Hi
Today I started getting Avast warnings whenever I open a website in Firefox.
MBAM scan didn’t find anything.
Here’s the OTL logs:
On completion of this run could you let me know if the alerts cease
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
@Alternate Data Stream - 971 bytes -> C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BF1V4WG4H6PT4KGM8HTV4K6N636VFSVF7JB4VPJGF
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
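The fix above removes a named alternate data stream attached to the C:\ProgramData directory itself. As an added example (not part of the thread, and not one of the helper's tools), this PowerShell script lists every non-default stream on a directory and its children so a reader can confirm the stream is gone or spot a new one; it assumes PowerShell 7 (on Windows PowerShell 5.1 the directory entry itself may report no streams) and read access to the tree.

```powershell
# Added example: enumerate alternate data streams under a directory and flag
# anything other than the unnamed ':$DATA' stream. The directory itself is
# included because the stream in the thread sat on C:\ProgramData, not a file.
# Assumes PowerShell 7 (Get-Item -Stream on directories, Get-ChildItem -Depth).
param(
    [string]$Root = 'C:\ProgramData',
    [int]$Depth = 1
)

function Get-SuspiciousAds {
    param([string]$Path, [int]$Depth)

    # Start with the directory entry, then walk its contents to the given depth.
    $items = @(Get-Item -LiteralPath $Path -Force)
    $items += Get-ChildItem -LiteralPath $Path -Force -Recurse -Depth $Depth `
                -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        # '-Stream *' returns every stream; the unnamed data stream shows as ':$DATA'.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force `
                     -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }
            # Zone.Identifier is the normal "downloaded from the internet" marker.
            $benign = ($s.Stream -eq 'Zone.Identifier')
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
                Benign = $benign
            }
        }
    }
}

# Non-benign streams first, largest first, so an unexpected payload stands out.
Get-SuspiciousAds -Path $Root -Depth $Depth |
    Sort-Object Benign, Bytes -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so protected subfolders are readable; any stream listed with Benign = False deserves a look at its contents before it is removed.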
The alerts didn’t stop.
OK, time to dig deeper.
Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it. Click the “Scan” button to start the scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif
On completion of the scan click Save log, save it to your desktop and post it in your next reply.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif
THEN
Is it only Firefox?
Please download GooredFix from one of the locations below and save it to your Desktop:
Download Mirror #1
Download Mirror #2
- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Yes, it only happens in FFox.
OK, the next area to check is that Firefox is not infected.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Well, after I ran CFix I couldn’t start any programs. It said something like "program is connected to registry entry targeted for removal" or similar.
Never mind.
A reboot should have cleared that ;D
Are the alerts still occurring? The ComboFix log now looks good.
Yes
Is it possible that it is some stupid ad? When I click More info on the alert I get redirected to http://www.avast.com/pl-pl/lp-security-information-pp?utm_campaign=Virus_alert&utm_source=prg_ise_60_0&utm_medium=prg_systray&utm_content=pl-pl_virus-alert&p_vir=al&p_prc=file://C:\Program%20Files%20(x86)\Mozilla%20Firefox\firefox.exe&p_obj=http://83.23.58.33/&p_pro=2&p_vep=6&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=111&p_lng=pl&p_lid=pl-pl&p_elm=7&p_vbd=1289
Could you post a screenshot of the alert please?
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to the desktop.
- Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:)
  - Show All (don’t miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt”, or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
http://imageshack.us/photo/my-images/11/123jnq.jpg
GMER didn’t find anything, although some choices were greyed out and I couldn’t select them.
Could I see a screenshot of the alert please?
Also, have you tried IE to see if you get the same alert?
The screenshot is in my previous post. Also, no, I only get it in Firefox. Also I only get it when starting FF. When it’s open I don’t get it anymore until the next restart.
I would recommend totally uninstalling Firefox if this next fix does not work… Firefox has too many places for malware to hide.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
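The second fix removes one of the plugin registrations Firefox reads from HKLM\Software\MozillaPlugins. As an added example (not part of the thread, and not one of the helper's tools), this PowerShell script audits every such registration, resolves its Path value and reports whether the DLL exists and carries a valid Authenticode signature, so a registration pointing at a missing, unsigned or oddly placed file stands out; it assumes 64-bit Windows, where both the native and Wow6432Node hives can hold entries.

```powershell
# Added example: audit Firefox plugin registrations in the registry. Each key
# under MozillaPlugins has a 'Path' value naming the plugin DLL; the script
# checks that the file exists and that its Authenticode signature is valid.
# Assumes 64-bit Windows; HKCU is included because per-user keys are honoured too.
$hives = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',
    'HKCU:\SOFTWARE\MozillaPlugins'
)

function Get-MozillaPluginAudit {
    foreach ($hive in $hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $hive -ErrorAction SilentlyContinue) {
            $props  = Get-ItemProperty -LiteralPath $key.PSPath
            $dll    = $props.Path
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $status = 'Missing'
            $signer = 'n/a'
            if ($exists) {
                # Status is 'Valid' for a trusted signature, 'NotSigned' for none,
                # and other values when the signature or chain does not check out.
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Hive      = $hive
                PluginId  = $key.PSChildName   # e.g. '@adobe.com/FlashPlayer'
                Path      = $dll
                Exists    = $exists
                SigStatus = $status
                Signer    = $signer
                Suspect   = (-not $exists) -or ($status -ne 'Valid')
            }
        }
    }
}

# Suspect entries first; a registration whose DLL is gone or unsigned is what
# the OTL fix in the thread removed by hand.
Get-MozillaPluginAudit | Sort-Object Suspect -Descending | Format-Table -AutoSize
```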
Reinstalled Firefox, still getting alerts, although the first alert on the new Firefox said it was in a different file.
What file is it alerting on?
Is uTorrent running when this occurs?
Well, it stopped today :P. Guess some magical faeries did something while I was sleeping. Also, since no antivirus scanner shows anything, I will thank you for your help and time.
Could you monitor it, and if all is well tomorrow I will remove my tools.