Author Topic: JS:Iframe-AYK Trojan picked up in bookmarkbackups when firefox closes  (Read 6462 times)


insound

  • Guest
Hi

Since this morning, a few moments after I close Firefox, Avast gives me a warning that a trojan has been detected in AppData\Roaming\Mozilla\Firefox\Profiles\ecckv26j.default\bookmarkbackups and moved to the virus chest.

Original file name: bookmarks-2012-04-12.json
Virus Description: JS:Iframe-AYK [Trj]

I have done a bit of reading about the problem, and as far as I can make out this is a problem that arises from visiting sites with malicious code hidden in them somewhere. But for me, this is happening every time I close Firefox (and only once I close Firefox), even if the only page visited is the homepage Google. And as far as I can recall I haven't visited any weird or wonderful websites recently, just Google, BBC, YouTube etc... so I am left a bit confused.

I figured it might be a Firefox extension, so I tried disabling them all, but there was no difference.

Since the problem appears to be in bookmark backups, could it be malicious code in one of the sites in my bookmarks? Despite the fact I haven't visited any of them recently? It seems unlikely to me, but I don't know.

Can anyone shed some light on things? Is this a mistake from somewhere? Or could there be an underlying element running in Firefox causing this problem?

As far as I can tell everything is working fine, aside from the trojan alert.

Thanks for any help in advance.




Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: JS:Iframe-AYK Trojan picked up in bookmarkbackups when firefox closes
« Reply #1 on: April 18, 2013, 04:34:01 PM »
Attach an OTL diagnostic log, then Essexboy will have a look.

http://forum.avast.com/index.php?topic=53253.0



insound

« Reply #2 on: April 18, 2013, 05:40:58 PM »
Thanks.

As far as I could see I didn't get an 'Extras.txt', just an 'OTL.txt', is that right?

Also, I should mention I previously ran Malwarebytes and it came up clean.

I haven't tried the other tools on that page, AdwCleaner or aswMBR though; I'll run them if you suggest so.
« Last Edit: April 18, 2013, 05:44:56 PM by insound »

Offline Pondus

« Reply #3 on: April 18, 2013, 05:45:38 PM »
It is only created at first run.... have you run OTL before?
Anyway, that log is usually not needed, as the name says just extra tech info... OTL.txt is the important one.

Essexboy should be online soon.






insound

« Reply #4 on: April 18, 2013, 05:52:58 PM »
> It is only created at first run.... have you run OTL before?
> Anyway, that log is usually not needed, as the name says just extra tech info... OTL.txt is the important one.
>
> Essexboy should be online soon.

I don't recall, it's possible I ran it before a long time ago, I had an unrelated problem with this computer maybe a year ago, but it turned out to be nothing major.

Thanks for your help.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JS:Iframe-AYK Trojan picked up in bookmarkbackups when firefox closes
« Reply #5 on: April 18, 2013, 07:30:33 PM »
It might be worth deleting your current bookmark backup and creating a fresh one.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
FF - prefs.js..network.proxy.autoconfig_url: "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20(url.indexOf('turntable.fm')%20!%3D%20-1%20%26%26%20url.indexOf('static.turntable.fm')%20%3D%3D%20-1%20%26%26%20url.indexOf('s3.amazonaws.com')%20%3D%3D%20-1%20%26%26%20url.indexOf('ping.chartbeat.net')%20%3D%3D%20-1)%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1)%20%7B%20return%20'PROXY%20ab-us06.personalitycores.com%3A8000%3B%20PROXY%20ab-us04.personalitycores.com%3A8000%3B%20PROXY%20ab-us13.personalitycores.com%3A8000%3B%20PROXY%20ab-us09.personalitycores.com%3A8000%3B%20PROXY%20ab-us07.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000%3B%20PROXY%20ab-us02.personalitycores.com%3A8000%3B%20PROXY%20ab-us01.personalitycores.com%3A8000%3B%20PROXY%20ab-us12.personalitycores.com%3A8000%3B%20PROXY%20ab-us10.personalitycores.com%3A8000%3B%20PROXY%20ab-us08.personalitycores.com%3A8000%3B%20PROXY%20ab-us11.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"


:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
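
Added example, not part of the original post: the `network.proxy.autoconfig_url` value in the fix above is a percent-encoded proxy auto-config script stored inline as a `data:` URL, and this sketch decodes such a value to show which hosts it routes and through which proxies. The function name, the sample hosts and the assumption that prefs.js stores the value as `user_pref("name", "value");` are illustrative.

```python
import re
from urllib.parse import quote, unquote

# Matches prefs.js syntax, user_pref("network.proxy.autoconfig_url", "..."),
# and the OTL log syntax, prefs.js..network.proxy.autoconfig_url: "...".
PREF_RE = re.compile(r'network\.proxy\.autoconfig_url"?[,:]\s*"(.*)"')

# Constructed PAC script with placeholder hosts, same shape as the one in the fix.
PAC_TEXT = (
    "function FindProxyForURL(url, host) {if (host == 'media.example.com' || "
    "url.indexOf('video.example.net') != -1 || "
    "shExpMatch(url, 'http://tv.example.org*')) "
    "{ return 'PROXY p1.proxy.example:8000; PROXY p2.proxy.example:8000';} "
    "else { return 'DIRECT'; }}"
)
DATA_URL = "data:text/javascript," + quote(PAC_TEXT)
SAMPLE_PREFS = 'user_pref("network.proxy.autoconfig_url", "%s");' % DATA_URL
SAMPLE_OTL = 'FF - prefs.js..network.proxy.autoconfig_url: "%s"' % DATA_URL


def audit_pac_pref(text):
    """Report what a PAC preference routes, and through which proxies."""
    match = PREF_RE.search(text)
    if match is None:
        return None  # the preference does not appear in this text
    value = match.group(1)
    if not value.startswith("data:"):
        # A remote or file PAC URL: nothing to decode here, just report it.
        return {"inline": False, "url": value, "proxies": [], "routed": []}
    _, _, encoded = value.partition(",")
    script = unquote(encoded)
    # Proxy endpoints named in the script's return strings.
    proxies = sorted(set(re.findall(r"PROXY\s+([\w.-]+:\d+)", script)))
    # Hosts and URL patterns the script tests before choosing a proxy.
    routed = sorted(set(re.findall(
        r"(?:==\s*|indexOf\(|shExpMatch\(url,\s*)'([^']+)'", script)))
    return {"inline": True, "script": script,
            "proxies": proxies, "routed": routed}


if __name__ == "__main__":
    report = audit_pac_pref(SAMPLE_PREFS)
    print("proxies:", report["proxies"])
    print("routed: ", report["routed"])
```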

insound

« Reply #6 on: April 18, 2013, 08:09:58 PM »
I deleted the bookmark backup, but it didn't help. The folder only had backups up to yesterday - the file causing the problem, the one dated today, wasn't in there, presumably because avast had quarantined it. But it was worth a try.

But it was only the bookmarks backup I deleted, not the actual bookmarks themselves. Do you think deleting them all might sort it?

Also, I got two text documents, one on restart, and one after doing the quickscan (just named OTL.txt). I'm attaching both.

And of course I should mention the problem still persists.

Thanks a lot for your help!
« Last Edit: April 18, 2013, 08:11:51 PM by insound »

Offline essexboy

« Reply #7 on: April 18, 2013, 08:29:11 PM »
Could you uninstall the bookmark backup totally and then see if Avast still alerts?

insound

« Reply #8 on: April 18, 2013, 08:48:41 PM »
I'm not sure I know what you mean by uninstall - I navigated to the bookmarkbackups folder in AppData\Roaming\Mozilla\Firefox\Profiles\ecckv26j.default\bookmarkbackups and then just deleted the entire folder. Firefox then created the folder again on start up, but empty, obviously. Is that what you meant by uninstalling, or is there a more proper way to do it?

And I tried it a few times, didn't fix anything. It seems as if it is trying to create an automatic backup of bookmarks upon being shut down, but that that file is infected somehow, and so even with the rest of the folder empty the problem still persists, because Firefox will try to create the file automatically each time it closes.

I might look for a way to turn off the automatic bookmark backup, but that would be treating the symptoms not the cause. Do you think this could really be caused by one of the actual links in my bookmarks? Is that possible? Should I open them one by one and try to find one that avast doesn't like? Is that safe?

Offline essexboy

« Reply #9 on: April 18, 2013, 08:51:03 PM »
To me it does sound as though one of the bookmarks is the problem

I will have a quick scout around to see what I can find out

insound

« Reply #10 on: April 19, 2013, 03:15:04 PM »
I have fixed the problem (I think!), I'm just reporting back in for the sake of anyone with a similar problem finding this thread in the future.

It was indeed as we earlier guessed, that a website in my bookmarks had become compromised. And so even though I had not visited the website in a long time, definitely not since it had been hacked, it still was flagged up in Avast when Firefox closes - this is I guess because when Firefox closes it creates a backup of all your bookmarks automatically, and within that file is the name of the bad website, which must be blacklisted in some way, and so causes the alert.

I fixed it by going through each site in my bookmarks one by one, waiting for Avast to send up the same flag - when it did I simply deleted the bookmark and the problem was solved. I assume visiting the sites in this manner is safe, since Avast will stop the threat before it can do any damage, but I am not 100% sure - at the end of the day you are still playing Russian Roulette trying to find a site with a virus hidden in it, so it might be a little dodgy. But it worked for me - Avast flagged it like it should and there were no problems.

I do have a question for Essexboy or anyone else in the know -

Is it possible, had I not had any virus protection, that this Trojan could have done me harm just through 'bookmark backups'? Remember, I didn't visit the infected site; it was simply that my bookmarks were being backed up upon Firefox closing, and a bad site was in among the bunch. It seems unlikely to me that anything could have happened, since the site is not being visited, but I just wondered if it is theoretically possible?

Thanks for your help everyone.
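
Added example, not part of the thread: a Firefox bookmark backup such as `bookmarks-2012-04-12.json` is a JSON tree, so the bookmarked URLs can be listed by folder and host and reviewed without opening each site. The `children`, `uri` and `title` keys follow the Firefox backup layout; the sample data and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout of a Firefox bookmark backup file.
SAMPLE_BACKUP = json.dumps({
    "title": "", "type": "text/x-moz-place-container", "children": [
        {"title": "Bookmarks Menu", "type": "text/x-moz-place-container",
         "children": [
             {"title": "News", "type": "text/x-moz-place",
              "uri": "http://news.example.org/"},
             {"title": "Old forum", "type": "text/x-moz-place",
              "uri": "http://forum.example.net/index.php?board=3"},
             {"title": "Tools", "type": "text/x-moz-place-container",
              "children": [
                  {"title": "Resize", "type": "text/x-moz-place",
                   "uri": "javascript:void(window.resizeTo(800,600))"},
              ]},
         ]},
    ],
})


def walk(node, path=()):
    """Yield (folder path, title, uri) for every bookmark under node."""
    if "uri" in node:
        yield "/".join(path), node.get("title") or "", node["uri"]
    here = path + (node.get("title") or "root",)
    for child in node.get("children", []):
        yield from walk(child, here)


def triage(backup_text):
    """Group web bookmarks by host; list other schemes separately."""
    hosts, other = {}, []
    for folder, title, uri in walk(json.loads(backup_text)):
        try:
            parts = urlsplit(uri)
        except ValueError:          # malformed URI: keep it for manual review
            other.append((folder, title, uri))
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.setdefault(parts.hostname, []).append((folder, title))
        else:                       # javascript:, data:, place: and similar
            other.append((folder, title, uri))
    return hosts, other


if __name__ == "__main__":
    hosts, other = triage(SAMPLE_BACKUP)
    for host in sorted(hosts):
        print(host, hosts[host])
    print("non-web entries:", other)
```

The host list can then be checked against the name shown in the antivirus alert or a reputation service instead of loading each bookmark in the browser.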

Offline essexboy

« Reply #11 on: April 19, 2013, 07:43:37 PM »
Possibly not, until such time as you accessed that web site where without webshield you would be wide open

Run OTL and press cleanup to remove the programme and associated files  ;D