Avast WEBforum
Other => Viruses and worms => Topic started by: Dave W on February 04, 2012, 08:47:40 PM
-
Hello,
I have Avast Free, running XP Pro-32 bit.
I am getting the same kinds of Avast Warning and Blocking messages that NickJHenderson reported in a previous thread on this Forum, on his newer Windows 7 - 64 bit system:
http://forum.avast.com/index.php?topic=92407.0
My last specific Avast pop-up reported the following information:
Infection Details
URL: hxxp://www.zoosexshow.com/?x (My added note: I changed the http to hxxp, for safety)
Process: file://C:\Program Files\Common Files\Com...
Infection: html:Iframe-inf
Note: In other previous pop-up warnings (nearly all of which seem to try to connect to animal sex porn sites), Avast has provided the complete Process pathway, being;
C:\Program Files\Common Files\ComObjects\update.exe
(Note: On my computer, the "update" file in this path has a Firefox logo beside it).
__________________________________________________
I have been working on this for a week. With an ISP Tech (who could not find or fix the problem), and with a Bleepingcomputer.com Virus/Malware Consultant (who could not find or fix the problem), we tried many approaches that included the following programs, to no avail:
Hijackthis
GMER
Tdsskiller
dds
aswMBR
Combofix
OTL
Kaspersky VTR
Revo Uninstaller
resetDMA
Some of these programs were run more than once in an effort to identify and/or fix the problem.
In addition, my regular scanners (Avast, Malwarebytes, and Spybot) all find no infections or problems.
However, these pop-ups keep occurring (sometimes by the dozen in a few minutes, and other times a day or two apart) - whether or not I have Firefox or any browser open.
The following additional measures did not fix the problem:
- Disabling all Firefox add-ons
- Updating older versions of programs (such as Adobe Reader)that had security vulnerability.
- Uninstalling and re-downloading and re-installing Avast.
- Running Avast, Malwarebytes and Spybot in Safe Mode.
If you would like to see more specifically what has been tried (including many scan results), the following link will take you directly to my ongoing (3 pg) thread at bleepingcomputer.com (On this forum, my username is Daveinsk):
http://www.bleepingcomputer.com/forums/topic440353.html
On that forum, we ran out of things to try, so I am hoping that the Avast Folks may have some experience or familiarity with this problem.
Do you have any knowledge of this infection, or suggestions?
As I typed this post, I rec'd my monthly Avast security report, which reported that 54 web and network objects were infected and blocked, but that 0 files were infected and cleaned by scans.
Note: While I was typing this message, Avast gave warnings and blocked approx 20 more attempts to connect to an array of animal sex porn sites (which I have never visited). Please help if you can.
Thank-you for your considerations, and any responses provided.
Dave W
-
Read carefully and follow this guide>>http://forum.avast.com/index.php?topic=53253.msg451454#msg451454, while the programs may look familiar and lead you to think "here we go again", they need to be run first to try and diagnose. ;)
-
Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0
-
This is coming from "C:\Program Files\Common Files\ComObjects\update.exe"?
You can try uploading the suspect file to VirusTotal (https://www.virustotal.com) to have it scanned by 40+ antiviruses to see if any others detect it.
Alternatives to VirusTotal:
Jotti (http://virusscan.jotti.org)
VirSCAN (http://virscan.org)
Metascan (http://www.metascan-online.com/)
I use Firefox and don't have a "ComObjects" folder. ???
Also
The pop-up happened to occur right after I enabled an add-on called QuickJS ( h[X]tps://addons.mozilla.org/en-US/firefox/addon/quickjs/?src=search ). Since I had first installed this add-on only a couple of weeks ago (unlike most of my other add-ons - that I have had for months to years), I was very suspicious that it may have been the source of the pop-up problem. So I went into the Firefox add-ons and removed it completely. But the warning pop-up occurred again after it was removed.
Looks like a relatively new add-on. What prompted you to install it? Just out of curiosity? Or was it something in the past that provoked you?
-
I see Gringo is assisting - he is good
But sometimes a fresh set of eyes helps
-
Hello, and thank-you for all of the responses.
This is my attempt to fulfill the requests in the first response after my post:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.04.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELL1 [administrator]
2/4/2012 4:26:17 PM
mbam-log-2012-02-04 (16-26-17).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 165900
Time elapsed: 5 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
____________________________________________
Re OTL Scan
The Following OTL scan did not open two different scan results in Notepad as the instructions said that it would, but rather, only one. I ran the program twice in case it was just a glitch, but both times, only one Notepad window opened with one OTL report. That report is attached, as instructed.
