Avast WEBforum

Other => Viruses and worms => Topic started by: keith075 on June 12, 2010, 05:51:02 PM

Title: URL:MAL
Post by: keith075 on June 12, 2010, 05:51:02 PM
My web shield is popping up about every three hours detecting three malicious websites, but it does not give me enough information to determine where the program is in my computer that's making it try to connect.  I've scanned with Avast, Malwarebytes, visually inspected and deleted internet cookies/objects, searched MSconfig and add/remove programs...but I can't seem to find the culprit.

I realize that the URLs are blocked so I'm not in immediate danger, but at the same time there has to be a virus on my cpu (or at least some kind of script) that's making this connection attempt occur.  How do I figure out where it is...because this one is not in the usual places.
Title: Re: URL:MAL
Post by: DavidR on June 12, 2010, 06:25:25 PM
Post the information from the logs, e.g. from the avastUI, Real-Time Shields, File System Shield or Web Shield or Network Shield, Show report file.

Change any reported URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Title: Re: URL:MAL
Post by: polonus on June 12, 2010, 10:39:31 PM
Hi keith075,

What were the URLs involved? Give them like wxw or htxp and we can see what script is making the avast shield disconnect.

polonus
Title: Re: URL:MAL
Post by: keith075 on June 14, 2010, 05:19:02 PM
(88.80.7.152/cgi/pfkpu.php?tjzo=6733616<x044453x4x4x4x=2x) was the last one...I've been searching for logs or indicators of what is causing my computer to try to connect to these websites and I can't find it.

Is there a way to find the logs of the network shield?  The popup only remains on the screen for 10 or so seconds and it's not enough time to type each page before they disappear.
Title: Re: URL:MAL
Post by: DavidR on June 14, 2010, 06:25:46 PM
Easy to find really: open the avastUI, Real-Time Shields, Network Shield and click 'Show report file.'
Title: Re: URL:MAL
Post by: keith075 on June 14, 2010, 08:44:57 PM
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place.....I'll update in about an hour and a half when the next attempt happens.
Title: Re: URL:MAL
Post by: keith075 on June 14, 2010, 09:57:40 PM
Okay, I finally had another popup and pinned the page so I can give all three links-

media9s.com/cgi/crhwmrxg.php?gggg=6733616
nopagency.com/cgi/kpudd.php?ddddd=6733616
88.80.7.152/cgi/oejo.php?dsi=6733616

All three pages were launched (well, attempted to launch) using Internet Explorer, but for the life of me I can't find the process requesting the attempts.  All of them ending in the same number sequence tells me that my computer is being tracked as an individual, which worries me.  From my last post you can estimate how often it is trying to connect to the internet...and this happens twenty-four hours a day.

Any help would be greatly appreciated.
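An added example, not from the thread: a small Python helper that applies DavidR's hXXp/wXw convention to the three URLs keith075 pasted above and extracts the query value they all share, the observation that suggested a per-machine identifier. The URL list is copied from the post; the function names are my own.

```python
# Added example (not from the thread): defang the blocked URLs for posting
# and find the query-string value common to all of them.
import re
from urllib.parse import urlsplit, parse_qs

# Sample input taken from keith075's post; the URLs have no scheme as pasted.
BLOCKED_URLS = [
    "media9s.com/cgi/crhwmrxg.php?gggg=6733616",
    "nopagency.com/cgi/kpudd.php?ddddd=6733616",
    "88.80.7.152/cgi/oejo.php?dsi=6733616",
]

def parse_blocked(url):
    """Return (host, path, {param: value}) for a URL that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate hostname
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.path, query

def defang(url):
    """Rewrite http -> hxxp and www -> wxw so the URL is not clickable
    when pasted into a forum post (the convention DavidR asks for)."""
    url = re.sub(r"^https?://", lambda m: m.group(0).replace("http", "hxxp"), url)
    return re.sub(r"(^|://)www\.", r"\1wxw.", url)

def shared_query_values(urls):
    """Query values present in every URL.  A constant repeated across
    otherwise unrelated hosts is a likely per-victim identifier."""
    value_sets = [set(parse_blocked(u)[2].values()) for u in urls]
    return set.intersection(*value_sets) if value_sets else set()

def summarize(urls):
    """Defanged URL plus host for each entry, with the shared value(s)."""
    rows = [(defang(u), parse_blocked(u)[0]) for u in urls]
    return rows, shared_query_values(urls)

if __name__ == "__main__":
    rows, shared = summarize(BLOCKED_URLS)
    for safe_url, host in rows:
        print(f"{host:16} {safe_url}")
    print("value common to all URLs:", ", ".join(sorted(shared)) or "none")
```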
Title: Re: URL:MAL
Post by: keith075 on June 14, 2010, 10:01:20 PM
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place.....I'll update in about an hour and a half when the next attempt happens.  This is the only log recording of the virus at work...the scanner and other virus/malware software doesn't detect anything.  I wish I had more to post, but it just doesn't give a bit of info.
Title: Re: URL:MAL
Post by: DavidR on June 14, 2010, 10:14:35 PM
The IP address for the last one is for prq.se a Swedish domain.
The media9s.com is also the same Swedish domain prg.se.

The nopagency.com domain has been suspended, presumably because of this type of attempt.

Is IE open when this is going on ?
Have you tried using other browsers as your default, I suggest firefox, chrome or opera ?

As you say this is happening every three hours, are there any tasks in the windows Scheduled Tasks ?

What is your firewall ?
Title: Re: URL:MAL
Post by: essexboy on June 14, 2010, 10:33:03 PM
Hi lets have a deeper look at the system - First though have you checked your proxy settings ?

David may well be right about a bad job in the task folder

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer


And for Firefox there are instructions on this page (http://davidtse916.wordpress.com/2008/07/05/university-of-otago-firefoxs-proxy-auto-detection-problem-in-vista/) and you want the setting to be no proxy.

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180


Title: Re: URL:MAL
Post by: polonus on June 14, 2010, 11:16:03 PM
Hi keith075,

media9s.com is a site that is classified as dangerous on several counts:
http://www.malwaredomainlist.com/mdl.php?search=media9s.com
Malware distributing site with drive-by-downloads/viruses
for nopagency.com see: http://www.malwaredomainlist.com/mdl.php?search=nopagency.com
same type of malware indicated....
the third site also: http://www.malwaredomainlist.com/mdl.php?search=88.80.7.152&colsearch=All&quantity=50
Could be this range of malware: http://www.threatexpert.com/reports.aspx?find=Monkif%20C%26C
About this Monkif C&C trojan on the media9s.com server read here: http://www.malwaredomainlist.com/forums/index.php?topic=4154.0
More information about this recently active malware from the Koobface family - Monkif C&C read:
http://research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html

Follow the instruction of malware eliminator, essexboy, to the dot and be safe and secure,

polonus
Title: Re: URL:MAL media9s.com
Post by: inthefrey on June 15, 2010, 05:18:07 AM
Hello all,


1st post!

I too started getting this "media9s.com/cgi" url warning about a week ago. I have tried everything above - still get the warning.
Title: Re: URL:MAL
Post by: Lisandro on June 15, 2010, 01:39:34 PM
still get the warning.
Isn't it because the site is infected ???
Title: Re: URL:MAL
Post by: djDave on June 15, 2010, 03:03:01 PM
I had the same problem with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again ! I hope I'm done with them. and hope this might help someone...dave
Title: Re: URL:MAL
Post by: keith075 on June 15, 2010, 07:22:58 PM
To answer everyone's questions...I have uninstalled/reinstalled IE and it made no difference.  I do not have to have the browser launched for the warning to pop up, it does it on its own.

The proxy server option is not checked under internet settings.

The log file is attached from OTL; it did not give me an extras.txt file though.

Finally, I keep Windows, Advanced System Care, Malwarebytes, and Avast updated...none of them show any problems with full scans.  I also downloaded and updated SuperAntiSpyware but it only found some tracking cookies.


Title: Re: URL:MAL
Post by: essexboy on June 15, 2010, 08:54:49 PM
Let me know if it continues after this run please

Run OTL
:OTL
O2 - BHO: (WitBHO Class) - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
Title: Re: media9s.com ; 88.80.7.152 ; nopagency.com
Post by: Phobos on June 16, 2010, 08:51:18 AM
For:
media9s.com/cgi/...
nopagency.com/cgi/...
88.80.7.152/cgi/...

See:
http://forum.avast.com/index.php?topic=60749.msg513053#msg513053

Don't know how - just know it worked.

Thanks djDave!
Title: Re: URL:MAL
Post by: keith075 on June 16, 2010, 10:44:25 PM
Since completing the above steps the popup seems to be gone....so evidently it was generic malware that did not properly show up as a named threat.  Thanks for everyone's help!
Title: Re: URL:MAL
Post by: essexboy on June 16, 2010, 10:56:38 PM
O2 - BHO: (WitBHO Class) - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

These were the two elements that I believe caused it

or was it the removal of this ?
C:\WINDOWS\MSVIDEO.DLL
Title: Re: URL:MAL
Post by: Phobos on June 17, 2010, 03:22:56 PM
O2 - BHO: (WitBHO Class) - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

These were the two elements that I believe caused it

or was it the removal of this ?
C:\WINDOWS\MSVIDEO.DLL

Removal of 2x trojan.Dropper/Win-NV in C:\WINDOWS\MSVIDEO.DLL
Title: Re: URL:MAL
Post by: essexboy on June 17, 2010, 08:16:56 PM
Ta will add that to my list of unknowns  ;D

For info
Quote
The file MSVIDEO.DLL was first observed on Jun 02 2010 as a malware file
Title: Re: URL:MAL
Post by: battleknight45 on October 28, 2010, 08:26:59 AM
avast blocks my downloads because of this message.. is there a way to fix this?
Title: Re: URL:MAL
Post by: DavidR on October 28, 2010, 02:48:18 PM
avast blocks my downloads because of this message.. is there a way to fix this?

It would entirely depend on a) what you are downloading and b) the site you are downloading it from ?
If avast considers it malicious then it will alert.
Title: Re: URL:MAL
Post by: yongsua on October 28, 2010, 04:18:11 PM
Attention Google Chrome users! I just realized that even if you never type (http) you are still able to access the website.
Title: Re: URL:MAL
Post by: yongsua on October 28, 2010, 04:24:02 PM
Attention Google Chrome users, I just realized that even if you never type (http), you are still able to access these websites. Better not to try to access these websites because it is very dangerous if avast! never blocks it.
Title: Re: URL:MAL
Post by: Pondus on October 28, 2010, 04:30:16 PM
Quote
Attention Google Chrome users! I just realized that even if you never type (http) you are still able to access the website.
not new......write avast.com and hit the enter button in any browser and see what happens  ;)
Title: Re: URL:MAL
Post by: battleknight45 on October 29, 2010, 05:13:13 AM
avast blocks my downloads because of this message.. is there a way to fix this?

It would entirely depend on a) what you are downloading and b) the site you are downloading it from ?
If avast considers it malicious then it will alert.

I'm 100% sure it's not a malicious file, plus it's MediaFire..
Title: Re: URL:MAL
Post by: battleknight45 on October 29, 2010, 01:29:08 PM
yay! thanks to the virus update i can finally download again...

but in a related manner regarding JS script.. it's still detecting it even though my ads are blocked
Title: Re: URL:MAL
Post by: PaCKINheAT on December 15, 2010, 08:32:15 PM
I have the same "type" in a laptop but it only lets me go to this forum/topic for some reason. I can't get rid of it? I hope this helps me. If not, any other ideas to get rid of it?
Title: Re: URL:MAL
Post by: Rackis on July 05, 2011, 11:52:07 AM
I did the custom fix with OTC, however, internet explorer says I cannot go online because a firewall is blocking http and https. I disabled my firewall to see if that would work and it didn't. Any Suggestions?