Search engine query gives a hXXp://12.ppcclickfeed.com Malicious Threat

Any search engine query (Google, Yahoo, or Bing) returns the search results along with an Avast! “Threat has been detected” warning on an hXXp://12.ppcclickfeed.com Malicious URL. I’m running a Dell Optiplex GX-280, with XP Professional SP3, 2.8 GHz P4, 2.0 GB RAM, Avast! Free 7.0.1466, Virus definitions version 121012-2.

I have attached a screenshot of the Avast! popup plus scans from AdwCleaner, Malwarebytes, and OTL. Scans from aswMBR, TDSSKiller, and ComboFix will be attached in a follow-up posting.

Any help would be greatly appreciated. Thanks.

Follow-up Post with scans from aswMBR, TDSSKiller, and ComboFix.

Again, any help would be really appreciated.

This should remove the remnants … Let me know if it works

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKLM..\Run: [isquPan] C:\WINDOWS\System32\isquPan.exe ()
O4 - HKLM..\Run: [ISW] File not found
[2009/11/24 00:07:54 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

:Files
C:\WINDOWS\Installer\{04de6e16-7f8f-f092-2a92-db5f6c8df8f2}
C:\Documents and Settings\Administrator\Local Settings\Application Data\{04de6e16-7f8f-f092-2a92-db5f6c8df8f2}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

essexboy,

Thank you for the help. I followed your instructions but should say that when I ran OTL with the “Custom Scans / Fixes” and the QuickScan, I did not disable my anti-virus or my firewall. Also, I noticed I had not selected the “Scan All Users” button. In any event, I have attached the file that OTL created after the reboot (10132012_220801.log) and the file (OTL.Txt) that was the result of the Quick Scan.

The bad news is that I ran one Google Search and got the “Threat Detected” pop-up warning just as before. Bummer!

Between the time I first ran the 6 programs (AdwCleaner, Malwarebytes, OTL, aswMBR, TDSSKiller, and ComboFix) and posted their scans, I had used the computer some for email and Internet surfing. At first it seemed like running those programs had removed the problem but it came back on about the 3rd or 4th Internet search. I assume I may have re-infected the computer by doing this.

So, it looks like I still need help. Sorry.

OK, time for the big boy. Do you sync Firefox?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • Allow the installation of the recovery console

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

essexboy,

As far as I can remember, I do not sync Firefox. I remember looking into that option at one time but I’m pretty sure I never set it up. My phone and other computers do NOT have the same bookmarks as this computer so I’m guessing I am not syncing Firefox.

I had run ComboFix before I made my first post so I deleted the ComboFix file on my desktop (and got a warning that it was a “Read Only” file) then downloaded a fresh copy. I then ran the new version of ComboFix and have attached the log file.

A couple of things I noticed after running ComboFix are that when I start Firefox, it says it is no longer my default browser. In answer to the question “Do you want to make Firefox your default browser”, I answered “No” this time (the last time I answered “Yes”). Also, I had for a long time been using a program called “tClockEX” to display both the date and time in the System Tray. It is not running now. I’m guessing ComboFix removed it. I opened a tab in Firefox (Version 17.0) while writing this reply and opened my Gmail account to search for the name of this program. And I opened Microsoft Word 97 to finally find the name of the program. Those are all the programs and/or web sites I used.

Then I opened another tab and selected the Bookmark for Google. I ran a search for “Romney vs Obama” and all was OK. I went back to Bookmarks and selected my Google bookmark a second time and ran a search for “time zone map”. This time I got the pop up “Threat has been detected.” This time the Malicious URL Avast! blocked was “hXXp://14.ppcclickfeed.com/…” - before it was “hXXp://12.ppcclickfeed.com” (12 instead of 14 in the URL.) See attached screen shot (Screen Shot 14ppcclickfeed.jpg) of the pop-up.

Is there an even “bigger” boy we can use now?

Thank you again for your time and effort. It is greatly appreciated.

OK, it is somewhere within Firefox.

Could you start Firefox and disable all extensions?
Do a search. Do you get the same warning?
If not, re-enable each add-on, doing a search in between, to see if the alert returns.
Once the add-on is located, could you let me know which one it is and run a fresh OTL scan?
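The add-on bisection above (disable everything, then re-enable one at a time with a test search in between) is a manual search. As an added example that is not part of the thread, here is a Python check over the profile's extensions.ini, the file that older Firefox releases, including the Firefox 17 in this thread, kept in the profile root with one line per extension directory the browser will load. It flags any extension loaded from outside the profile's own extensions folder and the application's install directory, which is exactly where the directory quoted later in this thread sits. Firefox also accepts extensions registered under HKLM\Software\Mozilla\Firefox\Extensions and the HKCU equivalent, which is one way a directory outside the profile ends up in this list. The profile name, the install path and every GUID except the one quoted in the thread are constructed for the sample.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Assumed locations for the thread's XP machine (profile folder name constructed).
PROFILE_DIR = (r"C:\Documents and Settings\Administrator\Application Data"
               r"\Mozilla\Firefox\Profiles\abcd1234.default")
INSTALL_DIR = r"C:\Program Files\Mozilla Firefox"

# Constructed sample in the shape of extensions.ini: [ExtensionDirs] lists every
# extension directory Firefox will load, in load order.  The last entry reuses the
# directory quoted in the thread; the other GUIDs are made up.
SAMPLE_EXTENSIONS_INI = """\
[ExtensionDirs]
Extension0=C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\extensions\\{11111111-1111-1111-1111-111111111111}
Extension1=C:\\Program Files\\Mozilla Firefox\\extensions\\{22222222-2222-2222-2222-222222222222}
Extension2=C:\\Program Files\\Garmin\\Communicator Plugin\\Firefox
Extension3=C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\{46A80111-E8AE-11E1-8270-B8AC6F996F26}

[ThemeDirs]
Extension0=C:\\Program Files\\Mozilla Firefox\\extensions\\{33333333-3333-3333-3333-333333333333}
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)


def _parts(path):
    """Path components, lower-cased, so comparisons ignore case the way NTFS does."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_under(path, parent):
    """True when `path` is strictly inside `parent`."""
    p, q = _parts(path), _parts(parent)
    return len(p) > len(q) and p[: len(q)] == q


def parse_extensions_ini(text):
    """Return [(key, directory), ...] from [ExtensionDirs], in file order."""
    cp = configparser.ConfigParser(interpolation=None)   # values contain no %-escapes
    cp.read_string(text)
    if not cp.has_section("ExtensionDirs"):
        return []
    return list(cp.items("ExtensionDirs"))


def classify(ext_dir, profile_dir, install_dir):
    """Where an extension directory lives relative to the two places Firefox keeps its own."""
    if is_under(ext_dir, PureWindowsPath(profile_dir) / "extensions"):
        return "profile"          # installed by the user through Firefox
    if is_under(ext_dir, install_dir):
        return "application"      # shipped with, or dropped into, the Firefox install
    if GUID_RE.match(PureWindowsPath(ext_dir).name):
        return "external-guid"    # bare {GUID} folder outside both: the pattern in this thread
    return "external"             # third-party vendor directory (plug-in installers do this); review


def audit(ini_text, profile_dir, install_dir):
    return [(key, d, classify(d, profile_dir, install_dir))
            for key, d in parse_extensions_ini(ini_text)]


def suspicious(rows):
    return [r for r in rows if r[2].startswith("external")]


if __name__ == "__main__":
    for key, d, label in audit(SAMPLE_EXTENSIONS_INI, PROFILE_DIR, INSTALL_DIR):
        print(f"{label:14} {key:11} {d}")
```

Anything reported as external still has to be judged by hand (the Garmin plug-in directory in the sample is legitimate), but a GUID-named folder directly under Local Settings\Application Data is the entry to look at first, and the check takes seconds rather than one search per add-on.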

BINGO! essexboy,

I looked at the Firefox Extensions and disabled the first 4 that were active:

avast! WebRep 7.0.1466
Easy YouTube Video Downloader 6.5
Garmin Communicator 4.0.3
Mozilla Safe Browsing 2.0.14

Once that was done, I ran several searches using Google from the Bookmark, the Firefox Search Box and from the search box on a Google search page. All ran CLEAN! No pop-up warnings!

I then enabled the four extensions in the above order, restarted Firefox each time, and ran at least 3 Google searches. Here is the result:

avast! WebRep 7.0.1466 - CLEAN!
Easy YouTube Video Downloader 6.5 - CLEAN!
Garmin Communicator 4.0.3 - CLEAN!
Mozilla Safe Browsing 2.0.14 - THREAT DETECTED!!! On the first Google search!

I then ran OTL and have attached the log file.

I don't want to get too excited, but I think you nailed it!

Don’t know how I missed that, as it is usually the first one I look for.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/08/17 16:58:23 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{46A80111-E8AE-11E1-8270-B8AC6F996F26}

:Files
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{46A80111-E8AE-11E1-8270-B8AC6F996F26}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
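The two OTL fixes in this thread were built from log lines in two shapes: O4 Run-key entries such as `O4 - HKLM..\Run: [isquPan] C:\WINDOWS\System32\isquPan.exe ()`, and timestamped file or directory entries such as the `{46A80111-...}` line above. As an added example, not part of the thread, here is a Python triage that parses both shapes and applies three narrow heuristics: a Run value whose target is missing, a Run value that starts an executable from the Windows directory with an empty company field (the `()` OTL prints when the file carries no version information), and a GUID-named directory sitting directly under Local Settings\Application Data. The sample lines are constructed in the shape of the entries quoted in the thread plus two benign lines for contrast; `WINDOWS_DIR` is an assumption about the poster's system root, and the rules deliberately do not judge every line the helper chose to remove (the Desktop.ini entry, for instance, is left alone).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the OTL entries quoted in this thread (an O4
# value with an empty company field, an orphaned O4 value, a GUID directory under
# Local Settings\Application Data, an RHS Desktop.ini) plus two benign lines
# written for contrast.  None of it is the poster's actual log.
SAMPLE_OTL_LINES = """\
O4 - HKLM..\\Run: [isquPan] C:\\WINDOWS\\System32\\isquPan.exe ()
O4 - HKLM..\\Run: [ISW] File not found
O4 - HKLM..\\Run: [avast] C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe (AVAST Software)
[2012/08/17 16:58:23 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\\DOCUMENTS AND SETTINGS\\ADMINISTRATOR\\LOCAL SETTINGS\\APPLICATION DATA\\{46A80111-E8AE-11E1-8270-B8AC6F996F26}
[2009/11/24 00:07:54 | 000,000,227 | RHS- | M] () -- C:\\WINDOWS\\assembly\\Desktop.ini
[2012/10/13 12:00:00 | 000,000,000 | ---D | M] () -- C:\\Program Files\\Garmin\\Communicator Plugin
"""

# O4 line: "O4 - HKLM..\Run: [ValueName] target"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# Run target: "C:\path\file.exe (Company from version info)"; "()" means none
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")
# File/dir line: "[date time | size | RHSD | M] (Company) -- path"
FILE_RE = re.compile(
    r"^\[(?P<stamp>[\d/]{10} [\d:]{8}) \| (?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| "
    r"(?P<kind>[MC])\] \((?P<company>[^()]*)\) -- (?P<path>.+)$"
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
WINDOWS_DIR = r"C:\WINDOWS"   # assumed system root for the thread's XP box


def _parts(path):
    """Path components, lower-cased, so comparisons ignore case the way NTFS does."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_under(path, parent):
    p, q = _parts(path), _parts(parent)
    return len(p) > len(q) and p[: len(q)] == q


def check_run_entry(name, target):
    """Heuristics for one O4 Run value; returns a reason string or None."""
    if target == "File not found":
        return f"orphaned Run value [{name}]: its target no longer exists"
    m = TARGET_RE.match(target)
    if not m:
        return f"Run value [{name}] has an unparsed target: {target}"
    if not m["company"] and is_under(m["path"], WINDOWS_DIR):
        return (f"Run value [{name}] starts {m['path']} from the Windows "
                f"directory with no company name")
    return None


def check_file_entry(attrs, company, path):
    """Heuristic for one file/directory entry; returns a reason string or None."""
    p = _parts(path)
    name = PureWindowsPath(path).name
    if "D" in attrs and GUID_RE.match(name) and p[-3:-1] == ["local settings", "application data"]:
        return (f"GUID-named directory directly under Local Settings\\Application Data "
                f"({company or 'no name'})")
    return None


def triage(text):
    """Run every line through the matching parser; return [(line, reason), ...]."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            reason = check_run_entry(m["name"], m["target"])
        else:
            m = FILE_RE.match(line)
            reason = check_file_entry(m["attrs"], m["company"], m["path"]) if m else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_OTL_LINES):
        print(f"{reason}\n    {line}")
```

The point of the size and attribute fields in FILE_RE is that they are already there for the asking: extending the triage to, say, hidden+system executables outside Program Files is one more `check_file_entry` rule, and every flagged line can be pasted straight into an `:OTL` or `:Files` section once a human has confirmed it.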

essexboy,

I ran OTL with the "Custom Scans/Fixes" you supplied. When OTL completed, it created a log which I have attached (10142012_174049.log), then I ran a QuickScan and the log it created (OTL.Txt) is attached also.

I looked in Firefox Extensions and the "Mozilla Safe Browsing 2.0.14" extension is no longer there. I then ran 3 different Google searches and received no pop-up warnings.

It looks like I'll sleep soundly tonight!

Anything else I need to do?

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean.

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe

essexboy,

First, thank you so much for your help with this. I REALLY appreciate your time and expertise.

Secondly, I am out of town for most of the week and do not have access to the computer that had the problem. I'll be back in a few days and give it a good work out to make sure it stays clean, then I'll follow the rest of your instructions. Once I do that, I'll post again and let you know how it went.

Again, thanks SO much!

My pleasure ;D

essexboy,

Sorry for the long delay but "life" got in the way of my continuing with your instructions. I have however run the computer for "several" 24 hour periods with no recurrence of the problem. I have followed your instructions to remove the tools and clean up the system. And, I will read your "How did I get infected in the first place" guide to see what might have happened.

I have had at least one personal computer since 1979 (Commodore PET 2001) and currently have 8 computers (including laptop, netbook and tablet) in my house (but not counting the "Smartphone.") I have, until this time, NEVER had ANY computer virus on any of my computers - knock wood. Maybe that was just blind luck but I have tried to practice "safe computing." Anyway, I'll re-double my efforts to avoid any further problems.

Finally, I can not thank you enough for your help. Swift, accurate, and to the point. You get one huge "ATTABOY" from me!

Best Regards,

DXHound

Keep safe and enjoy ;D