Help me to remove this attacks everyday


8 replies to this topic

#1 theinvulnerable

  • Members
  • 82 posts

Posted 08 June 2010 - 08:10 AM

What should I do to stop these attacks on my computer? I get this every day this week. Others say I already have a virus in my system and that this is the cause of the attacks. But I've already scanned my system with Malwarebytes, Spybot Search & Destroy, and Avast Free (scheduled boot-time scan) and nothing was detected. I already tried this in regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, DCOM value, replacing Y with N, because they say it can stop these attacks from being logged by Network Shield, but until now I still get this:

08.06.2010 03:56:00 Network Shield: blocked access to malicious site 88.80.7.152/cgi/dtiyodt.php?otc=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 856 ) ]
08.06.2010 07:41:52 Network Shield: blocked access to malicious site media9s.com/cgi/ncmm.php?mm=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 212 ) ]
08.06.2010 07:41:52 Network Shield: blocked access to malicious site nopagency.com/cgi/ajj.php?jjj=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 212 ) ]
08.06.2010 07:41:53 Network Shield: blocked access to malicious site 88.80.7.152/cgi/peeuujjz.php?peukz=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 212 ) ]
08.06.2010 15:22:22 Network Shield: blocked access to malicious site media9s.com/cgi/zen.php?tiy=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 15:22:23 Network Shield: blocked access to malicious site nopagency.com/cgi/gw.php?bqg=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 15:22:23 Network Shield: blocked access to malicious site 88.80.7.152/cgi/kzpeuk.php?puzjj=67340145x044452x<x5x04=2x=1x [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 18:39:21 Network Shield: blocked access to malicious site media9s.com/cgi/iiii.php?ii=67340145x044452x<x5x4x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 3344 ) ]
08.06.2010 18:39:22 Network Shield: blocked access to malicious site nopagency.com/cgi/qfva.php?zzpp=67340145x044452x<x5x4x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 3344 ) ]
08.06.2010 18:39:22 Network Shield: blocked access to malicious site 88.80.7.152/cgi/yhhhhhhh.php?hhhhh=67340145x044452x<x5x4x=1x [ C:\Program Files\Internet Explorer\iexplore.exe ( 3344 ) ]

Edited by Orange Blossom, 08 June 2010 - 03:50 PM.
Move to AII as required logs not posted and prep. guide not followed. ~ OB


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2010 - 10:08 AM

Network Shield filters traffic coming from all applications (not only browsers), and on all ports. For performance reasons, though, it tries a bit harder in the case of the well-known HTTP ports.

Network Shield works on both the DNS and HTTP level, i.e., it blocks domains on the DNS level, but it is in no way limited to whole domains only. The plan is to actually only block malicious URLs unless they're 100% certain there's no useful stuff hosted on the domain (in which case they will block it altogether). It can also block by IPs.

Also, Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious content. It can also be taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System)).

Network Shield protects you from Internet worms that spread themselves via various security holes in your system. Typically these kinds of viruses don't infect files but instead attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kinds of attacks are not easily caught by an ordinary antivirus during file or mail scanning. It is not duplicate work with Standard Shield.
Basically, it covers all Internet worms, such as Win32.CodeRed, Win32.SQLSlammer, Win32.Blaster, Win32.Welchia (Nachi) and Win32.Sasser.

WebShield scans only HTTP traffic on redirected ports (generally, 80 only). It stops the connection to malware even before the file is saved to the computer.

avast Forum, Post 7: Network Shield explained

When avast determines sites may be distributing malware or redirecting to malware servers, the URL is blocked to prevent you from going there. If you receive "blocked access to malicious site" alerts, that means avast is doing its job by keeping the computer from connecting to that server.

Edited by quietman7, 09 June 2010 - 10:08 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
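
As an added example (not code from this thread, from avast or from either poster), the alerts quoted in post #1 can be triaged offline. The script below parses lines in the exact format Network Shield logs, splits each URL into host, path and the query value, and groups alerts per process ID. A single PID contacting several blocked hosts within a few seconds is what a script running inside iexplore.exe looks like, as opposed to a user clicking links, so such groups are flagged as bursts; the script also reports how often the same query value recurs across different hosts. The ten input lines are the ones posted in this thread; the 5-second window, the field names and the function names are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

# Sample input: the ten alert lines posted in this thread, in avast Network Shield's
# "<dd.mm.yyyy hh:mm:ss> Network Shield: blocked access to malicious site <url> [ <image> ( <pid> ) ]" format.
SAMPLE_LOG = """\
08.06.2010 03:56:00 Network Shield: blocked access to malicious site 88.80.7.152/cgi/dtiyodt.php?otc=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 856 ) ]
08.06.2010 07:41:52 Network Shield: blocked access to malicious site media9s.com/cgi/ncmm.php?mm=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 212 ) ]
08.06.2010 07:41:52 Network Shield: blocked access to malicious site nopagency.com/cgi/ajj.php?jjj=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 212 ) ]
08.06.2010 07:41:53 Network Shield: blocked access to malicious site 88.80.7.152/cgi/peeuujjz.php?peukz=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 212 ) ]
08.06.2010 15:22:22 Network Shield: blocked access to malicious site media9s.com/cgi/zen.php?tiy=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 15:22:23 Network Shield: blocked access to malicious site nopagency.com/cgi/gw.php?bqg=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 15:22:23 Network Shield: blocked access to malicious site 88.80.7.152/cgi/kzpeuk.php?puzjj=67340145x044452x<x5x04=2x=1x [ C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE ( 3868 ) ]
08.06.2010 18:39:21 Network Shield: blocked access to malicious site media9s.com/cgi/iiii.php?ii=67340145x044452x<x5x4x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 3344 ) ]
08.06.2010 18:39:22 Network Shield: blocked access to malicious site nopagency.com/cgi/qfva.php?zzpp=67340145x044452x<x5x4x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 3344 ) ]
08.06.2010 18:39:22 Network Shield: blocked access to malicious site 88.80.7.152/cgi/yhhhhhhh.php?hhhhh=67340145x044452x<x5x4x=1x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 3344 ) ]
"""

# One alert per line; the URL never contains spaces, the process image may.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site "
    r"(?P<url>\S+) \[ (?P<image>.+?) \( (?P<pid>\d+) \) \]$"
)


def parse_alerts(text):
    """Turn raw Network Shield alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        host, _, rest = m.group("url").partition("/")
        path, _, query = rest.partition("?")
        # Keep everything after the first "=" so a value containing "=" survives intact.
        _, _, value = query.partition("=")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "host": host,
            "path": "/" + path,
            "query_value": value,
            "image": m.group("image").lower(),   # Windows paths are case-insensitive
            "pid": int(m.group("pid")),
        })
    return events


def is_ip(host):
    """True when the blocked host is a bare IP rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def summarize(events, window_seconds=5):
    """Group alerts per PID and flag bursts: one process reaching two or more blocked
    hosts within window_seconds is machine-driven, not a person clicking links."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    bursts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        hosts = sorted({e["host"] for e in evs})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(hosts) >= 2 and span <= window_seconds:
            bursts.append({"pid": pid, "first": evs[0]["ts"], "hosts": hosts})
    bursts.sort(key=lambda b: b["first"])
    values = Counter(e["query_value"] for e in events)
    hosts = sorted({e["host"] for e in events})
    return {
        "hosts": hosts,
        "ip_hosts": [h for h in hosts if is_ip(h)],
        "pids": sorted(by_pid),
        "processes": sorted({e["image"] for e in events}),
        "bursts": bursts,
        "top_query_value": values.most_common(1)[0] if values else None,
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_LOG))
    for b in s["bursts"]:
        print(f"PID {b['pid']} at {b['first']:%H:%M:%S} hit {len(b['hosts'])} hosts: {', '.join(b['hosts'])}")
    print("most repeated query value:", s["top_query_value"])
```

On the thread's own lines this reports three bursts (PIDs 212, 3868 and 3344 each hit all three hosts within two seconds) and one query value shared by seven of the ten alerts across all three hosts, which is the behaviour of code inside the browser process rather than of the user, consistent with what theinvulnerable describes in post #3.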

#3 theinvulnerable
  • Topic Starter

  • Members
  • 82 posts

Posted 09 June 2010 - 01:51 PM

So it means there is malware residing in my computer; that's why it connects or redirects somewhere. Then how could I find out and remove this from my computer to prevent the attack forever? Because, you know, it is annoying: you'll see that message every hour, or every 3, 4, 5, 6 and so on hours of interval.

This is the scenario when the attacks happen... Whenever the avast scanner reports the attacks, there is an IEXPLORE.EXE popping up in my Task Manager, and when I try to scan it with avast by right-clicking the blue ball icon in the system tray, avast can perform memory checking, but suddenly it is lost from my sight and the avast simple user interface won't open. But if I end task the IEXPLORE.EXE I can see the avast simple user interface again. The IEXPLORE.EXE is running under my computer user account; for example, the user account I use is Admiral.

Edited by theinvulnerable, 09 June 2010 - 02:02 PM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 June 2010 - 02:20 PM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to read all the information Norman provides on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the [image] button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the [image] button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the [image] button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#5 theinvulnerable
  • Topic Starter

  • Members
  • 82 posts

Posted 09 June 2010 - 03:12 PM

Sir, I just want to clarify something about Norman Malware Cleaner, because you said "Restart your computer in Safe Mode", while in Norman Malware Cleaner it says: "Note! This tool will not work in Windows Safe Mode. Please run Windows in Normal Mode." I'm confused. And should I also disable my avast resident scanner when performing Temp File Cleaner and Norman Malware Cleaner? And when my computer is being scanned online by Kaspersky and my avast resident scanner is off, and suddenly the attacks happen, what will happen to my system; can they penetrate it? And can you also state your estimated time for Temp File Cleaner, Norman Malware Cleaner, and the Kaspersky online scan, each of them respectively, so that I can schedule them at a proper time and not get bored waiting for each of them until they finish.

Thank you...

Edited by theinvulnerable, 09 June 2010 - 03:18 PM.


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 June 2010 - 08:00 AM

norman malware cleaner Note! This tool will not work in Windows Safe Mode.

Thanks for bringing that to my attention... I will revise my notes. They must have changed the instructions, as previous versions recommended using it in Safe Mode... just ignore that and scan in Normal Mode.

No need to disable avast when running TFC or Norman. If Kaspersky does not like it running, we can try another online virus scan like ESET.


The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Note: It is not unusual for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files. Certain files in the System Volume Information folder, like Tracking.log (created by the Distributed Link Tracking Service to store maintenance information), have also been reported as a source causing some scanners to hang.

#7 eliasbwick

  • Members
  • 5 posts

Posted 11 June 2010 - 03:27 AM

Sorry to interject, but I thought that I should say something since my experience has been almost identical to theinvulnerable's.

Started getting messages from avast about "Malicious URL blocked" roughly 3-4 days ago. Found that it usually happens when I start IE (version 8).

The opening of a new IE window causes the CPU to get completely bogged down for about 20 seconds and thereafter the behaviour seems normal. I usually get a message from avast saying that

[image of the avast alert]

as well as the following objects

Object: media9s.com/cgi/ffv.php?vvv=671673=
Object: nopagency.com/cgi/rb.php?bbq=671673=

all related to the process:
C:\Program Files\Internet Explorer\iexplorer.exe

The way I see it, something is happening in the background when IE starts and it is probably malware. Initially, when I ran Spybot and Malwarebytes and avast, I got a couple of hits and they were removed. Now the software comes up empty but the problem persists, so I am not sure if the original hits were associated with this problem or not.

BTW the internet runs fine in Safe Mode. I will go through the instructions suggested by quietman7, but I thought that I would post so that the 'experts' may get a clue about this threat and suggest a solution accordingly. Any help is appreciated. Thanks

Edited by eliasbwick, 11 June 2010 - 03:29 AM.


#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 June 2010 - 06:25 AM

Hello eliasbwick

I have read that the lsass.exe process is associated with sasser worm but others have said that this is a critical windows process.

The Sasser worm is an older type of malware infection. lsass.exe is the Local Security Authentication Server, which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). This process is important for the stable and secure operation of your system and should not be terminated. Determining whether lsass.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate lsass.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware.

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
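
The location rule stated in post #8 (same file name, wrong folder) is easy to get wrong by hand: Windows paths compare case-insensitively, accept both slash styles, and C:\Windows\System32\..\Temp\lsass.exe is not System32 at all. As an added example that is not the post's, avast's or Microsoft's code, the script below canonicalizes an image path and compares its folder and file name with the expected ones. The lsass.exe entry is the rule from the post; the iexplore.exe entries (taken from the path shown in this thread's alerts, plus the 32-bit-on-64-bit folder), the sample process list, the Admiral user name from post #3 and the function names are this example's own assumptions. Feed scan() the name and image path of each process as shown by Task Manager or Process Explorer.

```python
import ntpath

# Expected folders for the binaries discussed in this thread. The lsass.exe entry is the rule
# stated in the post above; the iexplore.exe entries are an assumption (the path the alerts in
# this thread show, plus the 32-bit folder on 64-bit Windows). If %SystemRoot% is not
# C:\Windows on a machine, adjust the first entry.
EXPECTED_DIRS = {
    "lsass.exe": (r"C:\Windows\System32",),
    "iexplore.exe": (r"C:\Program Files\Internet Explorer",
                     r"C:\Program Files (x86)\Internet Explorer"),
}


def _canon(path):
    """Canonical form for comparison: lower-case (Windows is case-insensitive), forward slashes
    converted, and '.'/'..' components collapsed so System32\..\Temp is not taken for System32."""
    return ntpath.normpath(path).lower()


def classify(name, image_path, expected=EXPECTED_DIRS):
    """Return 'legit', 'suspicious' or 'unknown' for one running process.
    'suspicious' means a known name running from an unexpected folder, or the file name on disk
    not matching the name the process list reports."""
    name = name.strip().lower()
    rules = expected.get(name)
    if rules is None:
        return "unknown"          # no expectation recorded for this name
    full = _canon(image_path)
    if ntpath.basename(full) != name:
        return "suspicious"
    allowed = {_canon(d) for d in rules}
    return "legit" if ntpath.dirname(full) in allowed else "suspicious"


def scan(processes, expected=EXPECTED_DIRS):
    """processes: iterable of (pid, name, image_path). Returns the entries worth investigating."""
    findings = []
    for pid, name, path in processes:
        if classify(name, path, expected) == "suspicious":
            findings.append((pid, name, path))
    return findings


# Constructed sample process list (not from the thread): the first two entries are legitimate,
# the last two imitate the name-collision trick described in the post above.
SAMPLE_PROCESSES = [
    (680, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (3868, "IEXPLORE.EXE", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    (1234, "lsass.exe", r"C:\Users\Admiral\AppData\Local\Temp\lsass.exe"),
    (4321, "lsass.exe", r"C:\Windows\System32\..\Temp\lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, path in scan(SAMPLE_PROCESSES):
        print(f"suspicious: pid {pid} {name} runs from {ntpath.dirname(path)}")
```

Note that the check only proves a process is not the legitimate binary; a legitimate-looking path says nothing about what has been injected into that process, which is the situation the blocked-site alerts from iexplore.exe earlier in this thread point to.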

#9 eliasbwick

  • Members
  • 5 posts

Posted 11 June 2010 - 11:10 AM

Thanks quietman.

I will start another posting then.

If you want you can delete my reply from this post



