Malware

Discussion in 'malware problems & news' started by Rico, Jan 24, 2013.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi,

    My wife visited a purported charitable web site; KIS & WOT both warned and/or blocked. Now when she surfs the net, the same bad URL comes up, often. How do I stop this from happening?

    Thanks
    Rico
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I would do one or more of the following:

    1. Download, install, update and scan/clean with Malwarebytes AntiMalware.
    2. Download, update and scan/clean with Emsisoft Emergency Kit.
    3. Download and scan/clean with Dr.Web CureIt.
    4. Download and scan/clean with Hitman Pro (To clean you need to activate a free license first.)
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  4. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    MBAM, KIS, EMSI Emergency 3.0, HMP all detect 0. Well, HMP removed a couple of tracking cookies.

    She goes online; at some point a web site blocked by KIS comes up. And she does not enter the blocked site. Sometime later it happens again.
     
  5. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Turn it off in your browser.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My mother and father had the same problem recently. My niece and nephew had installed a bunch of games they had been playing online that contained trojans. Every time they would go online the browser would randomly redirect them to several different sites that were sources of malware. She also had some browser add-ons installed that came with the games they had installed. I removed all the software and the browser add-ons. It still did not completely resolve the problem. I ran a scan with WSA and Kaspersky. Each one found a System32 virus on her machine. I'm finding more and more vendors are missing or not warning the users of dangerous software. I contacted one popular vendor here about this issue, and I was informed that if the user voluntarily installs the software, and there is an option to uninstall the software, then they generally do not detect that software. I say the average user does not know the potential dangers of installing eye-appealing software because they do not know about the nasties contained in many of those programs. I was really surprised by the vendor that informed me of this because they used to be top of the line for detecting such threats. I will probably start a separate thread on this later. Are you convinced she got infected when visiting the sites you mentioned? Has anyone installed any software on the computer recently that could have contained hidden nasties? Many of the vendors are not detecting these right now for whatever reason. I have to give NOD32 credit, as much as I have been giving them a hard time lately for not scoring well on some independent tests. I have found they do warn the user of these types of threats.
     
  7. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    She attempted to go to a charity related site, KIS blocked her from entering, she did not force her way in, she moved on. Now it periodically comes back. I just flushed her cookies & history & now will look for strange add-ons.

    Just looked at add-ons, nothing strange. One of her favorites & up it pops.

    Would it be helpful & kosher if I mention the URL?

    Thanks
    Rico

    Culla, what do you mean by turn it off in the browser, which is IE9, or how?
     
    Last edited: Jan 25, 2013
  8. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    These [from what you've asked] are just warnings that a site you're attempting to access may or may not contain malicious content; a lot are false claims in my experience.
    Use Sandboxie, turn it off in your browser security and I reckon you'll be fine; I've seen many reported attack sites which are clean.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I thought he meant she was being randomly redirected to the URL. If that's the case then that behavior usually points to an infection. If she is meaning to visit the sites in question, and getting a warning from WOT then that is quite normal. You must ask yourself though why WOT would be flagging a charity site as bad. If you do not know those operating the charity then maybe it warrants further investigation.
     
  10. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    108
    I have seen perfectly legitimate sites receive a warning from WOT. Some will flag a site, especially a religious site, if they have strong feelings against that particular belief system. Also, make sure you check the address bar to determine if you have been redirected to another URL, which is actually the one being flagged by WOT. Instead of clicking on a link to the charitable site, you may need to manually enter the charitable site's URL in the address bar.

    Jim
     
  11. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Send the blocked URL to Kaspersky so they can check it out, if it indeed is an FP, or if the site is infected in some way, meaning that KIS is doing its job by not letting her visit the site.

    Until then, I wouldn't turn off the web protection in KIS.
     
  12. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    SweX,

    I will do that, but it does not help.

    I do believe that after the charity link was visited, the flagged (KIS) site keeps showing up. Even if KIS said it was a legit web site, I don't want it presenting itself, unwanted.

    So something has to be telling IE to display that popped-up URL that's currently being blocked.

    KIS, MBAM, SAS, CureIt, Emsi Emergency, HMP - can't find anything.

    So what's causing it to return?

    Cookies, history deleted; no strange add-ons.

    A hosts entry would just inform me that the site was blocked, many times, during each internet usage.

    It's like they know her machine & send it to her, KIS blocks it, & scans show nothing as the problem resides elsewhere.

    Can this be silently blocked (if the above is true) via Win 7 FW?

    Am I correct that hosts would not silently block?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    P2P sites get flagged the same way by these copyright groups.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried it with IE6 on XP SP2. Nothing happens. :'(
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Maybe installing a HIPS temporarily can help to catch the culprit!
     
  16. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Whatever is generating the URL that's blocked by KIS and also flagged by WOT is not on her machine.

    TDSSKiller & MBAR, in addition to the other(s) mentioned previously, find ZERO.

    I'm not sure if it's relevant, but the site being blocked is actually opening another IE window.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,849
    Location:
    Texas
  18. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hola Neighbor Ron,

    I'm working on it, it's like I've tried every bait & lure, but no nibbles. Next boot from Avira boot disk, hopefully I'll snag the big one while it sleeps.

    Thanks
    Rico
     
  19. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Avira bootable Rescue Disk found 1 item.

    media/mediadevices/sd1/program files/quick cribbage 3.3/uninst.exe

    compressed with an unusual runtime compression tool PCK/NSIS.M file deleted
    ______________

    Questions:

    Avira is reporting the path using a forward slash " / "; I thought paths used a backslash " \ ".

    The actual path if I were on " C:\ " would start at program files\.... is that correct? And "sd1" is the name of C: while the drive is mounted by Avira rescue? Is this correct?

    Is it possible or likely in Windows that the malware could hide from all full scans (KIS, HMP, CureIt, SAS, MBAM, MBAR, Emsi Emergency, TDSSKiller), or just be ignored?

    Also, why do boot AVs all have difficulty with, or skip, locked files? Why can't they open & scan them?

    Does anyone else have problems updating Avira in the Linux environment? I use an Ethernet cable. But no luck updating Avira.

    KAV Rescue I can update using the Ethernet cable; it will scan for a while, then the screen goes black and won't come back until I force a reboot.

    Thanks
    Rico
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Post your logs at, for example, Bleepingcomputer; if you do it yourself you will never know if you really cleaned everything out. ;)
     
  21. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Seems that the bug Avira rescue caught was not the culprit, as it's back.

    Discovered that we cannot reproduce the pop-up using FF; it only happens in IE.

    That is, in IE another instance of the browser will start & be blocked by KIS.

    IE's pop-up blocker is on. I've tried flushing IE's cache, cookies, history. No luck.
     
  22. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Have you checked the proxy settings? Open IE, go to Tools > Internet Options > Connections > LAN settings and see if a proxy is being used.
    This program may be worth running too:
    http://www.bleepingcomputer.com/download/adwcleaner/ Use the Bleeping Computer download link.
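The proxy check above, plus the other places discussed in this thread that can launch IE to a URL on a timer or at logon (hosts file, Run keys, scheduled tasks, Browser Helper Objects), collected into one triage script. This is an added example, not code from the thread or from any of the tools named in it; `$Domain` is a constructed placeholder to be replaced with the domain KIS reports, and the script assumes Windows 7 with PowerShell 2.0 and English `schtasks` column names.

```powershell
# Added triage script (not from the thread). Lists the autostart and proxy
# locations on Windows 7 that could open IE to a URL, flagging any that mention
# the blocked domain. $Domain is a constructed placeholder, not the thread's URL.
$Domain = 'blocked-example.invalid'
$Pattern = [regex]::Escape($Domain)

function Test-Hit($text, $where) {
    if ($text -and ($text -match $Pattern)) { "HIT  $where : $text" }
}

# 1. hosts file: an entry here overrides DNS for the domain
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hosts | Where-Object { $_ -match $Pattern } |
    ForEach-Object { "hosts entry : $_" }

# 2. IE proxy / auto-config: the same values the LAN settings dialog shows
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable   : $($inet.ProxyEnable)"
"ProxyServer   : $($inet.ProxyServer)"
"AutoConfigURL : $($inet.AutoConfigURL)"   # a PAC URL can redirect traffic silently
Test-Hit $inet.AutoConfigURL 'AutoConfigURL'

# 3. Run / RunOnce keys, per-user and machine-wide
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "autorun  $k\$($_.Name) = $($_.Value)"; Test-Hit $_.Value "$k\$($_.Name)" }
}

# 4. Scheduled tasks: a task can start iexplore.exe with a URL argument periodically
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match 'iexplore|http' } |
    ForEach-Object { "task     $($_.TaskName) -> $($_.'Task To Run')"; Test-Hit $_.'Task To Run' $_.TaskName }

# 5. Browser Helper Objects: DLLs loaded into every IE window
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        "BHO      $clsid -> $srv"
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and all users' tasks are readable; every line it prints is something a scanner would not necessarily flag, since a legitimate-looking task or BHO can point at an unwanted URL.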
     
  23. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Mick,

    No proxy; the only box checked was auto detect.

    Thanks
    Rico
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,652
  25. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Mick, Fan J,

    I did run AdwCleaner.

    I believe it was 4 reg items that were removed.

    It's still with me.

    Thanks
    Rico
     