____________________________________________
Re aswMBR Scan
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-04 17:27:26
-----------------------------
17:27:26.578 OS Version: Windows 5.1.2600 Service Pack 3
17:27:26.578 Number of processors: 2 586 0x304
17:27:26.578 ComputerName: DELL1 UserName:
17:27:27.406 Initialize success
17:27:28.203 AVAST engine defs: 12020401
17:27:35.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
17:27:35.500 Disk 0 Vendor: HDS728040PLA320 PF1OA63A Size: 38146MB BusType: 3
17:27:35.515 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-22
17:27:35.515 Disk 1 Vendor: ST3120026AS 3.18 Size: 114473MB BusType: 3
17:27:35.531 Disk 0 MBR read successfully
17:27:35.531 Disk 0 MBR scan
17:27:35.593 Disk 0 Windows XP default MBR code
17:27:35.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 31580 MB offset 63
17:27:35.609 Disk 0 scanning sectors +64677690
17:27:35.687 Disk 0 scanning C:\WINDOWS\system32\drivers
17:27:48.078 Service scanning
17:27:49.093 Modules scanning
17:28:00.781 Disk 0 trace - called modules:
17:28:00.796 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:28:00.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]
17:28:00.812 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x89b7cd98]
17:28:01.281 AVAST engine scan C:\WINDOWS
17:28:06.484 AVAST engine scan C:\WINDOWS\system32
17:30:08.484 AVAST engine scan C:\WINDOWS\system32\drivers
17:30:22.875 AVAST engine scan C:\Documents and Settings\Administrator
17:33:10.703 AVAST engine scan C:\Documents and Settings\All Users
17:33:44.203 Scan finished successfully
18:13:35.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:13:35.125 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\12 02 04 aswMBR.txt"
___________________________________________________
Re Rogue Killer
I wasn't sure if I was supposed to run RogueKiller or not. The instruction page seemed to suggest that I run it if I fulfilled a condition - that did not seem to apply to me. However, I tried to run it anyway - just in case, but the link to download it did not work. If you still want me to run it, please let me know where I can get it.
___________________________________________________
Re Farbar Service Scanner
I did not run this scanner as the instruction page said; If you are having internet connection problems or firewall problems then do the following": Since I am not having these specific problems, I did not download or run the program. If you wish me to, please just let me know.
___________________________________________________
The above scans and reports were on the instruction page of the link provided in the first rewponse after my initial post.
I will now look at the second response after my initial post, and will try to fulfill all of the requests there, in my next post. In turn, I will try to fulfill every scan and report request that has been made - confidently hopeful that I am not just repeating 3 days of scanning and reporting - to no avail.
Thank-you for your considerations.
- Dave
-
Hello again,
The second response to my initial post (by Asyn) sent me to the same page of instructions as the first response (by Gargame) - to which I have already responded.
The third response (by Donavonsrb) suggested that the suspicious file (update.exe) that Avast identified as the possible source of the infection, could be inspected online by several programs. The results of those scans are as follows:
VirusTotal: on 2012-02-04 23:42:01. Detection ratio: 0/43
Metascan: Online Scan detected 0 possible threats.
VirScan: Scanners did not find Malware.
Jotti: 0 out of 20 scanners found Malware.
________________________________________________________
Thx again.
I await any further suggestions you may have.
- Dave
-
Donavonsrb,
Sorry, I missed answering your question in my previous post.
I downloaded QuickJS a couple weeks back, because I was sometimes running into pop-up windows that asked me if I was sure I wanted to leave a website when I closed a tab. In some cases, even if I said "yes", it would not let me leave. Every time I would click the pop-up window to leave - I noticed that (with the help of another add-on called Ghostery), another tracker would try to to add me to the list of those trying to track me. I presume that someone was somehow making money from this ploy. To stop this looping, I had to shut off Java (presumably stopping the script that kept repeating the loop). But the pop-up windows would often also prevent or delay my access to the normal Java check box (under Tools/options/Enable Java), making it difficult to shut off Java, so I could close and escape the site.
The plug-in you asked about (QuickJS) placed a small on/off icon on my lower task bar - allowing me to turn Java on and off much faster. That is why I downloaded it.
