Interesting place for a virus

Discussion in 'NOD32 version 2 Forum' started by jayt, Jan 9, 2006.

Thread Status:
Not open for further replies.
  1. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hmm..... there's no virus on your link. :D But it can't be because it's the log off from your account. Have you tried logging on and off again?

    Or...perhaps MS started posting viruses on their websites. :p
     
  3. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    You know that wouldn't surprise me at all. ;)

    Actually it was probably a false positive of some sort. :)
     
  4. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Is Hotmail log off -MSN infected?

    NOD32 antivirus system alert: IMON
    Infiltration detected !


    Infiltration details:

    Web page:
    http://login.passport.net/uilogout.srf?lc=1033&id=2&ru=http://signout.msn.com

    Infiltration:
    probably unknown POLY.CRYPT.TSR.COM virus

    Description:
    Access to the web page was blocked by IMON.

    www.nod32.com

    I posted about this on January 9th under post "Strange place for a virus". It popped up again tonight. Anyone have any idea of what is going on?
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Using the link you provided I get nothing with NOD or KAV.
     
  6. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Well, I obviously did. I copied and pasted from the IMON popup. It does not happen all the time. So far just these two times.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have a look in your logs to see the exact web page that is being blocked, as we cannot get to it through a sign-in page for MSN.

    Cheers :D
     
  8. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Blackspear, where in logs should I look? It is blocked by IMON and would not be in quarantine. The only reference to it is in the IMON "blocked-cleaned" list. It occurs sporadically when I am logging out of Hotmail. That takes one directly to MSN.com.

    Ok, in the threat log I have this entry:

    Time Module Object Name Threat Action User Information
    1/20/2006 20:50:32 PM IMON archive http://login.passport.net/uilogout.srf?lc=1033&id=2&ru=http://signout.msn.com probably unknown POLY.CRYPT.TSR.COM virus
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Do you have the following ticked?

    Without knowing the exact website there is not much more that can be done.

    Cheers :D
     

    Attached Files:

    • Log.gif (16.2 KB)
  10. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    This is not part of your extra settings for NOD sticky. Should we be ticking that box anyway?
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Oh it's there now ;) :D I tick it so for cases like this thread we can see exactly where the intrusion attempt is coming from.

    Cheers :D
     
  12. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Nope. I am wondering if this is maybe something connected with the new AH engine? I did read something about a new one recently didn't I?
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It could be, but without knowing the actual website causing the issue it will be very hard to determine, as we cannot get inside a UN and PW protected site to see what you see.

    Cheers :D
     
  14. Devin Scott

    Devin Scott Guest

    Hello:

    Same thing happened to me. Sent quarantined information to ESET.

    Firewall Logs revealed following:

    202.56.94.93

    inetnum: 202.56.80.0 - 202.56.95.255
    netname: AIRZED
    descr: Airzed Networks Sdn Bhd
    descr: Broadband Wireless Internet Service Provider,
    descr: Kuala Lumpur, Malaysia

    64.54.183.195
    64.4.19.250
    65.54.183.192
    209.62.176.187
    72.246.50.22
    64.4.19.250

    Top IP was the last IP address shown after signing off Hotmail.com

    Hope this is helpful.

    Tried to upload .bmp of log itself, but unable to for some reason.

    Devin
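    One thing a reader can do with the post above is check which of the firewall-log addresses actually fall inside the whois netblock quoted for the first one, before treating any of them as suspicious. The snippet below is an added example for this thread, not code from the poster, ESET or NOD32; the whois line and IP list are copied from the post as a constructed sample, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the whois "inetnum" line and the IP list as posted above.
WHOIS_INETNUM = "inetnum: 202.56.80.0 - 202.56.95.255"
FIREWALL_IPS = [
    "202.56.94.93",
    "64.54.183.195",
    "64.4.19.250",
    "65.54.183.192",
    "209.62.176.187",
    "72.246.50.22",
    "64.4.19.250",   # listed twice in the post; deduplicated below
]


def parse_inetnum(line: str) -> list:
    """Turn a whois 'inetnum: FIRST - LAST' line into the CIDR network(s) covering it.

    APNIC-style whois gives a start/end pair, not a prefix, so we summarize the
    range into the minimal list of networks (here a single /20).
    """
    m = re.search(r"inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", line)
    if not m:
        raise ValueError("not an inetnum line: %r" % line)
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def unique_ips(ips) -> list:
    """Deduplicate the log's addresses while keeping first-seen order."""
    seen = set()
    out = []
    for raw in ips:
        if raw not in seen:
            seen.add(raw)
            out.append(raw)
    return out


def ips_in_range(ips, networks) -> list:
    """Return the unique addresses from `ips` that lie inside any of `networks`."""
    hits = []
    for raw in unique_ips(ips):
        ip = ipaddress.IPv4Address(raw)
        if any(ip in net for net in networks):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    nets = parse_inetnum(WHOIS_INETNUM)
    print("netblock:", [str(n) for n in nets])
    print("unique addresses in log:", len(unique_ips(FIREWALL_IPS)))
    print("addresses inside the netblock:", ips_in_range(FIREWALL_IPS, nets))
```

    Only the first address in the list belongs to the quoted Malaysian netblock; the others would each need their own whois lookup before any conclusion is drawn, which is the same point the moderator makes about needing the exact page rather than guessing.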
     