
Redirecting firefox threats detected


3 replies to this topic

#1 grg.clny

grg.clny

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 09 April 2010 - 06:19 PM

I have XP with Service Pack 3. When I do a Google search and click on the results, I am redirected to a different site. My AVG detected two threats as follows:

File: sobakozgav.net/index.php
Infection: Exploit Javascript Obuscation
process name: iexplore.exe.

File: thecheckdomain.com/news/data.html?ID=20
Infection: Exploit Neosploit Toolkit (Type 779)
process name: firefox.exe

I have Dr. Web, Spybot Search and Destroy, Malwarebytes, Super antispyware, spyware blaster, and ATF Cleaner.
It looks like I am not the only one having this problem. Thank you.



#2 grg.clny

grg.clny
  • Topic Starter


Posted 10 April 2010 - 07:15 AM

Here is the latest with my computer.
I updated AVG this morning and in the middle of this I had all kinds of security alerts. Windows firewall was turned off. XP Smart security alert for all kinds of threats. The first thing I did was disconnect from the internet. I tried to turn on my firewall but could not. I ran Malwarebytes and here is the report:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3972

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2010 6:42:55 AM
mbam-log-2010-04-10 (06-42-55).txt

Scan type: Quick scan
Objects scanned: 112884
Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.
C:\Documents and Settings\"my name"\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> No action taken.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.
C:\Documents and Settings\"my name"\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.


I clicked on the box to remove threats and restarted my computer. Firewall came back on. I ran Malwarebytes again and got this:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3972

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2010 6:56:10 AM
mbam-log-2010-04-10 (06-56-10).txt

Scan type: Quick scan
Objects scanned: 112602
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My Google searches are still being redirected. Thanks for the help. I am sure someone will figure out what is going on since I am not the only one.

Edited by grg.clny, 10 April 2010 - 11:19 AM.
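
Added example, not part of the original post: a small parser for the "Bad: (...) Good: (...)" lines of the first Malwarebytes log above, which lists any executable that a hijacked command value runs in front of the expected program. The sample input is constructed from three lines of that log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: three lines in the format of the "Registry Data Items
# Infected" section of the Malwarebytes log quoted in the post above.
SAMPLE_LOG = r'''Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
'''

# Line shape: <key> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
ITEM_RE = re.compile(
    r'^(?P<key>HKEY_.*?) \((?P<detection>[\w.]+)\) -> '
    r'Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$')

def parse_data_items(log_text):
    """Return one dict per 'Bad/Good' registry data line in the log."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items

def interposed_launchers(items):
    """Executables that a Bad command runs in front of the expected program."""
    found = set()
    for item in items:
        m = re.match(r'"([^"]+\.exe)"', item['bad'], re.IGNORECASE)
        if not m:
            continue  # Bad value is not a quoted command line
        launcher = m.group(1)
        expected = (item['good'].split() or [''])[0].lower()
        if launcher.lower().rsplit('\\', 1)[-1] != expected:
            found.add(launcher)
    return sorted(found)

def keys_by_detection(items):
    """Group affected registry keys under the scanner's detection name."""
    grouped = defaultdict(list)
    for item in items:
        grouped[item['detection']].append(item['key'])
    return dict(grouped)

if __name__ == '__main__':
    parsed = parse_data_items(SAMPLE_LOG)
    print(interposed_launchers(parsed), keys_by_detection(parsed))
```
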


#3 grg.clny

grg.clny
  • Topic Starter


Posted 10 April 2010 - 11:25 AM

I ran Spybot Search & Destroy. Here are the results:


Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

I clicked to fix both problems. I checked and some of my Google searches are still getting redirected to other sites.

#4 grg.clny

grg.clny
  • Topic Starter


Posted 11 April 2010 - 08:51 AM

Sorry I did not follow the Forum Guidelines. I did not know what to call my virus, so I did not know what to put in my post title. I was getting the XP Smart Firewall Alert window. It turns off my firewall and says I have many viruses. I think it is a fake? I ran Spybot and Malwarebytes and was able to turn my Windows firewall back on. My Google searches are still being redirected. I will stop posting and wait for a reply. I know the forum is very busy and I am grateful for any help I can get.
Thank you.

Edited by grg.clny, 11 April 2010 - 08:41 PM.