________________________________________
However, in the same time period, I downloaded several other Java plug-ins, and several other add-ons, just to try them out. I only kept two. One blackened any web page - making the writing green (as my eyes are sensitive to light and cannot watch a bright white screen for long). This was called; "Blank your Monitor + Easy reading 1.9.7"
The other add-on that I kept placed a small blue arrow on a lower task bar, that could be pushed to download (and covert if desired) any YouTube video, or videos from other sites. This was called; "Flash Video Downloader YouTube Downloader 3.4.3"
Currently, all of my add-ons are disabled. However, the pop-ups are still occurring anyway.
A couple weeks ago, I also downloaded two different media players, just to try them out. They include the VLC Video Player, and the Media Player Classic (downloaded with the K-Lite codec pack). I scanned these downloads before and after installing them - with Avast, Malwarebytes and Spybot, and nothing was found by these scans.
Hope this helps!
- Dave
-
I'm very interested in this story. Since yesterday I'm experiencing exactly the same problems.
I do not use firefox, but had v.4.0 installed.
Suspicious activities I did yesterday include plugging in a suspect usb key, updating VLC to the latest version (1.1.11), installing DirectVobSub (VSFilter)
I'm suspecting DirectVobSub since it didn't seem to do anything when installed, but I'd rather wait and see how Dave fixes his problem (one thing we both did was update VLC!).
Avast also identified "firefox"'s update.exe trying to access pr0n sites. I killed the update.exe via process admin, but sysinternals process explorer showed it was still active, after I killed it there, I have not experienced additional rogue internet access (I'll keep checking). But obviously there is something wrong with our computers.
Avast and MaM complete scans yielded nothing, but I'll try to follow the complete recommended operations pointed out to Dave. Please do not think I'm trying to highjack this thread, I'm only trying to help Dave as the OP, since probably once he fixes his comp. I'll be able to do the same.
UPDATE: I uploaded the installers for VLC and DirectVobSub (VSFilter) to virustotal and both were identified as infected but only by one engine (1/40) in each case:
VSFilter: AntiVir -> HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL -> Virus/Win32.Xpaj.gen
UPDATE2: I will open a separate thread for my problem, sorry if I created unwanted noise here.
-
RogueKiller link is fixed, a formating error on my part
OK lets look in the com folder and see what we have there
Run OTL and select all users
In the custom scans and fixes box copy/paste the following :
C:\Program Files\Common Files\ComObjects\*.* /s
Press run scan
Again there will only be one log
Attach said log
-
Hello Essexboy,
I have run and attached the OTL file, as per your instructions.
I did not run RogueKiller, as your last post did not seem to instruct me to, even though you did explain that the link was now operational. Just let me know if you would like me to run it.
_____________________________________
I found it interesting that Machinshin is experiencing the same problem. I could easily do without the (common suspect) VLC player - that I downloaded and he updated recently (as I virtually never use it), but I will wait to see if we can locate the source (which does not seem to be in a VLC file - at least, no scanner has found any such association to date on my system).
It may be worth mentioning, that I have two physical hard drives, and most of my (non-XP) programs are not on my primary Drive C, but rather on my Drive P (Programs) - which is on my second physical hard drive. Drive P is where my VLC player folder is located. I don't know if this has any significance.
_____________________________________
One other point, if I may?
On the attached OTL report, I noticed that some of the plug-ins were reported as enabled, even though my Firefox add-ons page shows them all as disabled (except Shockwave, which was installed and enabled when I downloaded a new version of Adobe Flash last night, as my Flash was not working - in retrospect - likely because I disabled all add-ons a couple days ago, to see if an active add-on may have been causing the problem).
One plug-in that particularly interests me, is Google Update. I don't recall ever downloading this update, and, right now, my Firefox add-ons page shows it to be disabled, while the attached OTL scan reports it to be enabled, with the following (copied) line:
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
Again, I don't know if this has any significance.
Thank-you again for your considerations. I await any further insights, instructions or suggestions.
- Dave
-
You have the same java dll - also Vlan has two folders in the C drive
You have a google update job in windows tasks. That goes there as soon as you get any google product and it is set to check for updates daily
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\js3260.dll
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Hello Essexboy,
When I ran OTL, it prompted me to re-boot as it ended. Then, it automatically produced a report after the reboot.
