Hi, the following red warning keeps popping up about every minute when I am online, since yesterday. I haven’t installed any new software or done anything different recently. I’ve just looked at another post with a similar problem, but I do not recognise any of the sites mentioned.
(Sorry, I don’t know how to copy and paste the warning, but it’s like this:)
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site
Visit the avast! CommunityIQ info portal for more information
Object: jeronimkali23.co.cc/nomore123/gate.php?guid=6.0.6002!FELLOWS-WEIRPC!..[and it goes on…]
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\Explorer.EXE
There is another warning which alternates with this and is the same except that the object starts:
lupinaval123.co.cc/nomore123/gate…[etc as above]
Maybe I should add that every time I come to switch off there is an update waiting to be installed, which is unusual?
Download OTS to your Desktop and double-click on it to run it.
- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
OK, I’ve done the scan. File attached. Thanks again.
I noticed that my machine keeps trying to connect to the internet even though I disconnected it during the scan. This doesn’t seem normal!
More from that malware domain, see: htxp://www.scumware.org/report/91.193.194.155
Only advised to go to the last mentioned link as an experienced security user; do not click anything there.
Sorry, but for the benefit of a non-expert, can you explain if this malware has already entered my computer and, if so, what should I do? If it hasn’t infected my machine, will it keep on popping up as being blocked, and will it eventually go away? Many thanks again.
This is a sign that either a SpyEye dropper was run or there is an active SpyEye install on that machine. This URL is not the download but the ‘call home’; it comes directly from malware on that computer. It’s blocked, though, so the malware can’t get ‘commands’ from the bot herder.
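Added example, not part of this thread: a defender’s check for the ‘call home’ pattern described above, where blocked-URL alerts recur at a steady interval from a non-browser process (here Explorer.EXE hitting gate.php on two alternating hosts). The alert export format, timestamps and browser-name list are assumptions; the hostnames are the ones posted in the thread, with the GUID replaced by a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed sample alerts in a made-up export format (hosts from the thread, GUID replaced).
SAMPLE_ALERTS = """\
2011-03-02 10:00:03 Process=C:\\Windows\\Explorer.EXE Object=jeronimkali23.co.cc/nomore123/gate.php?guid=EXAMPLE
2011-03-02 10:01:05 Process=C:\\Windows\\Explorer.EXE Object=lupinaval123.co.cc/nomore123/gate.php?guid=EXAMPLE
2011-03-02 10:02:04 Process=C:\\Windows\\Explorer.EXE Object=jeronimkali23.co.cc/nomore123/gate.php?guid=EXAMPLE
2011-03-02 10:03:06 Process=C:\\Windows\\Explorer.EXE Object=lupinaval123.co.cc/nomore123/gate.php?guid=EXAMPLE
2011-03-02 10:04:05 Process=C:\\Windows\\Explorer.EXE Object=jeronimkali23.co.cc/nomore123/gate.php?guid=EXAMPLE
2011-03-02 10:17:40 Process=C:\\Program Files\\Browser\\browser.exe Object=example.test/ads/banner.js
"""
LINE_RE = re.compile(r"^(\S+ \S+) Process=(.+?) Object=(\S+)$")
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "browser.exe")  # assumed list

def parse_alerts(text):
    """Yield (timestamp, process, host, path) for each well-formed alert line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        url = urlsplit("//" + m.group(3))  # the blocked object carries no scheme
        yield ts, m.group(2), url.hostname, url.path

def find_beacons(text, min_hits=3, jitter=0.25):
    """Flag (process, URL path) groups whose alerts recur at a steady interval.

    Regular spacing from a non-browser process is what a bot calling home
    looks like; user browsing is bursty and comes from a browser process.
    """
    groups = defaultdict(list)
    for ts, proc, host, path in parse_alerts(text):
        groups[(proc, path)].append((ts, host))
    findings = []
    for (proc, path), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mid = median(gaps)
        if mid <= 0 or max(abs(g - mid) for g in gaps) > jitter * mid:
            continue  # irregular timing looks like ordinary browsing, not a beacon
        findings.append({"process": proc, "path": path, "hits": len(hits),
                         "hosts": sorted({h for _, h in hits}), "interval_s": mid,
                         "non_browser": not proc.lower().endswith(BROWSERS)})
    return findings
```

On the sample, only the gate.php group is reported: five hits about a minute apart from Explorer.EXE across both hosts, while the single browser alert is ignored.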
Would this explain why my machine keeps trying to connect to the internet when disconnected? This doesn’t usually happen.
So how do I check if it’s there and get rid of it?
I have sent essexboy, our top malware helper, a message. He will soon post here and then instruct you on how to get rid of this SpyEye infection. In the meantime, do this and attach the logfile you get:
Step 1: Restart your PC, keep pressing the F8 key and choose “Safe Mode with Networking” using the arrow keys. Press Enter and your PC will boot into Safe Mode.
Step 2: Download MBAM (download link: http://www.malwarebytes.org/mbam-download.php ), install it and then update its database. After that, restart your PC so that MBAM is fully functional, do Step 1 again to get into Safe Mode, and run a complete scan of your whole PC.
Attention: if you have problems installing MBAM, you can rename the installer to iexplore.exe or winlogon.exe. Then double-click the renamed program and follow the install steps mentioned above.
PS: first make file extensions visible, before renaming Malwarebytes.
Post the MBAM log file as an attachment in your next post.
Once your system has been compromised, don’t trust it, especially if you perform sensitive tasks such as accessing your bank account.
@ All
This is not an initiative against essexboy. He does tremendous work helping people. He’s to be applauded. But if the person in question uses the computer for sensitive tasks, such as accessing a bank account, I’d erase the hard drive using something like DBAN, install Windows fresh and then work on the security aspect.
You have a point there: when a computer has been compromised for some extended time and to quite an extent, it can no longer be trusted, as one does not know what the “malcreants” have done further to it. In this sense I agree. I know that essexboy knows in which cases a computer can be cleansed and in which cases a so-called “total recall” is to be preferred. In the case of a file infector, I know the answer; with bots that are morphed all the time to stay under the detection radar, the answer to these questions is not that easy either. So if the user has enough back-ups or an image of their system that is known to be clean, the solution need not be that drastic; in other cases, losing a computer to cybercrime is a mournful experience.
If the bot is being blocked then the probability is that no information has been transferred. Also, this type of programme is usually used for spamming/DoS attacks.
But once the date of infection can be determined, the final call is up to the OP.
Hi again,
I’ve done the MBAM scan and it found 6 infected files. Log attached. The warnings are no longer popping up, so does it look like my PC is clear? Also, is it possible to tell what damage has been done? Thanks again.
This was the kind of malware that MBAM cleansed from your comp: http://www.threatexpert.com/report.aspx?md5=f1af809f14c1461acb7258415ac969e6
kubecj’s hunch was right: SpyEye infection. Wait for essexboy to establish what remnants are still there and give instructions on what to do next, but I think MBAM did a good removal there. Maybe essexboy has some BHO cleansing to do there.
Keep MBAM on that machine, update it regularly and do a scan from time to time.
Hi, the good news is that there was no sign of any dat files associated with this malware, which would suggest it never received any instructions from the master. Do you have any other problems?
Your temporary folders are rather full, so I would recommend running this:
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop.
- Please double-click TFC.exe to run it. (Note: if you are running Vista, right-click on the file and choose Run As Administrator.)
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.