AVG continuously detecting threats (virus found exploit)

Status
Not open for further replies.

Kirei Blossom

Hi,

My AVG keeps detecting viruses and trojan horses in C:\Documents and Settings\user\Local Settings\Temporary Internet Files. I noticed it usually happened while I was on the main page of my Yahoo mail, but it's happening elsewhere too.

The taskbar on my IE showed it was trying to open http://do.qwertyy.cn/..... right before a virus hit, so I added "http://do.qwertyy.cn/*" to the restricted sites in the security options. The trojan horses have stopped coming, but the virus is still there. According to AVG, the Virus Discovery is "Virus found Exploit", and Object name is "do[1].htm"

The virus hits, AVG detects it and moves it to the virus vault. It's not doing any damage, but it's annoying.

Any fixes?
 
Run CCleaner

Then do this:

How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note: users who cannot start Internet Explorer 7 for some reason can use RIES from Internet Options in Control Panel.


Then have a look at:

Viruses/Spyware/Malware Preliminary Removal Instructions
 
I ran CCleaner, Ad-Aware, and AVG antivirus, and they don't find anything. But then when I'm online, the viruses keep coming. It's always the same one. Every time the virus strikes, I notice this URL in the status bar:

http://img.tongji.cn.yahoo.com/695113/ystat.gif

Is there any way to just block this URL? I have a suspicion that the whole wi-fi LAN network I use for my internet might be infected.
 
C:\Documents and Settings\user\Local Settings\Temporary Internet Files
Delete the file in the AVG Virus Vault.
Delete your temporary internet files.

Per the HijackThis log:
You are running AVG v7 which is not currently supported as far as I know. Update to v8 ASAP:
http://free.avg.com/

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 10

Did you set your homepage to come up as a blank page? If not, you have the about:blank malware. Remove the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

This should be stopped:
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
The CLSID is for Alexa_registry_entry Registry key that creates a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.

Check against your ISP:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD95751-5724-4307-BEAE-7AFCE92E324B}: NameServer =
Directing to the following IPs. If this is your ISP or company server, leave it. If it is not, remove it:
202.138.96.2
inetnum: 202.138.96.0 - 202.138.96.255
netname: IDC-Infrastructure
country: IN
descr: IDC-Internal-Infrastructure

202.138.103.100
inetnum: 202.138.103.0 - 202.138.103.255
netname: Banglore-IDC-1
country: IN
descr: Banglore-IDC-Colo-Internal-Infrastructure

203.122.63.152, 203.122.63.154
inetnum: 203.122.0.0 - 203.122.63.255
netname: SPECTRANET
descr: SPECTRA NET LIMITED
descr: FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA.
country: IN

220.225.3.65,
inetnum: 220.224.0.0 - 220.227.255.255
netname: RCOM
descr: Reliance Communications Ltd
descr: Dhirubai Ambani Knowledge City
descr: Thane Belapur Road, KoparKhairane
descr: Navi Mumbai - 400710
descr: India

172.16.10.1
Private address to NameServer: BLACKHOLE
{c95fe080-8f5d-11d2-a20b-00aa003c157a}
 
Deleted all temp internet files
Updated Java. Uninstalled older java versions.
My homepage was set to about:blank
Fixed the O9 extra Tools menu item in HijackThis.
All those IP addresses are mine. They're all listed in the DNS, gateways etc.

Putting up new Hijackthis log.
 
Sigh.. none of this worked. The viruses are still appearing, even more than before now. They mostly appear whenever my IE blocks these cookies from particular strange URLs. I'm adding a screenshot of these strange URLs that keep trying to open.

I'm getting the virus exploit, trojan horse exploit, and trojan horse js/downloader agent.

I keep deleting the temp internet files, where all the viruses go. AVG keeps catching them, but no matter how much I clean my system, the viruses keep on coming when I connect to the internet.

Also, I don't know if this is related, but during all these viruses continuously popping up, a message balloon appeared in the taskbar: Application popup: Windows - Virtual Memory Minimum Too Low : Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.
 

But you didn't update AVG and that means you aren't getting current update. That means you are going to continue to get infected:
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
It means that even though you have an antivirus program installed and loading, it isn't getting the updates for recent or current malware. So the second you access the internet, you are open to whatever virus/worm/Trojan might be around.

Post 5:
Per the HijackThis log: (current logs not updated)
You are running AVG v7 which is not currently supported as far as I know. Update to v8 ASAP:
http://free.avg.com/

Update this and then maybe we will get somewhere.
 
I'm no expert, but is your computer on a local network?
I had a similar problem. I had Norton IS 2007 which kept popping up Trojan.Webkit!html. Yet, on a full system scan no viruses were detected. Then, I downloaded AVG 8. AVG 8 started giving me the "Virus found Exploit" message with every webpage I tried to open, either with IE or Firefox. With Firefox, I noticed the message "u.cruze3.cn" waiting. And again no threats on a full scan.
Finally, I found out that an infected computer in my network was presenting itself as the default gateway and was returning this address with the script in the HTML documents.
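One defender-side way to check for the rogue-gateway situation described in this post, as an added example that is not part of the thread: a machine on the LAN that answers ARP for the gateway address will make the gateway IP resolve to a different MAC than the one recorded on a clean day, and will often claim several IPs with the same MAC. The script parses Windows `arp -a` output; the sample table and the baseline gateway MAC are constructed for this example.

```python
"""Flag a rogue default gateway from a Windows `arp -a` dump (added example)."""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output; all MAC addresses are made up.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.37          00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Gateway MAC recorded while the LAN was clean (assumed baseline value).
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "de-ad-be-ef-00-01"}

# One ARP table row: IP, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return a list of (ip, mac, type) tuples, one per ARP table row."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def find_rogue_gateway(rows, known):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac, _ in rows:
        by_mac[mac].append(ip)
        if ip == known["ip"] and mac != known["mac"].lower():
            findings.append(f"gateway {ip} now answers from {mac}, expected {known['mac']}")
    for mac, ips in by_mac.items():
        # One MAC behind several IPs is the classic ARP-poisoning signature;
        # multicast entries (01-00-5e-...) legitimately share a prefix, skip them.
        if len(ips) > 1 and not mac.startswith("01-00-5e"):
            findings.append(f"MAC {mac} claims several IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in find_rogue_gateway(parse_arp(SAMPLE_ARP), KNOWN_GATEWAY):
        print("WARNING:", finding)
```

On a real LAN, replace SAMPLE_ARP with the live `arp -a` output and set KNOWN_GATEWAY from the router itself; a gateway MAC that changes between runs is the thing to act on.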
 
D0uD0u, yes, that's exactly what's happening with me. I have a local network. And I'm getting the u.cruze3.cn with IE and Opera, even though nothing turns up on a full scan.

How can I figure out which computer is infected? My internet providers provide internet to the whole city! And I doubt they'd want to investigate the whole thing.

Bobbye, I have a very, very old computer. It can't handle updating to XP SP2, and I can't upgrade to AVG 8 without SP2. Anyhow, the problem isn't really AVG, because AVG is doing its job (and even AVG 7.5 is updating itself daily, and the virus database always says it was released 1 or 2 days ago). The problem is my internet. I know of two or three computers that are using the same ISP and having the same virus problem.
 