URL:MAL

My web shield is popping up about every three hours detecting three malicious websites, but it does not give me enough information to determine where the program is in my computer that's making it try to connect. I've scanned with Avast, Malwarebytes, visually inspected and deleted internet cookies/objects, searched MSconfig and add/remove programs…but I can't seem to find the culprit.

I realize that the URLs are blocked so I'm not in immediate danger, but at the same time there has to be a virus on my cpu (or at least some kind of script) that's making this connection attempt occur. How do I figure out where it is…because this one is not in the usual places.

Post the information from the logs, e.g. from the avastUI, Real-Time Shields, File System Shield or Web Shield or Network Shield, Show report file.

Change any reported URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Hi keith075,

What were the URLs involved? Give them like wxw or htxp and we can see what script is making the avast shield disconnect.

polonus

(88.80.7.152/cgi/pfkpu.php?tjzo=6733616<x044453x4x4x4x=2x) was the last one…I’ve been searching for logs or indicators of what is causing my computer to try to connect to these websites and I can’t find it.

Is there a way to find the logs of the network shield? The popup only remains on the screen for 10 or so seconds and it’s not enough time to type each page before they disappear.

Easy to find really: open the avastUI, Real-Time Shields, Network Shield and click 'Show report file'.

All it shows is-
avast! Real-time Shield Scan Report

  • This file is generated automatically
  • Started on: Monday, June 14, 2010 10:59:02 AM

It doesn’t actually show the websites, but I did figure out that when the threat block pops up I can pin it in place…I’ll update in about an hour and a half when the next attempt happens.

Okay, I finally had another popup and pinned the page so I can give all three links-

media9s.com/cgi/crhwmrxg.php?gggg=6733616
nopagency.com/cgi/kpudd.php?ddddd=6733616
88.80.7.152/cgi/oejo.php?dsi=6733616

All three pages were launched (well, attempted to launch) using Internet Explorer, but for the life of me I can't find the process requesting the attempts. All of them ending in the same number sequence tells me that my computer is being tracked as an individual, which worries me. From my last post you can estimate how often it is trying to connect to the internet…and this happens twenty-four hours a day.

Any help would be greatly appreciated.

The IP address for the last one is for prq.se, a Swedish domain.
media9s.com is also the same Swedish domain, prq.se.

The nopagency.com domain has been suspended, presumably because of this type of attempt.

Is IE open when this is going on?
Have you tried using other browsers as your default? I suggest Firefox, Chrome or Opera.

As you say this is happening every three hours, are there any tasks in the Windows Scheduled Tasks?

What is your firewall?

Hi, let's have a deeper look at the system. First though, have you checked your proxy settings?

David may well be right about a bad job in the task folder

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page; you want the setting to be "No proxy".

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Check the box that says Scan All Users
[*]Under the Custom Scan box paste this in


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
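As an added example (not code from the thread, from avast or from OTL), the PowerShell below walks the same places David's and essexboy's replies point at: the WinINET proxy setting that the IE LAN settings dialog edits, Scheduled Tasks, and the netsvcs and Drivers32 entries that head the OTL custom scan list. It also ties each outbound TCP connection to the process that owns it, which is what the original question is really asking for. The function names are my own; the registry paths and the `schtasks`/`netstat` switches are the standard Windows ones. The script only reads; run it from an elevated prompt so it can see every process.

```powershell
# Added triage script for the thread above; not part of the original post or of OTL.
# Read-only: it prints configuration and connection state, it changes nothing.
$ErrorActionPreference = 'SilentlyContinue'

function Get-WinInetProxy {
    # The value the "LAN settings" dialog writes. ProxyEnable=1 with a ProxyServer,
    # or an AutoConfigURL, means every WinINET client is routed through that proxy.
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-TaskCommands {
    # schtasks exists from XP onward; /v adds the "Task To Run" column.
    # The verbose CSV repeats its header once per task folder, so drop those rows.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Task To Run', 'Schedule Type', 'Next Run Time'
}

function Get-NetsvcsDlls {
    # Services hosted in the shared "netsvcs" svchost group (OTL's first scan line).
    # Each one loads the DLL named in its Parameters\ServiceDll value; a DLL that is
    # missing or lives outside %SystemRoot%\system32 deserves a second look.
    $group = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost').netsvcs
    foreach ($svc in $group) {
        $dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters").ServiceDll
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            [pscustomobject]@{
                Service    = $svc
                Dll        = $path
                Exists     = Test-Path $path
                InSystem32 = $path -like "$env:SystemRoot\system32\*"
            }
        }
    }
}

function Get-Drivers32 {
    # Codec/driver mappings (OTL's second scan line). The data is a DLL name that any
    # process using the codec will load; a bare filename is found via the DLL search order.
    $k = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
    foreach ($name in $k.GetValueNames()) {
        [pscustomobject]@{ Entry = $name; Dll = $k.GetValue($name) }
    }
}

function Get-OutboundOwners {
    # netstat -ano prints: Proto  Local  Foreign  State  PID. Only TCP rows carry a
    # State column, so take those and resolve the PID to a process image path.
    netstat -ano | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        $proc = Get-Process -Id ([int]$f[4])
        [pscustomobject]@{
            Remote  = $f[2]
            State   = $f[3]
            PID     = $f[4]
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }
}

'== WinINET proxy =='
Get-WinInetProxy | Format-List
'== Scheduled tasks =='
Get-TaskCommands | Format-Table -AutoSize
'== netsvcs DLLs that are missing or outside system32 =='
Get-NetsvcsDlls | Where-Object { -not $_.InSystem32 -or -not $_.Exists } | Format-Table -AutoSize
'== Drivers32 =='
Get-Drivers32 | Format-Table -AutoSize
'== Outbound connections by owning process =='
Get-OutboundOwners | Where-Object { $_.State -ne 'LISTENING' } | Sort-Object Remote | Format-Table -AutoSize
```

The connection table is a snapshot: a shield that blocks the request tears the socket down within seconds, so sample it in a loop (`while ($true) { Get-OutboundOwners | ...; Start-Sleep 1 }`) around the time the popup is due and look for the blocked host or IP in the Remote column. A PID of 4 (System) or a connection from `svchost.exe` sends you back to the netsvcs and Drivers32 tables, since those are the DLLs that run inside someone else's process.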

Hi keith075

media9s.com is a site that is classified as dangerous on several counts:
http://www.malwaredomainlist.com/mdl.php?search=media9s.com
Malware distributing site with drive-by-downloads/viruses
for nopagency.com see: http://www.malwaredomainlist.com/mdl.php?search=nopagency.com
same type of malware indicated…
the third site also: http://www.malwaredomainlist.com/mdl.php?search=88.80.7.152&colsearch=All&quantity=50
Could be this range of malware: http://www.threatexpert.com/reports.aspx?find=Monkif%20C%26C
About this Monkif C&C trojan on the media9s.com server read here: http://www.malwaredomainlist.com/forums/index.php?topic=4154.0
More information about this recently active malware from the Koobface family - Monkif C&C read:
http://research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html

Follow the instructions of malware eliminator essexboy to the dot and be safe and secure,

polonus

Hello all,

1st post!

I too started getting this “media9s.com/cgi” url warning about a week ago. I have tried everything above - still get the warning.

Isn’t it because the site is infected ???

I had the same problem with:
media9s.com/cgi/crhwmrxg.php?gggg=6733616xxx
nopagency.com/cgi/kpudd.php?ddddd=6733616xxx
88.80.7.152/cgi/oejo.php?dsi=6733616xxx (no xs on the ends)
for about a week. I tried everything I had, full scans with Avast, Malwarebytes & SuperAntiSpyware, and they did not find these. I turned off restore, dumped my temps, did a reboot, turned System Restore back on, updated Malwarebytes (always do this) and did a full scan (said clean), updated SuperAntiSpyware and it found these: (trojan.Dropper/Win-NVxxx (without the xs))
in that there were 2 -
(C:\WINDOWS\MSVIDEO.DLLxxx(without the xs))
I moved them to Quarantine yesterday and have not seen the blocked warning again! I hope I'm done with them, and hope this might help someone…dave

To answer everyone’s questions…I have uninstalled/reinstalled IE and it made no difference. I do not have to have the browser launched for the warning to pop up, it does it on its own.

The proxy server option is not checked under internet settings.

The log file is attached from OTL; it did not give me an extras.txt file though.

Finally, I keep Windows, Advanced System Care, Malwarebytes, and Avast updated…none of them show any problems with full scans. I also downloaded and updated SuperAntiSpyware but it only found some tracking cookies.

Let me know if it continues after this run please

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (WitBHO Class) - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
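An added check for the two items this fix removes, the O2 BHO entry and the O6 Infodelivery policy key; it is not from the thread or from OTL. Run it before the fix to see what each entry resolves to, and again afterwards to confirm both are gone. The CLSID is the one in OTL's O2 line above; `Test-Bho`, `Get-AllBhos` and `Test-InfodeliveryPolicy` are my own names, and the registry paths are the standard ones IE uses.

```powershell
# Added example for the OTL fix above; not part of the original post or of OTL. Read-only.

function Test-Bho {
    param([string]$Clsid)
    # A BHO is wired up in two places: its CLSID listed under Explorer\Browser Helper
    # Objects tells IE to load it, and HKCR\CLSID\{...}\InprocServer32 names the DLL.
    # OTL's "File not found" means the hook still exists while the DLL does not.
    $hooks = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    )
    $registered = $false
    foreach ($h in $hooks) { if (Test-Path $h) { $registered = $true } }

    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = $null
    if ($srv) {
        # The default value may be quoted and may use %SystemRoot%-style variables.
        $dll = [Environment]::ExpandEnvironmentVariables(($srv.'(default)' -replace '"', ''))
    }
    [pscustomobject]@{
        CLSID      = $Clsid
        Registered = $registered
        Dll        = $dll
        DllExists  = [bool]($dll -and (Test-Path $dll))
    }
}

function Get-AllBhos {
    # Every CLSID IE would load as a BHO, resolved the same way, so the one from the
    # fix can be judged next to the legitimate ones (Acrobat, Java, etc.).
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($r in $roots) {
        Get-ChildItem $r -ErrorAction SilentlyContinue | ForEach-Object { Test-Bho $_.PSChildName }
    } | Sort-Object CLSID -Unique
}

function Test-InfodeliveryPolicy {
    # Keys under HKLM\Software\Policies exist only when something has set a policy,
    # by Group Policy or by writing the key directly. List every value under it and its
    # subkeys so what it was imposing is visible before the fix deletes it.
    $k = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Infodelivery'
    if (-not (Test-Path $k)) {
        return [pscustomobject]@{ Key = $k; Present = $false; Values = @() }
    }
    $values = foreach ($key in @(Get-Item $k) + @(Get-ChildItem $k -Recurse)) {
        foreach ($n in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Name = $n; Data = $key.GetValue($n) }
        }
    }
    [pscustomobject]@{ Key = $k; Present = $true; Values = @($values) }
}

# The entry OTL listed in this thread.
Test-Bho '{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}' | Format-List
# Any other BHO whose DLL is missing or sits somewhere other than Program Files/system32.
Get-AllBhos | Where-Object { -not $_.DllExists -or ($_.Dll -notlike "${env:ProgramFiles}*" -and $_.Dll -notlike "$env:SystemRoot\system32\*") } | Format-Table -AutoSize
Test-InfodeliveryPolicy | Format-List
```

After the OTL fix and reboot, `Registered` for that CLSID should be `$false` and `Present` for the policy key should be `$false`; if either is still true, something re-created it, which is itself a finding.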

For:
media9s.com/cgi/
nopagency.com/cgi/
88.80.7.152/cgi/…

See:
http://forum.avast.com/index.php?topic=60749.msg513053#msg513053

Don’t know how - just know it worked.

Thanks djDave!

Since completing the above steps the popup seems to be gone…so evidently it was generic malware that did not properly show up as a named threat. Thanks for everyone's help!

O2 - BHO: (WitBHO Class) - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

These were the two elements that I believe caused it

or was it the removal of this?
C:\WINDOWS\MSVIDEO.DLL

Removal of 2x trojan.Dropper/Win-NV in C:\WINDOWS\MSVIDEO.DLL