Extremely annoying warning message

Hi everyone, I'm using avast home 4.8…

Ever since I visited this random website, the following popup keeps appearing every 5 minutes or so… I'm afraid it has installed some sort of process in my system without my consent…

http://img4.imageshack.us/img4/8336/alertl.png

How can I get rid of this warning, and how can I delete it forever?

Thanks

Something tried to enter your network, so Network Shield blocked it. Don't worry :slight_smile:

Correcting me in any way if I'm wrong would be appreciated.

Mr.Agent

It hasn’t installed anything on your system as the network shield is blocking it.

This is the Network Shield blocking access to a site on its malicious sites list. The site you visited(?) is most likely hacked, and something tries to redirect to or run something at this Chinese site. What random site, or are you talking about mixmediadirect.cn, the one that 'you' visited?

You don't really want to get rid of the warning; how else are you to know there is something suspect going on at the site you are visiting?

Hi anderson_p,

DavidR, you just beat me to it.
Can you mention the URL of that site in a non-clickable way, like for instance hxtp://malcode_site.com?
hxtp or hxxp makes the link non-clickable for a n00b visitor who could get infected.
The question is whether this site may be a reputable site that has been hacked and infected by a hidden iFrame or SQL injection so that it redirects to a malware silent download site. The avast shield prevented your computer (via the browser) from getting infected. Do not visit the site until it is cleansed, or alert the webmaster or site admin. Avast has a unique detection rate here.

polonus
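The hxtp/hxxp convention polonus asks for above is a manual version of what analysts call "defanging". The helper below is an added example, not code from the thread or from avast: it defangs a URL (neutralised scheme, `[.]` in the host so nothing auto-links) and reverses the operation for when the address has to go into a blocklist or sandbox. It accepts the thread's own `hxtp` spelling as well as `hxxp`, and defanging an already-defanged string leaves it unchanged. The function names and the `fxp` spelling for FTP are this example's own choices.

```python
import re

# Neutralised scheme spellings seen in the wild -> the live scheme they stand for.
_DEFANGED_SCHEMES = {"hxxp": "http", "hxtp": "http", "hxxps": "https",
                     "hxtps": "https", "fxp": "ftp"}
# Live scheme -> the spelling we emit when defanging.
_LIVE_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# scheme is optional (people paste bare hostnames); host runs up to the first / ? or #.
_URL_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^/?#]*)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def refang(url: str) -> str:
    """Turn a defanged string back into a real URL (http is assumed if no scheme)."""
    m = _URL_RE.match(url.strip())
    scheme = (m.group("scheme") or "http").lower()
    scheme = _DEFANGED_SCHEMES.get(scheme, scheme)
    host = (m.group("host")
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))
    return f"{scheme}://{host}{m.group('rest')}"


def defang(url: str) -> str:
    """Make a URL non-clickable: hxxp(s) scheme and bracketed dots in the host.

    The input is normalised with refang() first, so mixed or already-defanged
    input is handled and the function is idempotent.
    """
    m = _URL_RE.match(refang(url))
    scheme = _LIVE_SCHEMES.get(m.group("scheme").lower(), m.group("scheme"))
    host = m.group("host").replace(".", "[.]")
    return f"{scheme}://{host}{m.group('rest')}"


if __name__ == "__main__":
    # The site named in this thread, in the form that is safe to paste in a post.
    print(defang("mixmediadirect.cn/gate/gate.php"))
    print(refang("hxtp://malcode_site[.]com"))
```

Only the host part gets bracketed dots; query strings and paths are left alone so that a defanged URL can still be read and compared by eye.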

I'm having the same problem as TS. Don't know what site I was on when it happened, but I know I was not on the site it's trying to reach (like the pic in the 1st post).

It somehow infected my computer… because every time I use Firefox I get this warning message, no matter what site I'm browsing on. I was hoping avast could detect from where in my computer the request is sent, but all I get is that box saying it blocked the access.

It's really annoying to get it about once every 3 minutes. Would really appreciate all the help I can get!

http://www.shrani.si/f/1j/yk/2CE9OSiZ/nshield.png

Check here what's the name of the process that is trying to access this webpage. My log is empty, but in yours there should be an entry with the program name and the address it is accessing.
Post the name and location of the EXE file here please.


David & Polonus -

Please read the link below to see if the information there might help.

http://novirusthanks.org/blog/2009/03/analysis-of-a-website-infected-with-a-hidden-iframe/

The infector at the link is the same mixmediadirect.cn as in this thread.


Yes, but considering he is getting this at intervals, we can assume there is something on his system that is trying to download crap from this webpage. That's why we need the name of the spawning process so we can eliminate it.


Isn’t that what is at that link? The link lists files found on that computer.


Hello, i have the same warning message.

As for the information asked :

19.05.2009 11:23:09 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]

Regards
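Two points raised above are worth automating: the Network Shield log names the process behind each block (the request to "check the log" a few posts up), and a block that recurs every few minutes points at a timer-driven downloader rather than at a page the user opened. The script below is an added example, not part of the thread or of avast: it parses lines in the format avast 4.8 writes (the two real lines posted here use it), groups blocks by process, PID and site, and flags groups whose gaps are regular. The sample lines are constructed for the example (only the site, path and the first timestamp and PID come from the thread), and the `HOST_PROCESSES` set is this example's own heuristic: when the blocked process is svchost.exe, as in both posted lines, the culprit is whatever was loaded into that host (a service DLL or injected code), which is why the EXE name alone does not identify it.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, in the line format avast 4.8's Network Shield uses. The first
# line is the one posted in the thread; the others are invented for the example.
SAMPLE_LOG = r"""
19.05.2009 11:23:09 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]
19.05.2009 11:26:12 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]
19.05.2009 11:29:08 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]
19.05.2009 11:32:11 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]
19.05.2009 11:40:00 Network Shield: blocked access to malicious site ads.example.invalid/x.js [ C:\Program Files\Mozilla Firefox\firefox.exe ( 1540 ) ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: blocked access to "
    r"malicious site (?P<site>\S+) \[ (?P<exe>.+?) \( (?P<pid>\d+) \) \]$"
)

# Generic host processes (example's own list): when one of these is the blocked
# process, the real culprit is the code loaded into it, not the EXE itself.
HOST_PROCESSES = {"svchost.exe", "explorer.exe", "rundll32.exe", "lsass.exe"}


def parse_log(text):
    """Turn Network Shield lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
            "site": m["site"],
            "exe": m["exe"],
            "pid": int(m["pid"]),
        })
    return events


def find_beacons(events, min_hits=3, jitter=0.5):
    """Group blocks by (exe, pid, site) and flag groups that recur at a steady period.

    A group is 'regular' when every gap between consecutive hits is within
    +/- jitter * median gap. That is what a timer-driven downloader looks like,
    as opposed to a user hitting a hacked page once.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["exe"], e["pid"], e["site"])].append(e["ts"])

    findings = []
    for (exe, pid, site), stamps in sorted(groups.items()):
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= jitter * median for g in gaps):
            findings.append({
                "exe": exe,
                "pid": pid,
                "site": site,
                "hits": len(stamps),
                "period_s": median,
                "host_process": ntpath.basename(exe).lower() in HOST_PROCESSES,
            })
    return findings


def triage(text):
    """Parse a Network Shield log and return the beaconing groups found in it."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = "code loaded into host process" if f["host_process"] else "process"
        print(f"{f['site']}: {f['hits']} hits every ~{f['period_s']:.0f}s from "
              f"{where} {f['exe']} (pid {f['pid']})")
```

On the sample the single Firefox block is ignored and the four svchost.exe blocks are reported as one beacon with a period of about three minutes, matching the "once every 3rd minute" the poster describes. The follow-up is then to find what that svchost.exe instance hosts (its service group and the DLLs it has loaded), not to delete svchost.exe.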

First try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

Try a scan with DrWeb CureIT!
Try a scan with Kaspersky Virus removal Tool

Try one or more of these free adware/spyware scanners.

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

Yeah, I also got the
19.05.2009 11:59:13 Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 2024 ) ]

I looked through the link Charley posted; I didn't find the same files as he did, but I found some similar ones.
C:\WINDOWS\Temp\wpv531242686334.exe
Then I have a bunch of crypt.dll files… however, I don't know which are supposed to be there (if any).
I have these that are named something with crypt:
crypt32.dll
crypt32(3).dll
cryptdlg.dll
cryptdll.dll
cryptdll(3).dll
cryptext.dll
cryptnet.dll
cryptsvc.dll
cryptsvc(3).dll
cryptui.dll
cryptui(3).dll

I don't know how to find the hidden one in my Documents and Settings.

Thanks for all the help so far, though! :slight_smile:

Random web sites shouldn't be able to install malware (a drive-by infection).

You probably have some insecure web-facing software that allowed this.

Scan for out-of-date and insecure software using Secunia Online Software Inspector (OSI) and update any vulnerable software: this will help to prevent future infections.

I have rebooted the computer.

I don’t get the message anymore.

But ZoneAlarm told me that a strange program tried to access the internet:
pqarocuvuw yfyqu (c:\windows\ld08.exe)

I removed it using HijackThis.

I made a boot scan with avast; it found nothing.

Should I make another scan with Kaspersky Virus Removal Tool?

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

If you still experience troubles, I can go further in my suggestions for on-line scanning.

Randel,

I did a “google” of that file name, and there are a lot of hits. (This is good.) Thought I’d offer some results:
NoVirusThanks, (about halfway down there are manual removal instructions).
Prevx Info. (Prevx makes a type of scanner/monitor which has quite a following, and thanks to a large user database tends to have quite a large malware database.)

Thanks for the help.

  1. Temporary files cleaned

  2. Avast boot scan done - nothing found

  3. MBAM, I got this:

Malwarebytes' Anti-Malware 1.36
Database version: 2154
Windows 5.1.2600 Service Pack 2

19/05/2009 17:27:49
mbam-log-2009-05-19 (17-27-49).txt

Scan type: Quick scan
Objects scanned: 71188
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) → Data: digiwet.dll → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Xavier\Local Settings\Temp\wJQs.exe (Trojan.Agent) → Quarantined and deleted successfully.

  4. RootkitBuster - nothing found

  5. HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:43, on 19/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SoundMAX] “C:\Program Files\Analog Devices\SoundMAX\smax4.exe” /tray
O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205780422468
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Extensions du pilote WMI WmiSSDPSRV (WmiSSDPSRV) - Unknown owner - C:\WINDOWS\system32\1042n.exe


End of file - 5548 bytes
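Reading a HijackThis log by eye is error-prone, and the usual first pass is mechanical: which autostart (O4) and service (O23) entries point at binaries in places where legitimate software does not normally install itself, and which services report no vendor. The script below is an added example for that first pass, not code from the thread, from HijackThis or from Malwarebytes. Its sample input is constructed: most lines are copied from the log posted above, and two O4 lines are invented so they point at the two paths mentioned earlier in the thread (c:\windows\ld08.exe and C:\WINDOWS\Temp\wpv531242686334.exe). The rules are heuristics of this example's own: a hit means "verify this binary" (check its signature, look it up, scan it), not "this is malware". For the MBAM log above, note also that the `SecurityProviders` registry value it cleaned is a list of DLLs the system loads at boot, which is why a foreign DLL there is a persistence mechanism and not just a stray file.

```python
import ntpath
import re

# Constructed sample: O4/O23 lines copied from the HijackThis log posted in the thread,
# plus two invented O4 lines (ld08 and wpv) that reuse paths mentioned earlier in it.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ld08] c:\windows\ld08.exe
O4 - HKCU\..\Run: [wpv] C:\WINDOWS\Temp\wpv531242686334.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Extensions du pilote WMI WmiSSDPSRV (WmiSSDPSRV) - Unknown owner - C:\WINDOWS\system32\1042n.exe
"""

# The backslash before '..' is optional so the copy in the thread (where it was lost) also parses.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def split_first_token(cmd):
    """Return (first argument, remainder), honouring double quotes around paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def target_binary(cmd):
    """The file that actually gets loaded: for rundll32 launches, the DLL rather than rundll32."""
    exe, rest = split_first_token(cmd)
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest:
        exe = split_first_token(rest)[0].split(",", 1)[0]
    return exe


def location_flag(path):
    """Heuristic: autostart binaries normally live under Program Files or system32."""
    p = path.lower().replace("/", "\\")
    if "\\temp\\" in p:
        return "runs from a Temp directory"
    if re.fullmatch(r"[a-z]:\\windows", ntpath.dirname(p)):
        return "sits directly in the Windows root, not in a subdirectory"
    return None


def triage(log_text):
    """Return one finding per O4/O23 entry that deserves a manual look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            binary = target_binary(m["cmd"])
            reason = location_flag(binary)
            if reason:
                findings.append({"entry": "O4", "name": m["name"],
                                 "binary": binary, "reason": reason})
        elif m := O23_RE.match(line):
            reasons = []
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service binary carries no vendor information")
            if loc := location_flag(m["path"]):
                reasons.append(loc)
            if reasons:
                findings.append({"entry": "O23", "name": m["name"],
                                 "binary": m["path"].strip(), "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['entry']} [{f['name']}] {f['binary']}: {f['reason']}")
```

On the sample this yields three entries to verify: the two invented autostarts in the Windows root and in Temp, and the one service line from the posted log whose owner field is "Unknown owner". Everything signed by a known vendor and living under Program Files or system32 is left alone, which is the point: the script shortens the list, and the human decides.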


An analysis of your HJT log shows only one problem:

Platform: Windows XP SP2 (WinNT 5.01.2600)

A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft’s windowsupdate site to download the newest version of the service pack.


Looks to me that you need to update your Java, and IE is at version 8 now; you appear to have version 6.

So what have you done?