Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: michael266 on July 24, 2012, 04:38:43 PM

Title: Malware warning in Firefox
Post by: michael266 on July 24, 2012, 04:38:43 PM
A couple of days ago I started getting a malware warning whenever I use Firefox. The info refers to different files (e.g. C:\Program File\Mozilla Firefox\firefox.exe or C:\Programs\Google\GO333@~1\GoogleDesktopNetwork3.dll) but a common theme is http://23.feedclickonline.com/feed?type 

I scanned with Avast and Malwarebytes - nothing. I tried removing the Google dll but this doesn't help. I'm using Vista - another computer in the office using Windows 7 doesn't have this problem as far as I can tell.

Any help with this will be appreciated.
Title: Re: Malware warning in Firefox
Post by: mikaelrask on July 24, 2012, 04:46:51 PM
hey follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

welcome to the forum.
Title: Re: Malware warning in Firefox
Post by: michael266 on July 25, 2012, 04:23:42 AM
I followed the instructions as you suggested. The aswMBR scan found a corrupted file ...AppData\Roaming\necmac.dll  which contained the Trojan Win32:Medfos.

The aswMBR program gave a dire warning against using it to write a new Master Boot Record so I did not click on "fix".  The Avast alert warning still comes up after reboot when I open Firefox.

I have now scheduled a Boot-Level Avast scan to operate after I shut down tonight. This is one reason I respect Avast, because this scan mode has found virus infections that have sneaked past the regular Avast screens, and eluded  other antimalware programs.

We'll see how things look in the morning.
Title: Re: Malware warning in Firefox
Post by: SafeSurf on July 25, 2012, 11:29:56 AM
You forgot to attach your MBAM log.   Please post it so we can see any quarantined files.  Thank you.

It also looks like you had McAfee at some point with drivers still in your system.  You need to uninstall McAfee again:  http://singularlabs.com/uninstallers/security-software/

I also noticed that you are using ASC (by iobit).  Does the product you are using also contain an AV, as some of theirs do?  Having 2 AV's on your machine can create all kinds of havoc.  Please check and let us know.

I am going to refer you to our Certified Malware specialist, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy or another malware specialist instructs you to do malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

Title: Re: Malware warning in Firefox
Post by: michael266 on July 25, 2012, 02:34:22 PM
Thanks for your detailed reply.

(1) As I mentioned in last night's note, I scheduled a Boot-level scan when I shut down. This morning, the scan showed these infections:  Win 32:Medfos (Trj), Win 32: Ransom-LJ (Trj), Java:Downloader-GD (Trj), Win32-InstallCore-AM (PUP) and Win32:Evo-Gen (Susp). All were moved to the Chest, then Deleted.

(2) This morning, the Firefox warnings still appear.

(3) I did not see a MBAM log  - just the three that I sent. How is this generated?

(4) Advanced System Care v. 5.2 (Free version) does not, as far as I can tell, include an antivirus component. It appears to scan and clean only. The last time I did a scan using it was back in April.

I do, however, have Windows Defender installed - I just checked, and this program deleted two Trojans on 7/23 during its scheduled daily scan - Win32:Karagang I and Win32:Siref.P  Defender did not notify me of these deletions.

(5) Since I had already made changes to the system, I will await instructions from Essexboy and do what he suggests.

(6) There is one other computer in my office, using the same wireless router. We don't interact. It shows no behavior similar to what I've described. I will run a boot-level scan on this one.
 
I will avoid using this machine as much as possible until I hear from your specialist. If necessary I can run through the entire process again (sigh).  Thanks again!
Title: Re: Malware warning in Firefox
Post by: Pondus on July 25, 2012, 02:40:32 PM
Quote
(3) I did not see a MBAM log  - just the three that I sent. How is this generated?
http://forum.avast.com/index.php?topic=53253.0



Quote
(4) Advanced System Care v. 5.2 (Free version) does not, as far as I can tell, include an antivirus component. It appears to scan and clean only. The last time I did a scan using it was back in April
you may want to remove it after reading this

http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217




Title: Re: Malware warning in Firefox
Post by: michael266 on July 25, 2012, 03:31:03 PM
Here's the Malwarebytes log from 7-23, showing a virus deleted. Two scans I ran later show nothing.
Title: Re: Malware warning in Firefox
Post by: essexboy on July 25, 2012, 03:35:04 PM
Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: Malware warning in Firefox
Post by: michael266 on July 26, 2012, 04:26:50 AM
Essexboy: I followed your instructions (to the best of my knowledge). Unfortunately, even after two reboots, the malware alert still comes up when I use Firefox.

I removed Advanced System Care after reading about their database theft, even though this happened a couple of years ago and CNET has given the program a good review. Before running Combofix.exe from the desktop I disabled the following antivirus programs in my system:  Avast, Malwarebytes, and Windows Defender. I believe I disabled Superantispyware, but am uncertain about WinPatrol.

The Combofix program seemed to run normally, through 50 or so stages, etc. etc.   

As you requested I am attaching the OTL and Combofix logs.

I appreciate your persistence in this matter.
Title: Re: Malware warning in Firefox
Post by: michael266 on July 26, 2012, 04:24:38 PM
Superantispyware and Spybot Winpatrol are the free versions and only scan, not protect.
Title: Re: Malware warning in Firefox
Post by: essexboy on July 26, 2012, 04:47:34 PM
OK could you confirm it is only firefox and not IE, Chrome

Is it only firefox ?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)



Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Title: Re: Malware warning in Firefox
Post by: michael266 on July 26, 2012, 05:41:09 PM
The problem was confined to Firefox. I could see no signs of it in IE or Chrome.

I ran GooredFix - the log is attached.

Clicking around in Firefox, I now get no Avast warnings :)

So - for the future. Avast apparently detects the Win32: Medfos virus and blocks it, but even a Bootlevel scan fails to detect/delete it. What's the best way to protect against reinfection?

Thanks for all your help.
Title: Re: Malware warning in Firefox
Post by: michael266 on July 26, 2012, 07:09:47 PM
Spoke too soon -- I left the system for a while, then went back into Firefox, and the warning reappeared. I couldn't tell from the GooredFix log I attached whether it was informational only or did something. I will await your further instructions. :-\
Title: Re: Malware warning in Firefox
Post by: michael266 on July 26, 2012, 07:24:27 PM
I unclicked Tools-Options-Enable Javascript. This appears to have stopped the annoying warnings, at least.
Title: Re: Malware warning in Firefox
Post by: essexboy on July 26, 2012, 07:47:43 PM
OK it is one of the addons in Firefox.

The best way to approach this is to start FF in safemode and then enable the addons one at a time to determine the culprit


Title: Re: Malware warning in Firefox
Post by: michael266 on July 27, 2012, 03:44:16 AM
I disabled all the Firefox add-ons and the warnings continue. Unchecking the run Java option stops the warnings, but is impractical.  I have seen other websites that suggest the use of Combofix - but this didn't seem to help.

I have saved all my Firefox Bookmarks and loaded them into Internet Explorer and am now using this as my default browser. Do you think that simply deleting Firefox and reinstalling it would get rid of the trojan, or is it hiding among files that will not be deleted?
Title: Re: Malware warning in Firefox
Post by: essexboy on July 27, 2012, 03:28:40 PM
I would recommend a full uninstall and then reinstall, there are so many areas where malware can hide within firefox

Follow the instructions here for a clean install http://kb.mozillazine.org/Uninstalling_firefox