I was surfing on myspace a few weeks ago (I know, infection city), and this one thing kept popping up, all official looking, telling me my computer might not be safe, blah blah. I immediately closed firefox and opened it back up again, without clicking on the “ad”. Next day, same thing, only I got irritated that it kept happening, so I clicked on the X in the corner to make it go away. That was probably a mistake. Since then my Comodo Firewall isn’t recognizing Firefox and asks for permission every time I open Firefox and saying it has no information on Firefox. It’s also telling me that my Incredimail is being suspicious. I ran adaware and it’s coming back clean. Avast! a/v didn’t pick up on anything. I’m wondering if something somehow slipped through some cracks I shouldn’t have. Is there some way for you to look at my computer and tell me? Thanks so much! =)
I think this is some smitfraud/virtumonde infection…
Download superantispyware : http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe
install it and update.
Then reboot in safe mode (continously tapping F8 while booting and then choosing safe mode) and scan, remove any infections you might have…
Then reboot in safe mode and see if it finds anything with a quick check
Xan
Well I don’t know if this is good news or bad, but I did exactly as you said and it only came back with 46 or 48 cookies that I removed. The firewall is still alerting me that Incredimail might be used to hijack some other applications, and it still doesn’t recognize Firefox. I’m assuming I haven’t found the problem. Should I keep SUPERantisypware on my computer, or am I done with it now? What else can I do to find the problem? Thanks so much in advance! =)
Evening,
I would like to help,
Please run HiJack This
http://www.trendsecure.com/portal/en-US/_download/HiJackThis.zip
and post it here
CG
Well, I sujest you keep SAS as it’s one of the best antispywares there is 
As CGPMaster already stated, please give us a hijackthis loggie
- download hijackthis
2
Malwarebytes’ Anti-Malware is another good one.
Mainly SAS & MBAM should be the only on-demand malware scanners on your PC. 
They are both outstanding.
It’s almost critical to keep both programs on your PC. Make sure they are up-to-date and at least do full system scans once a month with good web browsing habits.
Josh
um, so I did the HJT and tried to paste it here and hit reply… it comes up and tells me that the last reply from my ip address was less than one second ago, please try again later. Should I be worried? I tried three times and gave it plenty of time to do its thing, but it still told me the same thing
I’ll be back on in a while and we can do the thing where you connect to my computer… you did send me that email, didn’t you C? Thanks!!
trying one more time…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:59 PM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [SSBkgdUpdate] “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
–
End of file - 6626 bytes
??? For some reason I can’t see anything unusual or I should have missed it ???. The only thing I can think of are 2 svchost’s I donno, why that could be strange 88)
Xan
Ok, that is odd. I know I said that my firewall is telling me that my incredimail is being suspicious, but let me elaborate. I have gotten warnings from my firewall for both incredimail and openoffice. If I am surfing on the internet and click on something on a page, every now and then the firewall will come up and tell me that either incredimail or openoffice is trying to connect to the internet and that it’s been used to hijack other programs and the security risk is all red. I cannot go forward with what I have clicked on until I either give access or deny access with the firewall. If I click to deny access, I can no longer proceed with anything in that firefox window, I have to close it out and open a new one. If I click to allow it, it’s fine and I can continue. If I exit out of incredimail and/or openoffice, I get no warnings, but only if I completely exit them out and shut the program down so it’s not running anywhere, not just X out of them. Hopefully this was of some little bit of help… Thanks for the help you’re trying to give, I really appreciate it! =)
Could you give me screenshots of the alerts ? It’s not that it’s red that it’s always malware…
Xan