I started having a problem today, similar to some other posts I’ve seen here and on other sites.
Symptom 1:
Every few minutes I get a Network Shield warning that it blocked access to malicious site 78.110.175.21…
(only while firefox is running)
Symptom 2:
Searching for anything with google (via firefox) shows the usual titles and text for the search results but the links are to completely unrelated sites.
E.g. searching for “oblivion” in firefox / google gives a result:
The Elder Scrolls IV: Oblivion - Wikipedia, the free encyclopedia
The Elder Scrolls IV: Oblivion is a single-player role-playing video game developed by Bethesda Game Studios and published by Bethesda Softworks and the …
www. antivirus 2009-freescan .com - 268k - Cached - Similar pages
(^^^NOTE THE URL, edit now space-ified for safety)
This problem in firefox happens with all of these 3 methods:
Symptom 3:
I see a "Waiting for 7.7.7.0" in the status bar of firefox (bottom left) when I start the search, before it starts displaying the results page.
I updated my avast virus defs today and did a full scan but nothing found.
Can anyone advise how I can find and fix this?
Thanks,
Wally
Firefox 3.0.5
(with Googlebar Lite 4.6.8)
Avast home 4.8 (virus defs version 081231-1)
Win XP Pro SP3
Exactly the same problem. I am infected by something and I cannot find it. I have used the usual suspects, HJT and SuperAntiSpyware but Avast is still warning me that it is blocking an attempted connection to 78.110.175.21, a known infected site. Any help would be appreciated to get rid of this, currently, annoying pop up.
I'm also experiencing this issue, and in 15 years of IT and networking I have never been so hard pushed to try and clean something out.
HJT logs are clear, ran half a dozen other recommended proggies to kill this and still it keeps coming back.
Process Explorer does not show a rogue process opening with Firefox or IE.
3 rootkit detectors and still nothing.
Multiple packet captures did not help diagnose what is going on.
Reset the whole TCP/IP stack, and now, over 15 hours later, I am at the point where I am considering reinstalling Windows.
I have to consider that this machine is compromised.
I removed the google search from firefox and things settled down for a few hours but as soon as I yahooed then I got whacked again.
I have blocked all iframes and JavaScript, removed Java, and still this thing is there.
I am brain dead on this one after the hours of scanning and registry scouring.
The time put into this would have been better spent reinstalling.
Avast has disappointed me with this one: the log files are not even loading in the log viewer, and Avast does not write the events to the Windows event log.
I have to manually dig into the Avast home folder to read the logs.
I just don't know which way to go, but whatever this bug is, it is dug in like a tick.
I do not believe this is the Zlob trojan; the symptoms are not quite the same, and the registry values that Zlob changes are not present.
In fact my run once and run values are clean as a whistle and only contain legit values.
Unless there is a new variant and it is still in the wild.
Mind you, Avast should have picked it up; I have scanning cranked to maximum on all levels.
Cheers
I read somewhere (can’t remember where now) that this issue is Javascript related.
So I turned off Javascript in firefox, and now my searches generally look correct.
E.g. The oblivion search now gives the correct URL, and it goes back to the bad one if I turn javascript back on before searching.
(Symptom 2)
With Javascript off, I also don’t see the “Waiting for 7.7.7.0” (Symptom 3)
But I still see avast’s alert “blocked access to malicious site 78.110.175.21”, when firefox starts and periodically after that.
(Homepage http://www. google .com/ig?hl=en)
Maybe there’s multiple problems here.
I also ran malwarebytes AM (quick scan only so far) and this found and removed a bunch of “Trojan.DNSChanger” infected files and registry keys.
(But afterwards, turning Javascript back on in firefox brings back the bogus google search links)
This is interesting; however, I have a script-blocker add-on in Firefox as well, so I can allow and deny sites based on my risk assessment. If this is a Java vulnerability then it is a major problem for all concerned.
The IP in question is owned by the Russian Business Network and they are not a very nice bunch, spammers and what not.
I have just marked Google as untrusted with NoScript and that cleaned up the search links nicely.
I am going to update my Java installation with the latest version and see if that has any impact, but I am not going to hold my breath.
I still expect to see the block showing up.
Cheers
Check to see if your java is up to date. Use javaRa (Download Windows Binary .zip file) to both delete the old versions and then search for the newest update.
Unfortunately updating the java runtimes does not resolve this issue.
I was skeptical that this would be the end of it anyway; this issue runs a lot deeper than just Java. This malicious little bugger is going to get worse before it gets better for a lot of people, I think.
I suspect that there are a lot of infected machines out there, but they just don't know it yet.
Fortunately Avast's network scanner picks it up, but after that the ball is dropped, as Avast only identifies the browser exe files as the culprits trying to make the connection and does nothing more.
I am devoting one more hour of research to this, then it is back up and reformat; I am not inclined to sit here working on a compromised machine.
I usually would go down that path straight away but decided to see if these new programs could do what they claimed. At the end of the day, seven programs and many hours of scanning from safe mode and registry editing have to this point been disappointing; good learning exercise though.
Of course the cold war is over and the russians are our friends now BWAHAHAHAHAHA!
Now to determine which authority is the best to pass this info onto.
I suspect that the server that firefox and IE are trying to contact is some sort of command and control server and once that contact has been made then further malware and bots would be sent back to the host for nefarious purposes.
I think Auscert might be a good place to start.
Dude!!! You're a legend, at this point hahahahaha!
I just renamed that file and then moved it to a quarantine folder.
Rebooted and have not had one attempted connection to the russian mafia homepage.
Google is behaving as well.
If I don't get any more errors in the next 24 hours, if I ever meet you I will buy you a beverage.
The file in question, according to MS, is meant to be 80 KB and lives in the drivers folder under system32; the one I found was 23 KB. I ran a scan against it and found nothing.
I am about to dissect that little bugger and have a good look at it in a DLL editor and see if there is anything interesting inside.
Will post what I find if anything, I just hope it has no brothers and sisters floating around waiting for some event to trigger.
We shall see.
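The two findings above that actually moved the thread forward, an undersized wdmaud.sys in system32\drivers and Malwarebytes' Trojan.DNSChanger hits, are both things you can check offline from artifacts copied off the suspect machine rather than by running yet another scanner on it. The script below is an added example written for this page, not code from the thread, from Avast or from Microsoft. It assumes the poster's 80 KB figure for a legitimate XP wdmaud.sys (treat it as an assumption and replace it with a SHA-256 from a known-clean SP3 install), the XP-era text layout of `ipconfig /all` and `netstat -ano`, a private-range LAN where only 192.168.x/10.x DNS servers are expected, and constructed sample inputs in which 203.0.113.x (a TEST-NET documentation range) stands in for a rogue DNS server.

```python
"""Offline triage of artifacts copied off a suspect Windows XP machine.

Added example; not code from the thread. Inputs are files/text an analyst
copies from the box: the wdmaud.sys driver, `ipconfig /all` output,
`netstat -ano` output and the hosts file. Nothing here touches the network.
"""
import hashlib
import re
import tempfile
from pathlib import Path

FLAGGED_IPS = {"78.110.175.21", "7.7.7.0"}   # addresses named in the thread
EXPECTED_WDMAUD_SIZE = 80 * 1024             # assumption: poster's 80 KB claim
TRUSTED_DNS_PREFIXES = ("192.168.", "10.")   # assumption: this LAN's resolvers


def check_wdmaud(path, expected_size=EXPECTED_WDMAUD_SIZE,
                 known_good_sha256=None, tolerance=0.10):
    """Findings for the driver at `path`; an empty list means it looks fine."""
    p = Path(path)
    if not p.is_file():
        return ["wdmaud.sys missing"]
    findings = []
    size = p.stat().st_size
    if abs(size - expected_size) > expected_size * tolerance:
        findings.append(f"size {size} bytes, expected about {expected_size}")
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    if known_good_sha256 and digest != known_good_sha256:
        findings.append(f"sha256 {digest} differs from known-good copy")
    return findings


_DNS_LABEL = re.compile(r"DNS Servers[ .]*:\s*([\d.]+)")
_DNS_CONT = re.compile(r"^\s+([\d.]+)\s*$")   # unlabelled continuation rows


def parse_dns_servers(ipconfig_text):
    """DNS servers from XP-style `ipconfig /all` output, in listed order."""
    servers, lines = [], ipconfig_text.splitlines()
    for i, line in enumerate(lines):
        m = _DNS_LABEL.search(line)
        if not m:
            continue
        servers.append(m.group(1))
        for nxt in lines[i + 1:]:            # extra servers follow, indented
            c = _DNS_CONT.match(nxt)
            if not c:
                break
            servers.append(c.group(1))
    return servers


def rogue_dns(servers, trusted_prefixes=TRUSTED_DNS_PREFIXES):
    """Resolvers outside the trusted ranges: the DNSChanger tell-tale."""
    return [s for s in servers if not s.startswith(trusted_prefixes)]


def hosts_overrides(hosts_text):
    """Non-loopback hosts entries; a stock XP hosts file has only localhost."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) >= 2 and fields[0] not in ("127.0.0.1", "::1"):
            hits.extend((fields[0], name) for name in fields[1:])
    return hits


_NETSTAT_TCP = re.compile(r"^\s*TCP\s+\S+\s+([\d.]+):\d+\s+(\S+)\s+(\d+)\s*$")


def connections_to_flagged(netstat_text, flagged=FLAGGED_IPS):
    """(pid, remote_ip, state) for `netstat -ano` TCP rows hitting flagged IPs."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_TCP.match(line)
        if m and m.group(1) in flagged:
            hits.append((int(m.group(3)), m.group(1), m.group(2)))
    return hits


def triage(wdmaud_path, ipconfig_text, netstat_text, hosts_text):
    dns = parse_dns_servers(ipconfig_text)
    return {"wdmaud": check_wdmaud(wdmaud_path), "dns_servers": dns,
            "rogue_dns": rogue_dns(dns), "hosts": hosts_overrides(hosts_text),
            "connections": connections_to_flagged(netstat_text)}


# Constructed samples (not captured from any real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.5
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            192.168.1.1
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       78.110.175.21:80       SYN_SENT        1844
  TCP    192.168.1.5:1043       203.0.113.9:443        ESTABLISHED     1844
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
7.7.7.0         www.google.com   # constructed entry for the example
"""


def run_samples():
    """Run the triage on the samples plus a fake 23 KB wdmaud.sys."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "wdmaud.sys"
        fake.write_bytes(b"\0" * (23 * 1024))
        return triage(fake, SAMPLE_IPCONFIG, SAMPLE_NETSTAT, SAMPLE_HOSTS)


if __name__ == "__main__":
    for key, value in run_samples().items():
        print(key, value)
```

On a real case, point `check_wdmaud` at the copied driver and pass a hash from a clean machine; the size check alone is only a coarse tripwire. The netstat parse is the piece Avast's alert lacks: it ties the flagged remote address to a PID, which is what you need before deciding whether the browser itself or something injected into it is making the connection.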
Deleting wdmaud.sys from the drivers folder didn’t fix my problem (exact symptoms as everybody else with 7.7.7.0 and 78.110.175.21) . BTW as soon as I delete the file, another one pops back up in that folder.
Anyone with a copy of this file should submit it to avast.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
This process has been modified in the latest version to make it easier, it doesn’t actually get emailed, but transferred when the next avast auto (or manual) update is done.
Quote from: DavidR
Anyone with a copy of this file should submit it to avast.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there.