Avast WEBforum
Other => Viruses and worms => Topic started by: mariner on December 31, 2008, 03:58:18 AM
-
I'm getting Network Shield alarms about every 4 minutes when my Internet Explorer window is open, with the following message:
30.12.2008 21:35:55 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+260000493041722f03218a562928f5a693b2e5MILLAR-1++++++++Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205.1;%20en-US;%20rv:1.8.0.7)%20Gecko/20060909%20Firefox/1.5.0.7 [ C:\Program Files\Internet Explorer\iexplore.exe ]
Same thing over and over again. I've seen some posts talking about 78.110.175.21 and it not being a nice place, but I'm not sure where this is coming from.
Anti-virus isn't detecting anything and I've installed Ad-Aware and Spybot Search & Destroy and they don't see anything either.
Two other points that may help shed some info too...
First, when I do a Google search, the first page of results has bogus URLs inserted in it...typically www.monstermarketplace.com or www.justclickdeals.com, freescan.antivirus.com, etc, etc...the title of the page and the two-line description are accurate, but the URL that I'm sent to has nothing to do with the search result...this doesn't seem to occur when I do searches with yahoo.com or other non-Google engines.
Lastly, I was doing some searches trying to figure out why this was happening and there was a post about a pop-up that would occur that looked like a normal flash-update message, but really wasn't...I can't find that page specifically to post the URL (unfortunately).
Any ideas/help would be appreciated.
Thanks
-
I suggest SuperAntiSpyware Free (http://www.superantispyware.com/) or MalwareByte's AntiMalware (http://www.malwarebytes.org/mbam.php).
Download HiJackThis (http://www.filehippo.com/download_hijackthis/) and post a log here.
-
Hi, I installed the Malware application but it didn't find anything on a full scan.
Also, I forgot to mention this before, but Microsoft Update won't work either...it presents a page saying that it's only for the latest version of IE and presents a link to download and install the latest rev...I do that, but it still doesn't think I have the latest rev of the browser...I'm assuming something has hijacked the browser but I'm not sure how to get rid of it...
Attached is the output from the HiJackThis log...thanks for the help
-
I have exactly the same issue.
Avast alert at the bottom of the screen saying it blocked.... 78.110.175.21 and I can't download the new Microsoft Security updates, as it goes to a website and I can't then do the usual Windows Update thingy... I also get Google searches that aren't related to what I'm looking for but are searchclick.com or the like!
Anyone that can help???
Miss L.
-
Looks like it may be a new variant of Win32:Zlob. 78.110.175.21 is a Russian IP address.
I suggest an online scan through
Dr. Web CureIt (http://www.freedrweb.com/)
Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/kavwebscan.html)
Trend Micro Housecall (http://housecall.trendmicro.com/)
-
***
Welcome to the forums, mariner. :)
The IP address 78.110.175.21 is assigned to LIMIT SureHost located in Moscow, Russia.
From your HJT log :
The below entry is related to Windows Live Messenger.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
This next one does not look necessary to me but I hope someone will confirm this for me.
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.17&build=Symantec&a=00000082.00000001.00000001&b=00000082.0000000f.0000001b&c=00000082.0000001e.0000004a&d=00000082.00000020.0000004c&e=00000082.00000049.000000b9
To be fixed if the entry '' is unknown. Do you know of or use ByteScout? If yes, then they are ok.
O9 - Extra button: (no name) - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra 'Tools' menuitem: Extract Flash Video with Bytescout... - {51B035FC-5ABA-471F-A34E-7499E951FF7A} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
O9 - Extra button: Extract Flash Video with Bytescout... - {DE4FDA6F-7571-4455-A09F-D205E4DC9C46} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html
The below may be related to either Virtumonde or Smitfraud and I hope someone else can confirm this for me.
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD}
Do you or have you uploaded photos to CVS Pharmacy, Costco, WalMart, or other such Online Photo Center services? The below is related to such services through primedia.com
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD}
Those are the only ones I see in your HJT log that are either questionable or perhaps not needed.
***
-
***
Welcome to the forums, Deaki. :)
Please start your own thread in order to not confuse the help given in this thread. Use the "New Topic" button near the top right of this section of the forum.
***
EDIT to correct spelling error.
-
I just started getting this msg this morning, have no idea what it means or where I picked it up. I ran a full scan with avast and found nothing.
31.12.2008 12:14:28 Network Shield: blocked access to malicious site 78.110.175.21/cp/x/?u=0A1&i=0+e10000494a9707443781920b4b412693924db8BOOK-I9BOMLIG6Q+Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.2;%20.NET%20CLR%201.1.4322;%20.NET%20CLR%202.0.50727;%20.NET%20CLR%203.0.04506.30;%20.NET%20CLR%203.0.04506.648) [ C:\Program Files\Mozilla Firefox\firefox.exe ]
It comes up about every 4 min. Do I have something to worry about?
C4Monk
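As an added example (not code from any poster in this thread): a small Python parser for Network Shield log lines like the two quoted above. It pulls out the destination IP, the requesting process, and the machine name and user agent that the request leaks in its query string, then checks whether the blocks recur at a steady interval (the "every 4 minutes" both posters report). The two repeated timestamps are constructed; everything else comes from the lines quoted in this thread.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit
LINE_RE = re.compile(r"^(?P<ts>\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) Network Shield: "
                     r"blocked access to malicious site (?P<url>\S+) \[ (?P<proc>.+?) \]$")
ID_RE = re.compile(r"^(?P<id>[0-9a-f]+)(?P<machine>.*)$")  # lowercase hex id, then the PC name
# Sample input: the two lines quoted in this thread, plus two constructed repeats of the
# first about four minutes apart, mimicking the "every 4 minutes" the posters describe.
IE_LINE = (r"30.12.2008 21:35:55 Network Shield: blocked access to malicious site 78.110.175.21"
           r"/cp/x/?u=0A1&i=0+260000493041722f03218a562928f5a693b2e5MILLAR-1++++++++Mozilla/5.0%20"
           r"(Windows;%20U;%20Windows%20NT%205.1;%20en-US;%20rv:1.8.0.7)%20Gecko/20060909%20Firefox/1.5.0.7"
           r" [ C:\Program Files\Internet Explorer\iexplore.exe ]")
FF_LINE = (r"31.12.2008 12:14:28 Network Shield: blocked access to malicious site 78.110.175.21"
           r"/cp/x/?u=0A1&i=0+e10000494a9707443781920b4b412693924db8BOOK-I9BOMLIG6Q+Mozilla/4.0%20"
           r"(compatible;%20MSIE%207.0;%20Windows%20NT%205.2;%20.NET%20CLR%201.1.4322;%20.NET%20CLR%20"
           r"2.0.50727;%20.NET%20CLR%203.0.04506.30;%20.NET%20CLR%203.0.04506.648)"
           r" [ C:\Program Files\Mozilla Firefox\firefox.exe ]")
SAMPLE_LINES = [IE_LINE, IE_LINE.replace("21:35:55", "21:39:56"),
                IE_LINE.replace("21:35:55", "21:43:54"), FF_LINE]

def parse_query(query):
    # Split on '&' only: the user agent inside 'i' contains ';', which older parse_qs
    # versions also treat as a separator and would cut the value short.
    return {k: unquote_plus(v) for k, _, v in (p.partition("=") for p in query.split("&"))}

def parse_line(line):
    """Fields a responder wants from one Network Shield block line, or None if not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit("http://" + m.group("url"))
    # 'i' decodes to "0 <hex client id><machine name> <user agent>" (the '+' runs become spaces)
    _, _, rest = parse_query(parts.query).get("i", "").partition(" ")
    id_token, _, ua = rest.partition(" ")
    ident = ID_RE.match(id_token)
    return {"ts": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "ip": parts.hostname, "path": parts.path, "process": m.group("proc"),
            "client_id": ident.group("id") if ident else "",
            "machine": ident.group("machine") if ident else id_token,
            "user_agent": ua.strip()}

def beacon_intervals(events):
    """Seconds between consecutive blocks, keyed by (destination IP, requesting process)."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((e["ip"], e["process"]), []).append(e["ts"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for k, ts in by_key.items()}

def is_periodic(deltas, jitter=60):
    # Steady spacing with little jitter is the beacon pattern this thread describes.
    return len(deltas) >= 2 and max(deltas) - min(deltas) <= jitter
```

Run over a real avast log, the per-process interval list is what separates a background beacon like this one from a single blocked click.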
-
You could monitor this topic and run the suggested software. But it would be better to start your own new topic so as not to complicate this one.
Please start a New Topic of your own as it will just confuse the topic and we will try to help.
- Go to this link, http://forum.avast.com/index.php (http://forum.avast.com/index.php), scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.
-
31.12.2008 12:14:28 Network Shield: blocked access to malicious site 78.110.175.21
This site (78.110.175.21) is infected.
-
Hi,
I did a number of those scans and pulled some of the recommended items from the HiJack list...anyway, I stumbled across what I think is the solution in topic #41423.0
http://forum.avast.com/index.php?topic=41423.0
I deleted the file in question and the avast blocking messages have stopped, the google searches are accurate again and I can run Microsoft Update...
Thanks to all those who put the time in to help
-
***
You are welcome, mariner, and it is good to know you now have your problem corrected. :)
***
-
There could be many things that are causing this; it could be a cookie or adware. Put up a HijackThis log and then we should know what's happening.
-
Hi mariner,
Update your Java version, because an old one could get you infected; it might already be the right version, so check. A good way to keep an eye on the latest versions and patches is via this free download: http://secunia.com/PSISetup.exe
If you have to cleanse something in Safe Mode, disable TeaTimer for the time you are at that, and enable it again later.
Then you apparently haven't got a firewall running there, which makes you vulnerable on the Internet.
Survey of Active tasks on your OS
Process | Type | Description
smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
aawservice.exe | Anti-ad/spyware software | Ad-Aware 2007 Service
aswUpdSv.exe | Virus scanner | Avast Anti-Virus Component
ashServ.exe | Virus scanner | Avast
Explorer.EXE | System task | Microsoft Windows Explorer
SMax4PNP.exe | Background task | SMax4PNP MFC Application
iTunesHelper.exe | Application | Apple iTunes
StatusClient.exe | Background task | Hewlett-Packard Status Client
VM_STI.EXE | Background task | BigDogPath
jusched.exe | Background task | Sun Java Update Scheduler
HOMERunner.exe | Application | Part of TomTom routeplanner software - TML P
ashDisp.exe | Virus scanner | Avast AntiVirus
HPWuSchd2.exe | Background task | Hewlett Packard Software Update Scheduler
CTDetect.exe | Background task | Auto-detect and play a DVD when using a Creative Soundblaster Audigy2 soundcard.
ctfmon.exe | System task | Alternative User Input Services re: http://www.howtogeek.com/howto/windows-vista/what-are-wmpnscfgexe-and-wmpnetwkexe-and-why-are-they-running/
WMPNSCFG.exe | Background task | Windows Media Player Network Sharing Service Confi
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
spoolsv.exe | System task | Microsoft Printer Spooler Service
reader_sl.exe | Background task | Adobe Reader Speed Launch
boincmgr.exe | Background task | BOINC manager
WinCinemaMgr.exe | Background task | WinCinema Manager is needed when using the WinDVD Remote Control for WinDVD from Intervideo.
ICQ.exe | Application | ICQ
EasyShare.exe | Background task | Software bundled with Kodak digital cameras to manage the connection between the PC and the camera.
WindowsSearch.exe | Background task | Windows Desktop Search Tray
boinc.exe | Background task | Berkeley Open Infrastructure for Network Computing
javaw.exe | Application | Sun Java
hadsm3_6.07_windows_intelx86.exe | Unknown task | Unknown task
Hotsync.exe | Background task | HotSync Manager
hadam3_6.01_windows_intelx86.exe | Unknown task | Unknown task
IEXPLORE.EXE | Application | Windows Internet Explorer
CTsvcCDA.EXE | Background task | Creative CD-ROM Services
cvpnd.exe | Application | Cisco VPN Service
hadsm3_um_6.07_windows_intelx86.exe | Unknown task = ClimatePrediction.net.uk ?? | Unknown task
svchost.exe | System task | Microsoft Service Host Process
iaantmon.exe | Background task | Intel Application Accelerator RAID Monitor
nvsvc32.exe | Application | NVIDIA Driver Helper Service
HPZipm12.exe | Driver | HP Taskbar Utility
SMAgent.exe | Background task | Analog Devices magent
svchost.exe | System task | Microsoft Service Host Process
SearchIndexer.exe | System task | Search Indexer
ashMaiSv.exe | Virus scanner | Avast Anti-Virus Component
ashWebSv.exe | Virus scanner | avast! Web Scanner
iPodService.exe | Background task | Apple iTunes
hadam3_um_6.01_windows_intelx86.exe | Unknown task | Unknown task
SearchProtocolHost.exe | System task | SearchProtocolHost
WLLoginProxy.exe | Application | Microsoft® Windows Live Login Helper
wuauclt.exe | System task | AutoUpdate Client
wuauclt.exe | System task | AutoUpdate Client
HijackThis.exe | Application | HijackThis
polonus
-
There could be many things that are causing this; it could be a cookie or adware. Put up a HijackThis log and then we should know what's happening.
To whom are you addressing your comment to as there are two posters in this and one has already posted a HJT log and received help on it. So if it is addressed to the other poster, I asked him to start another topic as it would just confuse this one, which he did and his problem has also been resolved.
Also don't ask for a HJT log to be posted unless you are prepared to do the analysis.
I appreciate you are trying to help but you have to read the topic so we are all working from the same page or it just confuses things.