Your instructions were to run a quick scan after the reboot - which I did.
I have attached both scan reports for your consideration.
Thanks,
- Dave
-
Hi Dave W,
The results of those scans are as follows:
VirusTotal: on 2012-02-04 23:42:01. Detection ratio: 0/43
Metascan: Online Scan detected 0 possible threats.
VirScan: Scanners did not find Malware.
Jotti: 0 out of 20 scanners found Malware.
The update.exe seems legit then. The dll file that Essexboy mentions has something to do with telling the update.exe to execute these sites.
This dll file appears new, see:
http://systemexplorer.net/db/js3260.dll.html
I'm not so sure about this new malware, so let essex take care of the rest.
-
Hello,
I have something strange new phenomenon occurring here, which I suspect is related to my primary problem, and/or Essexboy's last OTL customized script.
First off, I notice a split second image of a black page with white writing as Windows boots up, that was not there before today (or perhaps yesterday). It is on screen too briefly to read. This is not a problem, but it is a recent change, so I mentioned it.
More importantly, when I boot up my computer now, there is a minimized application button on my task bar at the bottom of my screen. On it, there is a Firefox logo, and the words; "about:memory - Mozilla Firefox"
The words on this button intermittently changes to different strange websites.
When I clicked on it - it would not open into a page or application.
When I checked the Windows Task Manager - it listed "about:memory - Mozilla Firefox" as a running application. When I right clicked on this application, a drop down menu appeared. One of the options was "Go to Process". When I clicked this option it took me to the Processes window in the Task Manager, and highlighted "update.exe"
I then went back to the Applications tab in the Windows Task Manager and right clicked on the "about:memory - Mozilla Firefox" running application again. This time, I selected "Maximize". (I hope this was not a mistake). A web page opened. It had the following headings, but no information;
Memory Usage
Overview
Memory mapped:
Memory in use:
Other Information
Description
I tried re-booting the computer to see if the task bar button appeared again. It did. When I maximized the button, I briefly saw a window that was titled; "Welcome Humans". When this window was open, the name on the task bar button was; “Gort! Klaatu barada nikto!”
Here is the website that I found when I did a web search for this name. This webpage shows the same window that I saw, titled; “Welcome Humans”
http://mozillalinks.org/2008/12/gort-klaatu-barada-nikto/
I don't know if this specific site has significance, but I wonder if a "Mozilla Links" application may be implicated?
___________________________________________
Then, I noticed a Firefox minimized application button on my task bar called “Download”. However,
- There were no downloads showing on my Firefox Download list.
- Clicking on it did nothing.
- When the button was visible, it was shown in Windows Task Manager – Applications, with the Process path (also) leading to update.exe
- Then, a few mins later, the “about:memory” button/application kept changing to the names of different porn sites (unknown to me), but now Firefox web pages also opened – with a new tab opening each time the tab name/application changed. Two of the websites that opened were “iphone porn and Android porn” and “Hole Movies”.
Avast has made no attempt to block any of these sites, but they are not the animal sex porn sites that Avast had been blocking before.
Could I have opened the door to these connections being able to open Firefox web pages when I maximized the “about:memory” button, or the “Download” button, using the Windows Task Manager?
As I typed this post, I noticed that additional (usually porn) websites were opening with other names. Eventually, Avast gave the same old familiar warning and blocked a connection to an animal sex porn site (as per the usual problem).
Here are a few other things I noticed:
- After I would “End Task” in the applications window of the Windows Task manager (to get rid of the button, and close the website), the first spontaneous re-appearance of the application (with a corresponding opening web page)was usually the about:memory button.
- If the button/application changes and other actual web pages begin to open, it is usually either the Gortu page, or, a porn page that is not animal sex porn (and that Avast does not block), but if I do not “end task” for the application, I presume it may only be a matter of time until the application tries to connect to a malicious animal sex site - which Avast blocks from opening.
- One of the names of the porn sites in the Applications window of Windows Task manager is “Yes Porn - Mozilla Firefox”, even when an Avast pop-up calls the site a different name (such as one of the typical animal sex porn sites).
- Sometimes the task bar button name & web pages change quite quickly. Other times, the about:memory button stays the same for significant periods. Sometimes, a porn site name appears, and then the button name changes back to “about:memory - Mozilla Firefox”, all by itself. I have no idea what dictates the frequency or order of the changes.
