Topic: Google search virus?

George Romero

  • Guest
Google search virus?
« on: April 10, 2009, 01:18:20 PM »
Hi everyone.

Today, something really weird happened. I made a search on Google and Avast warned me that a trojan JS:ScriptSH-inf [trj] is going to infect my PC. So, I aborted the connection and the problem persists every time I do a search on Google.
At first, I thought it was a Firefox addon bug and then I tried with IE and it's the same thing but worse because it crashes IE.

I scanned with hjt and here are the results (I didn't find anything wrong, I guess)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:46, on 10/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Archivos de programa\Orbitdownloader\orbitcth.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Archivos de programa\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220679334921
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDA149E2-FF96-45F4-AA8F-F6B066489D65}: NameServer = xxx.xxx.xxx.xxx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\AAWService.exe

I'd really appreciate your help because I'm going nuts with this.

Thanks in advance.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: Google search virus?
« Reply #1 on: April 10, 2009, 02:01:09 PM »
Hi

Besides that you apparently have no active software firewall running there, I cannot see anything obviously wrong inside your hjt logfile txt.
Survey of active tasks running

Process          Type                        Description
smss.exe         System task                 Session Manager Subsystem
winlogon.exe     System task                 Microsoft Windows Logon Process
services.exe     System task                 Windows Service Controller
lsass.exe        System task                 Local Security Authority Service
svchost.exe      System task                 Microsoft Service Host Process
svchost.exe      System task                 Microsoft Service Host Process
aswUpdSv.exe     Virusscan                   Avast Anti-Virus Component
ashServ.exe      Virusscan                   Avast
spoolsv.exe      System task                 Microsoft Printer Spooler Service
ashDisp.exe      Virusscan                   Avast AntiVirus
ctfmon.exe       System task                 Alternative User Input Services
RTHDCPL.EXE      Driver                      Realtek HD Audio Sound Effect Manager
AAWService.exe   Anti Add/Spyware software   Ad-Aware 2007 Service
AAWTray.exe      Backgroundtask              AAWTray Application
explorer.exe     System task                 Microsoft Windows Explorer
ashWebSv.exe     Virusscan                   avast! Web Scanner
firefox.exe      Application                 Mozilla Firefox
NOTEPAD.EXE      Application                 Windows Notepad
svchost.exe      System task                 Microsoft Service Host Process
NOTEPAD.EXE      Application                 Windows Notepad
HijackThis.exe   Application                 Hijackthis 2.02

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #2 on: April 10, 2009, 03:43:28 PM »
First, what is the full text of the avast alert, e.g. the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

Do you have an active link scanner that would pre-scan the links returned in a Google search, as the act of checking out the site link could trigger an avast alert if there is malware at the site?

It is possible that your searches are also being hijacked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: Google search virus?
« Reply #3 on: April 10, 2009, 09:33:45 PM »
***

Welcome to the forums, George.   :)

This entry is a little unusual and could be a sign of infection.

O17 - HKLM\System\CCS\Services\Tcpip\..\{DDA149E2-FF96-45F4-AA8F-F6B066489D65}: NameServer = xxx.xxx.xxx.xxx

Usually, there are numbers where the x's are now. Did you change the numbers to x's while posting?
If you made the change, then it is OK. If you did not make the change, then I need to research to see if this is a sign of an infection.


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #4 on: April 10, 2009, 11:11:39 PM »
Unless of course if the OP changed the IP ???

George Romero

  • Guest
Re: Google search virus?
« Reply #5 on: April 10, 2009, 11:22:06 PM »
Hey, thanks for your replies, guys.  :)

Today, the problem disappeared. I just restarted my PC and it's gone but I'm still wondering what was the reason of avast detecting a virus on Google search.
BTW, I'm using Windows firewall and as polonus suggested me I should have in mind another option. Would you recommend me a reliable and light firewall program?

Thanks again


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #6 on: April 10, 2009, 11:32:51 PM »
I gave a possible reason, but you didn't answer any of the questions I asked. That helps us to help you.

Light is not what we tend to go with but something which provides adequate protection:
- There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, etc.
- Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
Many forum users are using all of the above:
PC Tools Firewall seems to have the least user headaches as it doesn't seem to be constantly asking the user questions about this and that.
I think you can see by my comments on Zone Alarm free you have to be careful that you are not using the pro trial version.
Online Armor is for the most part fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
Comodo is now a suite and you have to do a custom install so as not to install the antivirus element. Of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not too familiar with firewalls or their systems.

George Romero

  • Guest
Re: Google search virus?
« Reply #7 on: April 11, 2009, 01:55:44 AM »
Sorry, if I didn't answer any of your questions before.

The text of Avast alert is: 10/04/2009   7:47:47   1239360467   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "http://www.google.com.ar/search?hl=es&q=guitar+tabs&btnG=Buscar&meta=\{gzip}" file. 

I don't have an active link scanner but I use the NoScript addon on Firefox.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #8 on: April 11, 2009, 03:37:46 AM »
I tried to check out this google search string twice and no alerts by avast on either attempt.

So I really don't know what might have happened.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Google search virus?
« Reply #9 on: April 12, 2009, 07:19:40 AM »
Found a lot of JavaScript coding on the site like window.google.jsrt_kill=1; but I don't think that's anything virus-type. Maybe it's just trying to load a link that has a hidden script in it? ???
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

knowlengr

  • Guest
Re: Google search virus?
« Reply #10 on: April 19, 2009, 03:20:33 AM »
Not sure how this is related, but it seems to be the same trojan ID.  This is the message I'm seeing:

JS:ScriptSH-inf [trj]

4/18/2009 8:00:09 PM   SYSTEM   1444   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 
4/18/2009 8:02:04 PM   SYSTEM   1444   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 

So far as I am aware, I hadn't intentionally visited ijoomla.com, though I later did in order to learn what file is being detected so that I could analyze this further. 

It could be in the browser cache somewhere, but since it's reporting it via the webshield, I'm assuming AVAST is seeing this at the external site, and offers to abort the transfer.

AVAST does launch two webshield alerts in succession if that helps.  It sometimes complains about the GIF, and sometimes about the ICO file.

In fact, it launched a pair of messages while I was writing this forum post. 

I too have seen this message appear during an ordinary Google search.

You might be able to reproduce it by visiting this site which I found by searching for the trojan name on Google:

httpx://www.frunchymama.com/community/index.php?action=tpmod;sa=shoutbox;shouts=50
« Last Edit: April 19, 2009, 05:08:21 PM by knowlengr »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #11 on: April 19, 2009, 04:13:59 PM »
Please modify your post, change the http in the suspect URLs to hXXp so that they aren't clickable to avoid accidental exposure. Whilst in this case it doesn't appear to be an issue it isn't advisable to have direct links to malware which are active.

The malware name JS:ScriptSH-inf [trj] can be found in many different ways and in this case it would appear the site has been hacked and the overviewfavicon.ico file has been replaced with a malicious file. The Gif files too can be replaced by a malicious one though a proper .gif file can't be exploited in the same way as .jpg files.

However it looks like that file is no longer on the site, so they may have become aware of it and removed it.
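
A small triage helper for the Web Shield log lines quoted in this thread, which also applies the hXXp convention requested above before a URL is shared. This is an added example, not part of any forum post and not avast! code; the sample log lines and the example.com / example.org hosts are constructed, and treating a trailing \{gzip} as a decoder marker rather than part of the URL is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Alert sentence as it appears in the Warning.log excerpts quoted in the thread.
ALERT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<url>[^"]+)" file')
# Trailing marker such as \{gzip}. Assumption: it names the decoder the scanner
# applied to the response and is not part of the requested URL.
UNPACK_RE = re.compile(r'(?:\\\{[^}]*\})+$')
SAFE_SCHEME = {"http": "hXXp", "https": "hXXps"}


def defang(url):
    """Return a non-clickable form: http -> hXXp, dots in the host -> [.]"""
    p = urlsplit(url)
    scheme = SAFE_SCHEME.get(p.scheme, p.scheme)  # already-altered schemes pass through
    rest = p.path
    rest += ("?" + p.query) if p.query else ""
    rest += ("#" + p.fragment) if p.fragment else ""
    return f"{scheme}://{p.netloc.replace('.', '[.]')}{rest}"


def parse_line(line):
    """Parse one Warning.log line; return None for lines that are not detections."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    # Both layouts seen in the thread end the prefix with "<user>   <pid>";
    # the timestamp part differs (with or without an epoch column / AM-PM).
    fields = re.split(r"\s{2,}|\t+", line[:m.start()].strip())
    raw = m.group("url")
    url = UNPACK_RE.sub("", raw)
    return {
        "when": " ".join(fields[:-2]),
        "user": fields[-2] if len(fields) >= 2 else "",
        "pid": fields[-1] if fields else "",
        "signature": m.group("sig"),
        "url": url,
        "unpacker": raw[len(url):],
        "host": urlsplit(url).hostname or "",
        "shareable": defang(url),
    }


def summarize(lines):
    """Count detections per (signature, host) to show where alerts cluster."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[(rec["signature"], rec["host"])] += 1
    return hits


# Constructed sample lines in the two layouts posted in the thread, plus one
# constructed non-detection line. Hosts are reserved example domains.
SAMPLE_LOG = r'''
10/04/2009   7:47:47   1239360467   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "http://search.example.com/search?hl=es&q=guitar+tabs\{gzip}" file.
4/18/2009 8:00:09 PM   SYSTEM   1444   Sign of "JS:ScriptSH-inf [trj]" has been found in "http://www.example.org/magazine/favicon.ico" file.
4/18/2009 8:02:04 PM   SYSTEM   1444   Sign of "JS:ScriptSH-inf [trj]" has been found in "http://www.example.org/magazine/favicon.ico" file.
4/18/2009 8:05:00 PM   SYSTEM   1444   (constructed line that is not a detection)
'''

if __name__ == "__main__":
    for (sig, host), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {sig}  {host.replace('.', '[.]')}")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec:
            print(rec["when"], "pid", rec["pid"], rec["shareable"], rec["unpacker"])
```

Repeated hits on one host point at a single compromised resource, while the same signature spread over unrelated hosts is more consistent with a signature matching content the pages have in common.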

knowlengr

  • Guest
Re: Google search virus?
« Reply #12 on: April 19, 2009, 05:13:23 PM »
Thanks for replying.

Changed the URLs to httpx.

I think the issue is different from how you describe it.  I'm not actually visiting the site ijoomla.com, yet I am still getting this error today.

FYI - There is at least one other report of this problem with Avast on Yahoo Answers where the error is seemingly triggered from a Google search results page.

Perhaps the signature resembles some other JS that I use regularly, e.g., Yahoo email.  It's becoming a nuisance.

I have tried switching browsers and that doesn't seem to matter; it's something in the webshield script.

Mark

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Google search virus?
« Reply #13 on: April 19, 2009, 05:22:52 PM »
It depends on your browser (not mentioned) and if you have any pre-scanning or pre-loading software/add-ons, etc. which could be loading stuff in the background whilst you browse an existing page. Just too many permutations.

If there was malware on your system trying to access this site using http on port 80 then the web shield would still detect that as it would be coming through your browser.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

-- GOOGLE.GOORED - Firefox popping up ads and or google search redirects.
Please download GooredFix and save it to your Desktop. - Double-click Goored.exe to run it. - Select 1. Find Goored (no fix) by typing 1 and pressing Enter. - A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). - Note: Do not run Option #2 yet.

knowlengr

  • Guest
Re: Google search virus?
« Reply #14 on: April 21, 2009, 01:59:45 AM »
As requested.  Nothing jumps out at me here. 
Browser is IE8 8.0.001.18762 Vista Ultimate x64

-Mark
________________________________________________________
Malwarebytes' Anti-Malware 1.36
Database version: 2013
Windows 6.0.6001 Service Pack 1

4/20/2009 7:50:12 PM
mbam-log-2009-04-20 (19-50-12).txt

Scan type: Quick Scan
Objects scanned: 108879
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/19/2009 at 10:44 PM

Application Version : 4.26.1000

Core Rules Database Version : 3852
Trace Rules Database Version: 1805

Scan type       : Complete Scan
Total Scan Time : 01:31:30

Memory items scanned      : 346
Memory threats detected   : 0
Registry items scanned    : 7939
Registry threats detected : 0
File items scanned        : 96206
File threats detected     : 26

Adware.Tracking Cookie
______________________
GooredFix v1.92 by jpshortstuff
Log created at 11:33 on 19/04/2009 running Option #1 (Mark Underwood)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files (x86)\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files (x86)\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
