tvnzb.com/tvnzb_new.rss - avast! blocked you from visiting an infected

hXtp://www.tvnzb.com/tvnzb_new.rss

This is really annoying. Avast pops up like the attached pic a couple times an hour, seemingly randomly because it happens on various websites, NOT just on hXtp://www.tvnzb.com when I tried it to see what happens. I have never been to that site and avast doesn’t even allow me to see it. I’m not subscribed to any RSS feeds and I have done several spyware sweeps (SUPERAntiSpyware, MalwareBytes, Spybot, Ad-Aware). Is this a false positive or for real? Oh, how do I stop it? LOL Thank you for your time. :slight_smile:

Avast! Home 7.0.1426
Win7 Premium Home
Firefox 12.0
Adblock Plus 2.0.3
NoScript 2.4

Hi pulp,

First, please change http:// to hXtp:// to avoid accidental clicks.

Sucuri says clean. See: http://sitecheck.sucuri.net/results/www.tvnzb.com
However, AVG says infected. See: http://www.avgthreatlabs.com/sitereports/domain/tvnzb.com/

Zulu has some issues with the IP. See: http://zulu.zscaler.com/submission/show/49c06dbfc43003dc1373b1b67343d14a-1336427436
And URLVoid tells us that the IP contains some malicious sites. See: http://urlvoid.com/scan/tvnzb.com/

When I try to go to the link you provide with NoScript, I get 3 redirects. After the 3rd redirect, I am at a phishing site. Is this the same for you? If so, do you know the site is a phish?

I have NoScript running but Avast doesn’t let me get to the site. I don’t want to disable avast, would you like me to?

No.

First of all, why are you trying to go to the site? The site is worthless; a phish. There is no need for you to go to this site. See urlQuery for screenshot.
http://urlquery.net/report.php?id=52092

Sorry for the confusion Donovan. I DO NOT want to go to the site. Avast RANDOMLY pops up the above warning. For example, I’ll be on cnn.com and then maybe dslreports.com and BINGO, that tvnzb warning pops up! I have NEVER been there, do NOT want to go there and want this Avast warning to stop happening when I never even go there.

This is the sign of infection. Follow the instructions here: http://forum.avast.com/index.php?topic=53253.0 and attach logs in this post. A qualified malware removal expert will assist you with the next steps.

This is really annoying. Avast pops up like the attached pic a couple times an hour, seemingly randomly because it happens on various websites, NOT just on hXtp://www.tvnzb.com when I tried it to see what happens. I have never been to that site and avast doesn’t even allow me to see it.

This is supposed to happen. It means that avast! blocked you from visiting a harmful website.

Okay, so my Firefox is trying to visit the website without me knowing it, stealthily. Wow!

EDIT***

Okay, I read what you requested me to do. I have to go to work soon and that’s going to take some time. I’ll report back after work. Thanks!

Monitoring… :slight_smile:

There is no “Custom Scan” for OTL, as per the instructions:

"Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%USERPROFILE%..|smtmp;true;true;true /FP
CREATERESTOREPOINT"

How shall I proceed with the “paste this in”?


http://img718.imageshack.us/img718/7546/otlnocustomscan.jpg
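The /md5start ... /md5stop block in the OTL instructions above lists system binaries (consrv.dll, explorer.exe, winlogon.exe, Userinit.exe, svchost.exe) whose hashes the helper wants in the log, so that a patched or planted copy can be spotted by comparing against known-good values. The following Python script is an added example written for this thread, not OTL's own code or anything posted by its author: it walks a directory tree, computes the MD5 of every file with one of those names, and reports names that appear with more than one hash. The assumption that OTL's md5start block hashes the listed names is mine; the demo runs against a constructed temporary directory rather than a real Windows install.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set

# File names taken from the /md5start ... /md5stop block quoted in the thread.
WATCHED_NAMES = ["consrv.dll", "explorer.exe", "winlogon.exe", "Userinit.exe", "svchost.exe"]


def file_md5(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_watched_files(root: str, names: List[str] = WATCHED_NAMES) -> Dict[str, str]:
    """Walk `root` and return {full_path: md5} for every file whose name is in `names`.

    Matching is case-insensitive because Windows paths are; unreadable files are skipped.
    """
    wanted = {n.lower() for n in names}
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in wanted:
                full = os.path.join(dirpath, fname)
                try:
                    found[full] = file_md5(full)
                except OSError:
                    continue  # locked or unreadable; leave it for a tool running at boot time
    return found


def find_inconsistent(hashes: Dict[str, str]) -> Dict[str, Set[str]]:
    """Group hashes by base name and return names that occur with more than one hash.

    A differing 32-bit/64-bit pair (System32 vs SysWOW64) is normal on x64 Windows,
    so a hit here is a prompt to compare each copy against vendor hashes, not proof of tampering.
    """
    by_name: Dict[str, Set[str]] = {}
    for path, digest in hashes.items():
        by_name.setdefault(os.path.basename(path).lower(), set()).add(digest)
    return {name: digests for name, digests in by_name.items() if len(digests) > 1}


def build_demo_tree() -> str:
    """Constructed sample tree: two svchost.exe copies that differ, one explorer.exe.

    Contents are arbitrary placeholder bytes, not real binaries.
    """
    root = tempfile.mkdtemp(prefix="md5demo_")
    layout = {
        os.path.join("System32", "svchost.exe"): b"placeholder system32 svchost",
        os.path.join("Temp", "svchost.exe"): b"placeholder copy in an odd location",
        os.path.join("Windows", "explorer.exe"): b"placeholder explorer",
        os.path.join("Windows", "notes.txt"): b"not a watched name",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    all_hashes = hash_watched_files(demo_root)
    for p, d in sorted(all_hashes.items()):
        print(f"{d}  {p}")
    for name, digests in find_inconsistent(all_hashes).items():
        print(f"{name}: {len(digests)} distinct hashes, review each copy")
```

On a real machine you would point hash_watched_files at the system drive and compare the resulting digests with the values a vendor or a clean reference install reports; the script only surfaces candidates for that comparison.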

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.08.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: WIN7-PC [administrator]

5/8/2012 3:34:38 PM
mbam-log-2012-05-08 (15-34-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 200102
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

do you see the text box at the bottom… above it you see the “custom scan/fixes” text
http://www.geekstogo.com/#!/entry/otl-by-oldtimer-ndash-a-modern-replacement-for-hijackthis,1888/2

so you copy and paste the text into that box at the bottom marked no. 1… see pic in link above

Ahhhhh + FIXES. I thought it was offering fixes. OK!

it will later… I mean jeffce will make one, and to do that he needs the OTL log, so he can see what to fix

I see no option to save as ANSI. Hope this is okay. Have to do it twice because Forum Limit exceeded.

Extras.txt

It’s okay…
If you had done it wrong they would be unreadable… look like Chinese gobbledygook

aswMBR.exe LOG

Anything else?

now you relax and wait for jeffce to do the work…
he is on US timezone so not sure when he is online…

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/iat/us_ca.aspx
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F2 87 F1 DB E8 AA CB 01  [binary data]
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\..\SearchScopes,DefaultScope = {A0DF909A-F431-4555-BF82-CED7DD27BE1C}
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1022496972-1567293300-2936888071-1000\..\SearchScopes\{A0DF909A-F431-4555-BF82-CED7DD27BE1C}: "URL" = http://www.google.ca/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}&rlz=1I7GGHP_en-GBCA434
FF - prefs.js..browser.startup.homepage: "http://www.ctvnews.ca/"
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll (AnchorFree Inc.)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\user\Desktop\*.tmp files -> C:\Users\user\Desktop\*.tmp -> ]
[2012/04/22 22:53:36 | 000,008,704 | ---- | M] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Done!

Well, I haven’t had that pop-up… yet. Appears to be fixed but awaiting further feedback from the superduper fantastic jeffce. 8)