
Help! Some dodgy Virus coming through Firefox?

OnAndUp
OnAndUp Posts: 981 Forumite
Part of the Furniture 500 Posts Combo Breaker
edited 26 March 2011 at 5:56PM in Techie Stuff
After having the system tools virus a few weeks back I feel a bit paranoid now!!

Has anyone else had this? I was searching for something on Google and when I clicked on the link I got a blue message box, something about Firefox has found critical errors.

I didn't know what to do and didn't want to click "ok", so I tried to close the tab, but then it showed a screen with a message that looked like other messages you sometimes get on Firefox but with a "scanner" running that looked a bit like the system tools thing. I closed the webpage tab straight away.

Like this.
http://support.mozilla.com/media/uploads/images/Virus-alert.jpg

My AV never gave me any warnings and I wasn't aware that Firefox did any sort of security scans?

I'm hoping that everything is ok but I am going to run Malwarebytes now in safe mode just in case.

Can someone confirm that it's dodgy - it's not a genuine Firefox security thing, is it? If it is a scam I'm sure loads of people would fall for this, it looks so genuine with the Firefox info.


TIA! ;)
"Things can only get better.................c/o D:Ream #The 90's :D"

Comments

  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 26 March 2011 at 6:03PM
    Sounds like you did the right thing and yes it's dodgy. It shouldn't have installed anything if you didn't click on the 'get software' link according to GData (http://www.gdatasoftware.co.uk/security-labs/news/news-details/article/1338-firefox-security-alert-turns-o.html).

    Still, do the usual Malwarebytes (update, quick scan).

    Also I'd recommend installing Spybot: Search and Destroy (don't install SDHelper or TeaTimer, update it, run the Immunisations, don't worry about a scan).

    Put in a Hijackthis! log for Rik.

    In Firefox, install Adblock Plus if you don't already have it (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/)
    Then subscribe to Easylist.

    Secondly, after Adblock Plus is installed also subscribe to the Malware domains block list at the bottom of this page: http://adblockplus.org/en/subscriptions
  • OnAndUp
    OnAndUp Posts: 981 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Thanks RussJK! doing that now.
    "Things can only get better.................c/o D:Ream #The 90's :D"
  • birkee
    birkee Posts: 1,933 Forumite
    My Kaspersky Internet Security blocks access to malicious sites. Guess you get what you pay for.
  • A.Penny.Saved
    A.Penny.Saved Posts: 1,832 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    birkee wrote: »
    My Kaspersky Internet Security blocks access to malicious sites. Guess you get what you pay for.
    Unknown zero day attack sites it doesn't, to those it's as vulnerable as any other :rotfl:

    Malware creators can test against the security people use so they know how effective their Malware will be. When it reaches a point where it has little effect they just use different Malware on different sites.

    Then there are Ad providers where Malware is injected into the Ad network. The web can be a dangerous place and no AV/Firewall is 100% effective.

    Sandboxing your browser and only allowing defined applications to run in the sandbox defeats most all of it. Script blocking (noscript) and request blocking (requestpolicy) as another line of defence prevents a large majority of it and the Sandbox prevents anything that manages to get through due to allowing the wrong thing to not get onto the real system.

    I never get my system infected.
  • JJ_Egan
    JJ_Egan Posts: 20,281 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Unknown zero day attack sites it doesn't, to those it's as vulnerable as any other

    But it does have the advantage of a number of AV updates each day.

    I never get my system infected.

    Likewise, and I don't bother with a sandbox, script blocking etc., just use Kaspersky or Eset. Plus the all-important factor of common sense.
    No virus, trojans or malware have ever been a problem in 11 years.

    jje
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    birkee wrote: »
    My Kaspersky Internet Security blocks access to malicious sites. Guess you get what you pay for.

    Not all it doesn't
    :idea:
  • teleaddict
    teleaddict Posts: 208 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    This sounds like the same thing which happened to me yesterday. The only problem is after I turned my PC off, I can't get it to boot up now.
    My £2 savings total for 2007 = £92, for 2008 = £124
    My savings from money off coupons for 2007 = £67.97, for 2008 = £194.79
    My £2 savings for 2009 (so far) = £130
    My savings from money off coupons for 2009 = £593.08
  • OnAndUp
    OnAndUp Posts: 981 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    Everything seems ok and Malwarebytes/Avast Scans didn't find anything.

    Can you please have a look at this Rik? Thanks! ;)

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:21:31, on 27/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\CleanMem\mini_monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\FsUsbExService.Exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&prodOS=011&gwCountry=GB&language=en&PURCH_DT_MONTH=01&PURCH_DT_DAY=25&PURCH_DT_YEAR=2006&PROD_SERIAL_ID=CNN5430MXX&application=305&modelID=EL495AA&LF=red
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [CleanMem Mini Monitor] C:\Program Files\CleanMem\mini_monitor.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Maxtor Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290958185000
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Maxtor - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

    --
    End of file - 6941 bytes
    "Things can only get better.................c/o D:Ream #The 90's :D"
  • OnAndUp
    OnAndUp Posts: 981 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    edited 27 March 2011 at 1:41PM
    Also just out of curiosity? :o

    Is this something that I could get rid of? Like the program you get when you first get your PC?

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebRe...EL495AA&LF=red

    And what is this one about Proxy?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    "Things can only get better.................c/o D:Ream #The 90's :D"
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 27 March 2011 at 1:59PM
    Log looks fine to me. I can tell you've probably followed the Closed slow PC guide :) Don't worry about the R1s.

    If you don't have an iPod, then you don't need these:
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    and I would remove this unless you use iTunes to burn CDs for some reason:
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    and this could go:
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    By the way, go into Avast and double check the version number in the 'About Avast' tab, make sure it's version 6. I don't know if it just keeps the old "avast 5" folder after it updates to version 6 (since I started at version 6), but I thought it worth checking.
This discussion has been closed.
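
An added example, not code from the thread or from HijackThis: a small Python parser for the log layout posted above. It lists the O4 startup items and O23 services, the kind of entries reviewed in the last reply, and picks out those whose executable sits outside C:\WINDOWS and C:\Program Files for a manual look. The sample log is constructed by abbreviating the one posted above, and treating those two folders as the "usual" roots is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the HijackThis v2 layout, abbreviated from the log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\HP\KBD\KBD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")          # "O4 - ...", "R1 - ..."
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)
USUAL_ROOTS = ("c:\\windows\\", "c:\\program files\\")     # assumption: default install roots

def parse(log):
    """Return (running_processes, {section_code: [entry_text, ...]})."""
    running, entries, in_procs = [], defaultdict(list), False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False                     # first coded entry ends the process list
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, dict(entries)

def autostarts(entries):
    """Yield (code, path) for O4 startup items and O23 services."""
    for code in ("O4", "O23"):
        for text in entries.get(code, []):
            m = EXE_PATH.search(text)
            if m:
                yield code, m.group(1)

def review_list(log):
    """Autostart paths outside the usual roots: candidates for a manual look, not a verdict."""
    _, entries = parse(log)
    return [(c, p) for c, p in autostarts(entries) if not p.lower().startswith(USUAL_ROOTS)]
```

On the sample, `review_list(SAMPLE_LOG)` returns only the `C:\HP\KBD\KBD.EXE` startup item, which is why the result is a prompt to check the entry by hand rather than a finding.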