If I search for anything in Firefox using Google, the screen stalls, shows "waiting for triplexfeed" and then takes me to a new page saying I have a Windows Security Alert. However, it is a fake screen of the My Computer, not my real My Computer. The address bar shows "http://mywoobbvlo.com/in.cgi?7&parameter=" and then whatever search term I have just entered in Google - followed by "1&HTTP_REFERER=33852"
The fake Windows Security Alert window shows detected spyware and adware on my computer, listing "Admess.Trojan, zserv.Transponder.Trojan, Wstart.TrojanDownloader" - and when I try to scroll down this fake windows alert pop-up, a new pop-up shows "Opening install.exe", apparently a Binary File from http://security-pc2016.org. It won't close. I shut the browser with Windows Task Manager, tried again and got a similar pop-up, this time saying "The page at http://security-pc2016.org says The PC remains infected by spyware. They can seriously harm your private data or files, and should be healed immediately. Return to Cyber Security and download it secure to your PC" (the grammar faults are theirs!)
I ran a McAfee scan and it detected 3 objects which it deleted. I shut down, re-booted and have the same problem. A repeat scan has not detected anything. McAfee shows the firewall is not installed although when I checked at the security center, it shows it is installed. I cannot get McAfee to switch on the Firewall, so I have switched on the standard Windows Firewall instead - presumably too late now.
I am running Total Protection Standard Service 2 Year Subscription which was purchased on 6th January 2010, soon after I bought the PC and whilst the trial version that was pre-installed was still operating. All updates have been installed automatically.
I hope someone can tell me what I need to do please?
I guess the first thing to do here is to try & run our fakealert stinger -
Hopefully, this will eradicate the browser modification & the presence of this fake AV program. If it doesn't then we'll have to arrange for you guys to submit suspicious files to our support group for further analysis.
Additionally, it may be worth running the stinger in safe mode.
In case the attachment doesn't open here is the detail of the report:
Elapsed time: 53:35
Scan engine version: 5301.4018
DAT file version: 5881.0000
Last update: November 21, 2009 (although I often click update now, this date hasn't changed?)
Completion status: Scan completed
Files scanned: 273944
File threats detected: 4
Files cleaned: 0
Files deleted: 4
Registry threats detected: 0
Registry threats cleaned: 0
Cookie threats detected: 0
Cookie threats cleaned: 0
In Type Object Threat Status
File Trojan C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\ Artemis!842DE988A5E5 Deleted
(This is repeated again, but in lower case)
File Trojan C:\WINDOWS\SYSTEM32\6A.TMP Generic PWS.y!bvz Deleted
File Trojan C:\WINDOWS\system32\6A.tmp Generic PWS.y!bvz Deleted
Hope someone can offer a suggestion as I am stuck! I have re-run the stinger in Safe Mode too, but no difference.
If I hit the Internet Explorer icon several times, I eventually get a pop-up box referring to DEP - Data Execution Prevention, indicating that Windows is protecting memory by preventing executables running from protected memory locations. Great - but shouldn't Firefox do this too? DEP merely indicates the Trojan is still there.
Message was edited by: Marlin on 03/02/10 18:45:01 CST
Message was edited by: Marlin on 03/02/10 18:47:28 CST