Avast WEBforum

Other => Viruses and worms => Topic started by: rusty_brown on October 08, 2012, 10:43:15 PM

Title: Constant Malicious URL warnings - ga.js infection
Post by: rusty_brown on October 08, 2012, 10:43:15 PM
I’ve had a problem with malicious URLs being detected and constant Avast popup warnings. They’re mostly to do with google-analytics.ga.js

It’s got to the point where the Avast warning box is constantly popping up whilst I’m browsing.

To make things worse I am now getting an ad.xtendmedia popup in the lower left corner of Chrome on nearly every page I open.

I’ve run complete scans with Avast, Malwarebytes, and SUPERAntiSpyware. Nothing is detected.
I read in another forum that it could be a problem with my router (the problem only occurs on my laptop, not on my PC) so I changed my login details and checked the DNS settings were correct. It didn’t make any difference and the problem persists.

I’ve run out of ideas and really need some help. All the logs requested in the sticky are attached.

Any help will be greatly appreciated!
Title: Re: Constant Malicious URL warnings - ga.js infection
Post by: rusty_brown on October 08, 2012, 10:44:36 PM
Here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.06.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Louise :: LOUISE-LT2 [administrator]

08/10/2012 20:13:03
mbam-log-2012-10-08 (20-13-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205283
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Title: Re: Constant Malicious URL warnings - ga.js infection
Post by: mikaelrask on October 09, 2012, 04:24:49 PM
Hey, and welcome to the forum. I will drop a note to one of our malware experts here on the forum about your thread.
Title: Re: Constant Malicious URL warnings - ga.js infection
Post by: essexboy on October 09, 2012, 04:27:58 PM
Here we go, a quickie fix. Let me know if this cures it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
@Alternate Data Stream - 993 bytes -> C:\Program Files\Common Files\Microsoft Shared:RnwXmMlFWWUb61WqX9g5
@Alternate Data Stream - 169 bytes -> C:\ProgramData\TEMP:1CE11B51
@Alternate Data Stream - 1053 bytes -> C:\ProgramData\Microsoft:ynmwUvLOfr7Ish7HAJMrxDEcs
@Alternate Data Stream - 1013 bytes -> C:\ProgramData\Microsoft:M4t9lFuZfRwTpRpeEqbv

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: Constant Malicious URL warnings - ga.js infection
Post by: rusty_brown on October 09, 2012, 04:55:32 PM
I think it's fixed - thank you!
I've been browsing for 5 mins or so and no alerts or popups.

The quick scan results are attached.

What was this exactly? I've never had so much trouble getting rid of a virus or malware.

Thanks again!
Title: Re: Constant Malicious URL warnings - ga.js infection
Post by: essexboy on October 09, 2012, 05:04:24 PM
Quote
O1 HOSTS File: ([2011/10/02 17:46:39 | 000,001,392 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O1 - Hosts: 74.55.76.230 www.google-analytics.com.
O1 - Hosts: 74.55.76.230 ad-emea.doubleclick.net.
O1 - Hosts: 74.55.76.230 www.statcounter.com.
O1 - Hosts: 178.250.45.15 www.google-analytics.com.
O1 - Hosts: 178.250.45.15 ad-emea.doubleclick.net.
O1 - Hosts: 178.250.45.15 www.statcounter.com.
This was the culprit: your hosts file was hijacked.
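
Added example (not part of the original thread or written by any poster): a small Python audit that parses hosts-file text and reports hostnames redirected to a non-loopback address, which is the pattern in the O1 entries quoted above. The function names, the EXPECTED_NAMES set and the 0.0.0.0 line in the sample are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Names a clean hosts file is expected to define (assumption for this example).
EXPECTED_NAMES = {"localhost"}

def parse_hosts(text):
    """Yield (ip, hostname) per mapping; comments and blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            # Normalise case and the trailing dot seen in the hijacked entries.
            yield ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return {hostname: sorted IPs} for names redirected to a non-loopback address."""
    suspicious = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            continue  # local mapping, e.g. localhost
        if ip.is_unspecified and name not in EXPECTED_NAMES:
            continue  # 0.0.0.0 blocklist-style entry, not a redirect
        suspicious[name].add(str(ip))
    return {name: sorted(ips) for name, ips in suspicious.items()}

# Sample: the O1 hosts entries quoted in the thread, plus one constructed blocklist line.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
74.55.76.230 www.google-analytics.com.
74.55.76.230 ad-emea.doubleclick.net.
74.55.76.230 www.statcounter.com.
178.250.45.15 www.google-analytics.com.
178.250.45.15 ad-emea.doubleclick.net.
178.250.45.15 www.statcounter.com.
0.0.0.0 blocked.example  # constructed
"""

if __name__ == "__main__":
    for name, ips in sorted(audit_hosts(SAMPLE).items()):
        print(f"{name} -> {', '.join(ips)}")
```

Any hostname this reports should be checked against what the machine's owner deliberately added; a well-known analytics or ad domain pinned to an arbitrary public IP, as here, explains browser warnings that file scanners do not pick up.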