Author Topic: hxxp  (Read 6703 times)

0 Members and 1 Guest are viewing this topic.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
hxxp
« on: April 10, 2009, 10:54:48 AM »
I just came back to avast on this computer and checked my log. Last time in, I wrote an infected and active url in full. Sorry folks, I was in too much of a rush. Correct this. Original post has been corrected as well.


Malware ID      hxxp://tejary.net/h.js

I also posted two entries from June 2008 that I found in my event viewer. I thought at first malware because I recall a plethora of malware infections at the time, perhaps a little later. Kids might download a browser to the desktop and the avast application gets overridden. Infected flash drives were common. Computers were easy cleaned of usual suspects. I thought there might have been more to it when I traced back through entries in the event viewer. But I don’t think so now. I don’t think there’s much in these two entries.

23-6-08
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005

17-6-2008
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005. 


I was installing avast quite regularly at the time. I went off feature heavy browsers and settled for a simpler desktop. I think the Mozilla browser was uninstalled before Oct / Nov 2008. I have no idea what the AAVM - scanning warning means.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #1 on: April 10, 2009, 03:21:44 PM »
First there are two iframe tags inside that javascript file so the detection is good. One of these iframes links to a Chinese site with known malware the other appears a legit site, however, this use of a ,js file is very suspicious anyway.

The other two are access denied and nothing avast can do about that:
Personally I keep my nose out of the logs as for the most part the content is verbose and not to helpful to a user, more so for a developer. Only if I experience a problem with avast or hard errors are displayed to the screen do I look in the logs.
 
So are you getting any errors displayed to the screen or other avast problems ?
 
If not I wouldn't worry about this.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33990
  • malware fighter
Re: hxxp
« Reply #2 on: April 10, 2009, 03:33:32 PM »
Hi DavidR,

I have Event Log Explorer and that shows up what happens,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #3 on: April 10, 2009, 03:55:00 PM »
I'm not sure were event log explorer would come into this ?

If it is for the error number, it is a windows file system error and for that I just have a little program called Error Messages For Windows from gregorybraun.com a massive 150KB, there are lots of other small tools on the site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: hxxp
« Reply #4 on: April 10, 2009, 04:27:13 PM »
How to check webpages is being asked here: http://forum.avast.com/index.php?topic=44139.msg369428#msg369428
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #5 on: April 10, 2009, 05:30:35 PM »
In this case I used my download manager, Orbit to download the .js file avast alerted twice, but I took no action. I cut and pasted it into my exclusions folder, checked in and checked the contents using notepad.

Not rocket science or really difficult but not something I would recommend unless you are prepared to deal with any potential consequences.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: hxxp
« Reply #6 on: April 10, 2009, 05:35:52 PM »
Not rocket science or really difficult but not something I would recommend unless you are prepared to deal with any potential consequences.
I wish some kind of tool that does that automatically...
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33990
  • malware fighter
Re: hxxp
« Reply #7 on: April 10, 2009, 06:50:41 PM »
Hi Tech,

If I did not have anti-virus log via Event Log Explorer, where would I get information on an Avast scanning error like:
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\POLONUS~1\LOCALS~1\TEMP\~DFD14D.TMP (C:\DOCUME~1\POLONUS~1\LOCALS~1\TEMP\~DFD14D.TMP) returning error, 00000005.
All my av flag warnings also land there. Type Date Time Event Source Category User Computer
I am rather glad with this program, and glad bob3160 once pointed it out to me, all the logs are filed and saved,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #8 on: April 10, 2009, 07:14:46 PM »
Like I said earlier I keep out of the avast log viewer and the same goes for the windows event viewer (it is no more helpful than the avast log viewer) unless I have a specific problem or errors are displayed to the screen.

As in the case of the above it really is a non-error just a file with access denied.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: hxxp
« Reply #9 on: April 10, 2009, 07:24:01 PM »
Hi Tech,

If I did not have anti-virus log via Event Log Explorer, where would I get information on an Avast scanning error like:
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\POLONUS~1\LOCALS~1\TEMP\~DFD14D.TMP (C:\DOCUME~1\POLONUS~1\LOCALS~1\TEMP\~DFD14D.TMP) returning error, 00000005.
All my av flag warnings also land there. Type Date Time Event Source Category User Computer
I am rather glad with this program, and glad bob3160 once pointed it out to me, all the logs are filed and saved,

polonus

I am with polonus as I like Event Log Explorer as it makes the Event Logs much easier to view and handle
Quote
Analyze your event logs with Event Log Explorer™

Event Log Explorer™ is an effective software solution for viewing, monitoring and analyzing events recorded in Security, System, Application and another logs of Microsoft Windows NT/2000/XP/2003 operating systems. Event Log Explorer greatly extends standard Windows Event Viewer monitoring functionality and brings many new features.
http://www.eventlogxp.com

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: hxxp
« Reply #10 on: April 10, 2009, 11:06:40 PM »
Thanks DavidR, Avast support forum, for sharing knowhow.  :)

The two AAVM scanning warning messages appear isolated events that occurred when access was denied (returning error, 00000005) as you say. There appear no other associated entries in event viewer.

23-6-08
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005

17-6-2008
AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS (C:\DOCUMENTS AND SETTINGS\MKIS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\FYCG5LV2.DEFAULT\PREFS.JS) returning error, 00000005.

‘FYCG5LV2’ a bit of a worrying looking reference (profile or account reference perhaps?). I just didn’t like the look of it.  :o


Default pref. Files seem to be preference settings from user customization of Mozilla toolbar functions which may have tried to launch at startup but access subsequently denied as part of Mozilla security I presume – and so error registered for the event.

http://www-archive.mozilla.org/catalog/end-user/customizing/briefprefs.html

I’m not worried about the two files. I thought perhaps something more may have been happening than actually was. The Mozilla program / toolbar was uninstalled later and no entries have since registered outside the two originals.

‘FYCG5LV2’ still a bit worrying but can’t see any record of malware come to surface. So have to say okay. May be looking for too much that isn’t there. And I'll keep a closer eye on how I write any suspect urls from now on.

Much thanks

mkis
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #11 on: April 10, 2009, 11:21:04 PM »
This is just the random naming of the firefox folders that store the browser profiles (see image, nothing to worry about, note the random naming).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: hxxp
« Reply #12 on: April 11, 2009, 01:50:37 AM »
Very clear now. I see random naming. Much appreciated.  :) :) :)
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89443
  • No support PMs thanks
Re: hxxp
« Reply #13 on: April 11, 2009, 03:26:48 AM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: hxxp
« Reply #14 on: April 11, 2009, 05:59:13 PM »
Like I said earlier I keep out of the avast log viewer and the same goes for the windows event viewer (it is no more helpful than the avast log viewer) unless I have a specific problem or errors are displayed to the screen.
There are more things behind the screen... I use Windows Events frequently. Helps on diagnosis and to know what is happening in the backgrounds.
The best things in life are free.