Exploit Neosploit, "Threat Detected"


  • This topic is locked
21 replies to this topic

#1 BAPM
  • Members
  • 27 posts
  • Location:TX

Posted 29 July 2009 - 01:34 AM

Hello, here is my quandary. I'd appreciate any help on this subject you can give me.

I keep getting a "Threat Detected" pop-up from my antivirus software every time I search "Rachel Car" through Google. Since it keeps happening, it concerns me that something may be on my machine.

I am using Windows Vista Home Premium on a Toshiba Satellite M305-S4910.
This happens only with Firefox and not with IE.
I have uninstalled and reinstalled Firefox twice.
This has occurred with both avast and AVG anti-virus software.

I was searching Google for "Rachel Car" last week. One of the first hits was (presumably) her domain. It never loaded so I have no idea if it's hers for certain, but I was able to play a music sample from it. When I tried to visit the index of the domain, I got some wonky errors. I wish I could remember if there were any pop-ups or not, but I do recall it took forever to load and froze. I don't recall exactly what I did next, but I think I shut the browser and then reopened it and resumed surfing. I try going back and when I google her again, I get a warning about a trojan horse through avast. I tried searching her again through Google over the course of the next couple of days to see if it continued to happen, and it did.

avast didn't really give me any info and I couldn't tell if I was actually infected with something or not. Not seeing a solution, I decided to try another antivirus software. I uninstalled avast and installed AVG. Anytime I google "Rachel Car", this warning pops up on Google similarly as it did with avast.

[Posted image: screenshot of the "Threat Detected" warning]

I haven't been to rachelcar.com at all since that one time when the page froze. Even though the warning has rachelcar.com, this is purely happening through merely searching her name through Google using the search box in the top right corner of Firefox. I searched her the other day through IE and didn't get this error.

I installed Malwarebytes' Anti-Malware and Spybot Search and Destroy. AM didn't appear to find anything related but Spybot had some results and I cleaned them. I uninstalled and reinstalled Firefox once before running Anti-Malware and Spybot and once after installing and before re-installing to see if this would change anything. However, every time I search her through Google using "Rachel Car", I get the "Threat Detected" pop-up.

I looked up the threat name but I can't tell if my machine is actually compromised or not.

#2 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 29 July 2009 - 09:53 AM

Hello, what course of action is being given after detection? Quarantine, fix, remove, delete, etc...

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 29 July 2009 - 02:33 PM

Scan Log results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/29/2009 at 02:10 PM

Application Version : 4.27.1000

Core Rules Database Version : 4025
Trace Rules Database Version: 1965

Scan type : Complete Scan
Total Scan Time : 01:19:13

Memory items scanned : 134
Memory threats detected : 0
Registry items scanned : 6394
Registry threats detected : 0
File items scanned : 157072
File threats detected : 2

Adware.Tracking Cookie
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.bridgetrack[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@videoegg.adbureau[2].txt

#4 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 29 July 2009 - 03:21 PM

Hi, looks good here. What course of action is being given after detection? Quarantine, fix, remove, delete, etc...
Are you having any malware symptoms?

#5 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 29 July 2009 - 05:40 PM

As far my anti-virus software goes, I'm not being offered any course of action. The pop-up merely says that the threat's been detected and does nothing else. This occurred with both avast and AVG.

Malwarebytes' Anti-Malware quarantined the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties)

Spybot S&D found a few items related to Firefox and I cleaned those.

I tried googling "Rachel Car" in Firefox to see if it's still happening and got the pop-up again. However, I noticed that this time it seemed like another pop-up appeared and disappeared rapidly after I closed the first one, which I don't recall occurring before.


I'm not having any other malware symptoms. All other functions appear to be working normally. However, I find the Threat Detected pop-up occurring when searching in Google to be suspicious. I've only been to rachelcar.com once, but even when searching the name in Google, I keep getting a Threat Detected pop-up concerning that website.

Edited by BAPM, 29 July 2009 - 05:40 PM.


#6 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 29 July 2009 - 08:52 PM

Let's just check for a Goored Infection.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#7 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 29 July 2009 - 09:32 PM

GooredFix by jpshortstuff (12.07.09)
Log created at 21:31 on 29/07/2009 (User)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:14 01/05/2009]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files (x86)\AVG\AVG8\Firefox" [07:12 27/07/2009]
"avg@igeared"="C:\Program Files (x86)\AVG\AVG8\Toolbar\Firefox\avg@igeared" [07:13 27/07/2009]

-=E.O.F=-

#8 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 30 July 2009 - 03:32 PM

OK, I am almost certain we have a false positive. Let's submit that file for a second opinion.
Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

#9 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 30 July 2009 - 07:30 PM

Thank you for all of your help so far. I'm afraid I'm a little confused as to what file I'm supposed to scan. What is the suspect file? Firefox.exe?

#10 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 30 July 2009 - 08:13 PM

I was hoping the shield put the rachelcar file in its quarantine or vault. Or you can find its location via a file search.

#11 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 30 July 2009 - 10:06 PM

I looked around and I don't seem to have any file by the name of rachelcar. I tried searching "Rachel Car" again in Google using Firefox and am still getting the same "threat detected" pop-up; however, the file name is now "rachelcar.com/" without the www part.

#12 Capn Easy
  • Members
  • 597 posts
  • Location:New Jersey

Posted 01 August 2009 - 09:13 PM

Hi, I'm not a staff member, just someone who has encountered a similar situation with Avast! and Firefox.*

When this happened to me I was also concerned. I did full scans with MBAM and Avast!, which came up clean. I then posted for assistance at the Avast! forum. It was explained to me that the "Web Shield" had spotted malware hidden in obfuscated JavaScript and blocked it before it got to my computer. This was supported by the fact that I had a copy of the alert in my "Warnings" log, but nothing in the "Virus Chest." (Note -- I don't have AVG, so I don't know if the AVG web shield works the same way that the Avast! web shield works.)

Question for BC staff: I don't know much about the internals of Firefox, but I do recall it being advertised as more efficient than IE. Does Firefox interact with the first hit(s) in a Google search page? Perhaps in the name of efficiency? [EDIT -- I think this might be prefetching.] If so, might this trip the Web Shield warning while still on the Search Results page if the first result was a web page with malware?

I hope I haven't hijacked or complicated anything.

* I'm also a member who found BC last December as the result of a very nasty virus attack -- boopme was one of several folks here who helped me clean my computer, and keep it clean. Thanks again, all.

Edited by Capn Easy, 01 August 2009 - 11:06 PM.
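Capn Easy's prefetching guess, worked through as an added example (not code from the thread or from any tool named in it): a parser that lists the `<link rel="prefetch">` hints in a constructed results page, i.e. the URLs a prefetch-enabled browser requests before any click. The results-page markup and its rachelcar.com hint are constructed sample values, not a captured Google page.

```python
"""Why a web-shield alert can name a site you never clicked.

Added example, not from the thread: with Firefox's network.prefetch-next
preference on (the default), the browser follows <link rel="prefetch"> hints.
If a results page carries such a hint for its first result, as Capn Easy
suspected, that page is fetched in the background and the web shield scans it.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class PrefetchHintParser(HTMLParser):
    """Collect the URLs a prefetch-enabled browser would request unprompted."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.prefetch_urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if href and "prefetch" in rels:
            # Relative hrefs resolve against the page URL, as in the browser.
            self.prefetch_urls.append(urljoin(self.base_url, href))


def background_fetches(html, page_url):
    """Return the URLs that loading `html` at `page_url` would fetch unasked."""
    parser = PrefetchHintParser(page_url)
    parser.feed(html)
    return parser.prefetch_urls


# Constructed stand-in for a results page; the hint points at the first hit.
# The domain is the one named in the thread; nothing here contacts it.
SAMPLE_RESULTS_PAGE = """<html><head>
<link rel="prefetch" href="http://www.rachelcar.com/">
<link rel="stylesheet" href="/style.css">
</head><body>
<a href="http://www.rachelcar.com/">Rachel Car - first result</a>
</body></html>"""

if __name__ == "__main__":
    for url in background_fetches(SAMPLE_RESULTS_PAGE, "http://www.google.com/search?q=rachel+car"):
        print("fetched without a click, so the web shield scans it:", url)
```

In Firefox these background requests stop when network.prefetch-next is set to false in about:config, which is the simplest way to test the prefetching theory on an affected machine.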


#13 Capn Easy
  • Members
  • 597 posts
  • Location:New Jersey

Posted 02 August 2009 - 04:27 AM

Well, sometimes the gears turn slowly. I also remembered that I'd asked some time ago about pre-scanning a web page to see if it was safe. When I ran rachelcar.com through Linkscanner it found a problem, apparently involving obfuscated JavaScript:

<HERE>

Edited by Capn Easy, 02 August 2009 - 04:33 AM.
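The kind of pre-scan Linkscanner performed, approximated as an added example (not Linkscanner's or the thread's code): a heuristic that flags inline scripts pairing a decode-and-run call with a high share of escape sequences, run over a constructed page. The regexes and the 0.4 threshold are illustrative choices, not Linkscanner's, and the encoded sample merely decodes to `document.title`.

```python
"""Pre-scanning a page for obfuscated script, as a link scanner does.

Added example (not from the thread or from Linkscanner): flag inline
<script> blocks that combine a decode-and-run idiom with a high share of
%xx / \\xNN / \\uNNNN escape sequences. Thresholds are illustrative guesses.
"""
import re

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODE_RUN = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPE_SEQ = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")


def escape_ratio(code):
    """Fraction of the script text taken up by escape sequences."""
    if not code:
        return 0.0
    return sum(len(m) for m in ESCAPE_SEQ.findall(code)) / len(code)


def suspicious_scripts(html, min_escape_ratio=0.4):
    """Return (script index, escape ratio) for inline scripts that look obfuscated.

    Escapes alone (e.g. a URL-encoded string literal) are not enough; the
    script must also hand the decoded text to eval/document.write etc.
    """
    hits = []
    for i, code in enumerate(SCRIPT_BLOCK.findall(html)):
        ratio = escape_ratio(code)
        if DECODE_RUN.search(code) and ratio >= min_escape_ratio:
            hits.append((i, round(ratio, 2)))
    return hits


# Constructed sample page: the second script only decodes to 'document.title',
# but is written in the decode-and-run style a scanner keys on.
BENIGN = "<script>var x = 1 + 1; document.title = 'hi';</script>"
ENCODED = "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65'))</script>"
SAMPLE_PAGE = "<html><body>" + BENIGN + ENCODED + "</body></html>"

if __name__ == "__main__":
    for index, ratio in suspicious_scripts(SAMPLE_PAGE):
        print(f"script #{index}: {ratio:.0%} escape sequences, decode-and-run present")
```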


#14 BAPM
  • Topic Starter
  • Members
  • 27 posts
  • Location:TX

Posted 07 August 2009 - 05:31 PM

Thanks for the reply and the link, Capn Easy.

There is still a nagging concern in the back of my mind about a possible infection, as I had entered rachelcar.com that one time. However, I used Malwarebytes Anti-Malware, Spybot, did everything boopme told me to do, and ran Dr. Web Cureit. As I said, aside from that one quirk with Firefox, everything has been running smoothly. I was thinking something similar to what you said about prefetching, but this is the first time this kind of thing has ever happened to me and I'm no expert on the subject, so I'm unsure.

#15 boopme
  • Global Moderator
  • 73,556 posts
  • Location:NJ USA

Posted 07 August 2009 - 07:45 PM

Well, it'll take a few days, but you can post an HJT log and have them make certain there is nothing hidden here.
To run HJT/DDS:
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.