Author Topic: JAVA:UPDATE -


gosub

  • Guest
JAVA:UPDATE -
« on: June 29, 2011, 09:25:23 AM »
Windows Internet Explorer keeps alerting that malware is attempting to infect my PC.

As soon as I open IE9 I get an IE security popup saying "A website wants to open web content using this program on your computer" "Windows Host Process (rundll32)". I click Allow.
I then randomly browse for a few minutes and then I get an avast malware warning popup.
I ran a boot-time scan and it found four trojan files.

I have put an image of my scan summary in my photobucket

http://i1182.photobucket.com/albums/x460/buttark/jacks/Virus1.jpg?t=1309332180

How did avast let this virus through? I don't get the warning using Google Chrome, just IE9.

Thanks in advance for any help guys



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: JAVA:UPDATE -
« Reply #1 on: June 29, 2011, 10:00:10 AM »
Check for malware with this

Malwarebytes Anti-Malware 1.51: http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the Remove Selected button to quarantine anything found.

Post the scan log here.

gosub

Re: JAVA:UPDATE -
« Reply #2 on: June 29, 2011, 08:31:39 PM »
It ran and says no malware:

I have uninstalled java and no longer get the warnings

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6977

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

29/06/2011 19:28:52
mbam-log-2011-06-29 (19-28-52).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 319729
Time elapsed: 32 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Pondus

Re: JAVA:UPDATE -
« Reply #3 on: June 29, 2011, 10:31:39 PM »
Then I recommend you post an OTS log and let Essexboy have a look inside.


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach ( OTS log ) save OTS log as ANSI

Essexboy will review the log when posted...


gosub

Re: JAVA:UPDATE -
« Reply #4 on: June 30, 2011, 08:38:38 AM »
OTS ran: see below

gosub

Re: JAVA:UPDATE -
« Reply #5 on: June 30, 2011, 08:43:44 AM »
Additional Information:

The site that I was searching 'for retro gear' at the time
was Zyra.org.uk, and when I tried to send an email using the email link on the page, I think it tried to download a Java update. That's exactly when the problem started.

I have emailed the site and they have looked at the code on their website and this is the response i got

"Hi David,

Thanks very much for discovering a fault in one of my pages!

I've had a good look through the code, using Linux things such as diff, cmp, and od. I would say that the page has been hacked, but oddly the resulting suspicious page does not appear to have any "bad" code about it. I've looked at it very closely and examined an octal dump.

There's something very odd about what's happened, because it's as if someone has hacked the page and altered it but not made any meaningful changes. So, I'm now wondering if these people are introducing deliberate false positives!?

Obviously the page www.zyra.org.uk/zyraeml.htm is clean now. But in the interests of research, I have published the hacked variant at www.zyra.org.uk/suspicious.htm

That location can't be reached from the rest of the site, but I invite Avast to examine both the clean and hacked versions and see if they can make any discoveries.

If you find any more pages that have problems please let me know. I'm keen to get any such things solved. I've told my hosting company and they're looking into how the site got hacked and what else needs to be done to avoid this sort of thing.

Kind Regards,

Zyra

www.zyra.org.uk"

They seem very helpful
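The comparison the site owner describes above (checking the clean and hacked copies of the page with diff, cmp and od) can be scripted so that byte-level noise is separated from real markup changes. The following is an added example, not code from the thread, the site owner or avast. Both page copies in it are constructed stand-ins, since the thread never shows the contents of zyraeml.htm or suspicious.htm; the constructed "suspect" copy differs only by a UTF-8 BOM and CRLF line endings, which is one way a page can look changed to diff and cmp without carrying anything executable, and a second constructed copy with an injected iframe is included only for contrast.

```python
"""Compare a known-clean copy of a web page with a suspect copy, byte by byte.

Added example for this thread (not code from the site owner, avast or any
poster). All page copies below are constructed stand-ins: the thread does not
show the contents of zyraeml.htm or suspicious.htm, so nothing here describes them.
"""
import difflib
from typing import Dict, List

# Constructed clean copy of a small mailto page.
CLEAN = b'<html><body>\n<a href="mailto:someone@example.invalid">Email</a>\n</body></html>\n'
# Constructed suspect copy: the same markup with a UTF-8 BOM prepended and CRLF
# line endings. diff and cmp report every line as changed, yet nothing
# executable was added: the "altered but not meaningful" shape.
SUSPECT = b"\xef\xbb\xbf" + CLEAN.replace(b"\n", b"\r\n")
# Constructed contrast case (not anything observed on the real site): a hidden iframe.
INJECTED = CLEAN.replace(b"</body>", b'<iframe src="http://example.invalid/x" width="0"></iframe></body>')

INJECT_MARKERS = (b"<script", b"<iframe", b"eval(", b"unescape(", b"document.write")


def differing_offsets(a: bytes, b: bytes, limit: int = 10) -> List[int]:
    """First `limit` 0-based offsets where the copies differ (what cmp -l lists)."""
    out: List[int] = []
    for i in range(max(len(a), len(b))):
        if i >= len(a) or i >= len(b) or a[i] != b[i]:
            out.append(i)
            if len(out) >= limit:
                break
    return out


def odd_bytes(data: bytes) -> Dict[int, int]:
    """Histogram of bytes outside printable ASCII, TAB, LF and CR (what od -c makes visible)."""
    counts: Dict[int, int] = {}
    for byte in data:
        if not (0x20 <= byte <= 0x7E or byte in (0x09, 0x0A, 0x0D)):
            counts[byte] = counts.get(byte, 0) + 1
    return counts


def line_endings(data: bytes) -> Dict[str, int]:
    """Count CRLF versus bare LF line endings."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "lf": data.count(b"\n") - crlf}


def normalise(data: bytes) -> List[str]:
    """Drop BOM and CR so that only markup differences survive the diff."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.replace(b"\r\n", b"\n").decode("utf-8", "replace").splitlines()


def markup_changes(a: bytes, b: bytes) -> List[str]:
    """Added/removed lines in a unified diff of the normalised copies."""
    diff = difflib.unified_diff(normalise(a), normalise(b), "clean", "suspect", lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def injected_markup(data: bytes) -> List[str]:
    """Lines carrying markers common in injected content."""
    return [ln.decode("utf-8", "replace") for ln in data.splitlines()
            if any(m in ln.lower() for m in INJECT_MARKERS)]


def compare(clean: bytes, suspect: bytes) -> dict:
    """Everything a first look at a 'hacked but nothing bad in it' page should report."""
    return {
        "first_diff_offsets": differing_offsets(clean, suspect),
        "odd_bytes_in_suspect": odd_bytes(suspect),
        "line_endings_suspect": line_endings(suspect),
        "markup_changes": markup_changes(clean, suspect),
        "injected_markup": injected_markup(suspect),
    }


if __name__ == "__main__":
    for label, copy in (("suspect", SUSPECT), ("injected", INJECTED)):
        print(f"== {label} ==")
        for key, value in compare(CLEAN, copy).items():
            print(f"{key}: {value}")
```

To use it on real saved copies, replace CLEAN and SUSPECT with the bytes read from the two files. Non-empty odd_bytes or a changed line_endings count together with an empty markup_changes is the "altered but nothing meaningful" pattern; any injected_markup hit, or a markup_changes line you cannot account for, is what deserves the closer look.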

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: JAVA:UPDATE -
« Reply #6 on: June 30, 2011, 07:12:14 PM »
On completion of this let me know of any problems you are experiencing

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< Run [HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\] > -> HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "eventCommsppm" -> C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll [rundll32.exe "C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll",oleMainserv LibCommonlink]
[Files/Folders - Created Within 30 Days]
NY ->  msMainhid -> C:\Users\David\AppData\Local\msMainhid
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
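The Run entry in the fix above has the classic shape of user-level persistence: a value under the user's own HKEY_USERS hive that starts rundll32.exe with a DLL sitting in %LOCALAPPDATA%, which also matches the "Windows Host Process (rundll32)" prompt described in the first post. The following is an added example, not code from the thread or from OTS: a parser for OTS-style Run entries that flags those launched through a DLL loader (rundll32/regsvr32) or living under a user-writable path. The sample input is the two registry lines quoted in the fix plus one made-up benign entry for contrast; the heuristics are this example's own assumptions, and the YY/YN flags OTS prints are carried through but left uninterpreted.

```python
"""Flag suspicious autorun entries in an OTS-style [Registry - Safe List] dump.

Added example for this thread; it is not code from OTS, avast or any poster.
The two heuristics (a DLL-loading system binary such as rundll32 as the
launcher, and a payload under a user-writable profile path) are this
example's own assumptions. OTS's YY/YN flags are kept but not interpreted.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the BHO and Run lines quoted in the OTS fix above, plus
# one made-up benign entry ("ExampleUpdater") for contrast.
SAMPLE_OTS = r"""
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< Run [HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\] > -> HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "eventCommsppm" -> C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll [rundll32.exe "C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll",oleMainserv LibCommonlink]
YY -> "ExampleUpdater" -> C:\Program Files\Example\updater.exe [C:\Program Files\Example\updater.exe /quiet]
"""

RUN_HEADER = re.compile(r"^< Run \[(?P<hive>[^\]]*)\] >")
RUN_ENTRY = re.compile(r'^(?P<flags>[YN]{2}) -> "(?P<name>[^"]*)" -> (?P<target>.*?) \[(?P<cmd>.*)\]$')

# Windows binaries that load and run an arbitrary DLL named on the command line.
DLL_LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}
# Path fragments a non-admin user can write to (heuristic, compared lower-case).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\", "\\$recycle.bin\\")


@dataclass
class RunEntry:
    hive: str
    flags: str
    name: str
    target: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Return the entries listed under every '< Run [...] >' section of an OTS dump."""
    entries: List[RunEntry] = []
    hive = None
    for raw in text.splitlines():
        line = raw.strip()
        header = RUN_HEADER.match(line)
        if header:
            hive = header.group("hive")
            continue
        if line.startswith(("<", "[")):      # any other section header ends the Run block
            hive = None
            continue
        m = RUN_ENTRY.match(line)
        if hive is not None and m:
            entries.append(RunEntry(hive, m.group("flags"), m.group("name"),
                                    m.group("target"), m.group("cmd")))
    return entries


def leading_exe(command: str) -> str:
    """Base name of the program a Run command line launches (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return exe.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(entry: RunEntry) -> RunEntry:
    """Attach human-readable reasons why an entry deserves a look."""
    loader = leading_exe(entry.command)
    if loader in DLL_LOADERS:
        entry.reasons.append(f"{loader} used as launcher: the persisted code is a DLL, "
                             "not a program with its own signature")
    if is_user_writable(entry.target) or is_user_writable(entry.command):
        entry.reasons.append("payload under a user-writable path, so no admin rights "
                             "were needed to plant it")
    return entry


def find_suspicious(text: str) -> List[RunEntry]:
    return [e for e in map(assess, parse_run_entries(text)) if e.reasons]


if __name__ == "__main__":
    # Pass a saved OTS log as the first argument, or run against the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_OTS
    for e in find_suspicious(data):
        print(f"{e.hive}\\Run\\{e.name} [{e.flags}]\n  {e.command}")
        for r in e.reasons:
            print(f"  - {r}")
```

Neither heuristic is proof on its own (installers do drop per-user updaters under AppData, and rundll32 has legitimate uses), but an entry that trips both, with a DLL name that matches no installed product, is the one to pull from the Run key and submit for analysis.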

gosub

Re: JAVA:UPDATE -
« Reply #7 on: June 30, 2011, 09:08:18 PM »
Hi there,

I followed the instructions and my screen went blank then logged me out
I didn't get a chance to see a log

Cheers

David

Offline essexboy

Re: JAVA:UPDATE -
« Reply #8 on: June 30, 2011, 09:10:06 PM »
Could you run a fresh OTS log please to see if they were removed


gosub

Re: JAVA:UPDATE -
« Reply #9 on: June 30, 2011, 09:36:40 PM »
All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry value HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\eventCommsppm not found.
DllUnregisterServer procedure not found in C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll
C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll moved successfully.
[Files/Folders - Created Within 30 Days]
C:\Users\David\AppData\Local\msMainhid folder moved successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: David
->Temp folder emptied: 3619012407 bytes
->Temporary Internet Files folder emptied: 523225957 bytes
->Java cache emptied: 2023 bytes
->Google Chrome cache emptied: 439404900 bytes
->Flash cache emptied: 10939 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Mcx1-DAVID-PC
->Temp folder emptied: 516 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22256308 bytes
RecycleBin emptied: 8279544 bytes
 
Total Files Cleaned = 4,399.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: David
->Flash cache emptied: 0 bytes
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Mcx1-DAVID-PC
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Cannot create restore point. Unable to start RPC service!
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06302011_200851

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Offline essexboy

Re: JAVA:UPDATE -
« Reply #10 on: June 30, 2011, 10:25:23 PM »
Are you having any problems now ?

gosub

Re: JAVA:UPDATE -
« Reply #11 on: June 30, 2011, 10:43:18 PM »
It seems to have stopped, no malware popups.
I have established that my son installed uTorrent on this PC and has been downloading films.

Offline essexboy

Re: JAVA:UPDATE -
« Reply #12 on: June 30, 2011, 10:45:16 PM »
Ah, the perfect vector for malware: you are guaranteed to get the newest and best bad boys from there.

Could you run for a day or so, and if all is still good, let me know and I will tidy up.

gosub

Re: JAVA:UPDATE -
« Reply #13 on: July 01, 2011, 12:56:43 AM »
I have uninstalled uTorrent and a few other things ('wizard101').

I'll use the computer in the normal way. I've left Malwarebytes running; I will update you on Monday.

Thanks again for your help

David

gosub

Re: JAVA:UPDATE -
« Reply #14 on: July 04, 2011, 08:36:58 PM »
Hi,

All seems fine. I have not tried to reinstall Java yet, but there is no need at the moment.

Thanks for the help

Gosub