Another..."Threat has been detected" message in every google search

Hi Guys,

Just like gdavid1055, I am having the exact same issue, with a threat being detected every time I use Google in Firefox or Chrome (it is not affecting IE).

Example URL that flags up…

URL: hxxp://88.208.7.204/slog/index2.php?v3&sys=google&key=bob&restype=0&resitems=0

Infection: URL:Mal

Attached are the logs required, so hopefully someone can assist.

Thanks in advance for your help :slight_smile:

Robbo

I’m experiencing this as well with every google search. The URI pattern is identical to what you are seeing.

I’ve been poking around my FW logs and I have yet to find a successful connection out to that host. In fact I have no requests going out to that netblock before yesterday afternoon…but in the past 18 hours I have seen a request to this one host for every google search I have made.

I haven’t made any changes to my system…that’s not to say I didn’t catch a drive-by somewhere.
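A way to do the firewall/proxy log check described above, as an added example that is not part of this thread: it flags requests to the host from the original post and, more generally, any request with the same /slog/index2.php?sys=google beacon signature behind a different host. The log format and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicator from the thread: the URL Avast flagged on every Google search.
# Host and path are from the original post; key/restype values vary per user.
IOC_HOST = "88.208.7.204"
IOC_PATH = "/slog/index2.php"

# Constructed sample proxy log (not real data): "timestamp client method url status"
SAMPLE_LOG = """\
2014-09-14T09:12:01 10.0.0.5 GET https://www.google.co.uk/search?q=avast+forum 200
2014-09-14T09:12:02 10.0.0.5 GET http://88.208.7.204/slog/index2.php?v3&sys=google&key=bob&restype=0&resitems=0 200
2014-09-14T09:15:40 10.0.0.5 GET http://example.org/index2.php?sys=google 200
2014-09-14T09:16:03 10.0.0.7 GET http://88.208.7.204/slog/index2.php?v3&sys=google&key=alice&restype=0&resitems=0 000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def classify_url(url):
    """Return the reasons a URL matches the indicator, or [] if it is clean."""
    parts = urlparse(url)
    reasons = []
    if parts.hostname == IOC_HOST:
        reasons.append("known host")
    # Path plus 'sys=google' catches the same beacon if it moves to another host;
    # requiring the full path avoids flagging unrelated index2.php pages.
    if parts.path == IOC_PATH and "google" in parse_qs(parts.query).get("sys", []):
        reasons.append("beacon path+query")
    return reasons

def scan_log(text):
    """Return (client, url, status, reasons) for each log line that matches."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, status = m.groups()
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, status, reasons))
    return hits

def affected_clients(text):
    """Distinct client IPs that issued a matching request (for triage)."""
    return sorted({hit[0] for hit in scan_log(text)})

if __name__ == "__main__":
    for client, url, status, reasons in scan_log(SAMPLE_LOG):
        print(client, status, ", ".join(reasons), url)
```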

Hi,

An update, of sorts.

So this morning, when searching in Google, I have not had any of the previous notifications from Avast. So I re-ran Avast to see if it had cleared, but now I'm getting the following threat:

html:fblistener-a

Removed, rebooted, and rescanned, and it is still present on my system.

Any help would be gratefully received,

Thanks!

Hi guys,

Started seeing the same thing a few days ago and it’s been bugging me. After digging around it seems to be related (at least in my case) to the AS Magic Player browser extension, which comes with the Ace Stream software. I’ve had to delete the Chrome extension altogether for the alerts to stop.

Check your browser for this extension and let me know how you get on.

@paul.robson80 Hi,

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


HKU\S-1-5-21-3729994215-325241207-151601611-1001\...\Run: [AceStream] => C:\Users\Paul Robson\AppData\Roaming\ACEStream\engine\ace_engine.exe [27904 2014-09-13] ()
C:\Users\Paul Robson\AppData\Roaming\ACEStream\engine\ace_engine.exe
FF Plugin HKCU: @acestream.net/acestreamplugin,version=2.3.0-next -> C:\Users\Paul Robson\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)
C:\Users\Paul Robson\AppData\Roaming\ACEStream\player\npace_plugin.dll
FF Extension: AS Magic Player - C:\Users\Paul Robson\AppData\Roaming\Mozilla\Firefox\Profiles\4orzrcsw.default\Extensions\magicplayer@acestream.org 
C:\Users\Paul Robson\AppData\Roaming\Mozilla\Firefox\Profiles\4orzrcsw.default\Extensions\magicplayer@acestream.org 
C:\Users\Paul Robson\AppData\Roaming\.ACEStream
C:\Users\Paul Robson\AppData\Roaming\ACEStream
C:\_acestream_cache_
C:\Users\Paul Robson\AppData\Roaming\ACEStream\updater\ace_update.exe
HKU\S-1-5-21-3729994215-325241207-151601611-1001\...\MountPoints2: D - D:\setup.exe
HKU\S-1-5-21-3729994215-325241207-151601611-1001\...\MountPoints2: {4e381f7d-2b38-11e2-b5a4-0090f5d00348} - G:\MotorolaDeviceManagerSetup.exe -a
EmptyTemp:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.

Hi,

Thanks for the response Argus, please find attached log as requested.

I await further instructions.

Robbo

How is the situation now?

Hi,

No warnings whilst browsing websites, however Avast is still picking up a threat located here:

C:\Users\Paul Robson\AppData\Local\Mozilla\Firefox\Profiles\4orzrcsw.default\cache2\entries\0C4ABCA568BD37E3049F0AC3B072CD7941CFD69F

Threat: HTML:FBListener-A [Trj]

Avast moves to chest, but as soon as I reboot then use firefox again, it reappears.

Any thoughts?

Thank you

Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive.

1. Close any open browsers and temporarily disable your antivirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

2. Double click on zoek.exe to run the tool. Please wait until the tool starts.

3. Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

4. Click on the Run Script button.
Please wait until a log report opens (this may be after a reboot).

5. Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log".

Hi,

See attached log as requested. No reboot was required.

Thanks

Re-run zoek and run this script:

emptyalltemp;
autoclean;
emptyclsid;
emptyfolderscheck;delete

Do you have Comodo firewall?

Hi,

Sorry for the delay, took a little while to run.

See attached log, and yes I use Comodo firewall.

I await your next instruction

Cheers

Robbo

Do you still have the detection?

Hi,

Rescanned using Avast, no threats found. So it looks ok… however, the same folder location where the threat was located is still in existence:

C:\Users\Paul Robson\AppData\Local\Mozilla\Firefox\Profiles\4orzrcsw.default\cache2\entries

Unsure if that still means there is an issue?

No other signs (warning from Avast) suggesting I am infected.

Thanks again for your assistance.

This worked for me - thanks

There is no threat. This folder must exist, but the malware has been deleted:

C:\Users\Paul Robson\AppData\Local\Mozilla\Firefox\Profiles\4orzrcsw.default\cache2\entries\0C4ABCA568BD37E3049F0AC3B072CD7941CFD69F

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

You’re my hero! Finally got rid of it now. :slight_smile:

Hi,

Run the tool as requested.

I’m still a little concerned with the following file directory,

C:\Users\Paul Robson\AppData\Local\Mozilla\Firefox\Profiles\4orzrcsw.default\thumbnails

As it seems to be taking screenshots of the webpages I am browsing, and recording them as .png files. Unsure if this is a usual feature of firefox, as I have never checked that location before?

Everything else seems to be running fine, running MBAM and Avast is showing I am clean.

Any further thoughts?

Otherwise thanks again for your help.

Robbo

Haha, you don't have to worry. I have the same folder on my own machine:

C:\Users\argus\AppData\Local\Mozilla\Firefox\Profiles\8ezb4b98.default\thumbnails