Firefox update Malware?

Hello,

I have Avast Free, running XP Pro-32 bit.

I am getting the same kinds of Avast Warning and Blocking messages that NickJHenderson reported in a previous thread on this Forum, on his newer Windows 7 - 64 bit system:

http://forum.avast.com/index.php?topic=92407.0

My last specific Avast pop-up reported the following information:

Infection Details

URL: hxxp://www.zoosexshow.com/?x (My added note: I changed the http to hxxp, for safety)
Process: file://C:\Program Files\Common Files\Com…
Infection: html:Iframe-inf

Note: In other previous pop-up warnings (nearly all of which seem to try to connect to animal sex porn sites), Avast has provided the complete Process pathway, being:

C:\Program Files\Common Files\ComObjects\update.exe

(Note: On my computer, the “update” file in this path has a Firefox logo beside it).


I have been working on this for a week. With an ISP Tech (who could not find or fix the problem), and with a Bleepingcomputer.com Virus/Malware Consultant (who could not find or fix the problem), we tried many approaches that included the following programs, to no avail:

Hijackthis
GMER
Tdsskiller
dds
aswMBR
Combofix
OTL
Kaspersky VTR
Revo Uninstaller
resetDMA

Some of these programs were run more than once in an effort to identify and/or fix the problem.

In addition, my regular scanners (Avast, Malwarebytes, and Spybot) all find no infections or problems.

However, these pop-ups keep occurring (sometimes by the dozen in a few minutes, and other times a day or two apart) - whether or not I have Firefox or any browser open.

The following additional measures did not fix the problem:

  • Disabling all Firefox add-ons
  • Updating older versions of programs (such as Adobe Reader) that had security vulnerabilities.
  • Uninstalling and re-downloading and re-installing Avast.
  • Running Avast, Malwarebytes and Spybot in Safe Mode.

If you would like to see more specifically what has been tried (including many scan results), the following link will take you directly to my ongoing (3 pg) thread at bleepingcomputer.com (On this forum, my username is Daveinsk):

http://www.bleepingcomputer.com/forums/topic440353.html

On that forum, we ran out of things to try, so I am hoping that the Avast Folks may have some experience or familiarity with this problem.

Do you have any knowledge of this infection, or suggestions?

As I typed this post, I rec’d my monthly Avast security report, which reported that 54 web and network objects were infected and blocked, but that 0 files were infected and cleaned by scans.

Note: While I was typing this message, Avast gave warnings and blocked approx 20 more attempts to connect to an array of animal sex porn sites (which I have never visited). Please help if you can.

Thank-you for your considerations, and any responses provided.

Dave W

Read carefully and follow this guide: http://forum.avast.com/index.php?topic=53253.msg451454#msg451454. While the programs may look familiar and lead you to think “here we go again”, they need to be run first to try and diagnose. :wink:

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

This is coming from “C:\Program Files\Common Files\ComObjects\update.exe”?

You can try uploading the suspect file to VirusTotal to have it scanned by 40+ antiviruses to see if any others detect it.

Alternatives to VirusTotal:
Jotti
VirSCAN
Metascan

I use Firefox and don’t have a “ComObjects” folder. ???

Also

The pop-up happened to occur right after I enabled an add-on called QuickJS ( h[b][X][/b]tps://addons.mozilla.org/en-US/firefox/addon/quickjs/?src=search ). Since I had first installed this add-on only a couple of weeks ago (unlike most of my other add-ons - that I have had for months to years), I was very suspicious that it may have been the source of the pop-up problem. So I went into the Firefox add-ons and removed it completely. But the warning pop-up occurred again after it was removed.

Looks like a relatively new add-on. What prompted you to install it? Just out of curiosity? Or was it something in the past that provoked you?

I see Gringo is assisting - he is good

But sometimes a fresh set of eyes helps

Hello, and thank-you for all of the responses.

This is my attempt to fulfill the requests in the first response after my post:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.04.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELL1 [administrator]

2/4/2012 4:26:17 PM
mbam-log-2012-02-04 (16-26-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 165900
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Re OTL Scan

The following OTL scan did not open two different scan results in Notepad as the instructions said that it would, but rather, only one. I ran the program twice in case it was just a glitch, but both times, only one Notepad window opened with one OTL report. That report is attached, as instructed.


Re aswMBR Scan

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-04 17:27:26

17:27:26.578 OS Version: Windows 5.1.2600 Service Pack 3
17:27:26.578 Number of processors: 2 586 0x304
17:27:26.578 ComputerName: DELL1 UserName:
17:27:27.406 Initialize success
17:27:28.203 AVAST engine defs: 12020401
17:27:35.500 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-17
17:27:35.500 Disk 0 Vendor: HDS728040PLA320 PF1OA63A Size: 38146MB BusType: 3
17:27:35.515 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP2T0L0-22
17:27:35.515 Disk 1 Vendor: ST3120026AS 3.18 Size: 114473MB BusType: 3
17:27:35.531 Disk 0 MBR read successfully
17:27:35.531 Disk 0 MBR scan
17:27:35.593 Disk 0 Windows XP default MBR code
17:27:35.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 31580 MB offset 63
17:27:35.609 Disk 0 scanning sectors +64677690
17:27:35.687 Disk 0 scanning C:\WINDOWS\system32\drivers
17:27:48.078 Service scanning
17:27:49.093 Modules scanning
17:28:00.781 Disk 0 trace - called modules:
17:28:00.796 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:28:00.812 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89bb4ab8]
17:28:00.812 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-17[0x89b7cd98]
17:28:01.281 AVAST engine scan C:\WINDOWS
17:28:06.484 AVAST engine scan C:\WINDOWS\system32
17:30:08.484 AVAST engine scan C:\WINDOWS\system32\drivers
17:30:22.875 AVAST engine scan C:\Documents and Settings\Administrator
17:33:10.703 AVAST engine scan C:\Documents and Settings\All Users
17:33:44.203 Scan finished successfully
18:13:35.125 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\MBR.dat”
18:13:35.125 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\12 02 04 aswMBR.txt”


Re Rogue Killer

I wasn’t sure if I was supposed to run RogueKiller or not. The instruction page seemed to suggest that I run it if I fulfilled a condition - that did not seem to apply to me. However, I tried to run it anyway - just in case, but the link to download it did not work. If you still want me to run it, please let me know where I can get it.



Re Farbar Service Scanner

I did not run this scanner, as the instruction page said: “If you are having internet connection problems or firewall problems then do the following”. Since I am not having these specific problems, I did not download or run the program. If you wish me to, please just let me know.


The above scans and reports were on the instruction page of the link provided in the first response after my initial post.

I will now look at the second response after my initial post, and will try to fulfill all of the requests there, in my next post. In turn, I will try to fulfill every scan and report request that has been made - confidently hopeful that I am not just repeating 3 days of scanning and reporting - to no avail.

Thank-you for your considerations.

- Dave

Hello again,

The second response to my initial post (by Asyn) sent me to the same page of instructions as the first response (by Gargame) - to which I have already responded.

The third response (by Donavonsrb) suggested that the suspicious file (update.exe) that Avast identified as the possible source of the infection, could be inspected online by several programs. The results of those scans are as follows:

VirusTotal: on 2012-02-04 23:42:01. Detection ratio: 0/43

Metascan: Online Scan detected 0 possible threats.

VirScan: Scanners did not find Malware.

Jotti: 0 out of 20 scanners found Malware.


Thx again.

I await any further suggestions you may have.

- Dave

Donavonsrb,

Sorry, I missed answering your question in my previous post.

I downloaded QuickJS a couple weeks back, because I was sometimes running into pop-up windows that asked me if I was sure I wanted to leave a website when I closed a tab. In some cases, even if I said “yes”, it would not let me leave. Every time I would click the pop-up window to leave - I noticed that (with the help of another add-on called Ghostery), another tracker would try to add me to the list of those trying to track me. I presume that someone was somehow making money from this ploy. To stop this looping, I had to shut off Java (presumably stopping the script that kept repeating the loop). But the pop-up windows would often also prevent or delay my access to the normal Java check box (under Tools/options/Enable Java), making it difficult to shut off Java, so I could close and escape the site.

The plug-in you asked about (QuickJS) placed a small on/off icon on my lower task bar - allowing me to turn Java on and off much faster. That is why I downloaded it.


However, in the same time period, I downloaded several other Java plug-ins, and several other add-ons, just to try them out. I only kept two. One blackened any web page - making the writing green (as my eyes are sensitive to light and cannot watch a bright white screen for long). This was called: “Blank your Monitor + Easy reading 1.9.7”

The other add-on that I kept placed a small blue arrow on a lower task bar, that could be pushed to download (and convert if desired) any YouTube video, or videos from other sites. This was called: “Flash Video Downloader YouTube Downloader 3.4.3”

Currently, all of my add-ons are disabled. However, the pop-ups are still occurring anyway.

A couple weeks ago, I also downloaded two different media players, just to try them out. They include the VLC Video Player, and the Media Player Classic (downloaded with the K-Lite codec pack). I scanned these downloads before and after installing them - with Avast, Malwarebytes and Spybot, and nothing was found by these scans.

Hope this helps!

- Dave

I’m very interested in this story. Since yesterday I’m experiencing exactly the same problems.
I do not use firefox, but had v.4.0 installed.
Suspicious activities I did yesterday include plugging in a suspect usb key, updating VLC to the latest version (1.1.11), and installing DirectVobSub (VSFilter).
I’m suspecting DirectVobSub since it didn’t seem to do anything when installed, but I’d rather wait and see how Dave fixes his problem (one thing we both did was update VLC!).

Avast also identified “firefox”'s update.exe trying to access pr0n sites. I killed the update.exe via process admin, but sysinternals process explorer showed it was still active, after I killed it there, I have not experienced additional rogue internet access (I’ll keep checking). But obviously there is something wrong with our computers.

Avast and MaM complete scans yielded nothing, but I’ll try to follow the complete recommended operations pointed out to Dave. Please do not think I’m trying to hijack this thread, I’m only trying to help Dave as the OP, since probably once he fixes his comp. I’ll be able to do the same.

UPDATE: I uploaded the installers for VLC and DirectVobSub (VSFilter) to virustotal and both were identified as infected but only by one engine (1/40) in each case:
VSFilter: AntiVir → HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL → Virus/Win32.Xpaj.gen

UPDATE2: I will open a separate thread for my problem, sorry if I created unwanted noise here.

RogueKiller link is fixed, a formatting error on my part

OK, let's look in the com folder and see what we have there

Run OTL and select all users
In the custom scans and fixes box copy/paste the following :

C:\Program Files\Common Files\ComObjects\*.* /s

Press run scan
Again there will only be one log
Attach said log

Hello Essexboy,

I have run and attached the OTL file, as per your instructions.

I did not run RogueKiller, as your last post did not seem to instruct me to, even though you did explain that the link was now operational. Just let me know if you would like me to run it.


I found it interesting that Machinshin is experiencing the same problem. I could easily do without the (common suspect) VLC player - that I downloaded and he updated recently (as I virtually never use it), but I will wait to see if we can locate the source (which does not seem to be in a VLC file - at least, no scanner has found any such association to date on my system).

It may be worth mentioning, that I have two physical hard drives, and most of my (non-XP) programs are not on my primary Drive C, but rather on my Drive P (Programs) - which is on my second physical hard drive. Drive P is where my VLC player folder is located. I don’t know if this has any significance.


One other point, if I may?

On the attached OTL report, I noticed that some of the plug-ins were reported as enabled, even though my Firefox add-ons page shows them all as disabled (except Shockwave, which was installed and enabled when I downloaded a new version of Adobe Flash last night, as my Flash was not working - in retrospect - likely because I disabled all add-ons a couple days ago, to see if an active add-on may have been causing the problem).

One plug-in that particularly interests me, is Google Update. I don’t recall ever downloading this update, and, right now, my Firefox add-ons page shows it to be disabled, while the attached OTL scan reports it to be enabled, with the following (copied) line:

CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

Again, I don’t know if this has any significance.

Thank-you again for your considerations. I await any further insights, instructions or suggestions.

- Dave

You have the same java dll - also Vlan has two folders in the C drive

You have a google update job in windows tasks. That goes there as soon as you get any google product and it is set to check for updates daily

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL [2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\js3260.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hello Essexboy,

When I ran OTL, it prompted me to re-boot as it ended. Then, it automatically produced a report after the reboot.

Your instructions were to run a quick scan after the reboot - which I did.

I have attached both scan reports for your consideration.

Thanks,

- Dave

Hi Dave W,

The update.exe seems legit then. The dll file that Essexboy mentions has something to do with telling the update.exe to execute these sites.

This dll file appears new, see:
http://systemexplorer.net/db/js3260.dll.html

I’m not so sure about this new malware, so let essex take care of the rest.

Hello,

I have something strange new phenomenon occurring here, which I suspect is related to my primary problem, and/or Essexboy’s last OTL customized script.

First off, I notice a split second image of a black page with white writing as Windows boots up, that was not there before today (or perhaps yesterday). It is on screen too briefly to read. This is not a problem, but it is a recent change, so I mentioned it.

More importantly, when I boot up my computer now, there is a minimized application button on my task bar at the bottom of my screen. On it, there is a Firefox logo, and the words: “about:memory - Mozilla Firefox”

The words on this button intermittently change to different strange websites.

When I clicked on it - it would not open into a page or application.

When I checked the Windows Task Manager - it listed “about:memory - Mozilla Firefox” as a running application. When I right clicked on this application, a drop down menu appeared. One of the options was “Go to Process”. When I clicked this option it took me to the Processes window in the Task Manager, and highlighted “update.exe”

I then went back to the Applications tab in the Windows Task Manager and right clicked on the “about:memory - Mozilla Firefox” running application again. This time, I selected “Maximize”. (I hope this was not a mistake). A web page opened. It had the following headings, but no information:

Memory Usage

Overview
Memory mapped:
Memory in use:
Other Information
Description

I tried re-booting the computer to see if the task bar button appeared again. It did. When I maximized the button, I briefly saw a window that was titled: “Welcome Humans”. When this window was open, the name on the task bar button was: “Gort! Klaatu barada nikto!”

Here is the website that I found when I did a web search for this name. This webpage shows the same window that I saw, titled: “Welcome Humans”

http://mozillalinks.org/2008/12/gort-klaatu-barada-nikto/

I don’t know if this specific site has significance, but I wonder if a “Mozilla Links” application may be implicated?


Then, I noticed a Firefox minimized application button on my task bar called “Download”. However,

  • There were no downloads showing on my Firefox Download list.

  • Clicking on it did nothing.

  • When the button was visible, it was shown in Windows Task Manager – Applications, with the Process path (also) leading to update.exe

  • Then, a few mins later, the “about:memory” button/application kept changing to the names of different porn sites (unknown to me), but now Firefox web pages also opened – with a new tab opening each time the tab name/application changed. Two of the websites that opened were “iphone porn and Android porn” and “Hole Movies”.

Avast has made no attempt to block any of these sites, but they are not the animal sex porn sites that Avast had been blocking before.

Could I have opened the door to these connections being able to open Firefox web pages when I maximized the “about:memory” button, or the “Download” button, using the Windows Task Manager?

As I typed this post, I noticed that additional (usually porn) websites were opening with other names. Eventually, Avast gave the same old familiar warning and blocked a connection to an animal sex porn site (as per the usual problem).

Here are a few other things I noticed:

  • After I would “End Task” in the applications window of the Windows Task manager (to get rid of the button, and close the website), the first spontaneous re-appearance of the application (with a corresponding opening web page) was usually the about:memory button.

  • If the button/application changes and other actual web pages begin to open, it is usually either the Gortu page, or, a porn page that is not animal sex porn (and that Avast does not block), but if I do not “end task” for the application, I presume it may only be a matter of time until the application tries to connect to a malicious animal sex site - which Avast blocks from opening.

  • One of the names of the porn sites in the Applications window of Windows Task manager is “Yes Porn - Mozilla Firefox”, even when an Avast pop-up calls the site a different name (such as one of the typical animal sex porn sites).

  • Sometimes the task bar button name & web pages change quite quickly. Other times, the about:memory button stays the same for significant periods. Sometimes, a porn site name appears, and then the button name changes back to “about:memory - Mozilla Firefox”, all by itself. I have no idea what dictates the frequency or order of the changes.

  • Seemingly related, my entire screen now “blinks” quite periodically. This is also quite new within the last day or two. It was not doing this before, even when I was getting Avast pop-up warnings and site blocks.

I presume these new appearances may have something to do with Essexboy’s script – which apparently has acted to make behind the scenes activity more visible, but I am just speculating here.

I am also speculating, that the same connections (as described above) may have been occurring since my problem started – but without the buttons on the task bar, and without the connections actually opening web pages. Thus, the only time I was aware that any such background connections were occurring, was when a connection was attempted to a malicious site - which Avast blocked and notified me of – with a pop-up.

This mechanism could seemingly explain the background connection mechanism to the Internet, but what is directing my computer to make these connections? And how or why are these particular websites (non-malicious, and malicious and blocked by Avast) being selected for connection?

And, what next?

Thank-you again.

- Dave

The comobjects folder has been updated so I may need another look in there I feel

I will run two quick fixes first and then see what the folder reveals

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Configuration Wizard.lnk = File not found

:Files
ipconfig /flushdns /c
C:\Program Files\Common Files\ComObjects\js3250.dll

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

THEN

Let's see if there is an update by JP

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

FINALLY

Rerun OTL with this custom scan please

C:\Program Files\Common Files\ComObjects\*.* /s

Hello again,

Sorry for the delay. I didn’t realize you had responded at the top of the 2nd page.

During the first OTL fix, the following message came up in a window:

Update.exe - Unable to Locate Component

This application has failed to start because js3250.dll was not found. Reinstalling the application may fix the problem.


The same message came up after the re-boot, and returned within a few seconds every time I closed it (with either “X” or “OK”). I cannot get rid of this message window for more than a few seconds.

Attached is:

  1. The OTL report that opened automatically after the reboot (called 12 02 06 Auto after boot).
  2. The GooredFix report (called 12 02 06 Gooredfix).
  3. The final OTL scan report (called 12 02 06 Last OTL Scan).

I have also cut and pasted the first two (shorter) reports below.

OTL Auto after boot

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 387626 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 59404901 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 593 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66253 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7736 bytes

Total Files Cleaned = 57.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 02062012_185805

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_190.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_cec.dat not found!

Registry entries deleted on Reboot…


GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:18 on 06/02/2012 (Administrator)
Firefox version 10.0 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
(none)

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3nomuutp.default\extensions
firefox@ghostery.com [15:37 24/01/2012]
superstart@enjoyfreeware.org [20:47 22/01/2012]
{7E7165E2-0767-448c-852F-5FA8714F2C37} [02:55 02/02/2012]
{ada4b710-8346-4b82-8199-5de2b400a6ae} [15:59 28/01/2012]
{EDA7B1D7-F793-4e03-B074-E6F303317FB0} [02:30 12/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [19:36 04/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:05 01/02/2012]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [03:24 02/02/2012]

-=E.O.F=-


I composed the last two posts at the end of page 1 of this thread. I hope that you saw both of them, as the second especially seemed to have pertinent information.

In an earlier post, Donavon had spoken of a suspicious js3260.dll file. However, my update.exe file now seems to want to open, but cannot due to a missing js3250.dll file. I don’t know if the closeness of these two files has any significance, but mentioned it just in case.

Thx again.

- Dave

Only one attachment got through on my last post. This is my attempt to send the other two.

From the other thread with this selfsame problem it appears to track down to one js file

I will quarantine that now - could you let me know the results

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL [2012/01/04 07:12:24 | 000,188,916 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\data.js

:Commands
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
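The pieces the fixes in this thread removed one by one (a fake "Firefox" update.exe under Common Files\ComObjects, its bundled js3250.dll / js3260.dll engine, the data.js it ran, and the All Users Startup shortcut) make a simple file-system footprint a defender can check for. The script below is an added example, not code from the thread or from OTL; the XP directory layout is assumed, and the sample drive trees it builds are constructed placeholders, not real malware.

```python
import tempfile
from pathlib import Path

# Footprint traced in this thread. File names come from the OTL fixes posted above;
# the directory layout is the Windows XP default and is assumed here.
COMOBJECTS_DIR = Path("Program Files") / "Common Files" / "ComObjects"
STARTUP_DIR = (Path("Documents and Settings") / "All Users" / "Start Menu"
               / "Programs" / "Startup")
LAUNCHER = "update.exe"
ENGINE_DLLS = ("js3250.dll", "js3260.dll")
SCRIPT = "data.js"
STARTUP_LNK = "Configuration Wizard.lnk"


def assess_drive(root):
    """Inspect one system-drive root (e.g. 'C:\\') and return a findings dict."""
    root = Path(root)
    com = root / COMOBJECTS_DIR
    names = {p.name.lower() for p in com.iterdir() if p.is_file()} if com.is_dir() else set()
    f = {
        "comobjects_present": com.is_dir(),
        "launcher": LAUNCHER in names,
        "engine_dlls": [d for d in ENGINE_DLLS if d in names],
        "script": SCRIPT in names,
        "startup_lnk": (root / STARTUP_DIR / STARTUP_LNK).is_file(),
    }
    f["verdict"] = verdict(f)
    return f


def verdict(f):
    """Launcher plus an engine DLL or the script is the live pattern; a lone piece is residue."""
    if f["launcher"] and (f["engine_dlls"] or f["script"]):
        return "infected-pattern"
    if f["launcher"] or f["engine_dlls"] or f["script"] or f["startup_lnk"]:
        # e.g. the thread's state after the DLL and data.js were quarantined: update.exe
        # still present and still launched at boot, now only producing error dialogs.
        return "residue"
    return "clean"


def make_sample(root, stage):
    """Build a constructed drive tree (placeholder bytes, NOT malware) for one stage."""
    root = Path(root)
    com = root / COMOBJECTS_DIR
    startup = root / STARTUP_DIR
    com.mkdir(parents=True, exist_ok=True)
    startup.mkdir(parents=True, exist_ok=True)
    present = {
        "infected": [LAUNCHER, "js3250.dll", SCRIPT],   # before any fix
        "after-quarantine": [LAUNCHER],                  # DLL and data.js removed
        "clean": [],
    }[stage]
    for name in present:
        (com / name).write_bytes(b"placeholder bytes, constructed for the example")
    if stage != "clean":
        (startup / STARTUP_LNK).write_bytes(b"placeholder shortcut")
    return root


def demo(stage):
    """Create a temporary constructed tree for `stage`, assess it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess_drive(make_sample(tmp, stage))


if __name__ == "__main__":
    for stage in ("infected", "after-quarantine", "clean"):
        print(stage, "->", demo(stage)["verdict"])
```

On a live machine call assess_drive("C:\\") (and any other drive that carries a Program Files folder, as the poster's Drive P does); a "residue" verdict explains the "js3250.dll was not found" and "Can not find the file ... data.js" dialogs seen later in the thread.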

Essexboy,

The OTL scan that you requested is attached.

When I reboot, I now get the following message on my screen:

Windows Script Host

Can not find the file “C:\Program Files\Common Files\ComObjects\data.js”


Does the above message indicate an ongoing problem, that needs to be addressed?

If not, can the message be prevented from opening every time the computer is booted?


Also, one of the scans or repair programs used here (or perhaps on bleepingcomputers.com) has seemed to add a split second view of a page with white text on a black background when the computer first boots up (just before the Windows logo page). This is not a major problem, but can it be removed?


General Questions

Is the original problem presumed solved now? (Note: I have had no further Avast website block/pop-ups over the last day).

Was the source of the problem ever identified (such as where the bad file came from, and/or what vulnerability permitted it to infect the system)?

Are there any further scans, programs or monitoring that you would suggest that I conduct?

Is there any problem with my turning my Firefox add-ons back on now?

Is there something I can do to protect from re-infection, or something I should do if I am re-infected (that would be less than the two weeks of time and hassle that it took to get rid of this infection)?

A gracious thank-you for all of your time, considerations and help.

Regards,
Dave W