hey, I did what you told me but I get the same sites, but this time when I ran
Firefox in safe mode Outpost popped up a window saying that a hidden process is requesting a network connection. I clicked no and Firefox was blocked by the firewall.
I closed Firefox and opened it in safe mode again, and this time there was no popup window, and I went to www.google.pt and the strange sites.

Registered · 5 Posts · Discussion Starter · #4
One more thing

I have the csrss.exe file consuming sometimes 50% to 99% of the processor; is this normal, what is it doing? I checked and it is a file from Microsoft of 6.00 KB; can it be compromised? And the funny thing is that Task Manager shows that it was renamed from csrss.exe to CSRSS.EXE (with caps) (in the file properties the internal name is CSRSS.Exe, with caps), and the same thing happened to all the *.exe's. Am I getting paranoid or is this OK?

This is a log of all modules loaded by Firefox:


nssckbi.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
ADVAPI32.dll C:\WINDOWS\system32\ Microsoft Corporation
CLBCATQ.DLL C:\WINDOWS\system32\ Microsoft Corporation
COMCTL32.dll C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\ Microsoft Corporation
comdlg32.dll C:\WINDOWS\system32\ Microsoft Corporation
COMRes.dll C:\WINDOWS\system32\ Microsoft Corporation
DNSAPI.dll C:\WINDOWS\system32\ Microsoft Corporation
GDI32.dll C:\WINDOWS\system32\ Microsoft Corporation
hnetcfg.dll C:\WINDOWS\system32\ Microsoft Corporation
IMM32.DLL C:\WINDOWS\system32\ Microsoft Corporation
jar50.dll C:\Programas\Mozilla Firefox\components\
js3250.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
kernel32.dll C:\WINDOWS\system32\ Microsoft Corporation
LPK.DLL C:\WINDOWS\system32\ Microsoft Corporation
MSCTF.dll C:\WINDOWS\System32\ Microsoft Corporation
msctfime.ime C:\WINDOWS\system32\
msimg32.dll C:\WINDOWS\system32\ Microsoft Corporation
msimtf.dll C:\WINDOWS\System32\ Microsoft Corporation
msvcrt.dll C:\WINDOWS\system32\ Microsoft Corporation
mswsock.dll C:\WINDOWS\system32\ Microsoft Corporation
npnul32.dll C:\Programas\Mozilla Firefox\plugins\ mozilla.org
nspr4.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
nss3.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
ntdll.dll C:\WINDOWS\system32\ Microsoft Corporation
ole32.dll C:\WINDOWS\system32\ Microsoft Corporation
OLEAUT32.dll C:\WINDOWS\system32\ Microsoft Corporation
plc4.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
plds4.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
rasadhlp.dll C:\WINDOWS\system32\ Microsoft Corporation
RPCRT4.dll C:\WINDOWS\system32\ Microsoft Corporation
SETUPAPI.dll C:\WINDOWS\system32\ Microsoft Corporation
SHELL32.dll C:\WINDOWS\system32\ Microsoft Corporation
SHLWAPI.dll C:\WINDOWS\system32\ Microsoft Corporation
smime3.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
softokn3.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
ssl3.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
USER32.dll C:\WINDOWS\system32\ Microsoft Corporation
USP10.dll C:\WINDOWS\system32\ Microsoft Corporation
uxtheme.dll C:\WINDOWS\system32\ Microsoft Corporation
VERSION.dll C:\WINDOWS\system32\ Microsoft Corporation
winrnr.dll C:\WINDOWS\System32\ Microsoft Corporation
WINSPOOL.DRV C:\WINDOWS\system32\ Microsoft Corporation
WLDAP32.dll C:\WINDOWS\system32\ Microsoft Corporation
WS2_32.dll C:\WINDOWS\system32\ Microsoft Corporation
WS2HELP.dll C:\WINDOWS\system32\ Microsoft Corporation
wshtcpip.dll C:\WINDOWS\System32\ Microsoft Corporation
WSOCK32.dll C:\WINDOWS\system32\ Microsoft Corporation
xpcom.dll C:\Programas\Mozilla Firefox\
xpcom_compat.dll C:\Programas\Mozilla Firefox\
xpsp2res.dll C:\WINDOWS\system32\ Microsoft Corporation
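Two checks for the questions in this post, as an added example that is not from the original thread: the module listing above is parsed and every DLL whose directory is outside the places this Firefox install and Windows are expected to load code from is reported, and a process image path is compared with the directory the real csrss.exe lives in. Windows file-name comparison is case-insensitive, so the comparison normalises case with ntpath.normcase instead of treating csrss.exe and CSRSS.EXE as different names. The module list is a constructed subset of the one posted above with one hypothetical entry, example_hook.dll, added so the audit has something to report; the expected roots are assumptions for this machine.

```python
import ntpath
import re

# Constructed sample: the first lines of the module listing posted above, plus one
# hypothetical entry (example_hook.dll, not on the poster's machine) so the audit
# has something to report.
SAMPLE_MODULES = r"""nssckbi.dll C:\Programas\Mozilla Firefox\ Netscape Communications Corporation
ADVAPI32.dll C:\WINDOWS\system32\ Microsoft Corporation
COMCTL32.dll C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\ Microsoft Corporation
jar50.dll C:\Programas\Mozilla Firefox\components\
msctfime.ime C:\WINDOWS\system32\
npnul32.dll C:\Programas\Mozilla Firefox\plugins\ mozilla.org
xpcom.dll C:\Programas\Mozilla Firefox\
example_hook.dll C:\Documents and Settings\user\Local Settings\Temp\
"""

# Assumption: the only directories this Firefox install should be loading code from.
EXPECTED_ROOTS = (
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS\WinSxS",
    r"C:\Programas\Mozilla Firefox",
)

# name, directory (greedy up to the last backslash), optional vendor string
MODULE_RE = re.compile(r"^(\S+)\s+([A-Za-z]:\\(?:.*\\)?)\s*(.*)$")


def parse_modules(text):
    """Return (name, directory, vendor) tuples from a 'name dir vendor' listing."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            mods.append((m.group(1), m.group(2), m.group(3).strip()))
    return mods


def _norm(path):
    # normpath drops the trailing backslash and resolves '..'; normcase lower-cases.
    # Windows path comparison is case-insensitive, so csrss.exe == CSRSS.EXE.
    return ntpath.normcase(ntpath.normpath(path))


def under_root(directory, roots=EXPECTED_ROOTS):
    d = _norm(directory)
    return any(d == _norm(r) or d.startswith(_norm(r) + "\\") for r in roots)


def audit_modules(text, roots=EXPECTED_ROOTS):
    """Modules loaded from outside the expected roots: the injection candidates."""
    return [(n, d) for n, d, _ in parse_modules(text) if not under_root(d, roots)]


def without_vendor(text):
    """Modules with no vendor string in the listing; informational, not a verdict."""
    return [n for n, _, v in parse_modules(text) if not v]


def check_process_image(image_path, expected_dir=r"C:\WINDOWS\system32"):
    """True when the image lives in expected_dir; '..' tricks are resolved first."""
    return _norm(ntpath.dirname(ntpath.normpath(image_path))) == _norm(expected_dir)


if __name__ == "__main__":
    for name, d in audit_modules(SAMPLE_MODULES):
        print(f"outside expected roots: {name} in {d}")
    print("no vendor string:", ", ".join(without_vendor(SAMPLE_MODULES)))
    print("csrss.exe path ok:", check_process_image(r"C:\WINDOWS\System32\CSRSS.EXE"))
```

The "no vendor string" list is deliberately separate from the path audit: Firefox's own components (xpcom.dll, jar50.dll) carry no vendor in this listing and are still loaded from the install directory, so absence of a vendor on its own says nothing. Path is the stronger signal, which is also why the process check compares the directory and not the spelling of the file name.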
 

Registered · 5 Posts · Discussion Starter · #5
Kaspersky does not detect any virus (the AV is updated); I just got some MRU files on Ad-Aware SE.

Then I ran the MicroWorld antivirus/spyware toolkit and this is the log:


Object "Cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "RedV Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfg". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".GHO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".old". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".p2p". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".properties". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rdf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ref". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
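The MicroWorld log above mixes two kinds of line: detections ("Object ... found in File System") and registry entries that point at something which no longer exists. The parser below is an added example, not the tool's own code, that separates the two and buckets the dangling references so that orphaned COM ProgIDs and per-user OpenWith history can be set aside from the actual detections when reading a log like this. The sample is a constructed subset of the posted log, and the bucket names are chosen here for the demo.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MicroWorld toolkit log posted above.
SAMPLE_MWAV = r'''Object "Cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "RedV Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfg". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
'''

OBJECT_RE = re.compile(r'^Object "(.+?)" found in (.+?)! Action Taken: (.+?)\.$')
# the object may itself contain quotes ("%1"), so match lazily up to '". Action'
ENTRY_RE = re.compile(r'^Entry "(.+?)" refers to invalid object "(.+?)"\. Action Taken: (.+?)\.$')
CLSID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def classify_entry(key, obj):
    """Bucket a dangling registry reference by what it points at."""
    if CLSID_RE.match(obj):
        return "orphaned-progid"       # ProgID whose CLSID is no longer registered
    if "\\Explorer\\FileExts" in key:
        return "file-extension-mru"    # per-user OpenWith history, hygiene only
    return "missing-file"              # a path that no longer exists on disk


def parse_mwav(text):
    detections, dangling, actions = [], [], Counter()
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            detections.append(m.group(1))
            actions[m.group(3)] += 1
            continue
        m = ENTRY_RE.match(line)
        if m:
            dangling.append((m.group(1), m.group(2)))
            actions[m.group(3)] += 1
    return detections, dangling, actions


def summarize(text):
    detections, dangling, actions = parse_mwav(text)
    return {
        "detections": detections,
        "dangling": Counter(classify_entry(k, o) for k, o in dangling),
        "hives": Counter(k.split("\\")[0] for k, _ in dangling),
        "actions": actions,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_MWAV).items():
        print(f"{k}: {v}")
```

The "actions" counter is worth printing: a log in which every line ends "No Action Taken" is a report, not a cleanup, and the two named detections still have to be dealt with separately.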
 

TSF Security Team, Emeritus · 26,363 Posts
If you feel uncomfortable about the csrss.exe file, you can send it to this website - http://virusscan.jotti.org
Submit the file for a comprehensive scan and then post the results back here.

I don't see any malware in your logs, and Kaspersky couldn't find anything.

It may well be a problem with Firefox's tabbed browsing extensions. I always have problems whenever I update Firefox to a new version; I kept having to uninstall all the extensions and locate new ones for them.
 