Avast WEBforum

Other => Viruses and worms => Topic started by: RaginNoob on August 11, 2013, 09:56:30 PM

Title: this popup drops what im doing and opens webpage everyday
Post by: RaginNoob on August 11, 2013, 09:56:30 PM
DO NOT CLICK!!! http://web.tofushopnews.com/g/?ilmernzkvtazn=BCAEC5119C316547&pu=&s=D-firefox&nm=ilmernzkvtazn&t= (Not a link!!!!!)
This site engages my web browser every day. I suspect it's a virus download. But I can't find a way to make it stop from opening my browser. No matter what I'm doing, this happens. Can someone tell me how to block them? I have Malwarebytes as well as Avast. I scanned after it happened a few times to make sure I was clean. And nothing showed up in scans.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 11, 2013, 10:08:59 PM
Could you follow the steps here: http://forum.avast.com/index.php?topic=53253.0
And attach the generated logs in this thread.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Pondus on August 11, 2013, 10:11:29 PM
Report on that link... click the picture in the top right corner: http://urlquery.net/report.php?id=4500793
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Secondmineboy on August 11, 2013, 10:36:24 PM
It has JavaScript malware on it: http://sitecheck.sucuri.net/results/web.tofushopnews.com/g/

The Hacker is detecting this on the downloaded file in VirusTotal: JS/Feebs.gen@MM

Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Secondmineboy on August 11, 2013, 10:47:27 PM
The website is downloading two files called SetStretch.exe and SetStretch.cmd.

VirusTotal:
https://www.virustotal.com/en/file/a84b5e69527a9f91dae964ed40022a2a77c1fe45b7a381a335202ec3927d140b/analysis/1376253695/
https://www.virustotal.com/en/file/656912e6b3deb9fd4b6f223e9056350a77253fbda1b66df867aeda08956af342/analysis/

The files can be found in the Program (32-Bit) Folder of Windows.

I will send them to Avast for analysis.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Secondmineboy on August 11, 2013, 11:19:31 PM
The cmd file opens the exe file. (Screenshot)
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Secondmineboy on August 14, 2013, 07:10:59 PM
The files look clean. 1/45 is detecting the exe file on VirusTotal as Virut-Virus (Jiangmin).

It was first submitted in 2009.

Please follow the steps from Essexboy until he gives you a clean sheet, or he gives up. ;D
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: kruegerb on August 15, 2013, 07:05:37 AM
I am also having the exact same problem.  Attached are my log files.  Malwarebytes didn't find anything.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 15, 2013, 07:45:47 PM
Does this occur only in Firefox or is it in IE as well?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
[2013/05/29 18:34:21 | 000,003,723 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml
O2 - BHO: (no name) - {56E4076B-A42B-4745-BA35-34DA8AC4C2F2} - No CLSID value found.
O3 - HKU\S-1-5-21-894513301-464839021-2148896484-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

:Commands
[resethosts]
[emptytemp]
[Reboot]
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: Spacy on August 15, 2013, 08:53:15 PM
I'm also having the same problem with Google Chrome; it happens every day.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 15, 2013, 09:47:06 PM
More to the point, does it occur in IE, as Chrome and Firefox share files?
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: kruegerb on August 16, 2013, 04:16:01 AM
Received Microsoft Windows message "OTL Stopped Working" during fix.  Rebooted and ran OTL quick scan.  Results attached.
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 16, 2013, 01:51:47 PM
Are you still getting the same problem?
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: kruegerb on August 16, 2013, 02:10:05 PM
So far it hasn't come up.  We will wait and see now.  THANKS for your help!
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 16, 2013, 03:59:42 PM
Hmm, the problem with Firefox is that there are so many places for the malware to hide unseen.

Could you run Firefox in safe mode and see if the alerts restart? https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: danny1120 on August 19, 2013, 06:11:18 PM
Hi, I generally use Chrome, but this same pop-up comes up on my computer maybe daily in an IE window.  Can I follow the same fix that is outlined above that says it's system specific?
Title: Re: this popup drops what im doing and opens webpage everyday
Post by: essexboy on August 19, 2013, 08:01:58 PM
No, as stated they are system specific; used on another computer they may cause some unexpected results.