Avast WEBforum
Other => Viruses and worms => Topic started by: NickJHenderson on January 30, 2012, 01:32:21 PM
-
Hi everyone,
I've just got a new build PC running Windows 7 64-bit. I've only had it for a few days but Avast keeps coming up with a Malware blocked message:
Infection Details
URL: hxtp://allzoomovies.com/?x
Process: file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
Infection: html:Iframe-inf
I have never been on the website quoted or anything similar but it comes up with this message almost every time I launch Firefox.
Going to the destination folder, the file has a Firefox logo and cannot be deleted (comes up with a message reading something like "Firefox is still using this file so it cannot be deleted" even when Firefox is not installed).
So far Avast is blocking it but I don't want this to escalate and ruin my nice new PC!
ANY help is greatly appreciated!
Nick
UPDATE: It's also calling the same file a Suspicious File now!
-
-http://allzoomovies.com/
Sucuri - http://sitecheck.sucuri.net/results/http://allzoomovies.com/
VirusTotal
https://www.virustotal.com/file/0409d3fae1729689c4813f2516d3559b6fecbb3f64b6a2180fe826a1fa93db4c/analysis/1327927242/
Process: file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners
when you have the result, copy the url in the address bar and post it here for us to see
alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/
-
Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
You might not have been on the web site in the alert, but something on your system is trying to connect to it "C:\Program Files (x86)\Common Files\ComObjects\update.exe"
Do you know what this ComObjects folder/application is about?
It may be that it is legit but the site has been hacked.
-
Check for malware with this
Malwarebytes Anti-Malware http://filehippo.com/download_malwarebytes_anti_malware/
always click the update button before you start a scan
click on the remove selected button to quarantine anything found
post the scan log here
-
Norman lab
allzoomovies.com.htm : Processed - HTML/Redir.JN
-
Here's the result from the scan:
https://www.virustotal.com/file/fb9045b74615a339fcdc3016f899aec5b8afbdacde5421d94d777c709295c2fd/analysis/
-
Well, it isn't update.exe that avast is alerting on; that is the process responsible for making the connection to the site, which avast considers malicious. So I wouldn't really have expected VT to find anything, or avast would have been likely to alert on that file, not the URL location. This isn't uncommon, as this element would appear benign; it is just where it is trying to send you that would do the dirty deed, were it not for avast blocking that.
I have done a search and found only one other instance of this C:\Program Files (x86)\Common Files\ComObjects\update.exe, and it supports this ComObjects folder being highly suspect.
So download and install MalwareBytes AntiMalware (MBAM), update it, run it and post the contents of the log file as asked by Pondus.
- This however may require further investigation:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.
You will already have made a head start by running MBAM as asked.
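As an added example (not from the thread or from the forum helpers), here is a PowerShell check a user in Nick's position can run from an elevated prompt before uploading anything: it inventories the folder named in the Avast alert, computes SHA-256 hashes so the files can be looked up on VirusTotal by hash, shows whether each file is Authenticode-signed and what company/product name it claims, and lists which running process was started from that folder (the usual reason a file "cannot be deleted because Firefox is still using it"). The folder path and file names come from the thread; the function names and report layout are this example's own.

```powershell
# Added example, not the thread's own tooling. Run from an elevated PowerShell.
# Folder path is the one from the Avast alert in the first post.

function Get-SuspectFolderReport {
    param([string]$Folder = 'C:\Program Files (x86)\Common Files\ComObjects')

    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Warning "Folder not found: $Folder"
        return
    }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    # -Force includes hidden and system files, which droppers commonly set.
    Get-ChildItem -LiteralPath $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $stream = $_.OpenRead()
            try {
                $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '').ToLower()
            } finally {
                $stream.Close()
            }
            # An unsigned binary carrying another vendor's icon and product name
            # (update.exe with a Firefox icon) is the thing to look for here.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Sha256    = $hash
                SigStatus = $sig.Status
                Signer    = $signer
                Company   = $_.VersionInfo.CompanyName
                Product   = $_.VersionInfo.ProductName
            } | Select-Object Path, SizeBytes, Created, Sha256, SigStatus, Signer, Company, Product
        }
}

function Get-ProcessesRunningFrom {
    param([string]$Folder = 'C:\Program Files (x86)\Common Files\ComObjects')
    # A file that is "in use" is usually locked by a process started from that
    # same folder, not by the real Firefox; this shows which one.
    Get-Process |
        Where-Object { $_.Path -and $_.Path.StartsWith($Folder, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object Id, ProcessName, Path, StartTime
}

Get-SuspectFolderReport | Format-List
Get-ProcessesRunningFrom | Format-Table -AutoSize
```

The Sha256 value can be pasted straight into the VirusTotal search box: if the file has already been scanned there, the existing report comes back without uploading it, which is what Pondus asked for above. A NotSigned status together with a CompanyName or ProductName borrowed from a well-known product is exactly the mismatch DavidR describes.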
-
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.01.03
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick & Liz :: TEST-PC [administrator]
01/02/2012 11:17:47
mbam-log-2012-02-01 (11-17-47).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 381310
Time elapsed: 34 minute(s), 8 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Proceed with the other scans (OTL) and attach their logs.
-
Here you go!
-
Essexboy, one of our malware removal specialists, should take a look at it later on; he is normally on-line from 7pm UK time (currently 4:10pm in the UK).
-
Cheers, you guys are quite literally Gods of technology.
-
Hi, I would like to look at the launch points next.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
@Alternate Data Stream - 1055 bytes -> C:\Users\Nick & Liz\AppData\Local\Temp:f7QDsmoZwpktY9wVf
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Then re-run OTL and copy/paste the following into the custom scans box and press run scan
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
-
Hi everyone,
I've just got a new build PC running Windows 7 64-bit. I've only had it for a few days but Avast keeps coming up with a Malware blocked message:
Infection Details
URL: hxtp://allzoomovies.com/?x
Process: file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
Infection: html:Iframe-inf
I have never been on the website quoted or anything similar but it comes up with this message almost every time I launch Firefox.
Going to the destination folder, the file has a Firefox logo and cannot be deleted (comes up with a message reading something like "Firefox is still using this file so it cannot be deleted" even when Firefox is not installed.
So far Avast is blocking it but I don't want this to escalate and ruin my nice new PC!
ANY help is greatly appreciated!
Nick
UPDATE: It's also calling the same file a Suspicious File now!
Just to clarify to the OP, based on the SHA-256 it is goodware.
http://systemexplorer.net/filereviews.php?fid=873766
-
The problem being this has nothing to do with firefox.exe in the link that you posted.
Nor is firefox.exe mentioned in the quoted text, it is update.exe, the fact that that has a firefox icon just makes me more suspicious of it.
-
Cool, this is what was in the text document that opened after the FIX ran:
All processes killed
========== OTL ==========
ADS C:\Users\Nick & Liz\AppData\Local\Temp:f7QDsmoZwpktY9wVf deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Nick & Liz\Downloads\cmd.bat deleted successfully.
C:\Users\Nick & Liz\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Nick & Liz
->Temp folder emptied: 188943416 bytes
->Temporary Internet Files folder emptied: 40066395 bytes
->Java cache emptied: 388972 bytes
->FireFox cache emptied: 198005266 bytes
->Flash cache emptied: 59346 bytes
User: Public
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 436434 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 93931923 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 1841 bytes
Total Files Cleaned = 498.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.31.0 log created on 02022012_190149
Files\Folders moved on Reboot...
C:\Users\Nick & Liz\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
The document that opened after the SCAN is annoyingly too large to be an attachment. Suggestions?
Many thanks again!
-
Could you upload to mediafire and post the sharing link http://www.mediafire.com/
Also are you still getting the alert
-
Here's the link:
http://www.mediafire.com/file/hnuk99862bxgfu1/OTL.Txt
Haven't had the alert recently, but will keep you posted if it appears.
-
If all is OK tomorrow I will remove my tools
-
The alert has just popped up again, lame. Could it be on an external hard-drive?
-
Had you just reconnected the external drive?
-
No, but I have two external drives and they're both pretty old. It seems to only pop up when Firefox is running or starting up for the first time.
-
This may be the new one I have just come across
- Run OTL.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
data.js
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
-
Please find attached the scan results. Avast popped up several times during the scan telling me it had blocked something.
-
On completion of this run you will get a popup warning about wsh - you can ignore that for now
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Common Files\ComObjects\data.js
C:\Program Files (x86)\Common Files\ComObjects\js3250.dll
C:\Program Files (x86)\Common Files\ComObjects\js3260.dll
C:\Program Files (x86)\Common Files\ComObjects\update.exe
:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:regfind
data.js
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Please find attached the log from the Quick Scan.
-
Please find attached the SystemLook log
-
This will clear the popup about wsh
Once done could you let me know what problems remain
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"TaskMngr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"=-
[HKEY_USERS\S-1-5-21-2643207613-119737853-3303127672-1003\Software\Microsoft\Windows]
"TaskMngr"=-
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
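The fix above removes a "TaskMngr" value from several registry locations, and the earlier fix removed the files in the ComObjects folder. As an added example (not from the thread or from Essexboy's tooling), here is a read-only PowerShell check that lists autorun-style values matching either that value name or a command line pointing into the suspect folder, so it can be run before the fix to see the launch point and again afterwards to confirm it is gone. The value name and folder path come from the thread; HKCU covers the logged-on user, which is the same hive the fix addressed under HKEY_USERS\<SID>; the function name and the key list are this example's own.

```powershell
# Added example, not the thread's own tooling. Reports only; changes nothing.
# "TaskMngr" and the ComObjects path are taken from the fixes in this thread.

function Find-SuspectAutoruns {
    param(
        [string[]]$Names = @('TaskMngr'),
        [string]$PathFragment = '\Common Files\ComObjects\'
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        # 32-bit view of the Run key on 64-bit Windows, where a 32-bit installer would write.
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        # The OTL fix also cleared a TaskMngr value directly under this key.
        'HKCU:\Software\Microsoft\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $byName  = $Names -contains $name
            $byPath  = $command.IndexOf($PathFragment, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            if (-not ($byName -or $byPath)) { continue }
            $reason = @()
            if ($byName) { $reason += 'value name' }
            if ($byPath) { $reason += 'command path' }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Command = $command
                Reason  = ($reason -join ', ')
            } | Select-Object Key, Name, Command, Reason
        }
    }
}

Find-SuspectAutoruns | Format-List
```

Matching on the command path as well as the value name matters because a re-infection or a second dropper will typically keep the same folder but pick a new value name; an empty result after the fix and a reboot is the confirmation to look for before reporting "no more alerts".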
-
Please find attached the latest Quick Scan.
-
How is the computer behaving now?
-
I haven't had any alerts pop up for a while now so it seems to be fixed; I can't thank you guys enough! I'll post in a couple of days with an update.
-
Let me know when you are happy and I will tidy up