Topic: URL:MAL


keith075

  • Guest
URL:MAL
« on: June 12, 2010, 05:51:02 PM »
My web shield is popping up about every three hours detecting three malicious websites, but it does not give me enough information to determine where the program is in my computer that's making it try to connect.  I've scanned with Avast, Malwarebytes, visually inspected and deleted internet cookies/objects, searched MSconfig and add/remove programs...but I can't seem to find the culprit.

I realize that the URLs are blocked so I'm not in immediate danger, but at the same time there has to be a virus on my cpu (or at least some kind of script) that's making this connection attempt occur.  How do I figure out where it is...because this one is not in the usual places.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88897
  • No support PMs thanks
Re: URL:MAL
« Reply #1 on: June 12, 2010, 06:25:25 PM »
Post the information from the logs, e.g. from the avastUI, Real-Time Shields, File System Shield or Web Shield or Network Shield, Show report file.

Change any reported URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: URL:MAL
« Reply #2 on: June 12, 2010, 10:39:31 PM »
Hi keith075,

What were the URLs involved? Give them like wxw or htxp and we can see what script is making the avast shield disconnect.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

keith075

  • Guest
Re: URL:MAL
« Reply #3 on: June 14, 2010, 05:19:02 PM »
(88.80.7.152/cgi/pfkpu.php?tjzo=6733616<x044453x4x4x4x=2x) was the last one...I've been searching for logs or indicators of what is causing my computer to try to connect to these websites and I can't find it.

Is there a way to find the logs of the network shield?  The popup only remains on the screen for 10 or so seconds and it's not enough time to type each page before they disappear.
« Last Edit: June 14, 2010, 06:16:35 PM by keith075 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88897
  • No support PMs thanks
Re: URL:MAL
« Reply #4 on: June 14, 2010, 06:25:46 PM »
Easy to find really: open the avastUI, Real-Time Shields, Network Shield and click the 'Show report file.'

keith075

  • Guest
Re: URL:MAL
« Reply #5 on: June 14, 2010, 08:44:57 PM »
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place.....I'll update in about an hour and a half when the next attempt happens.

keith075

  • Guest
Re: URL:MAL
« Reply #6 on: June 14, 2010, 09:57:40 PM »
Okay, I finally had another popup and pinned the page so I can give all three links-

media9s.com/cgi/crhwmrxg.php?gggg=6733616
nopagency.com/cgi/kpudd.php?ddddd=6733616
88.80.7.152/cgi/oejo.php?dsi=6733616

All three pages were launched (well, attempted to launch) using Internet Explorer, but for the life of me I can't find the process requesting the attempts.  All of them ending in the same number sequence tells me that my computer is being tracked as an individual, which worries me.  From my last post you can estimate how often it is trying to connect to the internet...and this happens twenty-four hours a day.

Any help would be greatly appreciated.
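As an added example (not code from the thread, from Avast, or from any poster), the following Python script shows how a defender can triage a batch of web shield detections like the three above: it defangs each URL the way DavidR asks (hXXp / wXw), checks whether every URL carries the same query value across different hosts (the "same number sequence" concern), checks whether the paths share the same /cgi/<name>.php shape, and estimates the beacon period from the detection timestamps. The hosts, paths and the 6733616 value are the ones quoted in the thread; the timestamps are constructed for the example to mimic a pop-up roughly every three hours. A shared identifier plus a regular period is a strong sign of one local process firing on a timer, which is why the scheduled task check suggested later in the thread is the next place to look.

```python
"""Triage helper for URL:MAL-style web shield detections (added example)."""
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed events: (timestamp, URL). Hosts, paths and the 6733616 query
# value are the ones quoted in the thread; the times are invented so that
# three hits arrive together roughly every three hours.
SAMPLE_EVENTS = [
    ("2010-06-14 10:59:02", "http://media9s.com/cgi/crhwmrxg.php?gggg=6733616"),
    ("2010-06-14 10:59:03", "http://nopagency.com/cgi/kpudd.php?ddddd=6733616"),
    ("2010-06-14 10:59:04", "http://88.80.7.152/cgi/oejo.php?dsi=6733616"),
    ("2010-06-14 13:58:40", "http://media9s.com/cgi/crhwmrxg.php?gggg=6733616"),
    ("2010-06-14 13:58:41", "http://nopagency.com/cgi/kpudd.php?ddddd=6733616"),
    ("2010-06-14 13:58:42", "http://88.80.7.152/cgi/oejo.php?dsi=6733616"),
    ("2010-06-14 16:59:10", "http://88.80.7.152/cgi/pfkpu.php?tjzo=6733616"),
]

# Path shape shared by all URLs in the thread: /cgi/<lowercase name>.php
CGI_PATTERN = re.compile(r"^/cgi/[a-z]+\.php$")


def defang(url):
    """Rewrite a URL so it cannot be clicked by accident: http -> hXXp, www -> wXw."""
    url = re.sub(r"^http(s?)://", r"hXXp\1://", url)
    return url.replace("://www.", "://wXw.")


def parse_event(ts, url):
    """Split one detection into the fields the triage needs."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "host": parts.hostname,
        "path": parts.path,
        # The parameter *name* differs per URL (gggg, ddddd, dsi, tjzo);
        # only the value is stable, so keep the values regardless of key.
        "values": [v for vals in query.values() for v in vals],
        "defanged": defang(url),
    }


def shared_identifier(events):
    """Return the single query value present in every event, else None."""
    seen = Counter(v for e in events for v in set(e["values"]))
    common = [v for v, n in seen.items() if n == len(events)]
    return common[0] if len(common) == 1 else None


def beacon_interval_seconds(events, burst_gap=timedelta(minutes=5)):
    """Collapse near-simultaneous hits into bursts; return the median gap between bursts."""
    times = sorted(e["time"] for e in events)
    bursts, last = [times[0]], times[0]
    for t in times[1:]:
        if t - last > burst_gap:
            bursts.append(t)
        last = t
    if len(bursts) < 2:
        return None
    return statistics.median((b - a).total_seconds() for a, b in zip(bursts, bursts[1:]))


def triage(raw_events):
    """Summarise a batch of detections: hosts, shared tracking value, apparent period."""
    events = [parse_event(ts, url) for ts, url in raw_events]
    interval = beacon_interval_seconds(events)
    return {
        "hosts": sorted({e["host"] for e in events}),
        "defanged": sorted({e["defanged"] for e in events}),
        "shared_value": shared_identifier(events),
        "same_path_shape": all(CGI_PATTERN.match(e["path"]) for e in events),
        "period_hours": None if interval is None else round(interval / 3600, 2),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed input the script reports three distinct hosts, the shared value 6733616, a common /cgi/*.php path shape and a period of about 3.0 hours; on a real report file you would feed it the timestamp and URL of each blocked request instead of the constructed list.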

keith075

  • Guest
Re: URL:MAL
« Reply #7 on: June 14, 2010, 10:01:20 PM »
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place.....I'll update in about an hour and a half when the next attempt happens.  This is the only log recording of the virus at work...the scanner and other virus/malware software doesn't detect anything.  I wish I had more to post, but it just doesn't give a bit of info.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: URL:MAL
« Reply #8 on: June 14, 2010, 10:14:35 PM »
The IP address for the last one is for prq.se, a Swedish domain.
The media9s.com is also the same Swedish domain, prq.se.

The nopagency.com domain has been suspended, presumably because of this type of attempt.

Is IE open when this is going on?
Have you tried using other browsers as your default? I suggest Firefox, Chrome or Opera.

As you say this is happening every three hours, are there any tasks in the Windows Scheduled Tasks?

What is your firewall?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:MAL
« Reply #9 on: June 14, 2010, 10:33:03 PM »
Hi, let's have a deeper look at the system. First though, have you checked your proxy settings?

David may well be right about a bad job in the task folder.

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer


And for Firefox there are instructions on this page, and you want the setting to be no proxy.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users
  • Under the Custom Scan box paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: URL:MAL
« Reply #10 on: June 14, 2010, 11:16:03 PM »
Hi keith075,

media9s.com is a site that is classified as dangerous on several counts:
http://www.malwaredomainlist.com/mdl.php?search=media9s.com
Malware distributing site with drive-by-downloads/viruses
for nopagency.com see: http://www.malwaredomainlist.com/mdl.php?search=nopagency.com
same type of malware indicated....
the third site also: http://www.malwaredomainlist.com/mdl.php?search=88.80.7.152&colsearch=All&quantity=50
Could be this range of malware: http://www.threatexpert.com/reports.aspx?find=Monkif%20C%26C
About this Monkif C&C trojan on the media9s.com server read here: http://www.malwaredomainlist.com/forums/index.php?topic=4154.0
More information about this recently active malware from the Koobface family - Monkif C&C read:
http://research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html

Follow the instructions of malware eliminator essexboy to the dot and be safe and secure,

polonus

inthefrey

  • Guest
Re: URL:MAL media9s.com
« Reply #11 on: June 15, 2010, 05:18:07 AM »
Hello all,


1st post!

I too started getting this "media9s.com/cgi" url warning about a week ago. I have tried everything above - still get the warning.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: URL:MAL
« Reply #12 on: June 15, 2010, 01:39:34 PM »
Quote from inthefrey: "still get the warning."
Isn't it because the site is infected???
The best things in life are free.

djDave

  • Guest
Re: URL:MAL
« Reply #13 on: June 15, 2010, 03:03:01 PM »
I had the same problem with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again ! I hope I'm done with them. and hope this might help someone...dave
« Last Edit: June 15, 2010, 03:11:26 PM by djDave »

keith075

  • Guest
Re: URL:MAL
« Reply #14 on: June 15, 2010, 07:22:58 PM »
To answer everyone's questions...I have uninstalled/reinstalled IE and it made no difference.  I do not have to have the browser launched for the warning to pop up, it does it on its own.

The proxy server option is not checked under internet settings.

The log file is attached from OTL; it did not give me an Extras.txt file though.

Finally, I keep Windows, Advanced System Care, Malwarebytes, and Avast updated...none of them show any problems with full scans.  I also downloaded and updated SuperAntiSpyware but it only found some tracking cookies.