Author Topic: Malicious URL Blocked,Info please?  (Read 7765 times)

acapone

  • Guest
Malicious URL Blocked,Info please?
« on: November 26, 2010, 02:35:20 PM »
Hello,
when I visit the following site http://planetelderscrolls.gamespy.com/ I get a malicious URL blocked message.
I was wondering if someone could provide further info on this?

Here are the details:

Object: twiterpro.com/zxwqwa/
Infection: URL:Mal
Action: Blocked
Process: C:\Program Files\Mozilla Firefox\firefox.exe

I also have received the same message but with different processes when I reload.

Process: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
Process: C:\WINDOWS\system32\svhost.exe

Is this a false positive? Should I contact the site admin to let them know that something is up?

Thanks,

rragona

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #1 on: November 26, 2010, 02:55:34 PM »
I've run into the same thing (twiterpro) with the same site (Planet Elder Scrolls), first with my laptop, and today with my desktop. Avast blocked it both times and I've locked it out using NoScript to forbid it. I Googled it and it appears to be connected to spam/malware but that was just some vague entries that are pretty much Greek to me.

Huitzilopochtli

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #2 on: November 26, 2010, 03:57:37 PM »
The very same thing started to happen to me some days ago, only that with planet quake (http://planetquake.gamespy.com/)
and since I have it as my Firefox home, each time that I started Firefox, the message came up to me (so at first I thought something infected my computer, or Firefox, but after seeing this, I guess it's the web page). I have no clue what it is, and googling only brought me to this page (maybe I didn't google hard enough?).
Anyway, since two different pages associated with gamespy are having this problem, I'm guessing there may be something wrong with gamespy, and maybe the site admin should be contacted to let them know. But I wouldn't know, does anyone else know any more of this?

acapone

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #3 on: November 26, 2010, 04:25:34 PM »
I've contacted the site and they replied that they have received other reports of this but only from Avast! users and that their techs are investigating.
I did a WHOIS search of the URL and the contact is a WHOIS privacy protection service located in China...
It would be nice if Avast displayed more info on what exactly about the URL is malicious.
Anyway I blocked the URL with Adblock Plus so I don't get the warnings anymore.

DavidR

  • Avast Überevangelist
Re: Malicious URL Blocked,Info please?
« Reply #4 on: November 26, 2010, 05:22:32 PM »
I have just visited the gamespy.com domain and both of the links in this topic and no alert by avast. Ensure that you have the latest virus definitions.

Probzzie

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #5 on: November 26, 2010, 05:52:29 PM »
I had my computer continuously trying to connect using the svchost.exe file.
A lot of temporary files I found were infected.

Try deleting all temp files. Having said that: it's relatively safe to assume that 99.99% of everything in the c:\windows\temp folder is safe to delete,  assuming you didn't purposely install a program in that folder (not likely)
This whole issue I later found was caused by the userini.exe file.
I recommend installing HijackThis and pasting a log. Make sure HijackThis is able to run with lifted privileges.

I believe if URLs are being blocked but the source of the connection is coming from svchost.exe, whether you block the site or not, it's an infection causing it to try to connect in the first place.

Tell me, do you receive URL blocks when not surfing?

Nesivos

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #6 on: November 26, 2010, 06:22:17 PM »
This is a shot in the dark but it might be helpful

Quote
Why is Every anti virus saying that Game spy Arcade is a virus?
I noticed that the AVG could detect the gamespy as a Threat so why does it keep doing that!? I'll need an answer.

Best Answer - Chosen by Asker
The free installers of GameSpy Arcade don't have any virus or spyware, but they do have adware, that comes with them.
If you want to get rid of this problem you must subscribe to GameSpy Arcade and get the non-ad version.
Source(s):
http://forums.afterdawn.com/thread_view.…

http://answers.yahoo.com/question/index?qid=20090727182720AAJiL6Y



acapone

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #7 on: November 26, 2010, 06:23:51 PM »
I have the latest Avast! program and definition updates and have cleared my cache and temp files using CCleaner and still get a malicious URL blocked message both in IE and Firefox. I have not received any other blocked URL messages other than when visiting the listed site. Anything else I should do? Thanks

I ran HijackThis 2.0.4, here is the output:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:04:32 PM, on 11/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\WinTV7\WinTVTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\alpha\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [DelReg] C:\Program Files\MSI\DualCoreCenter\DelReg.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\TVServer\HAUPPA~1.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 6061 bytes

« Last Edit: November 26, 2010, 06:31:10 PM by acapone »
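
A HijackThis log like the one above can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of acapone's post or of HijackThis itself: it flags running processes whose name is one character away from a core system binary (the alerts quoted in this thread name `svhost.exe`, while the log lists `svchost.exe`), core binaries running from an unexpected folder, and O23 services reported with "Unknown owner". The expected-folder table and the sample log are constructed for illustration; findings are leads to check, not verdicts.

```python
import re
from ntpath import basename, dirname

# Assumed baseline: core Windows XP binaries and the folder they normally run from.
EXPECTED = {name: r"c:\windows\system32" for name in
            ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe")}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text):
    """Return sorted (reason, detail) findings for a HijackThis log."""
    findings, in_procs = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not line:      # a blank line ends the process list
            in_procs = False
        if in_procs:
            name, folder = basename(line).lower(), dirname(line).lower()
            if name in EXPECTED:
                if folder != EXPECTED[name]:
                    findings.add(("unexpected-location", line))
            elif any(edit_distance(name, known) == 1 for known in EXPECTED):
                findings.add(("lookalike-name", line))
        m = re.match(r"O23 - Service: (.+?) - Unknown owner - (.+)$", line)
        if m:
            findings.add(("service-unknown-owner", m.group(2)))
    return sorted(findings)

# Constructed sample log (not the log posted in this thread).
SAMPLE = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\Temp\lsass.exe
C:\WINDOWS\notepad.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
```

"Unknown owner" only means the service binary carries no company name in its version information, so such entries need a manual check of the file rather than removal on sight.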

Probzzie

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #8 on: November 26, 2010, 06:46:24 PM »
Have you got Malware Bytes?

acapone

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #9 on: November 26, 2010, 07:53:11 PM »
I am running a Malware Bytes scan now, I'm scanning all my drives including a USB external drive which has a lot of files on it so it's going to take a while.
Is this a scan and remove app or do I have to post any logs?

Probzzie

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #10 on: November 26, 2010, 07:56:52 PM »
Scan and remove, but it pulls a log up which you should post.

Probzzie

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #11 on: November 26, 2010, 08:00:43 PM »
When I am unsure but suspicious of virus or malware, I will run a quick scan with Malware Bytes which goes over the registry and system files... If the quick scan is successful in finding malicious software I will run a full scan. May not be the safest idea but it has left me virus free... I believe if a virus is severely infecting anyone's system there will surely be a registry entry or file found in the systems folder.

VikingBabe

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #12 on: November 28, 2010, 10:21:15 AM »
I just came from PlanetElderScrolls myself and received the same "Blocked" message with "Process: C:\WINDOWS\system32\svhost.exe". This is the first time I received such an AVAST popup notice while visiting there. It also came up while looking at another page there too.

I checked my AdBlock Plus to see what "twiterpro.com/zxwqwa" was.  It said it was a "Script".

I am running a quick Malwarebytes/AntiMalware scan right now....just in case.

Update: It just finished...showed nothing was found or my computer infected by anything.

Addendum:
I checked the ElderScrolls forums and there was a report of "twiterpro.com" November 15th and last thread post was made November 18th.  Knowing the [WIZ] Helper Gang (swamped as they are normally), yes it has been reported and looked into.  Soooo, until this is fixed I guess I had better install "NoScript".  

« Last Edit: November 28, 2010, 10:39:55 AM by VikingBabe »

Asyn

  • Avast Überevangelist
Re: Malicious URL Blocked,Info please?
« Reply #13 on: November 28, 2010, 10:57:15 AM »
Report    2010-11-28 11:06:10 (GMT 1)
Website    twiterpro.com
Domain Hash    f7e51fd884e60236610543cc32abc20a
IP Address    178.162.181.58 [SCAN]
IP Hostname    -
IP Country    DE (Germany)
AS Number    28753
AS Name    NETDIRECT AS NETDIRECT Frankfurt, DE
Detections    1 / 17 (6 %)
Status    SUSPICIOUS

Scanning site with:    TrendMicro Web Reputation    DETECTED
http://reclassify.wrs.trendmicro.com/wrsonlinequery.aspx

YoKenny

  • Guest
Re: Malicious URL Blocked,Info please?
« Reply #14 on: November 28, 2010, 01:45:20 PM »
@ VikingBabe

Please go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.

In Account Related Settings select Hide email address from public? to prevent scammers and spammers harvesting your redrivernet.com email address.