Avast WEBforum
Other => Viruses and worms => Topic started by: djDave on June 13, 2010, 11:51:28 PM
-
I hope I don't have a problem. I just went from Avast 4.8 to 5, did a complete scan, and it found (and I moved to the chest) win32:Delf-MZG (trj) and Win32:KillApp-W (pup)...
Now I keep getting a (Malicious URL Blocked)
"avast network shield has blocked a threat"
Object: nopagency.com/cgi/yoetj:?td=67=03465x04445
Url: Mal
action: Blocked
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
and another one with all the same except
Object: media9s.com/cgi/eujzpe.php?pu=67=03465x04445
Are these things in my PC that were blocked, or things online that were blocked from getting to me? Thanks so much in advance...dave
-
The 2 URLs you listed were blocked by avast before you could enter the websites, so I guess they are on some bad website list.....
(win32:Delf-MZG (trj) ) and a (Win32:KillApp-W (pup) )
These were found in your computer, but we need the names of the files that were detected and where in the PC they were found to find out more....
Check your computer for malware with
Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
After install, click update so you have the latest database before you scan.
Run a quick scan and click the "remove selected" button to quarantine anything found.
Post the log here.
-
Thanks, I ran a scan yesterday and the day before; they both came out clean (see below). The (win32:Delf-MZG (trj) ) and (Win32:KillApp-W (pup) ) are in my Avast chest now. Is there still more to clean up?
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4189
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
6/11/2010 2:41:41 PM
mbam-log-2010-06-11 (14-41-41).txt
Scan type: Full scan (C:\|D:\|F:\|M:\|)
Objects scanned: 500379
Time elapsed: 3 hour(s), 40 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
PS: Sorry, forgot to say what the "the 2 URL you listed was blocked by avast before you could enter the websites. so i guess they are on some bad website list" are... I get the blocked message every time I go to my Yahoo home page! And got it again when I came here...
-
I doubt that the network shield alerts were in any way related to the Win32:KillApp-W (pup) detection, though there is a possibility it could be related to the win32:Delf-MZG (trj) detection (but as has been said we need the file name and location).
A quick MBAM scan is generally enough as a first scan, it will find the majority of what would be found in the c:\ drive.
Are you using an HP system? There have been a couple of detections relating to Win32:KillApp-W in c:\hp\bin. Is that the original location of the file (and what is its file name)?
-
Yes, it is an HP product, with an HP scanner and photo programs. How do I find out where things that are now in my virus chest came from? It just says System Volume Information\_restore{ED1AD764-6EE8 and about 20 more numbers} under original location, and the name is A0156470.exe if that helps... Quick and full scans with Malwarebytes all come up clean... this is all strange to me... Thank you for trying to help
-
Now when I came back here to read this again I got the (Malicious URL Blocked)
"avast network shield has blocked a threat" media9s.com/cgi/eujzpe.php?pu=67=03465x04445 Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
I didn't have anything else open or running, just this page, when I got the message.
-
Well right clicking on the file in the chest and selecting properties would show the original location.
So I would say that these ones in the system restore aren't related to the Win32:KillApp-W detection, are they?
If so this is less of an issue:
- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
~~~
The other detections I mentioned relating to the Win32:KillApp-W detection were effectively live files and in the c:\hp\bin folder.
-
Well, the detection appears good, see http://www.mywot.com/en/scorecard/media9s.com, though why it is happening is the mystery. Do you have any feeds, etc. set up in IE that may be trying to access this site?
-
Thanks again. Where do I look for "any feeds, etc. set-up in IE that may be trying to access this site"? I just changed to IE8 in the last few days, trying to find the problem. Something keeps IE from loading for about 80 seconds; it used to load in about 10 seconds, so there must be something trying... thanks again... dave
-
I don't use IE as my default browser, it is only there because IE is an integral part of the OS so you have to keep it up to date. So I use it very infrequently and am not very familiar with its settings now.
By feeds I mean RSS or Live Bookmarks, something that checks a site to see if there is anything new on it. That background checking would force the network shield to check the site against its malicious sites list.
I'm surprised that MBAM didn't find anything if you are getting this in IE as it sounds a little like browser hijacking.
Try SUPERantispyware (http://www.superantispyware.com) (SAS). On-demand only in the free version.
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available is a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.
-
Thanks again. I have SUPERAntiSpyware Free Edition; I've updated it and run it several times lately, and it only comes up with cookies. I've deleted temps, trashed most old favorites, scanned and scanned, and yet I have a very slow starting IE, and the first time each restart I right-click on any song or photo file it takes over a minute before I get the box to choose an option.... strange stuff going on...
-
For the browser issue, what happens if you try another browser: firefox, chrome or opera, etc.?
If it is taking this amount of time before getting options on the right click of files, it could be a conflict, but trying to pin that down isn't easy. Open the task manager so you can try and monitor what activity is going on when you try this. It could also be a shell extension (explorer right-click entries) conflict, which may not show in any CPU increase, and once more this isn't easy to identify.
-
The only thing that jumped up in CPU under Processes was "explorer.exe", user name owner (mem usage 28,088k). I also have 2 "iexplorer.exe" with 40k & 48k of mem; they didn't move, and down near the bottom "system" jumped just a little.
-
That is weird, as explorer is just the windows file process. I'm at a loss as to what it might be.
-
Just to bump this thread, my AVAST started flagging this same url about a week ago.
(http://inthefrey.com/media9s.jpg)
-
"bump" (+ subject titled)
-
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.
-
I concur with djDave
cleaned / checked > open Google (whereas he is opening Yahoo) > let it sit a few minutes > warning comes up
-
http://forum.avast.com/index.php?topic=60716.msg512868#msg512868
-
in other words, another thread on the subject:
http://forum.avast.com/index.php?topic=60716.msg512868#msg512868
-
Or run OTL, post the logs as attachments, and let Essexboy have a look....
http://forum.avast.com/index.php?topic=53253.0
-
I had the same problem as others are having with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again ! I hope I'm done with them...I hope this helps someone...dave
-
Thanks for sharing.
You say you moved them to quarantine in SAS; it would be helpful if you can send a sample to avast.
Send the sample/s to avast as Undetected Malware:
Open the chest, right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.
Unfortunately that would need you to first restore them from SAS quarantine, copy to the avast chest and then run an SAS scan again to remove it again...
-
Hi DavidR,
It is being reported elsewhere as well:
http://webcache.googleusercontent.com/search?q=cache:-5b0mbucuRoJ:www.garenaworld.com/archive/index.php/thread-427.html+&cd=3&hl=en&ct=clnk
http://jsunpack.jeek.org/dec/go?report=1a19a872d7a5a212d800d5f872291f3ed090dc27
cleansing proposal here: http://www.bleepingcomputer.com/forums/topic322608.html
It is a Monkif. C&C site: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-May/007476.html
http://www.malwaredomainlist.com/mdl.php?search=nopagency&colsearch=All&quantity=50
polonus
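The alerts quoted in this thread share one shape: a host from a short list (media9s.com, nopagency.com, 88.80.7.152) and a request of the form /cgi/<random>.php?<key>=<digits>, which polonus identifies above as Monkif C&C traffic. On a network with a proxy log, that shape is easy to hunt for, and it also tells you which client machines are beaconing (the infected IE process, not the user, is making the request). The following Python script is an added example, not code from the thread or from avast: it runs a two-tier match (known host, and/or the request shape) over a constructed proxy log. The log format, the client addresses and the example.org line are all assumptions made for the demonstration; only the hosts and URL shape come from the posts.

```python
"""Flag proxy-log requests matching the Monkif C&C pattern discussed in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Hosts named in the avast Network Shield alerts quoted in this thread.
MONKIF_HOSTS = {"media9s.com", "nopagency.com", "88.80.7.152"}

# Request shape seen in those alerts: /cgi/<letters>.php?<letters>=<digits...>
# Assumption: the value is digits, allowing the '=' and 'x' separators the posts show.
PATH_RE = re.compile(r"^/cgi/[a-z0-9]+\.php$", re.I)
KEY_RE = re.compile(r"^[a-z]+$", re.I)
VALUE_RE = re.compile(r"^[0-9][0-9=x]*$", re.I)

# Constructed sample log (not real traffic): "<date> <time> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2010-06-13 23:40:01 192.168.1.10 GET http://www.yahoo.com/ 200
2010-06-13 23:40:03 192.168.1.10 GET http://media9s.com/cgi/eujzpe.php?pu=67=03465x04445 200
2010-06-13 23:41:10 192.168.1.10 GET http://nopagency.com/cgi/kpudd.php?ddddd=6733616 200
2010-06-13 23:45:30 192.168.1.22 GET http://example.org/cgi/abcd.php?q=123456 200
2010-06-13 23:46:00 192.168.1.22 GET http://example.org/cgi/search.php?term=avast 200
2010-06-13 23:47:12 192.168.1.10 GET http://88.80.7.152/cgi/oejo.php?dsi=6733616 200
"""


@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    url: str
    reason: str  # "known_host", "beacon_shape" or "known_host+beacon_shape"


def beacon_query(query: str) -> bool:
    """True if the query string is exactly one <letters>=<digits...> pair."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if len(pairs) != 1:
        return False
    key, value = pairs[0]
    return bool(KEY_RE.match(key) and VALUE_RE.match(value))


def classify_url(url: str) -> Optional[str]:
    """Return the matching reason(s) for a URL, or None when it looks benign."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in MONKIF_HOSTS:
        reasons.append("known_host")          # IoC from the thread
    if PATH_RE.match(parts.path) and beacon_query(parts.query):
        reasons.append("beacon_shape")        # same request shape, any host
    return "+".join(reasons) if reasons else None


def scan_log(text: str) -> List[Hit]:
    """Parse the constructed log format and return every flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        client, url = fields[2], fields[4]
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, urlsplit(url).hostname or "", url, reason))
    return hits


def clients_with_known_host(hits: List[Hit]) -> List[str]:
    """Client addresses that contacted a listed C&C host: the machines to clean first."""
    return sorted({h.client for h in hits if "known_host" in h.reason})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} -> {h.host} [{h.reason}]")
    print("clients to triage:", clients_with_known_host(found))
```

A shape-only hit (the example.org line) is a lower-confidence signal and is reported separately from a listed-host hit, so an analyst can triage the known C&C contacts first and review the rest by hand; in this thread the listed hosts alone would have identified djDave's PC.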
-
Hi DavidR, I hope the info from polonus is what you need, as I'm kinda chicken to move the problem back into my PC. I do have logs from OTL that I saved while I had the problem; I could e-mail them to you or to an Avast address of your choice if that would be of any help. Thanks again for all you and others do here.. dave
-
Not really. My concern is sending a sample to avast, as they didn't detect it, so that they can hopefully add it to the virus definitions. The logs don't provide the sample, which would be used to create a detection signature.
I understand not wanting to restore it.
-
Worked ... Thanks djDave!
-
Before you did that, did you send a sample to avast as suggested earlier in Reply #23, before quarantining it?
-
To David R: If someone else is working on this, could you explain how to find it in the PC, to send a sample to avast, as SAS does not give much info about it once it's in SAS Quarantine?
To Phobos: I'm glad it worked for you. I forgot to say that after all seemed well again I went to System Restore and created a new restore point.
-
As I said in my reply #23 above, if it is already in the SAS Quarantine (you won't find it on your PC), a protected area, the only option is to restore it to the original location (and that carries a limited risk, which you had before any detection, but avast is blocking that).
Then add it to the avast chest (where it can be submitted later), then run SAS again and allow it to quarantine it again. Now it can be submitted to avast from the sample you put in the avast chest. I understand anyone's reluctance to restore it from the SAS Quarantine, which is why it is important to add it to the avast chest before taking that action.
-
You're welcome ... and yes, i did that ... thanks.
-
I would have done that, however I could not (and cannot) understand 'how'... When the avast popup occurred, I would click on it (nothing)... Then I went to the 'network shield' section so I could see the problem; I could see it in the 'last analysed connection' part, clicked on it (nothing), looked in 'traffic history' (nothing), 'report file' (nothing), and then wondered if I had some settings that were affecting my ability to see more details about the popup so that I could a) understand its origins, and b) do anything about it (eg: add to chest).
Note (if it helps): it involved the removal of 2x trojan.Dropper/Win-NV in C:\WINDOWS\MSVIDEO.DLL
-
Phobos: I know what you mean; that's the way it was for me also. When moved into SAS Quarantine, I could not r/click on it for properties, so I was not sure if I could find it, or if restoring it would change it in some way??? At least for now the darn thing is gone and has not come back... Have a great day... dave
-
Goodbye:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
This is the 4th day since I did the cleaning as reported in reply #22 and all is still well here. I did a complete scan with SAS today and all came up clean! I'm running XP and IE. I don't know if this works the same for others, but it has for me. Thank you Avast and everyone that helps here... djDave
PS: Have a great weekend...
-
Refusal IE !
Recommend Firefox !
-
Hi guys!
Can you help test my website in China?
My website named GHD (http://www.ghdtradezone.com)
-
This page seems to be <clean>
http://www.UnmaskParasites.com/security-report/?page=www.ghdtradezone.com
URLvoid
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor UNRATED
Scanning site with: McAfee TrustedSource UNRATED
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
WOT
http://www.mywot.com/en/scorecard/www.ghdtradezone.com