- Seemingly related, my entire screen now “blinks” quite periodically. This is also quite new within the last day or two. It was not doing this before, even when I was getting Avast pop-up warnings and site blocks.
I presume these new appearances may have something to do with Essexboy's script – which apparently has acted to make behind the scenes activity more visible, but I am just speculating here.
I am also speculating, that the same connections (as described above) may have been occurring since my problem started – but without the buttons on the task bar, and without the connections actually opening web pages. Thus, the only time I was aware that any such background connections were occurring, was when a connection was attempted to a malicious site - which Avast blocked and notified me of – with a pop-up.
This mechanism could seemingly explain the background connection mechanism to the Internet, but what is directing my computer to make these connections? And how or why are these particular websites (non-malicious, and malicious and blocked by Avast) being selected for connection?
And, what next?
Thank-you again.
- Dave
-
The comobjects folder has been updated so I may need another look in there I feel
I will run two quick fixes first and then see what the folder reveals
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Configuration Wizard.lnk = File not found
:Files
ipconfig /flushdns /c
C:\Program Files\Common Files\ComObjects\js3250.dll
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
THEN
Lets see if there is an update by JP
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
(http://jpshortstuff.247fixes.com/GooredFix.exe)Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).[/list]
FINALLY
Rerun OTL with this custom scan please
C:\Program Files\Common Files\ComObjects\*.* /s
-
Hello again,
Sorry for the delay. I didn't realize you had responded at the top of the 2nd page.
During the first OTL fix, the following message came up in a window:
Update.exe - Unable to Locate Component
This application has failed to start because js3250.dll was not found. Reinstalling the application may fix the problem.
______________________________________
The same message came up after the re-boot, and returned within few seconds every time I closed it (with either "X" or "OK"). I cannot get rid of this message window for more than a few seconds.
Attached is:
1) The OTL report that opened automatically after the reboot (called 12 02 06 Auto after boot).
2) The GooredFix report (called 12 02 06 Gooredfix).
3) The final OTL scan report (called 12 02 06 Last OTL Scan).
I have also cut and pasted the first two (shorter) reports below.
OTL Auto after boot
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 387626 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 59404901 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 593 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66253 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7736 bytes
Total Files Cleaned = 57.00 mb
Restore point Set: OTL Restore Point (0)
OTL by OldTimer - Version 3.2.31.0 log created on 02062012_185805
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_190.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_cec.dat not found!
Registry entries deleted on Reboot...
______________________________________
GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:18 on 06/02/2012 (Administrator)
Firefox version 10.0 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
(none)
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3nomuutp.default\extensions\
firefox@ghostery.com [15:37 24/01/2012]
superstart@enjoyfreeware.org [20:47 22/01/2012]
{7E7165E2-0767-448c-852F-5FA8714F2C37} [02:55 02/02/2012]
{ada4b710-8346-4b82-8199-5de2b400a6ae} [15:59 28/01/2012]
{EDA7B1D7-F793-4e03-B074-E6F303317FB0} [02:30 12/03/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:36 04/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:05 01/02/2012]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [03:24 02/02/2012]
-=E.O.F=-
___________________________________________
I composed the last two posts at the end of page 1 of this thread. I hope that you saw both of them, as the second especially seemed to have pertinent information.
In an earlier post, Donavon had spoke of suspicious js3260.dll file. However, my update.exe file now seems to want to open, but cannot due to a missing js3250.dll file. I don't know if the closeness of these two files has any significance, but mentioned it just in case.
Thx again.
- Dave
-
Only one attachment got through on my last post. This is my attempt to send the other two.
-
From the other thread with this self same problem it appears to track down to one js file
I will quarantine that now - could you let me know the results
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2012/01/04 07:12:24 | 000,188,916 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\data.js
:Commands
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Essexboy,
The OTL scan that you requested is attached.
When I reboot, I now get the following message on my screen:
Windows Script Host
Can not find the file "C:\Program Files\Common Files\ComObjects\data.js"
____________________________________________
Does the above message indicate an ongoing problem, that needs to be addressed?
If not, can the message be prevented from opening every time the computer is booted?
____________________________________________
Also, one of the scans or repair programs used here (or perhaps on bleepingcomputers.com) has seemed to add a spit second view of a page with white text on a black background when the computer first boots up (just before the Window's logo page). This is not a major problem, but can it be removed?
