Author Topic: Help  (Read 20167 times)

inthefrey

  • Guest
Re: Help
« Reply #15 on: June 15, 2010, 05:38:32 AM »
Just to bump this thread, my AVAST started flagging this same URL about a week ago.

Phobos

  • Guest
Re: Help for media9s.com
« Reply #16 on: June 15, 2010, 12:27:34 PM »
"bump" (+ subject titled)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help
« Reply #17 on: June 15, 2010, 01:31:21 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.
The best things in life are free.

Phobos

  • Guest
Re: Help for media9s.com
« Reply #18 on: June 15, 2010, 01:37:03 PM »
I concur with djDave

cleaned / checked > open Google (whereas he is opening Yahoo) >  let it sit a few minutes > warning comes up
« Last Edit: June 15, 2010, 01:39:26 PM by Phobos »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help
« Reply #19 on: June 15, 2010, 01:41:06 PM »
I concur with djDave

cleaned / checked > open Google (whereas he is opening Yahoo) >  let it sit a few minutes > warning comes up
http://forum.avast.com/index.php?topic=60716.msg512868#msg512868

Phobos

  • Guest
Re: Help
« Reply #20 on: June 15, 2010, 01:43:56 PM »
in other words, another thread on the subject:
http://forum.avast.com/index.php?topic=60716.msg512868#msg512868
« Last Edit: June 15, 2010, 01:57:53 PM by Phobos »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Help
« Reply #21 on: June 15, 2010, 01:51:36 PM »
Or run OTL, post the logs as attachments, and let Essexboy have a look...
http://forum.avast.com/index.php?topic=53253.0

djDave

  • Guest
Re: Help
« Reply #22 on: June 15, 2010, 03:06:51 PM »
I had the same problem as others are having with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again! I hope I'm done with them... I hope this helps someone... dave

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Help
« Reply #23 on: June 15, 2010, 04:54:12 PM »
Thanks for sharing.

You say you moved them to quarantine in SAS, it would be helpful if you can send a sample to avast.

Send the sample/s to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.

Unfortunately that would need you to first restore them from SAS quarantine, copy to the avast chest and then run an SAS scan again to remove it again...
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
« Last Edit: June 15, 2010, 06:12:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

djDave

  • Guest
Re: Help
« Reply #25 on: June 16, 2010, 02:04:18 AM »
Hi DavidR, I hope the info from polonus is what you need, as I'm kinda chicken to move the problem back into my PC. I do have logs from OTL that I saved while I had the problem; I could e-mail them to you or to an Avast address of your choice if that would be of any help. Thanks again for all you and others do here... dave

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Help
« Reply #26 on: June 16, 2010, 02:34:16 AM »
Not really, my concern is sending a sample to avast as they didn't detect it, so that they can hopefully add it to the virus definitions. The logs don't provide the sample which would be used to create a detection signature.

I understand not wanting to restore it.

Phobos

  • Guest
Re: Help
« Reply #27 on: June 16, 2010, 09:50:11 AM »
I had the same problem as others are having with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again! I hope I'm done with them... I hope this helps someone... dave



Worked ... Thanks djDave!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Help
« Reply #28 on: June 16, 2010, 03:29:14 PM »
Before you did that, did you send a sample to avast as suggested earlier in Reply #23 before quarantining it?

djDave

  • Guest
Re: Help
« Reply #29 on: June 16, 2010, 04:18:31 PM »
To DavidR: If someone else is working on this, could you explain how to find it in the PC, to send a sample to avast, as SAS does not give much info about it once it's in SAS Quarantine?

To Phobos: I'm glad it worked for you. I forgot to say that after all seemed well again I went to System Restore and created a new restore point.