Detected threats

Discussion in 'ESET Smart Security' started by ZenZen, Feb 28, 2011.

Thread Status:
Not open for further replies.
  1. ZenZen

    ZenZen Registered Member

    Joined:
    Feb 28, 2011
    Posts:
    8
    Hello everyone, well this is my first post on the forum, but as an ESET user, it's not my first time using the website for help and guidance. I am not too savvy with computers in the sense of a whizz-kid, but have a good understanding of the different programs and terminology, so please be gentle :)

    I am having an issue with NOD32 detecting and quarantining what looks like a browser redirect, only this is detected before I am actually redirected; I can see the sites or whatever starting to load on the grey information bar at the bottom left-hand side of the screen. These are then quarantined.

    Please see a few of many of the Sysinspector log files from these last few days which have been detected and quarantined, there have been quite a few, I have replaced some of the text and number strings with **** and spaced these out for posting.

    27/02/2011 20:34:29 HTTP filter file http:// fa12.co.cc/f*******d .pdf JS/Exploit.Pdfka.OQL trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

    27/02/2011 14:10:26 HTTP filter file http:// nalmeron.cz.cc/dh****** .jar a variant of Java/TrojanDownloader.OpenStream.NBF trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

    26/02/2011 22:50:36 HTTP filter file http:// marillador.cz.cc/2****d .pdf JS/Exploit.Pdfka.OQD trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.


    It has detected the following threats on numerous occasions, all linked to different websites (I presume): js/exploit.pdfka.oql trojan and also java/trojandownloader.openstream.ndf trojan

    I have also taken a few screen dumps of the messages from one of the instances recorded.

    There is also a message that pops up asking:

    "Do you want to allow this website to open a program on your computer"
    From: FA12.co.cc
    Program: Microsoft Help and Support Center
    Address: hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A .... (and lots of other symbols & letters)

    This seems strange as it states "from" heaven knows where, and the program is Microsoft Help and Support Center; back to front, wrong way round?

    When this happens, the little Java "teacup" sometimes appears and I thought it may be a Java issue, but I have downloaded the latest version to the desktop, uninstalled and reloaded.

    These "attacks" or detections don't happen every minute or few minutes; they just pop up if I am browsing, at any time. Any ideas on this or help you can offer?

    I have also run MBAM and Spybot Search & Destroy in both normal and safe mode. MBAM found nothing and Spybot found a couple of tracking cookies. I have also run tdsskiller (nothing found) and superantispyware (SAS) (some tracking cookies found as well), all of these after the latest updates were installed.

    Why would this still be happening, and why is nothing being detected apart from NOD32 picking the redirects up? What do you advise?

    Any help and assistance would be greatly appreciated. I can still use the computer and am on it typing this, but at any time these threats could happen, at any minute.

    I am also using IE8 with Spoofstick installed and Windows XP Home edition.

    Any help would be greatly appreciated.

    Thanks,
    ZenZen :thumb:
     

    Attached Files:
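The quoted "Detected threats" entries can be triaged mechanically rather than read one by one. The block below is an added example, not ESET's code and not anything posted in this thread: it parses constructed sample lines in the same log format (hypothetical hosts on the reserved .invalid domain, not the real ones from the post), normalises the detection name into a malware family, defangs the URLs so they are safe to paste into a support ticket, and counts hits per family and per requesting application. The regular expression assumes the field order visible in the quoted entries (date/time, scanner, URL, detection name, action, application path) and tolerates the "quarantinedThreat" run-together seen in one of them.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample entries in the same "Detected threats" format as the lines
# quoted in the thread. Hosts are hypothetical (.invalid TLD); the second line
# deliberately keeps the "quarantinedThreat" run-together seen in the original post.
SAMPLE_LOG = r"""
27/02/2011 20:34:29 HTTP filter file http://pdf-drop.example.invalid/f.pdf JS/Exploit.Pdfka.OQL trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
27/02/2011 14:10:26 HTTP filter file http://jar-drop.example.invalid/d.jar a variant of Java/TrojanDownloader.OpenStream.NBF trojan connection terminated - quarantinedThreat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.
26/02/2011 22:50:36 HTTP filter file http://pdf-drop2.example.invalid/2.pdf JS/Exploit.Pdfka.OQD trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
"""

# Field order assumed from the quoted entries:
#   <date time> HTTP filter file <url> <detection name> <action> Threat was detected ... application: <path>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<scanner>HTTP filter) file (?P<url>\S+) "
    r"(?P<threat>.+?) (?P<action>connection terminated - quarantined)\s*"
    r"Threat was detected upon access to web by the application: (?P<app>.+?)\.?$"
)


def defang(url):
    """Rewrite a URL (hxxp, bracketed dots) so it cannot be clicked by accident in a report."""
    p = urlsplit(url)
    host = (p.hostname or "").replace(".", "[.]")
    if p.port:
        host += f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('http', 'hxxp')}://{host}{p.path}{query}"


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")
    name = rec["threat"]
    rec["variant_of"] = name.startswith("a variant of ")      # heuristic detection, not exact signature
    name = name.removeprefix("a variant of ").removesuffix(" trojan")
    rec["detection"] = name                                    # e.g. JS/Exploit.Pdfka.OQL
    rec["family"] = name.rpartition(".")[0] or name            # e.g. JS/Exploit.Pdfka
    rec["host"] = urlsplit(rec["url"]).hostname
    rec["defanged_url"] = defang(rec["url"])
    return rec


def parse_log(text):
    """Parse every well-formed entry in a block of log text and return them oldest first."""
    recs = [r for r in (parse_line(line) for line in text.splitlines()) if r]
    return sorted(recs, key=lambda r: r["ts"])


def summarize(recs):
    """Count detections per malware family and per requesting application; list the hosts seen."""
    return {
        "by_family": Counter(r["family"] for r in recs),
        "by_app": Counter(r["app"] for r in recs),
        "hosts": sorted({r["host"] for r in recs}),
        "first_seen": min((r["ts"] for r in recs), default=None),
        "last_seen": max((r["ts"] for r in recs), default=None),
    }


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["ts"], r["family"], r["defanged_url"], "<-", r["app"])
    summary = summarize(records)
    print("families:", dict(summary["by_family"]))
    print("apps:", dict(summary["by_app"]))
    print("hosts:", summary["hosts"])
```

The per-application count is the useful pivot: detections attributed to java.exe mean the browser already handed a page to the Java plug-in before the HTTP filter stopped the download, whereas iexplore.exe entries were caught at the browser itself. Feeding real entries through this is how you would turn a quarantine list into the host list and timeline that support staff will ask for.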

  2. ZenZen

    ZenZen Registered Member

    Joined:
    Feb 28, 2011
    Posts:
    8
    Hello again everyone, I thought I'd follow up on this (even though it's my own post) as it seems eBay, myvue, Autotrader (UK) and the London Stock Exchange have been hit by some type of "malvertising attack", hence NOD32 picking up attempted redirects and malicious software downloads on my PC.

    Please see the links to ebay forums:

    http://community.ebay.co.uk/question/Buying-Ebay/Malware-Ebay/1900036660?messageID=2000270270

    http://community.ebay.co.uk/topic/G.../Ebaycouk-Malwarespyware-Infection/2000035398

    Also more news here:

    http://community.websense.com/blogs...otrader-co-uk-infected-with-malvertizing.aspx
    Seems like a lot of users have been having problems with infected PCs.

    Hope this may help anyone else who may use these sites.

    Cheers,
    ZenZen :)
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest contacting ESET Customer care and supplying them with a SysInspector log for perusal.
     
  4. ZenZen

    ZenZen Registered Member

    Joined:
    Feb 28, 2011
    Posts:
    8
    May I ask how I can supply this? I have a log created OK, but how do you send the information?

    Also, can you tell me (and sorry about my lack of knowledge in this): I had these redirects caught each time by NOD32 and my connection momentarily disconnected before I was taken to the rogue sites; however, the IE box above did appear on my desktop asking if I wanted to download, and I just hit "X" or cancel. Is there any possibility that anything still got through? Or would I have had to either be taken to the host site or click "allow" for this to happen?

    I have quite a number of these attacks in quarantine with different variations captured, so I will happily send them for analysis once I find out how.


    Cheers,
    ZenZen
     
    Last edited: Mar 1, 2011
  5. ZenZen

    ZenZen Registered Member

    Joined:
    Feb 28, 2011
    Posts:
    8
    Hello everyone, I have managed to find out how the SysInspector log is created from the link below:

    http://kb.eset.com/esetkb/index?page=content&id=SOLN2219

    Can anyone supply details of how to then send this to ESET? Is there an online section to submit logs or is it via an email address?

    Thanks in advance,
    ZenZen :thumb:
     
  6. tony_m

    tony_m Eset Staff Account

    Joined:
    Nov 22, 2010
    Posts:
    239
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can contact customer care via the Help and support section in the program window.
    Edit: Tony beat me to it :)
     
  8. ZenZen

    ZenZen Registered Member

    Joined:
    Feb 28, 2011
    Posts:
    8
    Thanks! I managed to send a Zip file. Thanks again.

    Regards,
    ZenZen
     