JAVA:UPDATE -

Windows Internet Explorer keeps alerting that malware is attempting to infect my PC

As soon as I open IE9 I get an IE security popup saying “A website wants to open web content using this program on your computer” “Windows Host Process (rundll32)”. I click allow.
I then randomly browse for a few minutes and then I get an avast malware warning popup.
I ran a boot time scan and it found four trojan files.

I have put an image of my scan summary in my photobucket

http://i1182.photobucket.com/albums/x460/buttark/jacks/Virus1.jpg?t=1309332180

How did avast let this virus through? I don’t get the warning using Google Chrome, just IE9.

Thanks in advance for any help guys

Check for malware with this

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
always update so you have the latest signatures before you scan
click on the remove selected button to quarantine anything found

post the scan log here

It ran and says no malware:

I have uninstalled java and no longer get the warnings

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6977

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

29/06/2011 19:28:52
mbam-log-2011-06-29 (19-28-52).txt

Scan type: Full scan (C:|D:|E:|F:|)
Objects scanned: 319729
Time elapsed: 32 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I recommend you post an OTS log and let Essexboy have a look inside

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTS log ) save OTS log as ANSI

Essexboy will review the log when posted…

OTS Ran: see below

Additional Information:

The site that I was searching ‘for retro gear’ at the time
was Zyra.org.uk and when I tried to send an email using the email link on the page, I think it tried to download a Java update. That’s exactly when the problem started.

I have emailed the site and they have looked at the code on their website and this is the response I got:

"Hi David,

Thanks very much for discovering a fault in one of my pages!

I’ve had a good look through the code, using Linux things such as diff, cmp, and od. I would say that the page has been hacked, but oddly the resulting suspicious page does not appear to have any “bad” code about it. I’ve looked at it very closely and examined an octal dump.

There’s something very odd about what’s happened, because it’s as if someone has hacked the page and altered it but not made any meaningful changes. So, I’m now wondering if these people are introducing deliberate false positives!?

Obviously the page www.zyra.org.uk/zyraeml.htm is clean now. But in the interests of research, I have published the hacked variant at www.zyra.org.uk/suspicious.htm

That location can’t be reached from the rest of the site, but I invite Avast to examine both the clean and hacked versions and see if they can make any discoveries.

If you find any more pages that have problems please let me know. I’m keen to get any such things solved. I’ve told my hosting company and they’re looking into how the site got hacked and what else needs to be done to avoid this sort of thing.

Kind Regards,

Zyra

www.zyra.org.uk"

They seem very helpful

On completion of this let me know of any problems you are experiencing

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< Run [HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\] > -> HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "eventCommsppm" -> C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll [rundll32.exe "C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll",oleMainserv LibCommonlink]
[Files/Folders - Created Within 30 Days]
NY ->  msMainhid -> C:\Users\David\AppData\Local\msMainhid
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
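The fix above removes a Run-key entry that starts a DLL through rundll32 from a folder under the user's AppData\Local, which is the persistence pattern to look for on any other machine. As an added example (not part of this thread, OTS, or any tool mentioned here), this PowerShell audit lists Run-key entries that match that pattern; the list of user-writable path fragments and the flag names are my own choices.

```powershell
# Added example: audit Run keys for DLLs started via rundll32 from user-writable locations.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed list of folders a standard user can write to; legitimate autostart DLLs rarely live here.
$userWritable = '(?i)\\(AppData|Local Settings|Temp|Users\\[^\\]+\\Downloads)\\'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Only entries of the form: rundll32.exe "<path>.dll",<export> ...
            if ($cmd -notmatch '(?i)rundll32(\.exe)?') { continue }

            $dll = $null
            if ($cmd -match '"?([A-Za-z]:\\[^",]+?\.dll)"?') { $dll = $Matches[1] }

            $flags = @()
            if ($dll -and $dll -match $userWritable) { $flags += 'dll-in-user-writable-path' }
            if ($dll -and -not (Test-Path -LiteralPath $dll)) { $flags += 'dll-missing-on-disk' }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                # An unsigned DLL loaded at logon from a profile folder deserves a closer look.
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
                if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Dll     = $dll
                Flags   = ($flags -join ', ')
            }
        }
    }
}

# Print only the entries that raised at least one flag.
Get-SuspiciousRunEntries | Where-Object { $_.Flags } | Format-List
```

Run it in an elevated PowerShell so the HKLM keys are readable; entries under HKCU are reported for the account that runs the script.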

Hi there,

I followed the instructions and my screen went blank, then it logged me out.
I didn’t get a chance to see a log.

Cheers

David

Could you run a fresh OTS log please to see if they were removed

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry value HKEY_USERS\S-1-5-21-779371464-2803430553-3871501812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eventCommsppm not found.
DllUnregisterServer procedure not found in C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll
C:\Users\David\AppData\Local\msMainhid\eventCommsppm.dll moved successfully.
[Files/Folders - Created Within 30 Days]
C:\Users\David\AppData\Local\msMainhid folder moved successfully.
[Empty Temp Folders]

User: All Users

User: David
->Temp folder emptied: 3619012407 bytes
->Temporary Internet Files folder emptied: 523225957 bytes
->Java cache emptied: 2023 bytes
->Google Chrome cache emptied: 439404900 bytes
->Flash cache emptied: 10939 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mcx1-DAVID-PC
->Temp folder emptied: 516 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22256308 bytes
RecycleBin emptied: 8279544 bytes

Total Files Cleaned = 4,399.00 mb

[EMPTYFLASH]

User: All Users

User: David
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Mcx1-DAVID-PC

User: Public

Total Flash Files Cleaned = 0.00 mb

Cannot create restore point. Unable to start RPC service!
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06302011_200851

Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

Are you having any problems now ?

It seems to have stopped, no malware popups.
I have established that my son installed Utorrent on this PC and has been downloading films

Ah the perfect vector for malware, you are guaranteed to get the newest and best bad boys from there

Could you run for a day or so and if all is still good, let me know and I will tidy up

I have uninstalled Utorrent and a few other things ‘wizard101’

I’ll use the computer in the normal way, I’ve left malwarebytes running, I will update you on Monday

Thanks again for your help

David

Hi,

All seems fine, I have not tried to reinstall Java yet but there is no need at the moment

Thanks for the help

Gosub

I do not have Java on my system and have not noticed the lack yet ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All Programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Copies section select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: