Mod Edit: moved from WIN 7 to the Am I Infected forum ~~ boopme
I received an E-mail from my ISP - Comcast - a few days ago that one of the computers on my network is showing signs of possible bot activity. I scan my computer regularly with Avast, MalwareBytes, Spybot S&D, I also run Comodo and Peerblock, as well as many security extensions. I received the same email again last night (which I read this morning). I have scanned the whole PC and found nothing (well I found a few things, but they were just bad cookies). Then this morning I opened my browser and was prompted that a program on my computer wanted to install an extension called "Total Browser Security 1.0.7". I saw the owner as Mozilla and it seemed legit so I let it install. Then I immediately got a bad feeling because I recall reading that it's easy to fake a signature, so I went to disable it. I could disable it, but I couldn't remove it from the browser, and when I went through Mozilla's safemode/manual uninstall, the folder for the extension didn't even exist (at least not where it should have been) so it's sitting in my browser disabled. I ran some quick Google searches and there were only 2 pages with someone having the issue, one was unresolved and the other simply said it would be best to get help here on BleepingComputer (original poster said it was called Total Browser Security 8.1.5), also stated he/she believed the culprit program was a game called Robot Unicorn they had downloaded (likely from a bogus site) and that every time the game was run, the extension would reinstall (how the heck he/she uninstalled it originally I don't know). Both posts were from 2012 so it's sort of dated.
It's obviously fake and I feel totally unsafe with it on my PC. I have no idea what program I had downloaded that would have installed bogus extensions for Firefox, as the only thing I downloaded yesterday was "Simple Shutdown Timer" which I've used in the past and I downloaded from Cnet (direct download, not through the downloader bullsh**, because that has all kinds of third party bogus). I'm not sure if maybe there's been something on my computer for a long time that just now decided to add the extension (considering for a week Comcast has said my internet activity shows signs of bot activity (which could also be the other computer on my wifi, as it's used by children who know nothing of safe browsing practices)). Or if my computer is badly infected with something, since none of my scans have shown anything. Either way I'm frankly scared for my internet safety right now, and I'm running another full scan with Avast and a program I downloaded today called Ad-Aware, and another called SuperAntiSpyware (which found a bunch of cookies and that was all). I also have things like HijackThis and can provide logs and things, I'm just not sure what information you guys need from me.
Simply put I want to get this extension removed, or at least find the program that added the extension. I've attached a screenshot of the extensions page in the addons manager which shows it's by Mozilla (which it totally is not). Sorry if there is a lack of explanation, I'll be checking back every minute so I can reply with more information promptly. Thanks!
Additionally I just noticed when I took the screenshot that it states it was updated on the 2nd of June, whereas it installed this morning, the 3rd. Odd.
UPDATE: Avast found something this time! Win32:Adware-Gen, in a microsoftupdate.dll. Deleted and rebooted. Fake extension still in Mozilla though!
UPDATE: The other computer on my home wifi also has 'Total Browser Security' in its extensions. My father says he allowed it a few days ago thinking it was legit. I'm connected to the modem via ethernet, the other computer is on Wifi. The computers aren't on a shared network or anything so I'm really not sure how both computers were infected within days of each other AND the fact that Comcast thinks we have a bot. This seriously looks bad.
Edited by Aaes, 03 June 2014 - 01:27 PM.