My PC runs Vista HP SP1 with Windows firewall, Spybot and ESET NOD32. My antivirus has recently detected infection, displaying the following message:
This address has been blocked: e.busca.uol.com.br/404.html - IP address 22.214.171.124:80
This happens everytime Firefox is open and I place the mouse over the favorites list in the Google toolbar. So, I have already deleted some favorites which might be suspicious, uninstalled the bar, uninstalled firefox, deleted registry entries that might be related, scanned for viruses and malware, cleaned temp files and disabled system restore. I've done this at least three times, in safe mode and not, and in different order... all unsuccessful, as the message is still displayed when the cursor hovers over the google bar favorites list in firefox.
Strangelly enough, I have the exact favorites in my browsers (FF 3.6.13 and IE7), but the antivirus does not detect any activity when hovering the mouse over them or even over the list of the same favorites in the google toolbar in IE: it only happens with firefox. Also, I have opened every one favorite entry and checked: none has the address that is blocked as their URL.
I've searched for a way to get rid of this but could not find anything helpful on Google, so I gave up for a while and accepted that, if ESET says it's been blocked, it is preventing the pest from doing whatever it does.
However, Firefox started crashing two days ago and, yesterday, ESET started displaying a warning saying that the following objects are in quarantine:
Then, I assumed it had something to do with FF crashing and started the whole cleaning thing, disabling system restore, runing Vista under safe mode, cleaning all temp files and cache and all, checking the AppData folder (enabling view hidden files) for any suspect folders or files and stuff... scanned system and HD, excluded quarantined objects.
All useless. ESET is still displaying the blocked address when FF is open. Firefox is still crashing every now and then and ESET has just poped up a small quarantine window showing there's some plugtmp-8 in the temp folder quarantined again.
Can you please help? I work a lot at home and can't risk losing data or having trouble with my PC. I'm usually pretty careful when surfing the net or opening attached files and am not naive. Can't fathom where I got the pest. Unless it is a false positive, as I've found some evidence that ESET might be detecting possible threats which just are not.
Edited by Gusknust, 20 January 2011 - 10:52 PM.