____________________________________________
General Questions
Is the original problem presumed solved now? (Note: I have had no further Avast website block/pop-ups over the last day).
Was the source of the problem ever identified (such as where the bad file file came from?, and/or, what vulnerability permitted it to infect the system)?
Are there any further scans, programs or monitoring that you would suggest that I conduct?
Is there any problem with my turning my Firefox add-ons back on now?
Is there something I can do to protect from re-infection?, or, something I should do if I am re-infected (that would be less than the two weeks of time and hassle that it took to get rid of this infection)?
A gracious thank-you for all of your time, considerations and help.
Regards,
Dave W
-
I would like to see where the start point is for the js data
Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
- Save it to the desktop.
- Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
Do you want to skip supplementary searches?
click NO[/list]
- If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
[/list]
-
Hello Essexboy,
I tried running the program you suggested - following your directions, but it did not seem to act as you anticipated - so I don't think that I have made it run at all.
First off - I did not receive a prompt: Do you want to skip supplementary searches? So, I could not click "no".
Secondly, when I double clicked on the file to open it - it opened in Notepad with a LOT of information to start with - but even leaving it for 30 mins - there was no evidence that anything further was happening.
The last thing in the file was: '** Update Revision Number on line #15 **
No matter how long I left it, it never said; All Done (as you said it would).
This makes me doubt that the program has run, or run properly, but I don't know what to do to make it run. I tried re-running it several times, and even re-downloaded it again, and then tried running it several more times. The outcome was always the same.
I tried to copy and paste the text from Notepad into this post (for your consideration), but a preview said that it exceeded the maximum allowed length. Next, I tried sending it as an attachment, but the post was again denied - saying that it exceeded the maximum allowed length - so I could not show you what was in the Notepad file that opened when I double clicked on the file.
Can you please give further instructions on how I might make this program run properly?
With Thanks,
- Dave
-
Hi Dave,
The file is a Visual Basic Scripting file, or .VBS file.
Open the file in notepad > save as > all files > Silent Runners.vbs
Then, please re-run the newly saved file. A prompt should appear. Choose "No" as essexboy says, and the program will start searching for startup entries.
~Donovansrb10
-
Thank-you Donavon,
I think it ran correctly this time. However, the report was still too large to post as Essexboy had requested. Thus, I have sent the report as an attachment.
I await interpretation and further instructions.
Dave W
-
You probably did not use the right click save as - if not then it will save as a txt file
I was hoping that a comparison of the two silent runners files might throw some light on the subject but alas no
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2010/03/31 00:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Common Files\ComObjects\update.exe
[2012/01/26 09:07:26 | 000,189,107 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\data.js
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Essexboy,
Again, after running the customized script in OTL as instructed, and rebooting, OTL opened automatically - prompting me to push "Run". When I did it produced a small report that I have attached (called 12 02 09 Auto run on boot).
I then re-opened OTL and performed another quick scan - as instructed. This scan is also attached (called 12 02 09 After boot scan OTL).
Hope this helps.
TY again for your considerations.
- Dave
-
Are you still getting the problem ?
I have a trace on it now and I am asking Machinshin for a registry export, to determine the reason why I cannot see it (yet)
So bear with me please - his solution should be yours
-
OK lets see if you have the same blighter
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:regfind
data.js- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Scan report, as requested;
SystemLook 30.07.11 by jpshortstuff
Log created at 15:05 on 10/02/2012 by Administrator
Administrator - Elevation successful
========== regfind ==========
Searching for "data.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"="wscript.exe "C:\Program Files\Common Files\ComObjects\data.js""
-= EOF =-
________________________________________
I have not had any Avast pop-ups/malicious website blocks since (approx) Feb 6th (4 days).
However, I would like to reiterate the questions that I originally posed on Feb 7th:
I still get a message after each boot from the Windows Script Host; Can not find the file "C:\Program Files\Common Files\ComObjects\data.js"
Ques 1) Does the above message indicate an ongoing problem, that needs to be addressed?
Ques 2) If not, can this message be prevented from opening every time the computer is booted?
____________________________________________
Ques 3) Also, one of the scans or repair programs used here (or perhaps on bleepingcomputers.com) has seemed to add a spit second view of a page with white text on a black background when the computer first boots up (just before the Window's logo page). It is on too briefly to be able to read. This is not a major problem, but can it be removed from the boot-up process?
