Firefox problem

[joker12578]

I uninstalled firefox and this went away, after reinstalling came back. So I know it's a firefox problem. Must have started about a week or two ago, some auto update or something because I have never had this problem.

Firefox now boots in the background with the OS, memory usage starts at 3624k. When I open the browser there are two running, when I close the browser it closes the one that doesn't boot with the OS. If I end task on the one that boots it goes away intil next boot, it doesn't reopen when I open firefox.

Problems with this is that it's causing problem with my mouse. Double clicking problems, when I click twice to open something up it's doing three clicks. This is strange but I have tested it out, happens about 60% of the time when the background agent is running and never after I end task on it. There has also been freeze up in the last couple week I haven't had before.

Anyone know why this is booting up? Anyone have firefox running in the background? Is this some kind of update that they did?
thx

[jman01pa]

Do you have any extensions installed for Firefox? I remember one that loads firefox in the background to increase the speed that firefox loads.

If you do have any extensions loaded, try removing them all.

[joker12578]

something called talkback, I will remove it and see what happens

Ok, uninstalled and restarted the computer, it didn't work.

[jman01pa]

Here is a site I found. I hope it helps

http://kb.mozillazine.org/Standard_d..._%28Firefox%29

You removed Firefox but did you remove your installation directory? What about your firefox profile?

Backup your bookmarks, uninstall firefox, and delete the contents of C:\Documents and Settings\<username>\Application Data\Mozilla and C:\Program Files\Mozila Firefox. The Application Folder is hidden so you will have to uncheck the "hide hidden files" box in the Folder Options dialog box. Now you can reinstall for a completely fresh copy.

[joker12578]

None of that worked, I don't even know where it's loading from or how. I don't see it in the registry/msconfig or even services. Is there anyway userinit could be loading it, it doesn't start before it? Here's a hijack log right after bootup before starting the browser.


Logfile of HijackThis v1.97.7
Scan saved at 8:49:31 PM, on 1/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe
C:\Program Files\MSI\PC Alert III\alert.exe
D:\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 62.171.219.24:80
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O4 - HKLM\..\Run: [piiserviceOE] "C:\Program Files\Spam Inspector Outlook Express\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - Global Startup: PC Alert III.lnk = C:\Program Files\MSI\PC Alert III\alert.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

[jman01pa]

Have you tried scanning your system for spyware or trojans that may be loading it

[joker12578]

use kaspersky haven't had a problem with it before. I uninstalled firefox and restarted the computer when I did this the agent in the background didn't load. If it was anytype of spyware or virus I would think that it would have loaded without firefox being installed on the computer.
Thanks for your help, any more ideas?

[SeanC]

Make sure the FireFox directory is deleted. Then go into the registry (BACK IT UP FIRST!!!)

and (HAVE YOU DONE THAT BACKUP YET?), then search for any references to FireFox or Mozilla.

(IS THE REGISTRY BACKUP DONE?) Delete the references you find to either of those. Note: If you have Mozilla Thunderbird installed, make sure the registry references are actually for FireFox and not Thunderbird. If you're not sure, leave it.

[joker12578]

I will give this a try then post what happens. As for the backing up the registry I will do that first but let face it if the OS crashes and I can't login to windows the backup is little good.

Okay done that, also deleted everything on the computer that had either names in them. Then restarted and reinstalled, going to restart now and see if it worked. I have done this before to remove spyware but never to remove firefox.

EDIT: installing trojan hunter now going to scan with this. I believe it's part of firefox, is anyone else using firefox 1.5 and have the lastest SP1 updates from mircosoft? I did just update the OS about the time this started.

[joker12578]

Didn't work once again it loaded right after userinit closed.

Here's a list of files that open before firefox and then close after the computer has loaded the few things it has too.

imapi.exe
userinit.exe
dmdlgs.exe
(strange this one loads under user but it's in the system dir which I would think would make it a system file.)

These three open and close right before firefox opens, when booting up.

[joker12578]

I didn't find anything, pretty nice porgram anyways. Here's a print out from trojanhunter showing the programs running. Have to click on the image to zoom it.

http://img92.imageshack.us/my.php?image=5454214tn.jpg

[sickroachman]

You have a virus, this is not a bad FireFox installation. I got this same thing and searched and searched for ways to remove it but couldn't find any. No anti-virus will detect it right now. I got it from a pirated copy of poker indicator. You should try and figure out where you got yours from.

I have been looking into this virus and have a post about it on security-forums.com You can see everything that I have found out about it.

http://security-forums.com/forum/vie...b81147a#219286

Deleting dmdlgs.exe will stop it from loading, but I do not know if this completely removes the virus. Check out the link for more information.

[joker12578]

thanks

[sickroachman]

I did some more research and found out it is a variation of this virus Backdoor.Win32.Bifrose.ee

You can see information about the virus here:

http://www.f-secure.com/v-descs/bifrose_ee.shtml


However, there are some things that are different. In order to completely remove this virus you will have to delete the dmdlgs.exe and the following registry keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wset]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F81D88C-C298-9935-C5D1-40AA4DB91155}]


Also I would probally uninstall FireFox completely and reinstall it. I don't know for sure, but I think it messes with the FireFox code. Maybe even Internet Explorers.

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

Basic file operations (copy, delete, rename, find, execute)
Download/upload files
Process operations (list, kill)
Registry operations (create/delete keys/values)
Create screenshots of the desktop