Alerts from on-access scanner

Avast on-access scanner continues to pop up, displaying a message about blocking access to some malicious site (ht t p://railuhocal .ru/bin/teemaeko.bin). It has blocked it seven times today, and more yesterday. What is the source of the detection, why is it continuous, and how can I stop it? Thank you.

can you post a screenshot of the popup

does it say the malware is located in IE/temp ?

Try cleaning your temp files and see if that helps.

Temp File Cleaner by OldTimer ( It will reboot computer )
http://www.geekstogo.com/forum/TFC-Temp-File-Cleaner-OldTimer-file187.html

The link is dead
http://downforeveryoneorjustme.com/http://railuhocal%20.ru/bin/teemaeko.bingoogle.com

Something either on a site that you are visiting has been hacked and is redirecting or calling that page, or there is something on your system which is trying to connect to that site.

The railuhocal.ru domain is most certainly considered malicious, see image. Is this the one you are getting?

avast isn’t the only thing to consider it suspect/undesirable, http://www.mywot.com/en/scorecard/railuhocal.ru and http://www.malwareurl.com/listing.php?domain=railuhocal.ru.

Other info indicates this is related to Zeus Tracker so you may have a Zeus infection.

Hi chafed

This is found there:
Threat Name: Packed.Cupx!gen6 avast detects as Win32:MalOb-BK [Cryp]
Location: htxp://railuhocal.ru/bin/teemaeko.exe
9 / 17 (53 %)
Status DANGEROUS
http://scanner.novirusthanks.org/analysis/9758f04d2f1bd664f37c4285a013372a/dGVlbWFla28uZXhl/

It is a Zeusbot server: http://www.malwaredomainlist.com/forums/index.php?topic=3733.135
More of this malware listed here: http://www.webs.links.lc/feeds/feed_sec_malware_domain.php (123)
http://support.clean-mx.de/clean-mx/viruses?scope=viruses&as=AS42560
new malware: hxtp://forums.malwarebytes.org/index.php?showtopic=55460&mode=threaded

polonus

Attached is a screenshot of the alert. It appears randomly while I’m on the internet, and once when I wasn’t connected to the browser. Coincidentally, it popped up while I was reading this page.

http://img84.imageshack.us/img84/4420/alertz.png

Check your computer for Malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
click the remove selected button to quarantine anything found
you may post the scan log here

I see you are using avast 4.8. Why not upgrade to the new avast 5?

Hi chafed,

If it indeed was blocked by the avast webshield, maybe you luckily escaped a zeusbot version 3 infection.
CA warns that the bot has been revised to be more resistant to reverse engineering and more focused: the latest Zeus bot configuration contains a list of targeted financial institutions from Spain, Germany, the United Kingdom, and the USA.

polonus

I downloaded the malwarebytes and am scanning now, thanks. I performed a scan last night with avast and with AVG anti spyware, both finding nothing.

I was not aware there was a new version of avast, but I will update it soon, thanks.

And I am glad that avast webshield is blocking the connection, I am just curious as to why it is blocking it so often. Since I posted the screenshot, it has alerted me 3 more times. Is it likely that there is malware on my computer attempting to connect with a host online, and that is what avast keeps alerting me of?

From your image it indicates you are using avast 4.8 and avast 5.0 has been out over five months. So my suggestion is that you update/install avast 5.0.594 on your system as it has more detection routines/features that aren’t available in avast 4.8.

  • You can download the full 5.0.594 installer and it will allow you to update. If you have avast home or avast Pro you can install over the existing avast 4.8 installation and that will retain your existing registration/license information, uninstall avast 4.8 and install avast 5.0.

Free AV: http://files.avast.com/iavs5x/setup_av_free.exe - Avast! Free antivirus Quick Start Guide http://files.avast.com/files/documentation/quick-start-guide-free-en-ww.pdf
Pro AV: http://files.avast.com/iavs5x/setup_av_pro.exe - Avast! Pro antivirus Quick Start Guide http://files.avast.com/files/documentation/quick-start-guide-pro-en-ww.pdf

The new Avast Internet Security suite is also available but you would have to pay to upgrade to that after a 30 day trial if you wish to continue to use it.
AIS: http://files.avast.com/iavs5x/setup_ais.exe - Avast! Internet Security Quick Start Guide http://files.avast.com/files/documentation/quick-start-guide-is-en-ww.pdf

Here is the alert from the newest version of avast.

http://img706.imageshack.us/img706/1435/alert2.png

I also scanned with malwarebytes. It didn’t find anything, but I was only in quick scan. I suppose I should do a full scan.

What is your firewall?

The reason I ask is that under normal circumstances explorer.exe shouldn't need an outbound connection; you can actually type a URL into the normal address window and it would open the web page. So this is taking advantage of the fact that explorer can connect. My advice would be to block explorer.exe from having internet access in your firewall. That obviously requires that your firewall has outbound checking: XP's firewall doesn't, while Vista's and Win7's firewalls have outbound checking but it is disabled by default.

There is certainly something on your system, possibly Zeus, so you should run an avast full scan and possibly even run a boot-time scan and report the findings.
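The point made above, that explorer.exe normally has no business opening outbound connections and that repeated attempts to reach the blocked domain indicate something on the host rather than a page being visited, can be turned into a simple triage check. The following is an added example, not code from the thread or from avast: the connection-log format, the field names and the function names are assumptions, and the sample log is constructed. The blocked domain and the "explorer.exe should not connect out" rule are the only inputs taken from the thread.

```python
"""Flag suspicious outbound connections in a constructed connection log.

Added illustration, not code from the forum thread. The log format
("timestamp process -> host:port"), the helper names and the sample
records are assumptions; the blocklisted domain and the expectation that
explorer.exe does not make outbound connections come from the thread.
"""
import re
from dataclasses import dataclass

# Domain the thread's web shield alert blocked (listed by Zeus Tracker).
BLOCKLIST = {"railuhocal.ru"}

# Processes that under normal circumstances should not open outbound
# connections; a hit here is worth a look even if the destination is clean.
NO_OUTBOUND_EXPECTED = {"explorer.exe"}

# Constructed sample log in the assumed "timestamp process -> host:port" format.
SAMPLE_LOG = """\
2010-07-15 16:41:02 explorer.exe -> railuhocal.ru:80
2010-07-15 16:41:05 iexplore.exe -> www.example.com:80
2010-07-15 16:42:10 explorer.exe -> update.example.net:443
2010-07-15 16:43:00 firefox.exe -> RAILUHOCAL.RU:80
this line is not a connection record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    process: str
    host: str
    port: int
    reasons: tuple  # why this record was flagged


def parse_line(line):
    """Return (timestamp, process, host, port) or None for non-matching lines.

    Process and host are lower-cased so blocklist lookups are case-insensitive.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["proc"].lower(), m["host"].lower().rstrip("."), int(m["port"]))


def on_blocklist(host):
    """True if host equals or is a subdomain of a blocklisted domain."""
    return host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST)


def analyse(log_text):
    """Return a list of Finding objects, one per flagged record, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        ts, proc, host, port = rec
        reasons = []
        if on_blocklist(host):
            reasons.append("destination on blocklist")
        if proc in NO_OUTBOUND_EXPECTED:
            reasons.append("unexpected outbound process")
        if reasons:
            findings.append(Finding(ts, proc, host, port, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.timestamp, f.process, f"{f.host}:{f.port}", "; ".join(f.reasons))
```

Run against the constructed log, the first record is flagged for both reasons, the third only because explorer.exe is the connecting process, and the fourth only because of the destination; that second category is the one a firewall outbound rule on explorer.exe would stop, which is the advice given in the thread.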

I have zonealarm free firewall.
In the program control section, I found windows explorer. Should I block it from there, and if so, for which column (there are two blocking/allowing sections, access and server)?

And I will scan again with my updated avast, although my full scan last night did not find anything.

I would certainly block it as that is what it is using to access these sites, which may give you some breathing space to try and deal with what this is. Try scheduling a boot-time scan - From the avastUI, Scan Computer, Boot-time Scan, Schedule Now button and reboot.

Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file, check this file using notepad for info on the scan/detections, etc.

Boot-time scan found nothing.

07/15/2010 16:41
Scan of all local drives

File C:\Documents and Settings\Stephen\Local Settings\Temp\hcs7vl6t.rar.part|>Passion Pit - Manners (2009)\01 Make Light.mp3 Error 42126 {RAR archive is corrupted.}
Number of searched folders: 17057
Number of tested files: 784072
Number of infected files: 0
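The report above shows why reading aswBoot.txt carefully matters: the only "File ..." line is an archive error (a corrupted RAR part in the temp folder), not a detection, and the "Number of infected files" counter is the line that actually answers the question. As an added example, not avast's code or code from the thread, here is a small parser for that report layout. The sample report is constructed after the lines quoted above, with the user name replaced; the "Infection:" line is an assumed format used only to show how a real detection would be separated from an error, and the function names are mine.

```python
"""Summarise an avast boot-time scan report in the aswBoot.txt layout.

Added illustration, not avast's code or code from the thread. The count and
error lines follow the report quoted in the thread; the "Infection:" line
format is an assumption used to show how detections are told apart from
archive errors.
"""
import re

# Constructed sample modelled on the thread's report (user name replaced).
SAMPLE_REPORT = """\
07/15/2010 16:41
Scan of all local drives

File C:\\Documents and Settings\\User\\Local Settings\\Temp\\broken.rar.part|>song.mp3 Error 42126 {RAR archive is corrupted.}
File C:\\Documents and Settings\\User\\Local Settings\\Temp\\sample.exe Infection: Win32:MalOb-BK [Cryp]
Number of searched folders: 17057
Number of tested files: 784072
Number of infected files: 1
"""

COUNT_RE = re.compile(r"^Number of (?P<what>[a-z ]+): (?P<n>\d+)$")
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
INFECT_RE = re.compile(r"^File (?P<path>.+?) Infection: (?P<name>.+)$")  # assumed format


def parse_report(text):
    """Split a report into header, counters, error lines and detection lines."""
    summary = {"header": None, "counts": {}, "errors": [], "infections": []}
    lines = text.splitlines()
    if lines:
        summary["header"] = lines[0].strip()  # scan date/time
    for raw in lines:
        line = raw.strip()
        if (m := COUNT_RE.match(line)):
            summary["counts"][m["what"]] = int(m["n"])
        elif (m := INFECT_RE.match(line)):
            summary["infections"].append((m["path"], m["name"]))
        elif (m := ERROR_RE.match(line)):
            # Scanner errors (e.g. corrupted archives) are not detections.
            summary["errors"].append((m["path"], int(m["code"]), m["msg"]))
    return summary


def verdict(summary):
    """'clean', 'infected', 'incomplete' (no counter) or 'inconsistent'.

    The counter and the per-file detection lines should agree; a mismatch
    usually means the report was truncated or the format changed.
    """
    n = summary["counts"].get("infected files")
    if n is None:
        return "incomplete"
    if n != len(summary["infections"]):
        return "inconsistent"
    return "infected" if n else "clean"


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(s["header"], s["counts"], "errors:", len(s["errors"]), "verdict:", verdict(s))
```

On the thread's actual report the infection counter is 0 and there is no detection line, so the verdict is "clean" and the single RAR error is reported as an error, which is the reading the poster arrived at.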

OK, that is a start. I take it that you have blocked explorer.exe in your firewall and that you are at least not getting the attempts to connect to that site and no avast alerts?

That's me for the night, it's after 4am here.

Try scanning (quick scan first) with Ad-Aware Pro (free version) from MajorGeeks, please.

Personally I wouldn’t give adaware Pro (or otherwise) hard disk space. The two anti-spy/malware applications currently at the top of the heap are MBAM and SAS so if MBAM hasn’t found anything I doubt adaware will.

Maybe so David, but I had MBAM installed and its scans showed nothing, and Ad-Aware solved the problem. Anyway, just trying to help out for a day or 2.

No more notifications since blocking explorer.exe.
I am going to unblock it and see if the problem is still existent.

I would say it is almost certain to be back, as nothing has been found that is using explorer for this purpose.