The Avast network shield is doing its job. The message shows up intermittently as well as whenever the PC is restarted. I’m running a virus scan now, but I couldn’t find any information on Google about what I’m up against. I also don’t know what information it’s trying to send out, so I’ve clipped the CCRC and MD5 fields. I can see it identifying me as W7 with IE8.
Sidebar.exe, the W7 desktop gadgets process, and woot.exe, a sale tracking tool, are consuming as much CPU as they can get. They stay dead when I kill them.
Well, from what I see, there is something on your system, hidden/undetected, using explorer.exe to try and connect to the malicious sites. I have explorer.exe blocked from having any internet access in my firewall.
Yes, it is possible to type a URL into the Windows Explorer address window legitimately, but it is highly unusual, and personally, if I needed to do that, I would use my browser directly.
So it may be worth scanning with some other tools to see if we can find that:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware (MBAM). On-Demand only in free version. http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe - right click on the link and select Save As or Save File (As, depending on your browser), and save it to a location where you can find it easily later.
2. SUPERantispyware (SAS). On-Demand only in free version.
The apocalypt2.net site is considered malicious by more than just avast:
http://www.malwareurl.com/submit.php/listing.php?domain=apocalypt2.net
http://www.mywot.com/en/scorecard/apocalypt2.net
http://www.freepcsecurity.co.uk/2010/01/22/malicious-sites-january-22/
Report 2010-06-18 22:24:17 (GMT 1)
Website apocalypt2.net
Domain Hash c707f7fef6905d189469fbc858e88eca
IP Address 67.215.237.19
IP Hostname 67.215.237.19.static.quadranet.com
IP Country US (United States)
AS Number 29761
AS Name OC3-NETWORKS-AS-NUMBER - OC3 Networks & Web S…
Detections 4 / 19 (21 %)
Status DANGEROUS
I have the same error when I visit this site: http://gf.wiretarget.com/ I can’t get in, and I’ve been using this site for a long time, so I don’t think that there are viruses.
URLVoid gives it as clean here:
Report 2010-05-24 03:52:42 (GMT 1)
Website gf.wiretarget.com
Domain Hash b9e5a380da17a7aa5d7f2b5f74c9dd54
IP Address 85.17.254.171
IP Hostname -
IP Country NL (Netherlands)
AS Number 16265
AS Name LEASEWEB LEASEWEB AS
Detections 0 / 9 (0 %)
Status CLEAN
Here is the robtex info on it: http://www.robtex.com/dns/gf.wiretarget.com.html
I get a <urlopen error (-2, ‘Name or service not known’)> error there.
MBAM found cleansweep. Removing it has stopped the warnings.
A full scan of my hard drives with Avast, MBAM, and SAS hasn’t found the source of the trojan. I’m a bit concerned. I wouldn’t be tricked into running a trojan unless it was packaged with some other software, but AVAST usually catches those. It’s possible that my girlfriend had been tricked, but she’s usually pretty sharp.
And malicious sublinks found: ads.clicksor.com. Malicious software includes 11 exploits, 5 trojans.
This site was hosted on 21 network(s) including AS174 (COGENT), AS26347 (DREAMHOST), AS24940 (HETZNER).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ads.clicksor.com appeared to function as an intermediary for the infection of 34 sites including rarbg.com/, somaliweyn.com/, filmeaz.com/.
General advice: do not venture out there. As a bonus, you will get a video of how Backdoor.Graybird is being made; it took them only three minutes: http://www.youtube.com/watch?v=s9RL2KcaUTE