Help

I hope I don’t have a problem, I just went from Avast 4.8 to 5, I did a complete scan and it found, and I moved to chest, (win32:Delf-MZG (trj) ) and a (Win32:KillApp-W (pup) )…
Now I keep getting a (Malicious URL Blocked)
“avast network shield has blocked a threat”

Object: nopagency.com/cgi/yoetj:?td=67=03465x04445
Url: Mal
action: Blocked
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

and another one with all the same except

Object:media9s.com/cgi/eujzpe.php?pu=67=03465x04445

Are these things in my PC that were blocked, or things online that were blocked from getting to me? Thanks so much in advance…dave

The 2 URLs you listed were blocked by avast before you could enter the websites, so I guess they are on some bad website list…

(win32:Delf-MZG (trj) ) and a (Win32:KillApp-W (pup) )
These were found on your computer, but we need the names of the files that were detected and where on the PC they were found to find out more...

Check your computer for malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
After install, click update so you have the latest database before you scan.
Run a quick scan and click the remove selected button to quarantine anything found.
Post the log here.

Thanks, I ran a scan yesterday and the day before they both came out clean (see below) the (win32:Delf-MZG (trj) ) and a (Win32:KillApp-W (pup) ) are in my Avast chest now. Is there still more to clean up ?
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4189

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/11/2010 2:41:41 PM
mbam-log-2010-06-11 (14-41-41).txt

Scan type: Full scan (C:|D:|F:|M:|)
Objects scanned: 500379
Time elapsed: 3 hour(s), 40 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

PS: Sorry forgot to say what the "the 2 URL you listed was blocked by avast before you could enter the websites. so i guess they are on some bad website list " are…I get the blocked message every time I go to my Yahoo home page ! and got it again when I came here…

I doubt that the network shield alerts were in any way related to the Win32:KillApp-W (pup) detection, though there is a possibility it could be related to the win32:Delf-MZG (trj) detection (but as has been said we need the file name and location).

A quick MBAM scan is generally enough as a first scan, it will find the majority of what would be found in the c:\ drive.

Are you using an HP system as there have been a couple of detections relating to Win32:KillApp-W detection in c:\hp\bin, is that the original location of the file (and what is its file name) ?

Yes, it is an HP product, with an HP scanner and photo programs…How do I find out where things that are now in my virus chest came from ? It just says system volume informationrestore(ED1AD764-6EE8 and about 20 more numbers) under original location and the name is A0156470.exe if that helps…Quick and full scans with Malwarebytes all come up clean…this is all strange to me…Thank you for trying to help

Now when I came back here to read this again I got the (Malicious URL Blocked)
“avast network shield has blocked a threat” media9s.com/cgi/eujzpe.php?pu=67=03465x04445 Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
I didn’t have anything else open or running just this page when I got the message

Well right clicking on the file in the chest and selecting properties would show the original location.

So I would say that these ones in the system restore aren’t related to the Win32:KillApp-W detection are they ?

If so this is less of an issue:

  • Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario it isn’t infected and you delete it, you can’t use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

The other detections I mentioned relating to the Win32:KillApp-W detection were effectively live files and in the c:\hp\bin folder.

Well the detection appears good, see http://www.mywot.com/en/scorecard/media9s.com, though why it is happening is the mystery. Do you have any feeds, etc. set-up in IE that may be trying to access this site ?

Thanks again, where do I look for “any feeds, etc. set-up in IE that may be trying to access this site” ? I just changed to IE8 in the last few days, trying to find the problem, something keeps IE from loading for about 80 seconds, it used to load in about 10 seconds, so there must be something trying…thanks again…dave

I don’t use IE as my default browser, it is only there because IE is an integral part of the OS so you have to keep it up to date. So I use it very infrequently and am not very familiar with its settings now.

By feeds I mean RSS or Live Bookmarks, something that checks a site to see if there is anything new on it. That background checking would force the network shield to check the site against its malicious sites list.

I’m surprised that MBAM didn’t find anything if you are getting this in IE as it sounds a little like browser hijacking.

Try SUPERantispyware (SAS). On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

Thanks again, I have SUPERAntiSpyware Free Edition, I’ve updated it and ran it several times lately, and it only comes up with cookies. I’ve deleted temps, trashed most old favorites, scanned and scanned, and yet I have a very slow starting IE, and the first time each restart I right-click on any song or photo file it takes over a minute before I get the box to choose an option…strange stuff going on…

For the browser issue what happens if you try another browser, firefox, chrome or opera, etc. ?

If it is taking this amount of time before getting the options on the right click of files, it could be a conflict, but trying to pin that down isn’t easy. Open the task manager so you can try and monitor what activity is going on when you try this. It could also be a shell extension (explorer right click entries) conflict, which may not show in any CPU increase and once more this isn’t easy to identify.

The only thing that jumped up in CPU under Processes was “explorer.exe” user name owner (mem usage-28,088k) I also have 2 “iexplorer.exe” with 40k & 48k of mem, they didn’t move, and down near the bottom “system” jumped just a little

That is weird as explorer is just the windows file process. I’m at a loss as to what it might be.

Just to bump this thread, my AVAST started flagging this same url about a week ago.

http://inthefrey.com/media9s.jpg

“bump” (+ subject titled)

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

I concur with djDave

cleaned / checked > open Google (whereas he is opening Yahoo) > let it sit a few minutes > warning comes up

http://forum.avast.com/index.php?topic=60716.msg512868#msg512868