Virus(?) using IE/Firefox to connect to a website.

Hello, I have a problem with a virus that keeps using IE/Firefox to connect to a website that Avast! thankfully blocks each time.

It started when I went to download Pacman from here: http://www.download-free-games.com/pc/pac_man.htm (sorry if I’m not meant to post links). The website has “a good rating based on few votes” according to Avast! Webrep, so I figured it would be safe. It downloads an exe and then the exe downloads more stuff; this is when Avast! first popped up saying ‘connection blocked’. I immediately cancelled the download, used CCleaner to clear temp files/clean the registry and deleted the exe. However, since then it has popped up twice more trying to connect to these websites (all the same really):

(Copy and pasted from Webshield.txt (but I removed http bit so it wasn’t a link))

DO NOT USE THESE LINKS UNLESS YOU KNOW WHAT YOU ARE DOING. Just a friendly warning.
03/08/2011 19:22:36 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=000084eac084c.4e399207cb9d09c5c8e214284eccba76970de5d8db78c276814b9f5c42b06cfd87d1285482526 [L] JS:Downloader-AUX [Trj] (0)

03/08/2011 19:27:29 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=0000b7c249cc9.4e39932d5b4f09c5c8e214284eccba76970de5d8db78c21ee7f7c09cf54691bf60e746013debd [L] JS:Downloader-AUX [Trj] (0)

03/08/2011 19:42:40 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=0000c973874c4.4e3996bc101d09c5c8e214284eccba76970de5d8db78ce3573e62c3b352da29d1944f72d1aefe [L] JS:Downloader-AUX [Trj] (0)

A quick scan with both Avast! and Malwarebytes showed up nothing, and the warning has not come up again since the scans, but I’m still worried about it; naturally I like to run a very clean computer. So my question is: is the problem likely to be a registry entry? Or is a boot-time scan likely to find anything?

Any help would be great, thanks

Adam

EDIT: The bastard did it again! When I opened a new tab in Firefox and clicked a link to ‘The Escapist Magazine’ (definitely trusted). My guess is it’s trying to hide itself by only connecting when I connect to something else.

EDIT AGAIN: It’s continuously popping up now on this website; right after it does, an advert appears, so possibly adware, although it could just be the website. Could really do with some help here.
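As an added example (not code from the thread or from Avast), a small Python parser for Webshield.txt lines of the shape quoted above. It groups the blocked requests by host, path and detection name so you can see at a glance whether every alert points at the same script and whether only the session key changes. The sample lines are constructed in that format with shortened session keys.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same shape as the Webshield.txt lines quoted in the post
# (scheme already stripped, session keys shortened; not the real values).
SAMPLE_LOG = """\
03/08/2011 19:22:36 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=000084eac084c.AAAA [L] JS:Downloader-AUX [Trj] (0)
03/08/2011 19:27:29 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=0000b7c249cc9.BBBB [L] JS:Downloader-AUX [Trj] (0)
03/08/2011 19:42:40 kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=0000c973874c4.CCCC [L] JS:Downloader-AUX [Trj] (0)
"""

# Assumed field layout: date time url [flag] detection [class] (count)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<url>\S+) \[(?P<flag>[A-Z])\] (?P<detection>\S+) \[(?P<cls>\w+)\] \((?P<n>\d+)\)$"
)

def parse_line(line):
    """Return one event dict for a Webshield line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log omits the scheme; prepend one so urlsplit can find the host.
    parts = urlsplit("http://" + m.group("url"))
    return {
        "when": f"{m.group('date')} {m.group('time')}",
        "host": parts.hostname,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "flag": m.group("flag"),
        "detection": m.group("detection"),
        "cls": m.group("cls"),
    }

def summarize(text):
    """Group blocked requests by (host, path, detection) and count distinct session keys."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    by_target = Counter((e["host"], e["path"], e["detection"]) for e in events)
    ses_keys = {e["query"].get("sesKey") for e in events}
    return {
        "events": len(events),
        "targets": by_target,
        "distinct_session_keys": len(ses_keys),
        "same_script_each_time": len(by_target) == 1,
    }

if __name__ == "__main__":
    for target, count in summarize(SAMPLE_LOG)["targets"].items():
        print(count, "block(s):", target)
```

Three blocks of one script with a different sesKey each time point at a page embedding that script rather than at three separate downloads, which is a useful fact to check before assuming local persistence.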

Did you run that .exe?
Was Malwarebytes updated when you scanned? If not, update and do a quick scan.

The kyoka.gaikai.com links are dead: http://www.downforeveryoneorjustme.com/www.kyoka.gaikai.com

Unfortunately, yes, I was an idiot and ran the exe. I stopped it about halfway through downloading whatever it was downloading.

Malwarebytes was updated etc before I ran the scan.

I have reasons to believe the “JS:Downloader-AUX [Trj]” detection is a false positive in virus definitions 110803-1.
This evening avast! Free Antivirus started to warn me on my own website (help.artaro.eu) about PluginDetect.js (version 0.7.5). The script was compiled on http://www.pinlady.net/PluginDetect/ months ago and its contents have not changed (I compared the file size and contents). I restored the file from a backup made back in May and avast! still labeled it as a Trojan Horse. Even recompiling at the publisher’s site does not help.
VirusTotal shows that only avast! and GData label the file as Downloader-AUX.
I submitted this file as false positive via avast! Free Antivirus, hopefully it will be resolved quickly.

What was the exe name? Or do you have the full link to it?

Post hxxp or wxw so it is not clickable.

This evening avast! Free Antivirus started to warn me on my own website (help.artaro.eu)
@msaluste I get no detection on VT?

VirusTotal - URL scan
http://www.virustotal.com/url-scan/report.html?id=d8ba1761e50817ae03c9a6ac1daaa1dc-1312394717

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=339caa93018e283fe5ee6c0e3255e41573014f720054104974a33f75d97c24c2-1312401942

The links are in the original post.

hxxp://kyoka.gaikai.com/Kyoka/php/kyokaApp.js.php?v=3.1.7&sesKey=000084eac084c.4e399207cb9d09c5c8e214284eccba76970de5d8db78c276814b9f5c42b06cfd87d1285482526

That’s the first one.

JS:Downloader-AUX

That’s the trojan, according to Avast!

Also, not being funny but is ‘msaluste’ trustable? Was just looking in another (unrelated) thread and someone was throwing around false advice and got banned…

EDIT: Oops you meant the pacman exe thing. You can find it here: hxxp://www.download-free-games.com/pc/pac_man.htm just click “Free Download” although you probably don’t want to… I’m afraid I don’t have the name of it because I deleted it instantly.

I just ran an OTS scan. I’m not sure what it does, but it’s recommended in one of the stickies. I’ll attach it if someone can tell me how.

EDIT: Thanks Pondus, but the file is too large! Is there somewhere else I can upload it?

Lower left corner > additional options > attach

@pondus: me neither, but opening the site in a web browser while avast! Free is running opens the attached warning.
Uploading the file directly to VirusTotal causes some detections: http://www.virustotal.com/file-scan/report.html?id=e73061df4aaf56f73374b76366f6032b5c74cd3078c3eeda841b8f6416ea4871-1312403043

VirusTotal - pacman_s1_l1_gF2908T1L1_d1408243229.exe - 0/43
http://www.virustotal.com/file-scan/report.html?id=4438ce3034e24421022001b77d2f49d8e8df982f6038cafc405c5c522d82577e-1312403667

@msaluste I see you have started your own topic… stay in that when you post
http://forum.avast.com/index.php?topic=82597.0

The OTS.txt was too large (230 KB); can I upload it to another site or something? Preferably without having to sign up to anything.

http://www.mediafire.com/

and post the download link here

Thanks Pondus, that website is brilliant!

http://www.mediafire.com/?463u1cdyc36xt61

Note: About a third of the way down it lists some very dodgy-sounding websites; I don’t know if this is SpyBot protecting me from them or a virus that has put them there.

Also before running the scan I reinstalled Firefox (thought it might have been infected).

OK, so I’m beginning to get skeptical about this one: it only pops up on this website now: hxxp://www.escapistmagazine.com/videos/view/zero-punctuation and SpyBot found nothing. So maybe it is a false positive.

Is it just that site?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2287921795-3912660771-842721480-1001\] > -> HKEY_USERS\S-1-5-21-2287921795-3912660771-842721480-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< 64bit-Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YY -> C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Done.

OTS

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-2287921795-3912660771-842721480-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
[Registry - Additional Scans - Safe List]
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FancyStart daemon.lnk\ deleted successfully.
File  not found.
C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Adam\Desktop\cmd.bat deleted successfully.
C:\Users\Adam\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
 
 
User: Adam
->Temp folder emptied: 1700396 bytes
->Temporary Internet Files folder emptied: 24791603 bytes
->Java cache emptied: 3184631 bytes
->FireFox cache emptied: 77962885 bytes
->Flash cache emptied: 58172 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6434 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50467 bytes
RecycleBin emptied: 236038 bytes
 
Total Files Cleaned = 103.00 mb
 
 
[EMPTYFLASH]
 
User: Adam
->Flash cache emptied: 0 bytes
 
User: All Users
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 08032011_220936

Files\Folders moved on Reboot...
C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Adam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZD6GDZA\api[1].htm moved successfully.
C:\Users\Adam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BZD6GDZA\api[2].htm moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

aswMBR

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-03 22:14:23
-----------------------------
22:14:23.185    OS Version: Windows x64 6.1.7601 Service Pack 1
22:14:23.185    Number of processors: 8 586 0x1E05
22:14:23.185    ComputerName: ADAM-PC  UserName: Adam
22:14:26.695    Initialize success
22:14:26.961    AVAST engine defs: 11080301
22:14:34.012    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:14:34.012    Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
22:14:34.028    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
22:14:34.028    Disk 1 Vendor: ST950042 0003 Size: 476940MB BusType: 3
22:14:34.043    Disk 0 MBR read successfully
22:14:34.043    Disk 0 MBR scan
22:14:34.043    Disk 0 Windows 7 default MBR code
22:14:34.043    Service scanning
22:14:39.285    Modules scanning
22:14:39.285    Disk 0 trace - called modules:
22:14:39.300    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll 
22:14:39.316    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dee790]
22:14:39.316    3 CLASSPNP.SYS[fffff88001b6543f] -> nt!IofCallDriver -> [0xfffffa8006d2f040]
22:14:39.332    5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007bbd050]
22:14:40.268    AVAST engine scan C:\Windows
22:14:41.859    AVAST engine scan C:\Windows\system32
22:15:48.284    AVAST engine scan C:\Windows\system32\drivers
22:15:56.146    AVAST engine scan C:\Users\Adam
22:21:25.182    AVAST engine scan C:\ProgramData
22:23:15.178    Scan finished successfully
22:23:26.051    Disk 0 MBR has been saved successfully to "C:\Users\Adam\Desktop\MBR.dat"
22:23:26.051    The log file has been saved successfully to "C:\Users\Adam\Desktop\aswMBR.txt"



Also, it’s the only site I’ve been on since it first appeared a few hours ago that makes it happen. But I’m 99.99% sure I wasn’t on that site when it first appeared.

How is the computer behaving now?