Author Topic: URL:Mal y HTML:RedirME-inf FAKE??  (Read 58130 times)

0 Members and 1 Guest are viewing this topic.

jeffce

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #30 on: April 02, 2012, 03:17:02 AM »
Were you able to get aswMBR ran yet as well?  :)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #31 on: April 02, 2012, 03:18:13 AM »
Dont understand about the word "movies" but in general, Ive got the myspace normal settings and some reverbvation widgets taken directrly from reverbnation www.reverbnation.com . Just copy and paste the code from reverbnation.com

I can attach the code:
<snip>


NOTE: This code is the exactly code reverbnation gives, I think myspace recodes it in some way

One thing that they all have in common is the c.gigcount url. This is not shown in the redirect urls, giving a major hint. If you are certain that all the coding you used from that site is given, Reverbnation does not seem to be the culprit. It is a possibility that your site was hacked.


And yes, MySpace recodes all scripts that you feed it.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #32 on: April 02, 2012, 03:31:20 AM »
4th time I tried to run aswMBR a friendly blue screen came rebooting my computer, this time not knowing when the soft stops. The soft always starts..

___



Its a posibilyty to be hacked of course..

I retyped the codes again and changed my pass before yesterday..

yesterday there was no AVAST popup showing virus..

Today the popups came again

Today I typed again the codes and changed my pass again and still having the avast virus popup

« Last Edit: April 02, 2012, 03:33:07 AM by 4444 »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #33 on: April 02, 2012, 03:35:51 AM »
I retyped the codes again and changed my pass before yesterday..

yesterday there was no AVAST popup showing virus..

Today the popups came again

Today I typed again the codes and changed my pass again and still having the avast virus popup
I suggest changing your passwords on a different computer and don't logon to myspace on the computer being stubborn with aswMBR.


I'll report back tomorrow as it's around 10 pm here.
« Last Edit: April 02, 2012, 03:38:52 AM by !Donovan »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

jeffce

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #34 on: April 02, 2012, 03:39:35 AM »
I agree with Donovan...for the time being try not to use this computer for any banking or email purposes and don't download anything else besides what you are instructed to do here.

Please download TDSSKiller
  • Right-click and Run as Administrator TDSSKiller.exe
  • Press Change Parameters
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
    • Note: If Cure is not available, please choose Skip instead, [color="#FF0000"]do not choose Delete unless instructed[/color].
  • Copy and paste the log in your next reply
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
----------

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #35 on: April 02, 2012, 03:56:47 AM »
I retyped the codes again and changed my pass before yesterday..

yesterday there was no AVAST popup showing virus..

Today the popups came again

Today I typed again the codes and changed my pass again and still having the avast virus popup
I suggest changing your passwords on a different computer and don't logon to myspace on the computer being stubborn with aswMBR.


I'll report back tomorrow as it's around 10 pm here.

Done, changed pass and retyped all the codes from another computer.. still popup virus in my computer.

The other computer I changed my pass and retyped the codes was a windows xp using chrome with the same AVAST installed. No virus popup message in that computer (XP one).

I come back to my computer and the same virus detected
« Last Edit: April 02, 2012, 03:59:23 AM by 4444 »

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #36 on: April 02, 2012, 04:08:35 AM »
I agree with Donovan...for the time being try not to use this computer for any banking or email purposes and don't download anything else besides what you are instructed to do here.

Please download TDSSKiller
  • Right-click and Run as Administrator TDSSKiller.exe
  • Press Change Parameters
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
    • Note: If Cure is not available, please choose Skip instead, [color="#FF0000"]do not choose Delete unless instructed[/color].
  • Copy and paste the log in your next reply
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
----------

Done, 2 objects in quarantee, log attached.

Actual detected object count: 2
04:06:01.0629 3536   C:\Windows\system32\epmntdrv.sys - copied to quarantine
04:06:01.0639 3536   epmntdrv ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
04:06:01.0669 3536   C:\Windows\system32\EuGdiDrv.sys - copied to quarantine

« Last Edit: April 07, 2012, 03:47:40 AM by 4444 »

adotd

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #37 on: April 02, 2012, 04:19:41 AM »
at least your getting somewhat near fixing this :)

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #38 on: April 02, 2012, 04:23:56 AM »
Quote
Note: If Cure is not available, please choose Skip instead, [color="#FF0000"]do not choose Delete unless instructed[/color].

I messed this step, Ive put them both to quarantee. How do I solve it?

and again thxs for the help

adotd

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #39 on: April 02, 2012, 04:31:41 AM »
was cure avaliable?

iroc9555

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #40 on: April 02, 2012, 04:49:31 AM »
444.

Those files where unsigned files. Were they detected as malicious or just a warning. You only had to choose " cure " if they were malicious and if cure was available otherwise skip them.

 You better wait for Jeffce. He will be back tomorrow.

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #41 on: April 02, 2012, 11:57:35 AM »
Both were suspicios object, medium risk, no cure availible..

I have put them both again  into quaranteee, scaning them again I have the choice again to skip, quarantee or delete, no to cure.

____

I did the aswMBR scan again and this time the soft stops in /Microsoft security apliacation.....
« Last Edit: April 02, 2012, 12:04:15 PM by 4444 »

jeffce

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #42 on: April 02, 2012, 01:42:14 PM »
Hi there 4444,

Yeah those entries were detected because they were unsigned. 
-------------

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://es.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = es
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 07 F5 7E 02 27 0A CD 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
FF - prefs.js..browser.search.selectedEngine: "Bing"
[2012/02/25 12:12:47 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O18:[b]64bit:[/b] - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

In your next reply please post the logs made by CKScanner and all logs made by OTL.  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #43 on: April 02, 2012, 03:10:54 PM »
@444 & adotd
Please make live links non-click-through in your posts, like with htxp or wXw. In your reply you'd better not give quoted code. In the case of (script)code, it should be provided as an image, while it cannot do harm in that way. See attached example of how to do this.
So when posting no live links to live malware please or suspicious links because a newbie may accidentally click this or crawlers may easily find it, rather post the scanned links as VT results, Zscaler scan link, etc.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

4444

  • Guest
Re: URL:Mal y HTML:RedirME-inf FAKE??
« Reply #44 on: April 02, 2012, 03:42:39 PM »
OK, now Ive got real problems..

Quote
Download CKScanner by askey127 from Here & save it to your Desktop.

step done, could not attach the log for reason ill tell later. No alerts found in the scan


Quote
Please download and run ERUNT (Emergency Recovery Utility NT).

Done

Quote
Run OTL.exe

Done, the process did not finish, and my whole computer stopped, I restart windows 7 but the computer just turns off the power while windows is restarting..

After the 5 attemp, windows let me do a restore, I did it, but my computer is not working well.. ill try to attach the ERUN log, wich has to be in the computer.

Right now im with another computer.