Problem with what seems to be Malware..

Hello there. Kind of getting desperate here.

For the past few days, everytime i do a search on google for example, NOD32 blocks a couple of pages from opening. I went to the logs and this is what i get:

13-04-2010 0:10:08 HTTP filter file DO NO OPEN THIS!!! -> ~Link removed~ <- DO NO OPEN THIS!!! a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.

Well, i made a scan and deleted one or 2 things, including what appeared to be a Win32/Kryptik.DPU trojan variant.

The thing is, the problem persists, and even after using other tools (Malwarebytes, or even Spybot in safe mode which were unable to find anything) i can't seem to end this problem.

Would really use some help here

 

So, it works as it should and just saved you from possible infection? Stop downloading stuff from dubious sites, pretty much - that's your solution.

 

empty temp and browser cache folders.
try dedicated helpers from one of the sites listed if you think there is some malware running
https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3

 

He's NOT infected. He's complaining that NOD32 saved his ass by terminating connection to a malware infested site.

 

Well, let's see. First of all, i am not complaining about the product, so you can dispense the sarcasm. And secondly, if i stop downloading stuff from dubious sites (which i actually didn't do) will that solve my CURRENT problem? i guess not. Thanks for the useless comment.

If you had been more careful reading my post as you were being a jackass, you would have noticed that i mentioned that this happens when i search for something on GOOGLE. Dubious site huh?

Thank you for your help. Going to try it.

 

And you can certify that having checked the machine? Otherwise
"
Well, i made a scan and deleted one or 2 things, including what appeared to be a Win32/Kryptik.DPU trojan variant.
"

 

Maybe you could actually describe your problem better? So, you are trying to say that you do a search on Google and without opening any of the search results you get malware downloaded? Or what's exactly your problem?

 

Example: When i do a search on Firefox (using Google at the search bar) or even if i make a search using the actual site, as soon as i get the results, NOD32 blocks a series of pages. That makes me think that i have some kind of malware that interacts with my browser, namely when i seach stuff on google.

 

Did you try another browser? Does it happen there as well? Did you try to delete your FF profile? Still happens? And you are absolutely sure you are browsing real Google? (Like, ping www.google.com shows what?)

 

Same thing happens with Internet Explorer, didn't see any need in deleting the Firefox profile. And when i ping Google, the IP is normal (209.85.229.104).

 

Well, run Eset SysInspector, generate the log and let ESET have phun with that then. (Could try your luck w/ other tools meanwhile - SAS, Hitman Pro...)

 

Been there, done that (Spybot, SAS, Malwarebytes, Hitman Pro). I'm gonna try some help in another forum, if that doesn't work, i'll either contact ESET or just format the whole damn thing.

 

Hello toxein,

I think i have a problem similar to yours :\
My NOD32 is going crazy about this warnings:


HTTP filter file http://client1**.********.***/cache/undo1_2.exe a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

And go this one too like you said:

Startup scanner file C:\Windows\system32\certjava.dll a variant of Win32/Kryptik.DPU trojan cleaned by deleting (after the next restart) - quarantined

So far i have tried the following software:
Hijackthis;NOD32;AVG Rescue USB;Avira Antivirus;Malwarebytes;Seek&Destroy,Combifix

But no program was able to detect the problem.

If you got any news how to fix this, please share

thanks

 

So what's using svchost.exe to download it? Why don't you install some firewall which will watch the outbound traffic to see?

 

Hello jonymitra,

I had the same response plus no software was able to detect the problem.
What I noticed monitoring svchost.exe, is that periodically there's a new one generated in a Temp subfolder by undo1_2.

Waiting for further news...

Thank you all