Author Topic: [Resolved] URL: Malware  (Read 16344 times)


Sartigan

  • Guest
Re: URL: Malware
« Reply #15 on: August 30, 2010, 11:14:57 AM »
Visiting that site without real-time shields? 3/16 detections on URLVoid (hpHosts, Web of Trust and TrendMicro Web Reputation)
http://www.urlvoid.com/scan/themoviedownloads.com

SafeSurf

  • Guest
Re: URL: Malware
« Reply #16 on: August 30, 2010, 11:25:57 AM »
I was scanning under the original web site the OP posted (no need to repeat it here).  The OP then got the movie site listed in the Avast scan.  If you look at the results of Anubis, this site can cause many changes.

To play it on the safe side, I would have one of our malware experts review this later and add comment to this.  In the meantime, I would not turn off Avast shields and follow instructions I have posted earlier.  Thank you.  :)

Shalimar

  • Guest
Re: URL: Malware
« Reply #17 on: August 30, 2010, 12:54:17 PM »
@Sartigan...
Quote
About this:
"So I went a step farther by copying those few lines and pasting them into my email (where I have some notes about this avast problem), and AS SOON AS I PASTED THOSE LINES INTO MY EMAIL, the Avast alerted me, again!"

- Well, the most used tracking method is a transparent GIF image of 1x1 pixel size, and when you copied the text, you could have copied an image too; avast! (as far as I know) won't give you a warning if you copy and paste some text. (That image could be located anywhere inside the text.)
And as I said, because this site is listed on avast!'s URL Blocklist, when you pasted the text, avast! detected that there was something in that text you copied, warned you and blocked the connection.

I hope I was understandable
Thank you for your explanation.
As I previously said, I didn't know if Avast would have sounded off its alarm with almost anything I would have copied from within that "freewebs" website, but because I had found words related to the other website called "movie downloads" within its web page (of which Avast had been sounding off its alarm), I wanted to report back to the forum what I had found...and so I chose to go ahead and copy/paste that text into an email draft only because it was quicker for me to do that instead of taking the time to write down the information.  Foolish of me?  "YES"!
As stated previously, the text I had copied/pasted from within the "freewebs" web page was:
"Sponsors....Movie Downloads...Click Here to Visit Movie Downloads"
And, of course, I was surprised to hear Avast sound off after pasting those words into my email because I then had been thinking it basically had been a false alarm.

@Devil...
Quote
I'm sorry, Shalimar. I checked the website again in the morning; I found all of them are clean. I think you can turn off the Avast! real-time when you visit hxxp://www.themoviedownloads.com, but you must install AVG LinkScanner to keep your website visits safe. I hope this can help you. Thanks!
Of note is that I don't download movies, so I have never "visited" or even attempted to visit the website called hXXp://www.themoviedownloads.com

With that said, I guess it appears the reason Avast was sounding off its alarm when I was trying to access the website called hXXp://www.freewebs.com/reptoids/undergroundbases.htm was because that website actually contained information about the "movie downloads" website WITHIN its web page and contained the image/banner_n1.gif malware.

Also, for what it's worth, I would like to mention that I personally would prefer never to turn off my Avast when using the internet because I wouldn't feel safe in doing so.

@SafeSurf...
Quote
"I just performed several on-line scans and for those of you who did visit the site, I have bad news  Cry -- see Anubis (the 2nd and 3rd give detailed results)."

"Please do not visit the site mentioned in this thread..."
(A) For me personally, I only tried going to this website link:
hXXp://www.freewebs.com/reptoids/undergroundbases.htm
...which contains malware on its web page from an image/banner by "the movie downloads" website.
So until that ever gets fixed, I realize that I should not try linking to the "freewebs" website.
(B) I have no intentions of ever going to the "movie downloads" website.
QUESTION:
Are you referring only to hXXp://www.themoviedownloads.com?
OR...are you referring to both websites; the website I tried linking to and then actually ended up visiting, also (hXXp://www.freewebs.com/reptoids/undergroundbases.htm)?

Since I didn't know if you were also referring to the website I actually ended up visiting (the freewebs one) "after" I ran the first MBAM & TFC scans (and CCleaner), and in order to be safe, I ran both of them, again, and all is well.

« Last Edit: August 30, 2010, 01:04:18 PM by Shalimar »

SafeSurf

  • Guest
Re: URL: Malware
« Reply #18 on: August 30, 2010, 10:20:18 PM »
Quote
Are you referring only to hXXp://www.themoviedownloads.com?
OR...are you referring to both websites; the website I tried linking to and then actually ended up visiting, also (hXXp://www.freewebs.com/reptoids/undergroundbases.htm)?

Since I didn't know if you were also referring to the website I actually ended up visiting (the freewebs one) "after" I ran the first MBAM & TFC scans (and CCleaner), and in order to be safe, I ran both of them, again, and all is well.
I ran the online scanners for the malware detection with hXXp://www.freewebs.com/reptoids/undergroundbases.htm and got the positive hit with Anubis.

Keep MBAM as an on-demand scanner; just remember to always update prior to using it and you can do a Quick scan in the future.  Many of us use it here.  The cleaners come in very handy as well.

Was your Avast FULL scan clean?  If you have a 32-bit machine, did you do a Boot-time scan and was that clean as well?  If you have a 64-bit, let me know and I will give you another diagnostic tool to use. 

Is your machine otherwise acting normally now?  If not, please describe any problems.  Thank you.

Shalimar

  • Guest
Re: URL: Malware
« Reply #19 on: August 31, 2010, 09:38:28 AM »
Hi SafeSurf!

Thanks for explaining which website you scanned because I was mistakenly under the impression you had scanned the movie downloads site instead.
QUESTION:
If the freewebs website (hXXp://www.freewebs.com/reptoids/undergroundbases.htm) would eliminate the "movie downloads" text they have within their web page, do you think their website would then be free of malware? ::)

I do updates with MBAM, SuperAntiSpyware, & Spyware Blaster daily before going on the internet, and I had done updates, again, before running MBAM both times regarding this issue.  I use the quick scan regularly, but I chose to do full scans in this case.

I also use CCleaner daily (actually more than once daily).  I had never used the TFC before, so I really don't know if that is something I should be using on an ongoing basis or not. ???

Yes, my Avast full scan was clean, and here are the results of the 2nd scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4505
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
8/30/2010 4:38:58 AM
mbam-log-2010-08-30 (04-38-58).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 216460
Time elapsed: 24 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

My machine has been working fine so far.  I have a 64-bit OS (which includes a 32-bit internet explorer), so if you wish to give me another tool to use, please advise, and thank you.

Offline Pondus

  • Probably Bot
  • Posts: 37550
  • Not a avast user
Re: URL: Malware
« Reply #20 on: August 31, 2010, 09:51:43 AM »
Quote
I had never used the TFC before, so I really don't know if that is something I should be using on an ongoing basis or not.
It comes in handy if you have malware located in the temp files that cannot be removed. Essexboy uses it as part of the weekly cleaning...

Shalimar

  • Guest
Re: URL: Malware
« Reply #21 on: August 31, 2010, 10:34:01 AM »
@Pondus...
Quote
It comes in handy if you have malware located in the temp files that cannot be removed. Essexboy uses it as part of the weekly cleaning...

Thank you!  I will now include TFC as part of my armor!

OFF SUBJECT:
I just read about the new rootkit "destroyer" in another thread and discovered that if you have a 64-bit Windows with UAC turned on, you should be safe from getting infected.  Well, I've been running my 64-bit with UAC turned "off" :o...but I shall now go turn it back on!!! 8)
I knew I was supposed to be leaving UAC "on", but I had preferred not to...but no longer! ;)

Sartigan

  • Guest
Re: URL: Malware
« Reply #22 on: August 31, 2010, 01:16:18 PM »
Quote
QUESTION:
If the freewebs website (hXXp://www.freewebs.com/reptoids/undergroundbases.htm) would eliminate the "movie downloads" text they have within their web page, do you think their website would then be free of malware? ::)
If they detect it... but this page belongs to a website hosted on freewebs. (I don't know who will remove it.)
I would avoid freewebs ::)
« Last Edit: August 31, 2010, 01:21:40 PM by Sartigan »

YoKenny

  • Guest
Re: URL: Malware
« Reply #23 on: August 31, 2010, 01:18:37 PM »
Make the UAC pop-up not so invasive.

Configure Windows 7 UAC
http://www.w7forums.com/configure-windows-7-uac-t1553.html

Shalimar

  • Guest
Re: URL: Malware
« Reply #24 on: August 31, 2010, 05:07:45 PM »
@Sartigan...Thanks!

@YoKenny...
RE: My "off-topic" note
I've been using this new PC for 5 months now and with the UAC "off". :o  Unfortunately, just within the last couple of hours with the UAC "on", I have been getting a tad bit frustrated >:(, but I'll just have to get used to it for safety's sake. Sometimes we don't like things that are actually good for us, right? ;D  Anyway, I'm going to change my UAC to the one you showed because I see it will be less invasive, so thank you very much!

YoKenny

  • Guest
Re: URL: Malware
« Reply #25 on: August 31, 2010, 10:57:18 PM »
Sometimes change is good and staying still leads to old age then senility! ;)

SafeSurf

  • Guest
Re: URL: Malware
« Reply #26 on: September 01, 2010, 08:58:01 AM »
Quote
If the freewebs website (hXXp://www.freewebs.com/reptoids/undergroundbases.htm) would eliminate the "movie downloads" text they have within their web page, do you think their website would then be free of malware?
Until the freewebs website removes the malware, I would not go on that site.

It sounds like you are doing all the right things to protect yourself and your MBAM log is clean.

What browser do you use normally?  Perhaps adding some extra safety features within your browser may help you, but ultimately it is the user that needs to make the careful choice of where to go/surf.

I may also suggest that you check to make sure that your software is up to date using Secunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/ on a weekly basis since software changes so frequently.  This will also add security to your system.

Please let me know if you have any additional questions.  Thank you. :)

Shalimar

  • Guest
Re: URL: Malware
« Reply #27 on: September 02, 2010, 06:40:06 AM »
I try to remember running my Secunia PSI weekly, but it has been about a week or so since I last ran it...
AND so I just ran it and it shows that I have 3 insecure programs.

SECUNIA PSI SHOWS:
Quote
ASSESSMENT: AT LEAST ONE ATTACK VECTOR EXISTS WHEN USING THIS BROWSER.
(1) Microsoft Internet Explorer 8.x ---------- Insecure, no solution  SA24314
(2) Microsoft Internet Explorer 8.x (64-bit) - Insecure, no solution  SA24314

ASSESSMENT: NOT SECURE FOR BROWSING; AT LEAST ONE CRITICAL ATTACK VECTOR EXISTS WHEN USING THIS BROWSER.
(3) Mozilla Firefox 3.6.x --------------------- Insecure, no solution  SA41095
Quote
RE: INTERNET EXPLORER
Criticality level: Less critical
Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities.
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x and 8.x
CVE Reference(s):
Description:
The child frames in Microsoft Internet Explorer 7 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.
Successful exploitation requires that the user is tricked into visiting a malicious web site.
The vulnerability is confirmed in Internet Explorer 7 and 8 on a fully patched Windows XP. Other versions may also be affected.
Quote
RE: FIREFOX:
ASSESSMENT: NOT SECURE FOR BROWSING; AT LEAST ONE CRITICAL ATTACK VECTOR EXISTS WHEN USING THIS BROWSER.

Mozilla Firefox 3.6.x --------------------- Insecure, no solution  SA41095
Criticality Level: 4, Highly Critical (4 of 5)
Impact: System access
Where: From remote
Solution Status: Unpatched
CVE Reference(s): CVE-2010-3131 (CVSS available in Customer Area)
Description:
A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to the application loading libraries (e.g. dwmapi.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening an HTML file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 3.6.8 for Windows. Other versions may also be affected.
Solution  Do not open untrusted files.

I posted some comments from 2 people about this subject:
Quote
palisade
RE: Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
22nd Aug, 2010 19:52
I have verified this exploit still works on the latest IE8. I also tested Chrome and Firefox, they are not vulnerable.
Update: The IE9 preview is not vulnerable to this exploit. However, the preview is far from ready to be used as a replacement web browser for IE8 and it is not officially out yet. This vulnerability is not actually closed until MS fully releases IE9 to the public after the beta this September.
Quote
mlefevre
28th Aug, 2010 12:39
According to https://bugzilla.mozilla.org/show_bug.cgi?id=59157... , Mozilla's reference for this is https://bugzilla.mozilla.org/show_bug.cgi?id=57959... , although that bug is still locked.
It seems to have been fixed in the source code, so I guess that 3.6.9 will fix this (a release candidate for 3.6.9 just came out, and it's scheduled for release on September 7th).

SO....On September 7th, Firefox will have a new release (3.6.9) which will have the fix in it.
AND..Sometime in September, IE9 will be released, with the fix included.


In the meantime, while we wait for the "fixes", and to be on the safe side...just stop using your computer! :o ;D

P.S.  If anyone discovers that I don't really know what I'm talking about here, please feel free to let me know...I can take it (I think?). ??? ;)

EDIT:
Well, I re-read the information above and elsewhere, and it appears that I DID misunderstand about the IE9 release in September.  Supposedly, the IE9 beta is to be released on September 15 and (as said above) it is NOT vulnerable to the harmful exploits which IE8 & IE7 are.  BUT the official full release, of course, could take a long time to be released...a lot longer than just September!
Again, from a statement made above in these notes somewhere, this comment was made:
"This vulnerability is not actually closed until MS fully releases IE9 to the public after the beta this September"

I then discovered these statements from the following website:
Quote
http://www.computerworld.com/s/article/9180659/Microsoft_to_release_IE9_public_beta_on_Sept._15?source=toc
Microsoft  has said nothing about a ship date for IE9, though many have speculated on an April 2011 release to coincide with MIX, the company's annual Web conference, which is slated to take place April 12-14, 2011, in Las Vegas.
It's possible the ship date will be significantly later: Microsoft finalized IE8 a full year after it released the first public beta for that browser. If it maintains the same pace for IE9, the upgrade's final edition might not appear until September 2011.
Does this mean that the regular public might be waiting over a year to have this security issue fixed?  I hope not.  Well, for now, I'll be looking forward to September 7th, when Firefox fixes the issue with their 3.6.9 release.

Again, if I'm making too much of this issue, I hope someone will please let me know!  It's just that I find it hard to believe that people might end up waiting a year or longer to get a security fix!

@SafeSurf
Aren't you glad you reminded me to scan my computer with my Secunia PSI?!?!  I sure am, BUT look at the length of this posting I just finished with...sorry! ::)
« Last Edit: September 02, 2010, 08:32:36 AM by Shalimar »
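As an added defender-side example (not from the Secunia advisory and not posted by anyone in this thread), the Python script below checks the two conditions the Internet Explorer advisory quoted above combines: a response that declares no charset in its Content-Type header or META tag, so a child frame inherits the parent's, and text that only turns into markup once it is decoded as UTF-7. The regexes, function names and the sample header, page and input strings are my own assumptions, constructed for the demonstration.

```python
import re

# Two places a page can declare its encoding: the HTTP Content-Type header
# and an HTML <meta> tag. Both patterns are assumptions about typical markup.
_HEADER_CHARSET = re.compile(r'charset\s*=\s*"?([A-Za-z0-9_\-]+)', re.IGNORECASE)
_META_CHARSET = re.compile(r'<meta[^>]+charset\s*=\s*["\']?\s*([A-Za-z0-9_\-]+)',
                           re.IGNORECASE)


def declared_charset(headers, html):
    """Charset the response declares (lower-cased), or None if it declares none.

    None is the situation the advisory describes: a framed page with no
    charset of its own inherits the parent window's default.
    """
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = _HEADER_CHARSET.search(ctype) or _META_CHARSET.search(html)
    return m.group(1).lower() if m else None


def utf7_introduces_markup(text):
    """True if text gains '<' or '>' only after being decoded as UTF-7."""
    if "+" not in text:
        return False  # no '+' means no UTF-7 shift sequence can be present
    try:
        decoded = text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False  # not valid UTF-7, so nothing hidden to decode
    raw_tags = text.count("<") + text.count(">")
    decoded_tags = decoded.count("<") + decoded.count(">")
    return decoded_tags > raw_tags


def assess_frame(headers, html, untrusted_text):
    """Return the findings for one framed response that reflects untrusted text."""
    findings = []
    if declared_charset(headers, html) is None:
        findings.append("no charset declared; frame inherits parent charset")
    if utf7_introduces_markup(untrusted_text):
        findings.append("reflected text decodes to markup under UTF-7")
    return findings


if __name__ == "__main__":
    # Constructed sample: a framed page with no charset that reflects a
    # visitor-supplied string carrying UTF-7 shift sequences.
    reflected = "Hello +ADw-b+AD4-world+ADw-/b+AD4-"
    page = "<html><body>" + reflected + "</body></html>"
    print(assess_frame({"Content-Type": "text/html"}, page, reflected))
    # Declaring the charset in the header clears the inheritance finding.
    print(assess_frame({"Content-Type": "text/html; charset=utf-8"}, page, "Hello"))
```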

Gargamel360

  • Guest
Re: URL: Malware
« Reply #28 on: September 02, 2010, 08:30:50 AM »
As far as the Fx warning goes, just follow the advice of not opening untrusted files.

But then, that is good advice always. ;)

Shalimar

  • Guest
Re: URL: Malware
« Reply #29 on: September 02, 2010, 08:37:03 AM »
@Gargamel360
Good advice. :)

I've decided that I've just made way too big of an issue out of not having a secure browser...but that doesn't make me feel any more secure! ;D