www.diosdesign-wp.com & zlz.gr/wp-content

I had two emails at the same time with links in as follows:

  1. hxxp://zlz.gr/wp-content/themes/newtheme/greatlife.php
  2. hxxp://www.diosdesign-wp.com/wp-content/themese/twentyeleven/greatlife.php

Both suspicious - I inadvertently clicked on the first ( :-[)
Avast alerted to the problem - forget which message; I’ve run avast in boot-scan and two ordinary scans which are now clear.
Soon after, I got a msg that avast had detected a secure line in Outlook (again, forget the exact msg) but I am concerned something may have got hold of my Outlook and possibly be sending out similar msgs to the one which I received.
Any help please?
Thanks
tvm

Hi tvm,

Make these links non-click-through, like with hxtp.
The first link is to a known spam site, see: http://sitecheck.sucuri.net/results/zlz.gr/wp-content/themes/newtheme/greatlife.php
2012-05-04 16:16:20 htxp://canoneosdslr.com/images/helpdesk/www.halifax-online.co.uk/personal/Logon/login.htm 65AF8E59E288731FC927CDCE1FE1BB95 216.172.180.34 US PHISH/Halifax.K.1 → -http://www.millersmiles.co.uk/search/Halifax
The second link also redirects to htxp://www.careviagragroup.com
See: hxtp://zulu.zscaler.com/submission/show/9ff57bc302a617621c26991f772c6888-1336400032 100/100% malicious
Blacklisted in multiple real-time domain blocklists, also flagged at RootsWeb

If you feel you were infected, you could forward the logs, see: http://forum.avast.com/index.php?topic=53253.0
Soon a qualified malware remover will look into the matter for you then.

polonus

Many thanks for your time & help.
On the basis that Avast has run through 6 times with nothing found, I think I will assume all is well. I was wondering whether there was any more info on this particular issue which might suggest Avast would not pick it up.
I will google hxtp/htxp to get more info on stopping them from clicking through; if you have any quick info, again much appreciated.
Many thanks
tvm

Just noticed, my ‘hxxp’ ref should have been http. Not a good day. :-[

I now find my Outlook contacts have disappeared! Both Malwarebytes and Avast have run through without detecting any issues?

No, it shouldn’t have been http; it was modified by one of the moderators, as links to suspect sites/content shouldn’t be active. Substituting XX in place of tt breaks the link, avoiding accidental exposure.

The web shield will no doubt have been the shield that alerted, and its task is to prevent it getting on your system by aborting the connection for that suspect content.

Whilst in full-blown panic mode when avast alerts, you need to retain your composure and record the information (or do a screen capture of the alert window); it is that which helps us to help you.

I got a msg that avast had detected a secure line in Outlook (again, forget the exact msg)

This is more likely avast telling you that it has found an SSL connection but it can’t scan it because it is secure/encrypted (not usual for spam/suspect email; see #### below). Most spam, if a hidden/undetected spambot was on the system, wouldn’t be using your email program but a very small smtp program of its own.

Thank you.
I will look through the link to see if it will help.
The fact that my Outlook contacts have disappeared is obviously a concern. I am running the Microsoft virus & malware program now (11 hours and counting!); it gives an alert which I can look at when it has completed.
Trevor.

More info: Microsoft software found Exploit CVE-2010-0480.DW and Worm Win32/Ornina!rts; both removed by the MS tool.
I’m wondering why Avast did not detect these?

What were the file names and locations for the detections ?

The reason I say this is that this Exploit CVE-2010-0480.DW malware being on your system implies that your OS is way out of date, as this exploit from 2010 has long been closed by a Windows security update.

Thanks
My OS is up to date; history shows 16/3/12 and 13/4/12 and 6/5/12; and always has been? When I go into Outlook and try to display Contacts, nothing is displayed; it would suggest Outlook has been corrupted?