JS: Downloader-DO

Hi everyone!! Christmas greetings to you all.
I'm your worst nightmare - a complete newbie at posting on forums, so PLEASE be gentle with me, and if I've done this wrong, forgive me.
I'm being plagued by the dreaded JS Downloader - only on Firefox, not IE8 - every time I google something avast gives me the trojan found and only the abort connection option. I've seen pages of instructions on here but need a bit of baby-step guidance so I know what I have to produce to help you geniuses help me!!
So far the info I've got is just what comes up on the pop-up, i.e.:

FILE NAME: http://v1.adwarefeed.com/ffjs.php?u=3704183145-3943295479-4135195793-3122908151a=303373&s=20&v=icv270109ff&e=google&q=bbb{gzip}

MALWARE NAME: JS:Downloader-DO [Trj]

MALWARE TYPE: Trojan Horse

VPS version: 091230-0, 30/12/2009

Would be so very grateful if you could baby me through what I need to do.

Thanks in advance for your attention.

xx

Hi MissT, welcome to the forum :slight_smile:

First off, this is in the right place :wink:

The reason this only happens on Firefox would be its prefetch feature, which downloads some data from Google searches to make your internet browsing quicker.

Does it happen on every search you make? Or just specific ones?

-Scott-

Hi Scott

thanks for the welcome hun :slight_smile:

just tried half a dozen searches and it came up with all of them

Ok, first I would disable pre-fetch:

-Open a new tab
-type “about:config” into the address bar (without quotes) [you will have to click the box that says you’ll be careful]
-in the filter bar type: “network.prefetch-next” (without quotes)
-right click the entry and click toggle

Make sure you are careful within this config page; changing some values could prove troublesome.

That will stop the pre-fetching.

I think your Google searches may be being re-directed.

If you search for avast, and click on the first link (NOT the sponsored link), you should be taken to avast.com. Is that where you are taken, or is it somewhere else?

-Scott-

I'm just going to answer your question before I do the prefetch thingy - when I google avast I got the usual pop-up so clicked abort connection, then when I clicked on the first entry I got taken to avast.com.

Should I go ahead with the prefetch thing??

Yes, I think disabling the prefetch will help.

What was the alert?

Check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Sorry if I wasn't clear - it was the usual avast pop-up telling me a trojan was found blah blah.
OK, I'm going to do the prefetch now but I don't think I understand about the notepad thingy - million apologies for being a dunce :-[

Ok for the notepad thing,

-Hold the Windows button and press R

-In the little window that appears copy and paste: C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

This will open a notepad window, and right at the bottom is the entry you want.

When posting the URL, please modify it to disable it: change http to hxxp

-Scott-

thanks so much for the detail without laughing at me :-\

the very last entry is:

hxxp://v1.adwarefeed.com/ffjs.php?u=3704183145-3943295479-4135195793-3122908151a=303373&s=20&v=icv270109ff&e=google&q=avast{gzip}" file.

OK

The main thing is that the webshield detection, and subsequent ‘Abort Connection’ option protects your pc as it stops the malware before it reaches your browser and your pc, keeping it safe.

-Scott-

That's good news!
Do you mean that I should try and ignore it (such a pain when I'm listening to music and the avast voice-over comes booming out!!) - is it one of those things that are more trouble to remove than they are worth?
Basically, when I've got a lot of googling to do I just use Internet Explorer, so I suppose my main concern was that it was going to get worse or infiltrate deeper etc., but I will go by whatever you say.

Are you getting any re-directs when you google things?

When you click on the links, are you taken to other places than it indicates?
And did the prefetch thing work?

Just googled Packard Bell and the avast warning comes up as soon as I click on enter, so I click abort connection - then if I click on one of the sites, so far it has taken me to where it's supposed to.

Did the prefetch thing and just rebooted before trying googling again - no difference, I'm afraid.

It seems as though this may help:
http://forums.maddoktor2.com/index.php?showtopic=21291

So:
(I’ve updated the instructions a bit, seeing as the program has been updated…)

Please download GooredFix, making sure that you save this file to your Desktop.

•Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator…)
•A window will appear asking to continue, click yes
•When complete, a notepad window will appear, copy and paste the contents here.

here it is:

GooredFix by jpshortstuff (28.12.09.1)
Log created at 16:59 on 30/12/2009 (TRINH)
Firefox version 3.5.6 (en-GB)

========== GooredScan ==========

Deleting "C:\Program Files\Mozilla Firefox\extensions\{13A8BEB1-D455-478E-86AE-8E55D2C43750}" → Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
defaults [14:39 18/12/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:50 14/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [23:36 17/10/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [16:47 11/11/2009]

D:\Documents and Settings\TRINH.TRINHS\Application Data\Mozilla\Firefox\Profiles\f1k67g9c.default\extensions
personas@christopher.beard [13:46 20/12/2009]
{20a82645-c095-46ed-80e3-08825760534b} [11:53 14/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [12:52 11/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:36 17/10/2009]

-=E.O.F=-
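An added example, not part of the thread and not GooredFix's own code: a small parser for a log in the layout posted above, which separates what the tool deleted from the extension entries it listed in the Firefox program folder, the user profile and the HKLM registry key. The sample text is constructed from the log in the post, abridged; its straight quotes, the `\` before the deleted extension's ID and the ASCII `->` arrow are assumptions about the tool's raw output.

```python
import re

# Constructed sample: the log from the post above, abridged, with quotes and
# path separators normalised (an assumption about the tool's raw output).
SAMPLE_LOG = r'''GooredFix by jpshortstuff (28.12.09.1)
========== GooredScan ==========
Deleting "C:\Program Files\Mozilla Firefox\extensions\{13A8BEB1-D455-478E-86AE-8E55D2C43750}" -> Success!
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions
defaults [14:39 18/12/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:50 14/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [23:36 17/10/2009]
D:\Documents and Settings\TRINH.TRINHS\Application Data\Mozilla\Firefox\Profiles\f1k67g9c.default\extensions
personas@christopher.beard [13:46 20/12/2009]
{20a82645-c095-46ed-80e3-08825760534b} [11:53 14/10/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [12:52 11/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:36 17/10/2009]
-=E.O.F=-
'''

STAMP = re.compile(r"\s*\[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]$")
DELETED = re.compile(r'^Deleting "(.+)" (?:->|→) (\S+)$')

def parse_gooredfix(text):
    """Return (deleted, inventory); inventory maps each location to its entries."""
    deleted, inventory, location, section = [], {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("====="):
            section = line.strip("= ")          # "GooredScan" or "GooredLog"
        elif section == "GooredScan":
            m = DELETED.match(line)
            if m:  # keep only the last path component, i.e. the extension ID
                deleted.append((m.group(1).rsplit("\\", 1)[-1], m.group(2)))
        elif section == "GooredLog" and line and line != "-=E.O.F=-":
            m = STAMP.search(line)
            if not m:  # no timestamp: a folder path or registry key header
                location = line.strip("[]")
                inventory[location] = []
            elif location is not None:
                ext_id, _, target = line[:m.start()].partition("=")
                inventory[location].append(
                    (ext_id.strip('"'), target.strip('"') or None, m.group(1)))
    return deleted, inventory

def ids_outside_profile(inventory):
    """IDs in the program folder or HKLM: a review list, not a verdict."""
    return sorted({e[0] for loc, items in inventory.items()
                   if "\\Profiles\\" not in loc for e in items})
```

Comparing the returned inventory between a run before and after cleanup shows which extension locations changed, without reading the log by eye.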

That looks promising

Are you still getting redirects after that?

:smiley: Oh my goodness!!

I just tried googling a couple of things and there was no sign of that at all - no warning from avast - nothing!!

I can't believe you've done it for me Scott - I cannot thank you enough, it was driving me round the twist and now it's GONE!! Thank you so much from the bottom of my heart xxxxxx

Is there anything extra I should be running or doing to stop it happening again or am I OK? I'm tempted to ask how that program (and you) fixed it but afraid it might be too technical for me to understand!

Again, THANK YOU SO MUCH for all the time and attention you gave to me.

:-*

Happy New Year to You and Yours!!

I'm SO happy!!! xxxx

That’s very good to hear :slight_smile:

Just to be on the safe side, I would run a scan with avast! and also take a look at MalwareBytes AntiMalware:

www.malwarebytes.org

Install it and then run a scan:

-Open MalwareBytes
-Click on the update tab
-‘Check for Updates’
-Scanner tab
-‘Perform quick scan’ and click ‘Scan’

Hi Scott

Well, that was a bit weird ??? - I downloaded and ran MalwareBytes - said it had found 44 infected files - I wanted to keep that window open while I asked you if you wanted to see the log and tell me which to delete etc. etc., but my internet connection had gone and I couldn't get it back without rebooting about 3 times - think Internet Explorer had disappeared from my trusted sites, go figure!!

Anyway - I saved a copy of the log - do you want me to post it??

Yes, that would be a good idea.