facebook malware alarm

Hello everybody,

avast! (free version) keeps warning me about malware, stating that it comes from facebook.com about every 30 minutes. Does anybody know how to fix this / what's the issue?


http://img101.imageshack.us/img101/4630/avast1z.jpg


Well, what is strange is that it is using Windows explorer.exe (not iexplore.exe) to connect, and whilst explorer.exe can connect, it isn’t normal to see this happen unless ‘you’ type a URL into the address bar.

So it would appear that something undetected/hidden is misusing explorer.exe.

Also strange that it is facebook.com, whilst that could be the domain displayed it may be possible that the actual URL points or redirects elsewhere, though I can’t say for certain.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
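The reasoning in the reply above (explorer.exe should not be holding a web session to a public address) can be turned into a quick check over `netstat -b -n -o` output. This is an added example, not code from the thread or from avast; the netstat excerpt is constructed, the public address is a placeholder, and the allowlist of expected web clients is an assumption you would adjust for your own machine.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -b -n -o` output (not from the thread);
# the public address is a placeholder for whatever facebook.com resolved to.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1051       69.171.224.11:80       ESTABLISHED     1496
 [explorer.exe]
  TCP    192.168.1.5:1052       69.171.224.11:80       ESTABLISHED     2044
 [iexplore.exe]
  TCP    192.168.1.5:1060       192.168.1.20:445       ESTABLISHED     4
 [System]
"""

# Assumed allowlist of processes expected to talk HTTP/HTTPS on an XP desktop.
EXPECTED_WEB_CLIENTS = {"iexplore.exe", "firefox.exe", "opera.exe", "avastsvc.exe"}
WEB_PORTS = {80, 443}

CONN_RE = re.compile(r"^\s+(TCP)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """One dict per TCP line, paired with the [process] line netstat -b prints after it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state, "pid": int(pid), "process": "?"})
            continue
        p = PROC_RE.match(line)
        if p and conns and conns[-1]["process"] == "?":
            conns[-1]["process"] = p.group(1)
    return conns


def suspicious_web_connections(conns):
    """Web-port connections to non-private hosts from processes outside the allowlist."""
    flagged = []
    for c in conns:
        host, port = c["remote"].rsplit(":", 1)
        if int(port) not in WEB_PORTS or ipaddress.ip_address(host).is_private:
            continue
        if c["process"].lower() not in EXPECTED_WEB_CLIENTS:
            flagged.append(c)  # explorer.exe holding an HTTP session is the case in the thread
    return flagged
```

A hit tells you which PID to look at in Task Manager or Process Explorer; it does not tell you what injected into that process, so the scans suggested above are still the next step.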

Thank you for your quick help :slight_smile:

I downloaded the two programs you suggested. I am currently running the scans and meanwhile got some errors of avast! warning me of SUPERAntiSpyware and Malwarebytes using/scanning .exes of several programs (my graphic driver for example) on my system, which I don’t see as a problem, though. I also got a warning of avast! concerning mbam.exe, the .exe of Malwarebytes to be a Trojan.

Nothing to worry about, is it?

I wouldn’t have thought it would be an issue, but there is insufficient information on a) the file name, location, malware name and, more crucially, which avast shield alerted.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
For a detection on an on-access scan (File System Shield), check the FileSystemShield.txt file in C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Report (Windows 2000, Windows XP) or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).

There is a possibility it could also be a Behavior Shield detection, same location different file BehaviorShield.txt. Or the AutoSandbox see C:\ProgramData\Alwil Software\Avast5\log\autosandbox.log file.

Generally I would suggest pausing/stopping avast whilst running third party scans, as what the scans may be doing could be considered suspicious, but it isn’t essential.

Avast pops up and tells me that, for example, mbam.exe tries to access iview.exe or something, and then suggests transferring it to the sandbox.

So I’d suggest it’s the auto-sandbox function you mentioned. avast! doesn’t state the file is infected, just that Malwarebytes or SUPER tries to access it.

I will screenshot the avast! notification the next time it pops up.

If it is the autosandbox as you say then select allow it to run normally and check the Remember my answer for this program (assuming it relates to MBAM or SAS). See image example, click to expand.

That’s what I get.


http://img233.imageshack.us/img233/4156/avast2.jpg


SUPER’s scan is done and found 90 tracking cookies, which I deleted. Malwarebytes’ scan is still running.

It is just saying that the File was opened by MBAM.exe which is acceptable as it is doing a scan. So select open normally and check the Remember my answer for this program option, see image.

Should you need to post images, it is easiest to attach them to the actual post, as I have in my examples. When you are replying to a post, there is an Additional Options… link, which expands to allow images and text files to be attached to the post.

The imageshack.us isn’t good for all avast members as it has a selective/restrictive policy that not all ISPs or domains will be able to view the image. Fortunately I can see it.

Malwarebytes is done and found some errors.

Here’s the log:
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6696

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

27.05.2011 13:52:27
mbam-log-2011-05-27 (13-52-23).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:|D:|E:|)
Durchsuchte Objekte: 288573
Laufzeit: 1 Stunde(n), 54 Minute(n), 26 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 1
Infizierte Dateien: 5

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 (Trojan.Agent) → Value: 4E3E0230AEBB4E96 → No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → No action taken.

Infizierte Verzeichnisse:
c:\Recycle.Bin (Trojan.Spyeyes) → No action taken.

Infizierte Dateien:
c:\recycle.bin\recycle.bin.exe (Trojan.Agent) → No action taken.
c:\dokumente und einstellungen\egowittey\anwendungsdaten\sun\java\deployment\cache\6.0\32\75f61ce0-10d5858a (Trojan.Downloader) → No action taken.
c:\dokumente und einstellungen\egowittey\anwendungsdaten\sun\java\deployment\cache\6.0\38\319b2fa6-71d9b452 (Trojan.Agent) → No action taken.
c:\system volume information_restore{fe477aac-3492-410f-afe6-78f4a55a414e}\rp288\a0061022.exe (Trojan.Agent) → No action taken.
c:\Recycle.Bin\config.bin (Trojan.Spyeyes) → No action taken.

I’m sorry it’s german but I think it’s understandable.

It seems that mainly the recycle bin is infected, which is quite tricky, I think. I deleted everything with Malwarebytes.
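As an added example, not part of the thread: a small parser for the MBAM 1.50 log layout posted above, which also pulls out the two things a responder looks at first, the entries still marked "No action taken" and the Run value named with a random-looking 16-hex-digit token. The sample excerpt reuses the thread's values; the final "Quarantined" line is constructed to show a resolved item.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.50 log above; the registry and
# file values are the ones from the thread, the final "Quarantined" action line is made up.
SAMPLE_LOG = r"""Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 (Trojan.Agent) -> Value: 4E3E0230AEBB4E96 -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Infizierte Dateien:
c:\Recycle.Bin\config.bin (Trojan.Spyeyes) -> No action taken.
c:\recycle.bin\recycle.bin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(Infizierte .+):$")          # "Infizierte Dateien:" etc.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z][\w.]*)\) (?P<rest>(?:->|→).+)$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")                 # MBAM separates fields with "->"
HEX16_RE = re.compile(r"^[0-9A-Fa-f]{16}$")


def parse_mbam_log(text):
    """One dict per detection line, tagged with the section header it appeared under."""
    records, section = [], None
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        e = ENTRY_RE.match(line)
        if e and section:
            parts = [p for p in ARROW_RE.split(e.group("rest")) if p]
            records.append({"section": section, "item": e.group("item"), "name": e.group("name"),
                            "detail": " ".join(parts[:-1]), "action": parts[-1]})
    return records


def unresolved(records):
    """Detections MBAM logged but did not remove: the 'No action taken' entries."""
    return [r for r in records if r["action"].startswith("No action taken")]


def generated_run_names(records):
    """Run-key values whose name is a bare 16-hex-digit token, like the one in the log above."""
    out = []
    for r in records:
        key, _, leaf = r["item"].rpartition("\\")
        if key.lower().endswith(r"\currentversion\run") and HEX16_RE.match(leaf):
            out.append(leaf)
    return out
```

The Broken.OpenCommand entry is worth keeping in view after cleanup: until the regfile open command is restored to the "Good" form, double-clicking a .reg file will not behave as expected.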

Your log shows No action taken, so if you haven’t already, run MBAM again and select the files for removal.

The language isn’t a problem as the MBAM layout is the same.

Are you still getting the avast alerts ?

Yeah I posted the log before I deleted the malware.

Everything seems alright to me now… I was hardly able to check until now since I wasn’t really on my computer, but I didn’t recognize any alarms yet.

Seems your method worked out well, thanks a lot :slight_smile:

You’re welcome.

I think that the alerts were to do with the c:\Recycle.Bin (Trojan.Spyeyes) detected by MBAM.

What is your Firewall (as that should have been your first line of defence against unauthorised outbound connections) ?
If only XP firewall that is worthless as it has zero outbound protection.

Monitor your system over the next couple of days for any unusual activity and alerts, but the most important issue is to get it up to date.

On to your next issue: your OS (XP SP1) is so far out of date that it is at greater risk of infection, due to vulnerabilities which have been closed by security updates. XP SP3 was released over 18 months ago and XP security updates ended for XP SP2 over a year ago.

I don’t know if you can call avast! a firewall. I don’t really have a true firewall program.

I know that my SP1 is a major problem, not only because of security problems, but also due to a lot of programs not running on SP1. I’m going to update it to SP3 soon by either downloading SP2 and SP3 (which is gratis, I think?) or by purchasing a new Windows version.

Avast free doesn’t have a firewall; its network shield isn’t a full firewall, though it does monitor some common worm/exploit ports.

Only Avast Internet Security has a full firewall as one of its main modules.

You should be able to download SP3 http://www.microsoft.com/downloads/en/details.aspx?familyid=5b33b5a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en. This is a massive 300MB plus download (but free). Also see http://support.microsoft.com/kb/322389 for more general information.

Ignore the bit about not using it if you only have one computer, as visiting Windows Update with XP SP1 may just get blocked, but if not it would be huge and probably complex, trying to install SP2 (which I believe can be skipped), then SP3 and finally any security updates after SP3. I can’t recall if there are any Windows Genuine Advantage checks to see if your copy of Windows is legit with this SP.

Even after SP3 is installed you are going to have to visit windows update to get what has been released after SP3, this too could be quite a lot.

Thank you again for your help :slight_smile:

I will download SP3 the next time I can spare the traffic (my DSL is terribly slow).

You’re welcome.