covert Posted September 26, 2009 Posted September 26, 2009 I am not sure if this is in the right place but I thougth this was a good place to bring my concerns. Hi everyone Ok, I use Facebook on a daily basis, I had a serious infection from using that site a while ago, but thanks to this fabby site I am cured and well protected. Last night I was messing around and got a pop up from my Avira AntiVir saying Threat detected I should block and quarantine, which I did. The app by the way was to put stars on your photos and hearts on your photo's. I deleted anything to do with it and informed my friends. Today I went to use FarmTown app, and I was re directed by google. Said teh site had been reported for infections, something about hackers etc?? Too tech for me, and I was told nt to go on it, also said my virus software had detected this too and blocked it. Why would google redirect me like this? Is this normal for Google to do this? And what should I do about this? Thanks, sorry for the long type:) Quote It doesn't take much effort to be nice :)
chiaz Posted September 27, 2009 Posted September 27, 2009 Hi covert, As far as I know, Farmtown is a legitimate app. Sounds like your computer has been compromised. I see that in your previous thread with JB you had ran several tools. Can I have you update and post the log after a full scan with MalwareBytes, as well as a fresh HijackThis log? Quote
covert Posted September 27, 2009 Author Posted September 27, 2009 hi chiaz, yes Ill get on it straight away and get back to you. I did a virus scan after this last nite with Antivir and that came out clear, I also sent the quarranteened file from the app the other night off to them as requested by Avira. I have used Farm Town before a lot and had no problems until last nite, Be back soon :) Quote It doesn't take much effort to be nice :)
covert Posted September 27, 2009 Author Posted September 27, 2009 Hi chiaz, well goon news and bad news. The good first - The malwarebites is clear totally. - here's the result file - Malwarebytes' Anti-Malware 1.40 Database version: 2709 Windows 6.0.6002 Service Pack 2 27/09/2009 15:10:30 mbam-log-2009-09-27 (15-10-30).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 189565 Time elapsed: 1 hour(s), 16 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Quote It doesn't take much effort to be nice :)
covert Posted September 27, 2009 Author Posted September 27, 2009 Now for the bad news, I informed my friends last nite to be careful, and one farm town friend had the exact same problem when entering farm town. The they had a problem with a hack when logging on to Facebook. I also had a proble,, my antivir stopped a bug when I was going onto another app I play daily. Spp.com (super poke pets) Now I know these sites are safe usually, so this is a worry. Ok the report which I don't understand for the Hijack this result is as follows, this I worry won't be so good lol - Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:06:52, on 28/08/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v8.00 (8.00.6001.18813) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\System32\s3trayp.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Windows Live\Toolbar\wltuser.exe C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = eBay - The UK's Online Marketplace R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MEDION International R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O1 - Hosts: ::1 localhost O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe -chkautorun O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O13 - Gopher Prefix: O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- End of file - 8440 bytes Quote It doesn't take much effort to be nice :)
covert Posted September 27, 2009 Author Posted September 27, 2009 And a bit more info. The two files I have sent to quarantine through Avira advice, and uploaded to them as requested are - both say contains suspicious HTML/HEUR malware ? Not sure if this is relivent or even helps. Quote It doesn't take much effort to be nice :)
chiaz Posted September 28, 2009 Posted September 28, 2009 The two files I have sent to quarantine through Avira advice, and uploaded to them as requested are - both say contains suspicious HTML/HEUR malware ? Not sure if this is relivent or even helps. Can I know the full filepath of the 2 files? Quote
covert Posted September 28, 2009 Author Posted September 28, 2009 yep I will try my best, oh there are 3 in quarrantine now all from facebook. 1 - c:\users\(myprofilename)\AppsData\Local\Mozilla\Firefox\Profiles\oaw688gp.default\Cache\8C63E976d01 Quarantine object - 4aef7bdb.qua 2 - c:\users\(myprofilename)\AppsData\Local\Mozilla\Firefox\Profiles\oaw688gp.default\Cache\42EAEB76d01 Quarantine object - 4aef6b96.qua 3 - c:\users\(myprofilename)AppsData\Local\Mozilla\Firefox\Profiles\oaw688gp.default\Cache\4498941Ad01 Quarantine object - 4aed52e4.qua thanks, sorry lol I couldn't copy and paste it so had to do it type bit by bit flcking screens back n forth, my friend had had an attack from Farmville and FB also the same night I made this thread. I have omitted my profile name as I wasn't sure wether to give it or not. Thank you chiaz, and happy Birthday for yesterday :) Quote It doesn't take much effort to be nice :)
chiaz Posted September 29, 2009 Posted September 29, 2009 That doesn't look serious to me. You can safely remove them by clearing the cache in FireFox. I doubt that any problem, if existent, lies on your end. Your PC should be clean. :) Quote
covert Posted September 29, 2009 Author Posted September 29, 2009 yay great, I do keep getting these 'attacks' but thankfully it looks like, thanks to you all, I am well protected. I thought best to get it checked out as they kept poppig up. Thanks so much Chiaz Quote It doesn't take much effort to be nice :)
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.