Mozilla Firefox/Google trojan downloaders?

andygb

Over the past month, I have been "bothered with trojan downloaders. I an running Avast (free version), and run Malwarebytes at the start of every day.
Today has been the worst as far as I can remember.
I have been on EBay and MSE, plus a couple of other ordinary sites, and I keep getting, what I think is a false virus warning. I then close it via task manager and carry on. Every so often, I get a search via Google interrupting whatever I do.
Has anyone else had problems, following the downloading of the automatic Firefox upgrades?
Avast is telling me that I have a "Rootkit virus", but despite running full scans, I cannot get rid of it.
This is now driving me completely bonkers.
Please help.

RussJK

What does the google search try to find? What is the fake virus message? If it's anything like the one described here, then follow the instructions on that site and you'll likely soon be sorted.

If not, here are some things you can try.

1. First post a Hijack this log:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

2. Similarly, if you have any Avast logs or Malwarebytes logs that show any infection, then post those too.

3. These are two programs designed to find rootkits, try one or both:
NoVirusThanks Anti-rootkit (requires install, wants registry entry)
http://www.novirusthanks.org/product/novirusthanks-anti-rootkit/

Sophos Anti-Rootkit scanner (requires install, run program as administrator)
https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/eula/


(Here are some other scanners, similar to Malwarebytes you might like to try
Dr Web CureIt! (no install needed)
https://www.freedrweb.com/download+cureit/gr/?lng=en (direct link)

Microsoft Windows Malicious Software Removal Tool 32-bit (no install needed)
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Hitman Pro: Second Opinion Malware Scanner (very quick! no install needed)
http://www.surfright.nl/en/hitmanpro

Kapersky TDSSKiller (very quick! no install needed, for TDSS rootkit)
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

NoVirusThanks malware scanner (needs install, regular updates, nice program)
http://downloads.novirusthanks.org/files/nmr_setup.exe

Norman Malware Cleaner (no install needed, takes time)
http://www.softpedia.com/get/Antivirus/Norman-Malware-Cleaner.shtml

Kapersky Virus Removal Tool (needs install but uninstalls itself after use, slower)
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

Spybot: Search & Destroy (requires install, worth it for the passive immunisations)
http://www.safer-networking.org/en/spybotsd/index.html)


Let us know how you get on.

esuhl

Once you've scanned for and removed any malware, have a look at the NoScript and Adblock Plus add-ons for Firefox (and subscribe to the Adblock anti-malware list) - they should put a stop to any driveby installations.

Spybot and SpywareBlaster might help block the malware you're getting too.

aliEnRIK

Please open malwarebytes, goto LOGS and post the WHOLE of the last log

reboot

Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds) then post the log so we can see whats running
(do NOT do anything else with Hijack but scan and post the FULL log)
If you get a message that you cant write to the hosts file then Press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)


.........................................................................


Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)

andygb

aliEnRIK wrote: »

Please open malwarebytes, goto LOGS and post the WHOLE of the last log

reboot

Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds) then post the log so we can see whats running
(do NOT do anything else with Hijack but scan and post the FULL log)
If you get a message that you cant write to the hosts file then Press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)


.........................................................................


Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)

Hi there. Thanks for the help and suggestions. I have downloaded Hijack this file (did this last week), but have been unable to shift/right click/run as admin, or in fact get it to work at all.
It does a scan, but will not let me copy it.

aliEnRIK

"Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE(Takes seconds)"

Its the notepad logfile you copy, not hijack itself