
New Tab Opens in Firefox every now and then

Discussion in 'Virus & Other Malware Removal' started by Goose13, Apr 9, 2010.

Thread Status:
Not open for further replies.
  1. Goose13

    Goose13 Thread Starter

    Apr 9, 2010
    Hi all!
    To start, I take many risks. Still have not learned when I get the bad gut feeling.
    I seemed to have had a virus or malware on my system a couple of days ago.
    I use the free version of Comodo Internet Security. My Antivirus software alerted me after I
    tried to install an app to convert avi to amv. It alerted of a dll32.exe in Program Files/HostServices.
    It flagged it as the following: [email protected]
    I noticed a process called Hgubia.exe (from Process Explorer - like Task Manager but more info).
    I killed the running process Hgubia.exe but Comodo kept popping up. I asked it to delete and it would go away and come right back. I noticed the file in the Program Files\HostServices\dll32.exe would go away and come back. I even deleted the HostServices directory and it would come back.
    I then ran Windows Doctor 2.0 and did a scan on my Registry and on my system. I seem to have cleared
    it off but it still shows the Hgubia.exe in running processes. I killed it. Rebooted in safe mode. Ran
    Comodo antivirus. Removed a couple of things I found. Booted up in normal mode and ran Comodo again. Removed some of the same things and even a program I normally use to shutdown automatically at a certain time. It was flagged but I always used it. This time I just decided to get rid of everything flagged. All seems well. No more Hgubia.exe process and no more HostServices directory in program files and no more alerts from Comodo. However, every now and then while browsing, a new Tab opens with a site I have never visited. Never the same site. Does not happen often. I have been on for maybe 2 hours and only happened once. I feel that something is still here but I can not detect it. I ran CwShredder but it found nothing. I just don't feel right...
    Any assistance in looking at log and helping out is greatly appreciated. If I really need to I can load
    a saved Ghost image on my machine but that would put me back a few programs and XP updates away.
    But hey, rather be safe than sorry!

    Following is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:15:37 AM, on 4/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\Systernals Process Explorer\procexp.exe
    C:\Documents and Settings\Jose\Application Data\mjusbsp\magicJack.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.magicjack.com/
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Jose\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9B577BEE-3A0B-4FFD-B9B7-DA698FE6F07C}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =,
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    End of file - 4003 bytes
  2. Goose13

    Goose13 Thread Starter

    Apr 9, 2010
    I went ahead and loaded an older image of my machine. All well now.
Short URL to this thread: https://techguy.org/915825