____________________________________________
General Questions
Ques 4) Is the original problem presumed solved now? (Note: I have had no further Avast website block/pop-ups since approx Feb 6th).
Ques 5) Was the source of the problem ever identified (such as where the bad file file came from?, and/or, what vulnerability permitted it to infect my system)?
Ques 6) Are there any further scans, programs or monitoring that you would suggest that I conduct?
Ques 7) Is there any problem with my turning my Firefox add-ons back on now?
Ques 8) Is there something I can do to protect from re-infection?,
Ques 9) Is there something that I should do if the problem re-occurs (that would be less than the 2+ weeks of time and hassle that it took to get rid of this infection)?
A very appreciative thank-you for your response, as well as all of your gracious time, patience, considerations and help.
Regards,
Dave W
-
OK first we will stop the popup about data.js Q1 and 2 answered ;D
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"=-
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
3. The boot start may be the recovery console installed by combofix.. We can remove that for you
4. Once this fix has run then yes
5. No it may well have been an update that you were tricked into installing
6. Probably not
7. Nope put 'em all back
8. Be suspicious of all updates that are not from programmers site
9. This was new.... But not now as we have traced the elements that need removal
-
Thank-you for answering my questions.
The requested scan is attached, along with the fix report that OTL generated before I rebooted and ran the quick scan.
If this all checks out, it seems that the only thing left may be removing the (Combofix?) boot screen (if it was not already removed with the last fix).
After running a lot of scans and attempted fixes with Gringo from bleepingcomputer.com (just before I came to this forum), my computer was slow, unresponsive and the mouse action was not smooth. Even sound was garbled for the first second or so, whenever any sound was played. In short, the computer was running terrible. He had me run a program called "resetdma" - which seemed to clean up all the problems and make everything run smooth and fast again. Do you have any problems with my running that program again now (to "clean up" - so to speak)?
I await any further instructions, explanations or suggestions you'd like to share.
- Dave
-
OK all we need to do is reset the boot logon screeen
Right click My Computer (either desktop icon or on the start menu)
Select Properties
Select the advanced tab
Select start up settings
Remove the tick from the time to display boot options (see screenshot)
Fixed
Could you now go to the following folder and locate then zip the following files
C:\_OTL\moved files (HHDDMM)\C:\Program Files (x86)\Common Files\ComObjects
And zip the following
data.js
update.exe
js3250.dll
Once zipped could you upload them to mediafire for me and post the sharing link, I will then forward to Avast for analysis
When you are happy let me know and I will remove my tools
Also could you let Gringo know that it is fixed please and post him the link to here
-
I think I need some additional instructions. I am running XP Pro. When I tried to follow your instructions to reset the boot logon screen, all of the instructions made sense (and worked), until I got to your instruction that said;
"Remove the tick from the time to display boot options (see screenshot)" .
I did not know where the screenshot was that you referred to, but I doubt that a screenshot would help, as my options are not the same as you stated.
I do not get a "Time to display boot options" check-box. I do get a "Time to display list of operating systems" checkbox, and a "Time to display recovery options when needed" checkbox. It seems the former may be the closer equivalent. It currently has a checkmark and is set to 2 seconds.
Ques 1) Is this the box that I should uncheck? If not, please give further instructions on how I should proceed.
Ques 2) And may I ask, will the above change remove the Combo-fix screen (or whatever else has been added to my boot-up) from my boot-up process, or will it just stop it from showing?
__________________________________________
With regards to the folder in "C:\_OTL\moved files (HHDDMM)\C:\Program Files (x86)\Common Files\ComObjects", I don't have one folder, I have six, but only three have the pathways that you described, with a file (of any name) in "ComObjects".
In one of these folders is a file called; "js3260.dll". This is not one of the files that you requested. Ques 3) Do you want it zipped and sent anyway?
In another folder is the file called; "js3250.dll". This is one of the files that you requested. NP here.
In a third folder, is a file that is just called; "data" (with a logo beside it). Under "properties", this file is described as a JScript Script File. Ques 4) May I assume that this is the js.data file that you requested? (and thus, I should zip and send it)?
I can find no folder here, with the update.exe file in it (that you requested). However, the original "update" file still appears at the end of the path: C: Program Files\Common Files\ComObjects\update (with a Firefox logo beside the "update" file).
