in other words, another thread on the subject:
http://forum.avast.com/index.php?topic=60716.msg512868#msg512868
Or run OTL, post the logs as attachments, and let Essexboy have a look…
http://forum.avast.com/index.php?topic=53253.0
I had the same problem as others are having with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
For about a week, I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx(without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again! I hope I’m done with them… I hope this helps someone… dave
Thanks for sharing.
You say you moved them to quarantine in SAS, it would be helpful if you can send a sample to avast.
Send the sample/s to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
Unfortunately that would need you to first restore them from SAS quarantine, copy to the avast chest and then run an SAS scan again to remove it again…
Hi DavidR,
It is being reported elsewhere as well:
http://webcache.googleusercontent.com/search?q=cache:-5b0mbucuRoJ:www.garenaworld.com/archive/index.php/thread-427.html+&cd=3&hl=en&ct=clnk
http://jsunpack.jeek.org/dec/go?report=1a19a872d7a5a212d800d5f872291f3ed090dc27
cleansing proposal here: http://www.bleepingcomputer.com/forums/topic322608.html
It is a Monkif. C&C site: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-May/007476.html
http://www.malwaredomainlist.com/mdl.php?search=nopagency&colsearch=All&quantity=50
polonus
Hi DavidR, I hope the info from polonus is what you need, as I’m kinda chicken to move the problem back into my PC… I do have logs from OTL that I saved while I had the problem, I could e-mail them to you or to an Avast address of your choice if that would be of any help. Thanks again for all you and others do here… dave
Not really, my concern is sending a sample to avast as they didn’t detect it, so that they can hopefully add it to the virus definitions. The logs don’t provide the sample which would be used to create a detection signature.
I understand not wanting to restore it.
Worked … Thanks djDave!
Before you did that, did you send a sample to avast as suggested earlier in Reply #23 before quarantining it?
To David R: If someone else is working on this, could you explain how to find it in the PC, to send a sample to avast, as SAS does not give much info about it once it’s in SAS Quarantine?
To Phobos: I’m glad it worked for you. I forgot to say that after all seemed well again I went to System Restore and created a new restore point.
As I said in my reply #23 above, if it is already in the SAS Quarantine (you won’t find it on your PC) a protected area, the only option is to restore it (and that carries a limited risk, which you had before any detection, but avast is blocking that) to the original location.
Then add it to the avast chest (where it can be submitted later), then run SAS again and allow it to quarantine it again. Now it can be submitted to avast from the sample you put in the avast chest. I understand anyone’s reluctance to restore it from the SAS Quarantine, which is why it is important to add it to the avast chest before taking that action.
You’re welcome … and yes, I did that … thanks.
I would have done that, however I could not (and cannot) understand ‘how’ … when the avast popup occurred, I would click on it (nothing) … then I went to the ‘network shield’ section so I could see the problem - I could see it in the ‘last analysed connection’ part - clicked on it (nothing) - looked in ‘traffic history’ (nothing), ‘report file’ (nothing), and then wondered if I had some settings that were affecting my ability to see more details about the popup so that I could a) understand its origins, and b) do anything about it (eg: add to chest)
Note (if it helps) it involved the removal of 2x trojan.Dropper/Win-NV in C:\WINDOWS\MSVIDEO.DLL
Phobos: I know what you mean, that’s the way it was for me also. When moved into SAS Quarantine, I could not r/click on it for properties, so I was not sure if I could find it, or if restoring it - would change it in some way??? At least for now the darn thing is gone and has not come back…Have a great day… dave
Goodbye:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
This is the 4th day since I did the cleaning as reported in reply #22 and all is still well here. I did a complete scan with SAS today and all came up clean! I’m running XP and IE. I don’t know if this works the same for others, but it has for me. Thank you Avast and everyone that helps here… djDave
PS: Have a great weekend…
Refusal IE !
Recommend Firefox !
Hi guys!
Can you help test my website in China?
My website named GHD
This page seems to be http://www.UnmaskParasites.com/security-report/?page=www.ghdtradezone.com
URLvoid
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor UNRATED
Scanning site with: McAfee TrustedSource UNRATED
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN