Avast WEBforum
Other => Viruses and worms => Topic started by: Sartigan on June 26, 2010, 07:58:40 PM
-
Hi everybody, I'm getting scared by these things:
FireFox blocks redirections on the following sites:
chiponline [dot] hu
pcguru [dot] hu
faviccek [dot] hu
brusheezy [dot] com
NoScript whitelist contained unknown sites and 1 malware site (rated by wot)
One of them is orbitcycle [ dot ] com - the malicious one
I ran MBAM and Avast!, both say CLEAN.
Everything started when I visited msn.com - I randomly clicked on "The MSN's Homepage" when its menu didn't appear.
I PM-ed essexboy about this.
Please help me ???
-
I PM-ed essexboy about this.
Please help me ???
As you already contacted essexboy, there's not much left to do...!! ;)
asyn
-
Nevertheless...
Report 2010-06-26 20:25:47 (GMT 1)
Website chiponline.hu
Domain Hash 6ecbc443b47b13f1c73c082ead664aa1
IP Address 193.28.86.140 [SCAN]
IP Hostname 3.bleed.hu
IP Country HU (Hungary)
AS Number 47381
AS Name EASYGO-AS EasyGO Kft.
Detections 0 / 19 (0 %)
Status CLEAN
Report 2010-06-26 20:27:48 (GMT 1)
Website pcguru.hu
Domain Hash 45929b188d96310c907a9a292cd0baaf
IP Address 193.28.86.140 [SCAN]
IP Hostname 3.bleed.hu
IP Country HU (Hungary)
AS Number 47381
AS Name EASYGO-AS EasyGO Kft.
Detections 2 / 19 (11 %)
Status SUSPICIOUS
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: Finjan DETECTED
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor CLEAN
Scanning site with: McAfee TrustedSource CLEAN
Scanning site with: MyWOT CLEAN
Scanning site with: Norton SafeWeb SUSPICIOUS
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard CLEAN
Scanning site with: ZeuS Tracker CLEAN
Report 2010-06-26 20:29:13 (GMT 1)
Website faviccek.hu
Domain Hash 627053620bdbbf28ab97b4a92a6fd0c8
IP Address 85.25.77.86 [SCAN]
IP Hostname server3-customer.iworx-host.com
IP Country DE (Germany)
AS Number 8972
AS Name PLUSSERVER-AS PlusServer AG, Germany
Detections 0 / 19 (0 %)
Status CLEAN
Report 2010-06-26 20:30:41 (GMT 1)
Website brusheezy.com
Domain Hash c9afdeeddab08edf01996aaae099a1c0
IP Address 174.36.237.116 [SCAN]
IP Hostname dale.eezyinc.com
IP Country US (United States)
AS Number 36351
AS Name SOFTLAYER - SoftLayer Technologies Inc.
Detections 0 / 19 (0 %)
Status CLEAN
Report 2010-06-26 20:32:12 (GMT 1)
Website orbitcycle.com
Domain Hash 6449e67a3e4aff54d797b807c405e3ea
IP Address 216.234.246.157 [SCAN]
IP Hostname 9d.f6.ead8.static.theplanet.com
IP Country US (United States)
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service...
Detections 3 / 19 (16 %)
Status DANGEROUS
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts DETECTED
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor CLEAN
Scanning site with: McAfee TrustedSource CLEAN
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard DETECTED
Scanning site with: ZeuS Tracker CLEAN
-
Avast! Network shield also scans the following: twitter.com/steive23isking
An hour ago, avast! checked a rapidshare connection with a stupid and long filename ending with rar.htm
I hope I get an answer for my problems
-
I hope I get an answer for my problems
Be patient..! ;)
essexboy will drop in, sooner or later...
asyn
-
PM sent, didn't realise you started a thread
Post the details here please ;D
-
Hi Sartigan,
Could go there, faviccek.hu, with flock browser with NS and RP activated, no flag whatsoever. Scan reports clean.
See attached gif. So I think our qualified eliminator essexboy should come into action once again,
polonus
-
As you said, essexboy, I did the scan with ComboFix
Here is the log
-
Nothing apparent there - what are the exact problems you are experiencing?
-
Hi essexboy,
Did he try to ping the various sites' IPs from the command prompt, and what were the results? Did he try to check whether the sites were only off-limits to him? Was the IP range from his provider being blocked higher upstream because someone in that range did something "devious"? Questions, questions,
polonus
-
Now let's try one - does it try to redirect?
Faviccek.hu = DOESN'T TRY TO REDIRECT
I saw ComboFix deleted something ending with PE.tmp
Ok let's try another - chiponline.hu.......
Tries to redirect :(
Brusheezy: No redirect
PCGuru and Chiponline are big partners
I haven't got any other problems
-
And this only happens in Firefox ?
-
I will try it with IE, but I don't trust it
I haven't started Internet Explorer in a year. I don't have any ad / script blocking addons for Internet Explorer, that's why I don't use it
-
If you have IE8 that is quite secure - leastwise I do not use anything else apart from Simple Adblock
-
Hi Sartigan,
You could also make a new profile with Fx, re: http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows
polonus
-
It's a bit strange, because I lost all my open tabs and all my addons, and I needed to reinstall them and redo the settings; I just hope it will help :-\
Didn't help me, FireFox blocks a redirection on chiponline.hu - in the new profile :S
-
Hi sartigan,
Did you try to go to these sites using a website proxy of some sort like Hidemyass or similar, were you allowed to go there then, then it has something to do with a situation outside your machine, try that,
polonus
-
I didn't try it
The new profile thing doesn't work - FireFox blocks a redirection at Chiponline :S
-
Didn't help me, FireFox blocks a redirection on chiponline.hu - in the new profile :S
Maybe you set FF up to do so...??
There's an option for it, but sorry can't lead you there, as I use the german version.
English users would know better, where to find it... Please jump in..!
asyn
-
AWWW.... I installed Internet Explorer 8 and it asked me to restart; I restarted my system and it froze at a window: Adding personal settings
I rebooted more than 4 times and now Online Armor asked about 2 files from IE8, but Windows started normally and everything is loaded.
I need back IE7 :S
Now I'm going to restore a backup :S
-
AWWW.... I installed Internet Explorer 8 and it asked me to restart; I restarted my system and it froze at a window: Adding personal settings
I rebooted more than 4 times and now Online Armor asked about 2 files from IE8, but Windows started normally and everything is loaded.
I need back IE7 :S
Now I'm going to restore a backup :S
So what is your problem, right now - exactly..?
asyn
-
My only problem is the chiponline.hu redirection - which FireFox blocks
The Brusheezy and faviccek.hu redirections don't appear, just on chiponline
-
Hi Sartigan,
Look for a hidden inline script there, something like: hxxp://79.135.152.181/stats/go.php?sid=1 (the url may vary), scanners hardly detect this script, go to novirusthanks.org and scan with their hidden iFrame detector..
On connecting to chiponline.hu it immediately starts to redirect and download malcode...
# hidden összes magasan értékelt letöltés - htxp://download.chip.eu/hu/Home_1899.html?order=5
# <A> hidden összes magas érték - hxtp://download.chip.eu/hu/Home_1899.html?order=3
See: http://jsunpack.jeek.org/dec/go?report=b5da8da1d94e36d98d6515216fee7e516c39f9fe
polonus
-
:o :o
OH MY GOD, so this isn't my computer?
I won't go there anymore :S
Thank you very much for giving me answer ;)
This happens on some PCGuru.hu pages too. I will check it
Thank you again
I didn't allow the redirection, I thought it was my computer - so essexboy, you were right that this site has probably been hacked :D
Thank you and keep up the good work ;)
-
Not all problems are on the host computer - and once they have been eliminated there is only one logical answer - a hacked site
-
And what should I do with Combofix's quarantined files? Like C:\Installer.exe and some others...
No more redirections - just these
I hope I won't get any more problems like this! But the bad is always back.....
-
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u20-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u20-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
- Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Keep safe :wave:
-
Howdy Sartigan,
Fine we could solve this problem and bring it back to its true proportions: hidden script injection of a certain web page with malcode. This is a gigantic online problem at the moment, because malcreants try to inject as many web pages as they are able to through ready-made exploit kits, and cybercriminals will also take to these actions for their own devious ends; and what to think of all the fake AV redirects and malcoded ad code: on one page it is gone and cleansed, and on another page it rears its ugly head again. Therefore use in-browser protection and learn to use the full protection of the NoScript extension in the Firefox browser (or any other type of Mozilla browser like Flock, etc. for that matter), and these issues won't bite you next time around. May your surfing be safe and secure, is the wish of
polonus
-
chiponline.hu is the Hungarian "news portal" of a very popular website that everyone knows: download.chip.eu - and (as it looks like) it's infected, I warned my website's members about this :) - and I wrote this to the end of my post - on my forum (in Hungarian): "Thank you polonus, essexboy!" :)
Essexboy, where can I download OTL? Because I haven't got OTL, I always update my MBAM and run a scan once a week, I will download Spyware Blaster after I clean up with OTL.....
-
Essexboy, where can I download OTL? Because I haven't got OTL
http://forum.avast.com/index.php?topic=53253.0 click the OTL
-
Essexboy, where can I download OTL? Because I haven't got OTL
http://forum.avast.com/index.php?topic=53253.0 click the OTL
Thank you ;)
OK Done, but OTL opened the DCOM Port, I closed it with WWDC :)
I updated Java - as you said
I always download the security updates for Windows.
I installed Spyware Blaster - now let's see how it works :)
Do I need to do anything else?
-
I visited Safeweb.norton.com and Firefox blocked a redirection but it was a "Friendly" one, because the "Refresh" meta tag looks like this: "0;URL=/noscript/"
NoScript tries to give me a warning, or what is this?
Any ideas? :)
-
NoScript tries to give me a warning, or what is this?
Any ideas? :)
Yes, NS does this, if you set it up to do so... (This doesn't mean the redirection is bad, though)
Also FF does this, if specified in the settings...!
asyn
-
Now let's see what is this "warning"...
You're right: NS warns me that I haven't got JS enabled
-
I viewed chiponline.hu again and now it has a refresh meta tag (noscript blocked it - by my settings) to /index.php :)
Others could be caused by something on my computer but now they don't appear.
Polonus, now it's a meta redirection! Did they correct something? ::)
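As an added example (not posted by anyone in this thread), the two checks discussed above can be automated: polonus's hidden inline script/iframe check and Sartigan's question of whether a meta refresh like "0;URL=/noscript/" is a "friendly" same-origin redirect. The scanner below parses a constructed page, flags meta refresh redirects and zero-size or display:none iframes, and reports whether each target stays on the page's origin; the page URL, the HTML and the placeholder host example.invalid are all made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not captured from any site): a same-origin meta refresh
# like "0;URL=/noscript/", an off-site one, two hidden iframes, one visible iframe.
PAGE_URL = "http://chiponline.hu/index.php"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;URL=/noscript/">
<meta http-equiv="Refresh" content="5; url=http://example.invalid/stats/go.php?sid=1">
</head><body>
<iframe src="http://example.invalid/x.html" width="0" height="0"></iframe>
<iframe src="/ads/frame.html" style="display: none"></iframe>
<iframe src="/player.html" width="640" height="360"></iframe>
</body></html>"""
# "<seconds>;url=<target>" as browsers accept it: optional spaces and quotes
META_REFRESH = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)

class RedirectScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url)[:2]       # (scheme, host) of the page itself
        self.findings = []                         # (kind, absolute_target, cross_origin)

    def _add(self, kind, target):
        absolute = urljoin(self.page_url, target)  # resolve relative targets like /noscript/
        cross = urlsplit(absolute)[:2] != self.origin
        self.findings.append((kind, absolute, cross))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}       # html.parser lowercases tag/attr names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content", ""))
            if m:
                self._add("meta-refresh", m.group(1))
        elif tag == "iframe":
            # zero-size or display:none frames are the hidden-iframe pattern
            style = a.get("style", "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self._add("hidden-iframe", a.get("src", ""))

def scan(html, page_url):
    s = RedirectScanner(page_url)
    s.feed(html)
    return s.findings                              # [(kind, absolute_target, cross_origin)]

if __name__ == "__main__":
    for kind, target, cross in scan(SAMPLE_HTML, PAGE_URL):
        print(kind, "CROSS-ORIGIN" if cross else "same-origin", target)
```

A same-origin meta refresh is the benign case Sartigan saw on safeweb.norton.com; a cross-origin one, or any hidden iframe, is what deserves a closer look.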