Ques 5) Do you want me to copy, zip and send this file? If no, please give alternative instructions on how I can fulfill your request for the update.exe file.
_________________________________________
Once it is clear to me exactly which files that you want sent, I will gladly zip and send them to you through the Mediafire uploader website, but I have never used this service before.
Ques 6) How do I send files specifically to you, through Mediafire?
_________________________________________
An unrelated question: Ques 7) Will all of my automatic updates (for various programs) still function properly and normally now?
TY for your response and further instructions.
-
Yes that is the box to untick, that will stop the recovery console from showing, but it will still be available for use if required
Yes zip all those files including the data and the update
when you get to mediafire it is fairly straightforward to upload. Once it has completed it will give you a sharing link. Just copy/paste that into the next reply
All update programmes should function correctly
-
Thank-you for the clarification.
The four zipped files that I uploaded to MediaFire should now be accessible with the following link:
http://www.mediafire.com/?216478hjusfbt72,9i5jjs246todzzt,zzwxossf5snn8cu,z2ags5pgtfg6gi2
__________________________________
I copied the four files from their respective locations to my desktop, and then zipped them, and then uploaded them to MediaFire.
Thus, the C:\_OTL\moved files ... all still exist. Ques 1) Should I just leave them, or should I delete the _OTL folder?
In addition, the update file that I copied and zipped from C: Program Files\Common Files\ComObjects\update (with a Firefox logo beside the "update" file) - still exists. Ques 2) Should this file be left alone as it is needed for some essential or desired functions? .
Ques 3) Previously, I had asked for your thoughts on my again running the resetdma program, that I ran before (as directed by Gringo) - to iron out the wrinkles from my system so it ran faster and smoother. Do you have any problem with my running that program again now?, and, whenever my system seems slow or choppy? If you are familiar with it, may I ask - Does it have a downside or significant risk involved with its use?
Is there anything else that I should do, or be made aware of?
-
Delete the update from the comobject folder (although this one looks legit)
As soon as you are happy I will remove all my tools cleanly so just let me know
resetdma should not need to be run again as it changed the way your hard drive was read, and it should not have reverted
-
Thank you - Uploaded to Avast
-
I deleted the "update" file from C: Program Files\Common Files\ComObjects\update (that had a Firefox logo beside it).
When I rebooted the computer afterwards, no message came up to say that the file was missing. I checked and the file had not been re-installed automatically with the reboot. I then opened Firefox, with no apparent problems, and then checked again, and the "update" file that I deleted had still not been re-installed.
Out of curiosity and a desire to understand, my questions are;
1a) If this file was not an essential, necessary or beneficial part of Firefox, or a legitimate update process for the Firefox program or its add-ons, or for any other updates (which would be functions that I would presumably want to retain) - Then, why was the file there in the first place?
and 1b) Why didn't we just delete it?
2a) Should I expect it to ever return? and 2b) If it does return, should I be concerned? and would that indicate re-infection?
___________________________________________
My computer seems to be working fine again - except that it will not be back to normal until after I re-enable my add-ons.
Unless you have further concerns, I think that we could proceed with uninstalling your tools now - although, I'm not sure what that means.
Is there a way that I can contact you directly, if I have further problems that involve this bug?
-
I have sent the files to Avast for analysis and maybe my thoughts that the update was just an innocent bystander was wrong... But I will wait to see what Avast says. Although no regeneration would indicate it was a culprit
It should not return now, this is a new type of infection so the initial analysis/removal was mainly by gut instinct and following the breadcrumb trail
When you re-enable the addons do them one at a time and check that all is OK before you restart the next. This way if one is the culprit we can add that to the removal list
If any further problems then either PM me or post back in this thread as it will be a few months before I cease monitoring it
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)Keep safe :wave:
-
My computer seems to be working very well again. <big smile>
A gracious thank-you to all who participated in identifying the source file and fix for this very stealthy new infection.
Special thanks to Essexboy. Your persistence, patience and skill stands out - even amongst the Virus Pros.
I have followed all of the instructions in your last post, and now have most of my add-ons re-enabled, with no problems so far.
I have also posted this thread on my recent thread on bleepingcomputer.com (where I first sought help), so both their Techs and other people with the same problem who may seek help there, might be helped in finding the source file and fix (which is now known here).
With regards and appreciation,
- Dave W
-
Glad all is well ;D