Author Topic: What is "borekoso.com/get/fgr/.html" ?

bobbyboy

  • Guest
What is "borekoso.com/get/fgr/.html" ?
« on: March 02, 2011, 10:38:20 PM »
I keep getting an Avast pop-up that a threat has been detected and blocked. It says "borekoso.com/get/fgr/.html". I don't know what that means. This happens without my even surfing to new sites. It popped up just now while I'm on the Avast Forum site. Please advise. Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37535
  • Not a avast user
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #1 on: March 02, 2011, 11:17:18 PM »
This is a web address, probably from an infected site you have been on. There may be something left in your browser cache/temp.

Try this

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.


If this does not work then we let Essexboy have a look at it...
« Last Edit: March 02, 2011, 11:19:41 PM by Pondus »

FatCax

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #2 on: March 02, 2011, 11:39:18 PM »
I have the same exact problem. I tried Pondus's solution: downloaded the program, ran it, rebooted, and it still didn't fix anything. I ran Avast and ran the run-on-boot thing Avast offers, still with no help. I also ran Malwarebytes but ended up with no infected files.

I was thinking about:
1. disconnecting from the net
2. running rkill
3. re-running Avast and Malwarebytes

but I wanted to wait for a response from Essexboy before I did anything because I am guessing he is the Pro at this...
Any help would be very much appreciated.

Thanks!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37535
  • Not a avast user
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #3 on: March 02, 2011, 11:41:32 PM »
He is, just a moment  ;)

spg SCOTT

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #4 on: March 02, 2011, 11:43:40 PM »
Generally, when avast reports a threat detected, it also lists the process that is responsible. This may help for determining the cause...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37535
  • Not a avast user
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #5 on: March 02, 2011, 11:53:25 PM »
Well, I think he is gone for the day, he usually logs out about this time..

So you can do this and he will check the logs when he is back tomorrow.....
He is usually in here 8:00pm - 11:59pm uk time

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple posts with copy and paste, you have to attach the logs

Lower left corner: Additional Options > Attach (OTL.Txt / Extras.Txt / Malwarebytes Log)


FatCax

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #6 on: March 03, 2011, 01:57:05 AM »
Ok, I am getting closer!

When I scan, they say no virus has been found. The virus isn't harming me (I think), it just keeps getting blocked and keeps popping up.

Here is what I found:

I've been watching the task manager, since the process that Avast says has the virus is svchost.exe, but that's not much help since there are a ton of them and it's not really just a specific file I can delete...

While watching the task manager I am pretty sure when the warning that comes up saying the virus was blocked, the svchost process with PID: 2468 jumps to CPU usage of 10 for a split second. I could just be seeing things or have wishful thinking but I'll keep watching and hope I am correct...

In my command prompt under the tasklist, PID #2468 is assigned as N/A... great... haha

Now to find my next step.

I will keep ya updated on my progress and let you know how I fix this if I end up doing it.

Suggestions are still very much welcome!

billmac1

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #7 on: March 03, 2011, 04:49:37 AM »
I'm getting the same message. From what I can find on the web, it's part of a Trojan called Carberp, which seeks to capture login information and send it back to a remote site. It's specifically associated with attempts to capture login information.

I don't have a removal solution yet. Some of the sites offering solutions to Carberp look suspicious. I'll post again if I get an answer.

Avast appears to block the attempt to transmit the information, so that's some comfort, but this one is definitely worrisome.

SafeSurf

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #8 on: March 03, 2011, 08:14:58 AM »
@ bobbyboy,

Did you run TFC and did this help fix your problem?  If no, see below.

@ bobbyboy, FatCax,

For us to help you, we will need your MBAM and OTL logs that were requested (see the post from Pondus with the link).  Essexboy will analyze these logs and need these logs for malware removal, and yes, he is our malware expert.

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI and not Unicode).  When the OTL scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.  Post the MBAM log and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Please do not make any further changes to your machine after you have provided the logs or you will have to repeat making the logs.

IMPORTANT: If you are on a network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.  Please do not attempt any malware removal on your own after providing the above logs or you will need to repeat the logs and this will affect the malware removal process/results.

Let us know if you have any questions.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #9 on: March 03, 2011, 08:51:56 PM »
Sounds intriguing this one

FatCax

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #10 on: March 04, 2011, 07:35:31 AM »
Tomorrow morning I will re-scan and upload the logs.

The only problem with that is Malwarebytes wasn't picking the virus up... it said my system is clean.

Maybe something will be different when I re-scan, I'll upload the logs shortly.

FatCax

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #11 on: March 05, 2011, 06:08:13 AM »
Ok, so I am pretty sure I have this problem fixed...

I didn't do much though haha. I don't think the computer was actually infected. I think that a piece of the virus was located on my computer (I think in C:/documents and settings/users/start menu/programs/startup).

I also agree that it is the Carberp virus so if you actually get infected be very careful because it steals your identity and personal data...

Ok here is what I think:
     About the virus:
          I got it from a random web page.
          When I got it, it was a really small piece so it wouldn't get detected.
          That piece works by saving itself in your startup folder and/or temp and then running on reboot.
          Once the computer is rebooted the virus runs and downloads the rest of the virus (the really bad parts which Avast keeps blocking!)
          You can't see this file in Windows Explorer or search for it, I guess it's super hidden, haha.
          You can see the file (if it is still there) using this cool application I came across called GMER.

          Since the piece was located in startup and/or temp, it ran once the computer re-booted.
          Now, since Avast is so good, it blocked the other files that little piece tried to download from the net,
          that is why you would always get the warning saying the virus was blocked.
          The virus keeps trying to download the main pieces from online so you keep getting popups.


What I did:
     I cleared all my temp, temp internet files, cookies, etc. using Windows Explorer (I think I got it using K-meleon browser)
     Ran Avast multiple times and ran the scan from starting boot thing too.
     Also cleared my private data using the browser's tool (tools->clear private data)
I don't get any more messages from Avast and no files are infected upon scan.

Other Thoughts, Hints, Tips:
     Malwarebytes, although an awesome program, in this case did nothing. It returned no warnings, and found no viruses.
     A tip I found online to see if you have the full virus is to download Process Explorer from Microsoft and do these steps:
          Download
          Run
          Have explorer.exe highlighted
          Click view -> show lower pane
          Scroll to almost bottom and look at all the "threads"
          Check for threads running with the name of something like "no process" (basically it is running from nowhere).
          If you find one or more, sorry but you probably have the virus...
          If there aren't any running then most likely you're clean
          You can also use the program CCleaner which will thoroughly clean your temp and other files, it's a good program!

So this is all my info, hopefully I'm not wrong about everything haha. I also hope this helps.
If my problem comes back I will let everyone know and I might need a little help because if it does come back obviously I wasted a lot of time and am pretty dumb haha.

Thanks for all the help everyone!
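
The two checks described in Reply #6 and Reply #11 (which services a given svchost.exe PID hosts, and what sits in the Startup folders, hidden files included), as an added PowerShell example that is not part of the original posts. It assumes PowerShell 3.0 or later on Windows 8 or later; the function names are hypothetical and PID 2468 is the value from Reply #6.

```powershell
# Added example: triage helpers for the observations in this thread.
# Function names are hypothetical; PID 2468 is the value quoted in Reply #6.

function Get-SvchostServices {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Win32_Service.ProcessId links each running service to its host process,
    # which is what "tasklist /svc" summarises per svchost.exe instance.
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, PathName
}

function Get-ProcessConnections {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Get-NetTCPConnection exposes the owning PID of each TCP connection.
    Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

function Get-StartupItems {
    # Per-user and all-users Startup folders, resolved by the OS, not hard-coded.
    $folders = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes files carrying the Hidden or System attribute.
        Get-ChildItem -LiteralPath $folder -Force -File |
            Select-Object FullName, Length, CreationTime, Attributes,
                @{ Name       = 'Signature'
                   Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
    }
}

$svchostPid = 2468   # replace with the PID named in the antivirus alert
Get-SvchostServices    -ProcessId $svchostPid | Format-Table -AutoSize
Get-ProcessConnections -ProcessId $svchostPid | Format-Table -AutoSize
Get-StartupItems | Format-List
```

`-Force` only reveals files hidden by file attributes; a file concealed by a rootkit still needs an offline scan or a tool such as the GMER mentioned above.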

SafeSurf

  • Guest
Re: What is "borekoso.com/get/fgr/.html" ?
« Reply #12 on: March 05, 2011, 08:02:58 AM »
@ FatCax,

May I ask how you confirmed it was the Carberp virus?

If you think you are clean and everything is working fine, great.  I did have Essexboy, our malware expert, available to you and the others here in this thread on stand-by to help you out for malware removal.  Should you have problems in the future, please start a new thread in the Virus and Worms section but refer to this thread as well.  Thanks.

@ billmac1 and bobbyboy,

Still awaiting your replies.