Unknown url keeps popping up and getting blocked....

The last few days out of nowhere I have been getting a pop-up window for the url “internet-outline.com/d/traf2.com”. Avast blocks it saying it just saved my computer from crashing. This pop-up comes out of nowhere whenever I am just doing some general surfing of my normal daily sites like Youtube, Google, Facebook. Sometimes if I just click a blank area on the screen, on a webpage (with no links or anything in that area) I’ll get the pop-up and the warning. I haven’t been able to find out anything about what this is other than what Avast tells me when it blocks it and it’s annoying the hell out of me!

I did a full scan but nothing was found. I’m using Firefox 13 and have checked all my add-ons and don’t see any problems with any of them, nor do I think it is any of them causing this. I’m running Windows 7 Ultimate 64-bit. Has anyone else seen this same thing? How can I make this go away permanently? Avast is doing great blocking it but it pops up and gets blocked like 30 times in one day! Again this just started happening in the last 2-3 days. I haven’t installed anything new at all or gone to any sites I’ve never visited before. I don’t have anywhere available to upload this to other than Dropbox, so here’s a link to the pic showing the avast error and also what Firefox shows: https://dl.dropbox.com/u/63091802/avast.jpg

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Scott :: STORMSCOUT [administrator]

Protection: Enabled

6/11/2012 1:10:25 PM
mbam-log-2012-06-11 (13-10-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260249
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-11 13:41:03

13:41:03.454 OS Version: Windows x64 6.1.7601 Service Pack 1
13:41:03.454 Number of processors: 8 586 0x1A05
13:41:03.454 ComputerName: STORMSCOUT UserName: Scott
13:41:05.610 Initialize success
13:41:08.416 AVAST engine defs: 12061100
13:41:10.915 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP3T0L0-3
13:41:10.916 Disk 0 Vendor: WDC_WD3200AAJS-00B4A0 01.03A01 Size: 305245MB BusType: 3
13:41:10.934 Disk 0 MBR read successfully
13:41:10.936 Disk 0 MBR scan
13:41:10.938 Disk 0 Windows 7 default MBR code
13:41:10.940 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
13:41:10.952 Disk 0 scanning C:\Windows\system32\drivers
13:41:19.063 Service scanning
13:41:36.637 Modules scanning
13:41:36.641 Disk 0 trace - called modules:
13:41:36.649 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
13:41:36.651 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800b395790]
13:41:36.655 3 CLASSPNP.SYS[fffff880019c943f] → nt!IofCallDriver → [0xfffffa800b15a580]
13:41:36.659 5 ACPI.sys[fffff88000f7f7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa800b15c060]
13:41:38.483 AVAST engine scan C:\Windows
13:41:40.750 AVAST engine scan C:\Windows\system32
13:43:21.604 AVAST engine scan C:\Windows\system32\drivers
13:43:32.829 AVAST engine scan C:\Users\Scott
13:58:54.977 AVAST engine scan C:\ProgramData
14:05:32.760 Scan finished successfully
14:05:47.315 Disk 0 MBR has been saved successfully to “C:\Users\Scott\Desktop\MBR.dat”
14:05:47.319 The log file has been saved successfully to “C:\Users\Scott\Desktop\aswMBR.txt”

Hi there, could you do a quick check with IE please to see if the problem is apparent there?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Is it only Firefox?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Here’s the 2nd OTL log.

I do not have IE as I made sure to get rid of it as much as possible… lol HOWEVER I do have Chrome and tried that out for awhile. I did NOT seem to have this same issue while surfing with Chrome. So between the two it seems it is definitely Firefox related, although still not sure how.

No change it seems. Still getting the same Avast message.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:11 on 11/06/2012 (Scott)
Firefox version 13.0 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:07 16/04/2011]

C:\Users\Scott\Application Data\Mozilla\Firefox\Profiles\3u8uj792.default\extensions
plugin@yontoo.com [20:06 01/06/2012]
{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash [21:35 18/11/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
“wrc@avast.com”=“C:\Program Files\Alwil Software\Avast5\WebRep\FF” [09:23 18/05/2011]

---------- Old Logs ----------
GooredFix[19.09.20_11-06-2012].txt

-=E.O.F=-

Getting rid of IE is a bad move as it is integral to Windows and closes several security holes.

Could you run Firefox in safe mode please to see if it is still evident: http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Ok, I think I found the issue. I really did not think it was any FF add-ons as I have so few, but after the “problem” went away while trying FF in safe mode I went through each add-on. I enabled one add-on, closed FF, then restarted it and tested to see if the pop-up/error would occur. I did the same exact thing for each add-on and did not have the pop-up/error at all. I got to one add-on in particular and as soon as I began my test in FF the pop-up/error came. My test consisted of this:

Go to Facebook, click anywhere on the page or in any fields without logging in.

With all the add-ons enabled, doing this caused me to get the pop-up/error 100% of the time. After I got to the add-on in question I knew it was the one causing the problem and will be removing it. The add-on was “Flash Loader initial.rev64 by christiandavid (This add-on allows your browser to play online Flash content. Last Updated May 22, 2012)”

THANK YOU for helping me with this issue!!! Really appreciate the time and speed put into this for me! :smiley:

That is the problem with Firefox (to my mind): any addon can be subverted and you will never know.

Have you deleted that addon?

To remove OTL just run it and hit the cleanup button ;D

Yup, that add-on has been removed. Thanks again :slight_smile: