Author Topic: Malware warning in Firefox  (Read 3905 times)

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Malware warning in Firefox
« on: July 24, 2012, 02:38:43 PM »
A couple of days ago I started getting a malware warning whenever I use Firefox. The info refers to different files (e.g. C:\Program File\Mozilla Firefox\firefox.exe or C:\Programs\Google\GO333@~1\GoogleDesktopNetwork3.dll) but a common theme is http://23.feedclickonline.com/feed?type 

I scanned with Avast and Malwarebytes - nothing. I tried removing the Google dll but this doesn't help. I'm using Vista - another computer in the office using Windows 7 doesn't have this problem as far as I can tell.

Any help with this will be appreciated.

Offline mikaelrask

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1303
  • Gender: Male
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #1 on: July 24, 2012, 02:46:51 PM »
Hey, follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

Welcome to the forum.
new computer
windows 8 Intel core I-3 64 bit
6 gb ram 500 gb hardrive. avast 9 MBAM

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #2 on: July 25, 2012, 02:23:42 AM »
I followed the instructions as you suggested. The aswMBR scan found a corrupted file ...AppData\Roaming\necmac.dll  which contained the Trojan Win32:Medfos.

The aswMBR program gave a dire warning against using it to write a new Master Boot Record so I did not click on "fix".  The Avast alert warning still comes up after reboot when I open Firefox.

I have now scheduled a Boot-Level Avast scan to operate after I shut down tonight. This is one reason I respect Avast, because this scan mode has found virus infections that have sneaked past the regular Avast screens, and eluded  other antimalware programs.

We'll see how things look in the morning.

Offline SafeSurf

  • avast! Evangelist
  • Ultra Poster
  • ***
  • Posts: 4931
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #3 on: July 25, 2012, 09:29:56 AM »
You forgot to attach your MBAM log.   Please post it so we can see any quarantined files.  Thank you.

It also looks like you had McAfee at some point with drivers still in your system.  You need to uninstall McAfee again:  http://singularlabs.com/uninstallers/security-software/.

I also noticed that you are using ASC (by iobit).  Does the product you are using also contain an AV, as some of theirs do?  Having 2 AV's on your machine can create all kinds of havoc.  Please check and let us know.

I am going to refer you to our Certified Malware specialist, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy or another malware specialist instructs you to do malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

iMac (Mavericks)/Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostey)/
Vista Home Prem (same add-on's)/Avast Free/Online Armor Premium Firewall/MBAM Prem)/ Avast Mobile Security with MBAM Pro/ iPad 4th gen.

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #4 on: July 25, 2012, 12:34:22 PM »
Thanks for your detailed reply.

(1) As I mentioned in last night's note, I scheduled a Boot-level scan when I shut down. This morning, the scan showed these infections:  Win 32:Medfos (Trj), Win 32: Ransom-LJ (Trj), Java:Downloader-GD (Trj), Win32-InstallCore-AM (PUP) and Win32:Evo-Gen (Susp). All were moved to the Chest, then Deleted.

(2) This morning, the Firefox warnings still appear.

(3) I did not see a MBAM log  - just the three that I sent. How is this generated?

(4) Advanced System Care v. 5.2 (Free version) does not, as far as I can tell, include an antivirus component. It appears to scan and clean only. The last time I did a scan using it was back in April.

I do, however, have Windows Defender installed - I just checked, and this program deleted two Trojans on 7/23 during its scheduled daily scan - Win32:Karagang I and Win32:Siref.P  Defender did not notify me of these deletions.

(5) Since I had already made changes to the system, I will await instructions from Essexboy and do what he suggests.

(6) There is one other computer in my office, using the same wireless router. We don't interact. It shows no behavior similar to what I've described. I will run a boot-level scan on this one.
 
I will avoid using this machine as much as possible until I hear from your specialist. If necessary I can run through the entire process again (sigh).  Thanks again!

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21800
  • Gender: Male
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #5 on: July 25, 2012, 12:40:32 PM »
Quote
(3) I did not see a MBAM log  - just the three that I sent. How is this generated?
http://forum.avast.com/index.php?topic=53253.0



Quote
(4) Advanced System Care v. 5.2 (Free version) does not, as far as I can tell, include an antivirus component. It appears to scan and clean only. The last time I did a scan using it was back in April
you may want to remove it after reading this

http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217




Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #6 on: July 25, 2012, 01:31:03 PM »
Here's the Malwarebytes log from 7-23, showing a virus deleted. Two scans I ran later show nothing.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29082
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #7 on: July 25, 2012, 01:35:04 PM »
Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    [2012/01/14 13:56:02 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Julie and Michael\AppData\Roaming\Mozilla\Firefox\Profiles\x3afj01f.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    O3 - HKU\S-1-5-21-2521668670-3971852189-2849730010-1000\..\Toolbar\WebBrowser: (no name) - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No CLSID value found.
    O3 - HKU\S-1-5-21-2521668670-3971852189-2849730010-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    [2012/07/16 11:09:59 | 000,377,344 | ---- | C] (Midiman/M-Audio) -- C:\Users\Julie and Michael\AppData\Roaming\necmac.dll
    [2012/07/16 11:09:08 | 000,151,040 | -HS- | C] (DT Soft Ltd) -- C:\Users\Julie and Michael\AppData\Roaming\drvse.dll
    @Alternate Data Stream - 1324 bytes -> C:\Users\Julie and Michael\AppData\Local\Temp:MyRjuDt2rvkrybmG3jviB8i0rdGe87
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:0CFE8F97
    @Alternate Data Stream - 108 bytes -> C:\Windows:

    :Files
    ipconfig /flushdns /c
     
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
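
Added example, not part of the post above and not OTL's own code: a small Python triage pass over OTL file-listing lines, flagging the two traits visible in the fix script (a DLL dropped directly in the AppData\Roaming root, and hidden+system attributes). The field order in the regex and the function names `parse` and `triage` are assumptions made for this illustration.

```python
import ntpath
import re

# Three file lines copied from the fix script in the post above.
SAMPLE = r"""
[2012/01/14 13:56:02 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Julie and Michael\AppData\Roaming\Mozilla\Firefox\Profiles\x3afj01f.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
[2012/07/16 11:09:59 | 000,377,344 | ---- | C] (Midiman/M-Audio) -- C:\Users\Julie and Michael\AppData\Roaming\necmac.dll
[2012/07/16 11:09:08 | 000,151,040 | -HS- | C] (DT Soft Ltd) -- C:\Users\Julie and Michael\AppData\Roaming\drvse.dll
"""

# Assumed layout: [date time | size | attributes | C(reated)/M(odified)] (vendor) -- path
LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] \((?P<vendor>.*?)\) -- (?P<path>.+)$"
)

def parse(line):
    """Return the fields of one OTL file line as a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    return rec

def triage(text):
    """Return (file name, date, reasons) for every file line worth a second look."""
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or "D" in rec["attrs"]:   # skip non-matching lines and directories
            continue
        path, reasons = rec["path"], []
        in_roaming_root = ntpath.dirname(path).lower().endswith(r"\appdata\roaming")
        if in_roaming_root and path.lower().endswith((".dll", ".exe")):
            reasons.append("binary in AppData\\Roaming root")
        if "H" in rec["attrs"] and "S" in rec["attrs"]:
            reasons.append("hidden+system attributes")
        if reasons:
            findings.append((ntpath.basename(path), rec["date"], reasons))
    return findings

if __name__ == "__main__":
    for name, date, reasons in triage(SAMPLE):
        print(date, name, "; ".join(reasons))
```

A vendor string on such a line is only what the file claims about itself, so the check deliberately ignores it and keys on location and attributes.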

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #8 on: July 26, 2012, 02:26:50 AM »
Essexboy: I followed your instructions (to the best of my knowledge). Unfortunately, even after two reboots, the malware alert still comes up when I use Firefox.

I removed Advanced System Care after reading about their database theft, even though this happened a couple of years ago and CNET has given the program a good review. Before running Combofix.exe from the desktop I disabled the following antivirus programs in my system:  Avast, Malwarebytes, and Windows Defender. I believe I disabled Superantispyware, but am uncertain about WinPatrol.

The Combofix program seemed to run normally, through 50 or so stages, etc. etc.   

As you requested I am attaching the OTL and Combofix logs.

I appreciate your persistence in this matter.

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #9 on: July 26, 2012, 02:24:38 PM »
Superantispyware and Spybot Winpatrol are the free versions and only scan, not protect.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29082
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #10 on: July 26, 2012, 02:47:34 PM »
OK could you confirm it is only firefox and not IE, Chrome

Is it only firefox ?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.


Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #11 on: July 26, 2012, 03:41:09 PM »
The problem was confined to Firefox. I could see no signs of it in IE or Chrome.

I ran GooredFix - the log is attached.

Clicking around in Firefox, I now get no Avast warnings :)

So - for the future. Avast apparently detects the Win32: Medfos virus and blocks it, but even a Bootlevel scan fails to detect/delete it. What's the best way to protect against reinfection?

Thanks for all your help.

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #12 on: July 26, 2012, 05:09:47 PM »
Spoke too soon -- I left the system for a while, then went back into Firefox, and the warning reappeared. I couldn't tell from the GooredFix log I attached whether it was informational only or did something. I will await your further instructions. :-\

Offline michael266

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #13 on: July 26, 2012, 05:24:27 PM »
I unclicked Tools-Options-Enable Javascript. This appears to have stopped the annoying warnings, at least.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29082
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Malware warning in Firefox
« Reply #14 on: July 26, 2012, 05:47:43 PM »
OK it is one of the addons in Firefox.

The best way to approach this is to start FF in safemode and then enable the addons one at a time to determine the culprit



 
