Website block message + dead AVAST

Hello there.
I’ve come here because I’m not sure what to think of my little experience last night. Here we go:

I was googling for an image I needed, and when I enlarged it Avast popped up and said it’s a malicious website (URL:MAL), and that it had been blocked. No big deal, happens now and then and usually it’s fine. Although the website wasn’t exactly blocked, I got those annoying popups saying something along the lines of ‘Virus found in your system. Click OK to scan’. I just killed Firefox and let it be, it’s what I usually do with silly scams like that. Buuuut… then my Avast started acting weird. I couldn’t access my online logs, I couldn’t actually access any Avast websites. Firefox had its connection cut so I tried IE to see if I could find anything about this website on which the picture was hosted (proofnessmicrosoftremedy.info) but IE didn’t like me either. So I cut my connection altogether and decided to use my phone (praise modern technology) but didn’t find anything special about this site. I did a quick MBAM scan and it came up with uninstall.exe. I opened the location and it was in temp, and was actually called ‘killprocess uninstall.exe’ and had a ‘killproc.exe’ as well, both 48kb. A quick google let me know that these are pretty bad. I got rid of them, wondering how they even got there. After that my net was fine but I decided to leave it off, and my PC scanning overnight, full MBAM, full Avast and Spybot S&D. No problems except for Avast not being able to scan some nVidia files in use. All good, so here I am, everything’s working fine… but I’m still concerned about last night. What happened, was it just some strange Avast bug or is something wrong with my precious PC? Anyone experienced this?

Here’s the nshield log btw.

01.02.2012 20:18:14 Network Shield: blocked access to malicious site hxtp://scareshell.org/g6tus5zxwopba/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 5244 ) ]
19.02.2012 01:05:43 Network Shield: blocked access to malicious site hxtp://download117.avast.com/iavs5x/servers.def.vpx [ C:\Program Files\AVAST Software\Avast\setup\avast.setup ( 132 ) ]
08.03.2012 22:05:56 Network Shield: blocked access to malicious site hxtp://rlslog.com/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 9244 ) ]
08.03.2012 22:05:56 Network Shield: blocked access to malicious site hxtp://www.rlslog.com/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 9244 ) ]
08.04.2012 01:11:44 08.04.2012 01:11:44 Network Shield: blocked access to malicious site hxtp://proofnessmicrosoftremedy.info/68efd410a6a48b3c/2/images/alert.png [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 2192 ) ]
08.04.2012 01:12:42 Network Shield: blocked access to malicious site hxtp://proofnessmicrosoftremedy.info/favicon.ico [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4884 ) ]

I appreciate any help, I’m not quite sure how to proceed. Thanks

By the way ^ In addition to no internet connection, my Avast declined to scan or do anything until I cut my connection.
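Added example, not code from the thread or from Avast: a small Python triage script for Network Shield log lines in the layout quoted in the post (timestamp, "Network Shield: blocked access to malicious site", the defanged URL, then the process path and PID in brackets). It tolerates the doubled timestamp that appears on one of the quoted lines, groups the blocks by host and process, and separates out blocks on the AV vendor's own domain, which is the one kind of entry worth reading differently (a bad definition or tampering with the product's connectivity rather than a visited site). The sample lines are constructed from the ones in the post; the vendor suffix list is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: lines copied from the post's Network Shield log.
# "hxtp://" is the forum's defanged spelling of "http://".
SAMPLE_LOG = r"""
01.02.2012 20:18:14 Network Shield: blocked access to malicious site hxtp://scareshell.org/g6tus5zxwopba/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 5244 ) ]
19.02.2012 01:05:43 Network Shield: blocked access to malicious site hxtp://download117.avast.com/iavs5x/servers.def.vpx [ C:\Program Files\AVAST Software\Avast\setup\avast.setup ( 132 ) ]
08.04.2012 01:11:44 08.04.2012 01:11:44 Network Shield: blocked access to malicious site hxtp://proofnessmicrosoftremedy.info/68efd410a6a48b3c/2/images/alert.png [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 2192 ) ]
08.04.2012 01:12:42 Network Shield: blocked access to malicious site hxtp://proofnessmicrosoftremedy.info/favicon.ico [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4884 ) ]
"""

# One timestamp, occasionally repeated (as on the third sample line); the
# repeated group keeps the last occurrence, which is identical anyway.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) )+"
    r"Network Shield: blocked access to malicious site "
    r"(?P<url>\S+) \[ (?P<proc>.+?) \( (?P<pid>\d+) \) \]$"
)


@dataclass
class NetShieldEvent:
    ts: datetime
    host: str        # hostname of the blocked URL
    path: str        # path component of the blocked URL
    process: str     # basename of the process that made the request
    pid: int


def refang(url: str) -> str:
    """Turn forum-style 'hxtp://' / 'hxxp://' back into 'http://' for parsing."""
    return re.sub(r"^hx+t?p", "http", url)


def parse_line(line: str):
    """Return a NetShieldEvent for one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(refang(m.group("url")))
    return NetShieldEvent(
        ts=datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
        host=(parts.hostname or "").lower(),
        path=parts.path,
        process=m.group("proc").replace("/", "\\").rsplit("\\", 1)[-1].lower(),
        pid=int(m.group("pid")),
    )


def parse_log(text: str) -> list:
    """Parse every recognisable line, silently skipping blanks and noise."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def blocks_by_host(events) -> Counter:
    """How many blocked requests went to each host."""
    return Counter(e.host for e in events)


def blocks_by_process(events) -> Counter:
    """Which local process triggered the blocks (browser vs. something else)."""
    return Counter(e.process for e in events)


def vendor_self_blocks(events, vendor_suffixes=("avast.com",)) -> list:
    """Blocks whose target is the AV vendor's own infrastructure (assumed suffixes)."""
    return [e for e in events
            if any(e.host == s or e.host.endswith("." + s) for s in vendor_suffixes)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, n in blocks_by_host(evs).most_common():
        print(f"{n:3d}  {host}")
    for proc, n in blocks_by_process(evs).most_common():
        print(f"{n:3d}  {proc}")
    for e in vendor_self_blocks(evs):
        print("vendor self-block:", e.ts.isoformat(), e.host, e.process, e.pid)
```

Run it against a real Network Shield export by replacing `SAMPLE_LOG` with the file's contents; the per-host count shows whether a machine kept going back to one site (two hits on the same domain a minute apart, as in the post), the per-process count shows whether anything other than the browser is making the blocked requests, and the vendor self-block list isolates the odd entry that deserves a second look.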

Hi NKRF,

First, please change http:// to hXtp:// to avoid the accidental clicks to potential malware.

This site indeed has been infested with malware.

Now, however, the site appears to have been taken down.
http://www.downforeveryoneorjustme.com/http://www.proofnessmicrosoftremedy.info/

Have a look at these:
https://www.virustotal.com/url/9f318256ac2280acc419dfa4914f740aadd6c8c8f60057e646c80d6131274a69/analysis/1333894033/
http://zulu.zscaler.com/submission/show/490199bf66534537678e6bf99e82fe89-1333893923
http://www.avgthreatlabs.com/sitereports/domain/proofnessmicrosoftremedy.info/

Because you say you were using Firefox, I take it that you do not have NoScript installed. With NoScript, you can choose whether to allow or deny scripts on webpages. Thus, this blocking of scripts would have prevented you from being infected. However, do NOT do anything on the infected machine until all is well. This includes, but is not limited to, downloading new software and entering a common password. We want to make sure that the infection is completely removed so it does not reinfect you in some way. Follow the instructions here: http://forum.avast.com/index.php?topic=53253.0 then attach the given logs. From there, a qualified malware removal expert will assist you.

~!Donovan

Hello, and thanks for your reply. The links didn’t even show as clickable links, but I’ll remember that in the future. Also, I do actually use NoScript but I’d disabled it to test another site, silly me. Oh well, thanks anyway, I’ll do as you say :)

Oh and I’ve already got MBAM, HiJackThis and OTL logs from last night but I’ll rescan.

Hi !Donovan, I get a 100/100 malware site

with 11004 [11004] Valid name, no data record (check DNS setup)

It is a compromised page. Suspicious site: http://www.google.com/safebrowsing/diagnostic?site=www.proofnessmicrosoftremedy.info

polonus

These are the logs you requested. I can’t post any more attachments, so excuse my overposting.

I thought I’d also add my other MBAM log, from before I removed the killproc thingy.
Alright, here’s something I didn’t see before. The KillProcess and Uninstall were part of my CoolerMaster Inferno software… And located in C, so it was another Uninstall exe MBAM got rid of apparently… confusion, sorry about that.

You can thank Milos for editing your post. ;)

You disabled all of NoScript to test a site? ???

Generally, you would just allow the site that you are on versus the sites that it cross-sites to.

Essexboy is notified.

Looks like you dodged the bullet, I can see no apparent malware. Are you experiencing anything unusual at all?

Yes, I got sick of activating everything, and then I forgot to re-enable it. Beer does that to you ;)

Well… that’s good then. Nothing except Avast, FF and IE acting out last night… Nothing unusual now at all, I just wanted to make sure it was nothing, you never know! Thanks for your help guys. I appreciate it.