Author Topic: URL:MAL  (Read 27246 times)

Offline keith075

  • Newbie
  • Posts: 7
URL:MAL
« on: June 12, 2010, 03:51:02 PM »
My web shield is popping up about every three hours detecting three malicious websites, but it does not give me enough information to determine where the program is in my computer that's making it try to connect.  I've scanned with Avast, Malwarebytes, visually inspected and deleted internet cookies/objects, searched MSconfig and add/remove programs... but I can't seem to find the culprit.

I realize that the URL's are blocked so I'm not in immediate danger, but at the same time there has to be a virus on my cpu (or at least some kind of script) that's making this connection attempt occur.  How do I figure out where it is...because this one is not in the usual places.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: URL:MAL
« Reply #1 on: June 12, 2010, 04:25:25 PM »
Post the information from the logs, e.g. from the avastUI, Real-Time Shields, File System Shield or Web Shield or Network Shield, Show report file.

Change any reported URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20121
  • Gender: Male
  • malware fighter
Re: URL:MAL
« Reply #2 on: June 12, 2010, 08:39:31 PM »
Hi keith075,

What were the URLs involved? Give them like wXw or hXXp and we can see what script is making the avast shield disconnect.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline keith075

  • Newbie
  • Posts: 7
Re: URL:MAL
« Reply #3 on: June 14, 2010, 03:19:02 PM »
(88.80.7.152/cgi/pfkpu.php?tjzo=6733616<x044453x4x4x4x=2x) was the last one... I've been searching for logs or indicators of what is causing my computer to try to connect to these websites and I can't find it.

Is there a way to find the logs of the network shield?  The popup only remains on the screen for 10 or so seconds and it's not enough time to type each page before they disappear.
« Last Edit: June 14, 2010, 04:16:35 PM by keith075 »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: URL:MAL
« Reply #4 on: June 14, 2010, 04:25:46 PM »
Easy to find really: open the avastUI, Real-Time Shields, Network Shield and click 'Show report file.'

Offline keith075

  • Newbie
  • Posts: 7
Re: URL:MAL
« Reply #5 on: June 14, 2010, 06:44:57 PM »
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place... I'll update in about an hour and a half when the next attempt happens.

Offline keith075

  • Newbie
  • Posts: 7
Re: URL:MAL
« Reply #6 on: June 14, 2010, 07:57:40 PM »
Okay, I finally had another popup and pinned the page so I can give all three links-

media9s.com/cgi/crhwmrxg.php?gggg=6733616
nopagency.com/cgi/kpudd.php?ddddd=6733616
88.80.7.152/cgi/oejo.php?dsi=6733616

All three pages were launched (well, attempted to launch) using Internet Explorer, but for the life of me I can't find the process requesting the attempts.  All of them ending in the same number sequence tells me that my computer is being tracked as an individual, which worries me.  From my last post you can estimate how often it is trying to connect to the internet... and this happens twenty-four hours a day.

Any help would be greatly appreciated.
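The question in the post above is which process is opening these connections. Below is an added example, not code from the thread or from avast, that works through the two observations the poster makes: every blocked URL carries the same query value, and the alert fires while no browser window is open. It parses the three URLs as posted, groups them by that shared value, and then attributes a connection to a PID by reading the output of two commands that exist on Windows XP, `netstat -ano` and `tasklist /fo csv`. The netstat and tasklist text here is constructed for the example (the PIDs and LAN addresses are hypothetical); on a real machine you would capture both while the shield pop-up is pinned on screen and feed the captured text in.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The three blocked URLs quoted in the post (scheme omitted, as posted).
BLOCKED_URLS = [
    "media9s.com/cgi/crhwmrxg.php?gggg=6733616",
    "nopagency.com/cgi/kpudd.php?ddddd=6733616",
    "88.80.7.152/cgi/oejo.php?dsi=6733616",
]

# Constructed sample of "netstat -ano" output (hypothetical PIDs and LAN
# addresses); a real capture is taken while the shield alert is on screen.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    192.168.1.10:1052      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:1311      88.80.7.152:80         SYN_SENT        1840
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /fo csv" output for the same moment.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","964","Console","0","4,912 K"
"iexplore.exe","1840","Console","0","31,204 K"
'''


def parse_blocked_url(url):
    """Split a scheme-less blocked URL into host, path and its one query value."""
    parts = urlsplit("http://" + url)
    values = [v[0] for v in parse_qs(parts.query).values()]
    return {"host": parts.hostname, "path": parts.path,
            "id": values[0] if values else None}


def group_by_beacon_id(urls):
    """Group blocked hosts by the query value they share: the poster's
    observation that every URL ends in the same number."""
    groups = defaultdict(list)
    for url in urls:
        info = parse_blocked_url(url)
        groups[info["id"]].append(info["host"])
    return dict(groups)


def parse_netstat(text):
    """Return (proto, foreign_host, state, pid) rows from 'netstat -ano' output.
    UDP rows have no State column, so the PID is always the last field."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, foreign = fields[0], fields[2]
        state = fields[3] if len(fields) == 5 else ""
        host = foreign.rsplit(":", 1)[0]
        rows.append((proto, host, state, int(fields[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def attribute_connections(blocked_urls, netstat_text, tasklist_text):
    """Return every socket whose foreign address is one of the blocked hosts,
    with the owning process. netstat shows IP addresses, so hostnames in the
    block list only match once you add their resolved addresses to it."""
    hosts = {parse_blocked_url(u)["host"] for u in blocked_urls}
    images = parse_tasklist(tasklist_text)
    return [
        {"host": host, "state": state, "pid": pid, "image": images.get(pid, "?")}
        for _proto, host, state, pid in parse_netstat(netstat_text)
        if host in hosts
    ]


if __name__ == "__main__":
    print("hosts sharing one id:", group_by_beacon_id(BLOCKED_URLS))
    for hit in attribute_connections(BLOCKED_URLS, NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{hit['host']} <- pid {hit['pid']} ({hit['image']}) state {hit['state']}")
```

The image name is only the host process: a module loaded into the browser can be the real initiator even when no browser window is visible, so once a PID is known the next step is to list the DLLs it has loaded (`tasklist /m` on XP, or Process Explorer) and look for anything outside the Windows and Program Files trees.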

Offline keith075

  • Newbie
  • Posts: 7
Re: URL:MAL
« Reply #7 on: June 14, 2010, 08:01:20 PM »
All it shows is-
 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, June 14, 2010 10:59:02 AM
*

It doesn't actually show the websites, but I did figure out that when the threat block pops up I can pin it in place... I'll update in about an hour and a half when the next attempt happens.  This is the only log recording of the virus at work... the scanner and other virus/malware software doesn't detect anything.  I wish I had more to post, but it just doesn't give a bit of info.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
Re: URL:MAL
« Reply #8 on: June 14, 2010, 08:14:35 PM »
The IP address for the last one is for prq.se, a Swedish domain.
The media9s.com is also the same Swedish domain, prq.se.

The nopagency.com domain has been suspended, presumably because of this type of attempt

Is IE open when this is going on?
Have you tried using other browsers as your default? I suggest Firefox, Chrome or Opera.

As you say this is happening every three hours, are there any tasks in the Windows Scheduled Tasks?

What is your firewall?
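The suggestion to look at Scheduled Tasks is the right one for anything that fires on a fixed interval. The following is an added example (not from the thread or from avast) of how to triage an export of the task list rather than eyeballing it: it reads the CSV that `schtasks /query /fo csv /v` produces, flags any task whose command references a file outside the Windows or Program Files trees (or inside a Temp folder), and flags any task whose repeat interval matches the interval the alerts are arriving at. The CSV excerpt is constructed for the example with only the columns the code reads, and the second task, its name and its DLL path are hypothetical placeholders, not findings from the thread.

```python
import csv
import io
import re

# Constructed excerpt of "schtasks /query /fo csv /v" output. Only the columns
# this example reads are kept; the "\At1" task and its command are hypothetical.
SCHTASKS_SAMPLE = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Repeat: Every"
"PC1","\Defrag","Ready","Microsoft","%windir%\system32\defrag.exe C:","Weekly","N/A"
"PC1","\At1","Ready","SYSTEM","C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\upd.dll,Start","Daily","3 Hour(s), 0 Minute(s)"
'''

# Locations a scheduled command is normally expected to run from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def paths_in_command(command):
    """Extract file paths from a 'Task To Run' string: quoted paths first,
    then bare drive-letter or %var%-rooted tokens in what remains."""
    quoted = re.findall(r'"([^"]+)"', command)
    rest = re.sub(r'"[^"]*"', " ", command)
    bare = re.findall(r'(?:[A-Za-z]:|%\w+%)\\[^\s,]+', rest)
    return quoted + bare


def is_trusted_location(path):
    """True for paths under Windows or Program Files that are not in a Temp folder."""
    p = path.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
    return p.startswith(TRUSTED_ROOTS) and "\\temp\\" not in p


def repeat_minutes(value):
    """'3 Hour(s), 0 Minute(s)' -> 180; 'N/A' -> 0."""
    hours = re.search(r"(\d+)\s*Hour", value)
    mins = re.search(r"(\d+)\s*Minute", value)
    return (int(hours.group(1)) if hours else 0) * 60 + (int(mins.group(1)) if mins else 0)


def triage_tasks(csv_text, observed_period_minutes=None):
    """Return {task name: [reasons]} for every task that deserves a closer look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        for path in paths_in_command(row["Task To Run"]):
            if not is_trusted_location(path):
                reasons.append(f"runs {path} from an untrusted location")
        period = repeat_minutes(row["Repeat: Every"])
        if observed_period_minutes and period == observed_period_minutes:
            reasons.append(f"repeats every {period} minutes, matching the alert interval")
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    # The poster sees an alert roughly every three hours.
    for name, reasons in triage_tasks(SCHTASKS_SAMPLE, observed_period_minutes=180).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On Windows XP the job files themselves sit in %SystemRoot%\Tasks, and jobs created with the `at` command show up with names like At1; a task that is legitimate but merely unfamiliar will also be flagged by the location check, so treat the output as a shortlist to verify, not a verdict.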

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28931
  • Gender: Male
  • Dragons by Sasha
Re: URL:MAL
« Reply #9 on: June 14, 2010, 08:33:03 PM »
Hi, let's have a deeper look at the system. First though, have you checked your proxy settings?

David may well be right about a bad job in the Tasks folder.

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer


And for Firefox there are instructions on this page and you want the setting to be no proxy

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users
  • Under the Custom Scan box paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs
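The proxy check above is done through the Internet Options dialog. As an added example (not from the thread or from avast), here is the same check done against the settings themselves, which is faster to repeat and catches the case the dialog's "Proxy server" tick box does not show: Internet Explorer's proxy lives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, where ProxyEnable/ProxyServer back the tick box and AutoConfigURL backs the separate "automatic configuration script" option, which can redirect traffic while the proxy box is clear. Firefox keeps its equivalent in prefs.js as network.proxy.type (0 is "No proxy"). The registry read only works on Windows; the two dictionaries and the prefs.js excerpt are constructed for the example, and the PAC URL and 127.0.0.1 proxy in them are hypothetical.

```python
import re

PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL", "ProxyOverride")


def read_ie_proxy_settings():
    """Read the WinINET proxy values for the current user (Windows only).
    Returns {value name: data or None}."""
    import winreg  # only available on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in PROXY_VALUES:
            try:
                settings[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                settings[name] = None
    return settings


def assess_ie_proxy(settings, allowed_proxies=()):
    """Flag a manual proxy that is not on the allow-list, and any PAC URL.
    AutoConfigURL is the 'automatic configuration script' box, not the
    'proxy server' box, so it can be set while the latter is unticked."""
    findings = []
    if settings.get("ProxyEnable") and settings.get("ProxyServer"):
        if settings["ProxyServer"] not in allowed_proxies:
            findings.append(f"manual proxy enabled: {settings['ProxyServer']}")
    if settings.get("AutoConfigURL"):
        findings.append(f"automatic configuration script set: {settings['AutoConfigURL']}")
    return findings


FIREFOX_PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC script", 4: "auto-detect", 5: "system"}


def parse_prefs_js(text):
    """Parse user_pref("name", value); lines from a Firefox prefs.js."""
    prefs = {}
    for name, raw in re.findall(r'user_pref\("([^"]+)",\s*(.+?)\);', text):
        raw = raw.strip()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def assess_firefox_proxy(prefs):
    """Anything other than network.proxy.type 0 ('No proxy') is reported."""
    kind = prefs.get("network.proxy.type")
    if kind in (None, 0):
        return []
    findings = [f"network.proxy.type={kind} ({FIREFOX_PROXY_TYPES.get(kind, 'unknown')})"]
    for key in ("network.proxy.http", "network.proxy.autoconfig_url"):
        if prefs.get(key):
            findings.append(f"{key}={prefs[key]}")
    return findings


# Constructed samples. CLEAN_IE is what the dialog in the post describes;
# HIJACKED_IE has the proxy box unticked but a hypothetical PAC URL set.
CLEAN_IE = {"ProxyEnable": 0, "ProxyServer": None, "AutoConfigURL": None, "ProxyOverride": "<local>"}
HIJACKED_IE = {"ProxyEnable": 0, "ProxyServer": None,
               "AutoConfigURL": "http://example.invalid/proxy.pac", "ProxyOverride": None}
PREFS_SAMPLE = '''user_pref("browser.startup.homepage_override.mstone", "rv:1.9.2");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
'''


if __name__ == "__main__":
    try:
        print("this machine (IE):", assess_ie_proxy(read_ie_proxy_settings()))
    except ImportError:
        print("winreg unavailable (not Windows); showing constructed samples")
    print("clean sample:", assess_ie_proxy(CLEAN_IE))
    print("hijacked sample:", assess_ie_proxy(HIJACKED_IE))
    print("firefox sample:", assess_firefox_proxy(parse_prefs_js(PREFS_SAMPLE)))
```

Per-user settings are what the dialog edits; a machine-wide policy under HKLM with the same value names overrides them, so on a machine where the HKCU values look clean it is worth running the same read against HKEY_LOCAL_MACHINE as well.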

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20121
  • Gender: Male
  • malware fighter
Re: URL:MAL
« Reply #10 on: June 14, 2010, 09:16:03 PM »
Hi keith075,

media9s.com is a site that is classified as dangerous on several counts:
http://www.malwaredomainlist.com/mdl.php?search=media9s.com
Malware distributing site with drive-by-downloads/viruses
for nopagency.com see: http://www.malwaredomainlist.com/mdl.php?search=nopagency.com
same type of malware indicated....
the third site also: http://www.malwaredomainlist.com/mdl.php?search=88.80.7.152&colsearch=All&quantity=50
Could be this range of malware: http://www.threatexpert.com/reports.aspx?find=Monkif%20C%26C
About this Monkif C&C trojan on the media9s.com server read here: http://www.malwaredomainlist.com/forums/index.php?topic=4154.0
More information about this recently active malware from the Koobface family - Monkif C&C read:
http://research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html

Follow the instruction of malware eliminator, essexboy, to the dot and be safe and secure,

polonus

Offline inthefrey

  • Newbie
  • Posts: 2
Re: URL:MAL media9s.com
« Reply #11 on: June 15, 2010, 03:18:07 AM »
Hello all,


1st post!

I too started getting this "media9s.com/cgi" url warning about a week ago. I have tried everything above - still get the warning.

Online Tech

  • avast! team
  • Certainly Bot
  • Posts: 64867
  • Gender: Male
Re: URL:MAL
« Reply #12 on: June 15, 2010, 11:39:34 AM »
still get the warning.
Isn't it because the site is infected ???
The best things in life are free.

Offline djDave

  • Jr. Member
  • Posts: 30
Re: URL:MAL
« Reply #13 on: June 15, 2010, 01:03:01 PM »
I had the same problem with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx (without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx (without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again! I hope I'm done with them, and hope this might help someone... dave
« Last Edit: June 15, 2010, 01:11:26 PM by djDave »

Offline keith075

  • Newbie
  • Posts: 7
Re: URL:MAL
« Reply #14 on: June 15, 2010, 05:22:58 PM »
To answer everyone's questions... I have uninstalled/reinstalled IE and it made no difference.  I do not have to have the browser launched for the warning to pop up; it does it on its own.

The proxy server option is not checked under internet settings.

The log file is attached from OTL; it did not give me an Extras.txt file though.

Finally, I keep Windows, Advanced System Care, Malwarebytes, and Avast updated... none of them show any problems with full scans.  I also downloaded and updated SuperAntiSpyware but it only found some tracking cookies.
