Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: HardcoreGR on June 22, 2013, 06:46:05 PM

Title: Gstatic.com URL:Mal - Avast red alert message
Post by: HardcoreGR on June 22, 2013, 06:46:05 PM
I got a spam email and I made the mistake of clicking "Unsubscribe" in its signature. From that moment I got a warning message from Avast. Even if I re-installed Windows or followed instructions to remove it with other antiviruses, I still get the same error!

I get an error from a Gstatic.com site after I open Google images or even other sites. The error is this (the URL field always changes).

URL: http://www.gstatic.com/bg/VPDtzeEv8kv9qL.js
C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe
Infection: URL:MAL


I need help here! I hope it's not a spyware program. I've tried other antiviruses as well but nothing happens!
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: Pondus on June 22, 2013, 07:14:18 PM
See guide at top in virus and worms forum section....logs to assist in cleaning malware
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: HardcoreGR on June 22, 2013, 07:41:30 PM
Ok, I found the topic (http://forum.avast.com/index.php?topic=53253.0) and am already working on it. Will post back results.

Thanks.
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: chanas on June 22, 2013, 09:22:44 PM
Same issue here. DNS resolution is:

> t1.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    t1.gstatic.com
Addresses:  2a00:1450:4017:801::1012
          173.194.39.242
          173.194.39.241
          173.194.39.240
          173.194.39.243
          173.194.39.244

> t2.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    t2.gstatic.com
Addresses:  2a00:1450:4017:801::1012
          173.194.39.244
          173.194.39.240
          173.194.39.243
          173.194.39.241
          173.194.39.242

> t3.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    t3.gstatic.com
Addresses:  2a00:1450:4017:801::1014
          173.194.39.244
          173.194.39.240
          173.194.39.241
          173.194.39.242
          173.194.39.243

> www.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    www.gstatic.com
Addresses:  2a00:1450:4017:801::100f
          173.194.39.239

And according to WHOIS:

NetRange:       173.194.0.0 - 173.194.255.255
CIDR:           173.194.0.0/16
OriginAS:       AS15169
NetName:        GOOGLE
NetHandle:      NET-173-194-0-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Allocation
RegDate:        2009-08-17
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-194-0-0-1

So does Google do evil or is it a FP?
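The manual check in the post above (resolved addresses compared with the quoted WHOIS range), as an added example that is not part of the original thread. The function names are hypothetical, the sample is an excerpt of the quoted nslookup output, and IPv6 answers are reported as unchecked because the quoted WHOIS record covers IPv4 only.

```python
import contextlib
import ipaddress

# WHOIS range quoted in the post (NetName GOOGLE, OriginAS AS15169).
WHOIS_NET = ipaddress.ip_network("173.194.0.0/16")
# Excerpt of the nslookup output quoted in the post.
SAMPLE = """\
> t1.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    t1.gstatic.com
Addresses:  2a00:1450:4017:801::1012
          173.194.39.242

> www.gstatic.com
Server:  pfsense
Address:  10.0.0.253

Non-authoritative answer:
Name:    www.gstatic.com
Addresses:  2a00:1450:4017:801::100f
          173.194.39.239
"""

def parse_nslookup(text):
    """Return {name: [addresses]}, skipping the resolver's own address."""
    answers, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Server":
            current = None  # the next "Address:" line is the resolver itself
        elif key == "Name":
            current = value
            answers[current] = []
        elif current is not None and line.strip():
            # "Addresses: x", "Address: x", or an indented continuation line
            raw = value if key in ("Address", "Addresses") else line.strip()
            with contextlib.suppress(ValueError):  # prompt or other non-address line
                answers[current].append(ipaddress.ip_address(raw))
    return answers

def classify(answers, net=WHOIS_NET):
    """Per name: answers inside net, outside it, or of another IP version."""
    return {name: {
        "inside": [str(a) for a in addrs if a.version == net.version and a in net],
        "outside": [str(a) for a in addrs if a.version == net.version and a not in net],
        "unchecked": [str(a) for a in addrs if a.version != net.version],
    } for name, addrs in answers.items()}
```

An empty "outside" list only shows that the resolver returned addresses in the expected netblock, i.e. that DNS was not redirected; it says nothing about the content served from them.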
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: ioannidis.chris1 on June 22, 2013, 09:30:50 PM
In an effort to reduce loading times and make Google services quicker, Google has migrated static files to another domain (gstatic.com).

I too get this error message. Most likely you are not infected and it's a false positive.
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: HardcoreGR on June 23, 2013, 12:08:51 AM
Hey is anyone from Avast here to really help?

I tried everything mentioned in this topic (http://forum.avast.com/index.php?topic=53253.0) but still nothing.

Look at the error message

(http://oi39.tinypic.com/ipbfpx.jpg)

Now look at what I got when I typed netstat. After 10 minutes and it keeps going!

(http://oi42.tinypic.com/n4a0km.jpg)

So why does this gstatic.com try to access my computer with JavaScript files and .png images? And after trying everything, what should I do? Look at the netstats. Someone seems to be connected with me and I see so many links from this IP the previous guy mentioned (Gstatic), so I don't feel safe to tell Avast to leave it.

I've even tried Malwarebytes : Free anti-malware with safe mode but nothing!
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: Pondus on June 23, 2013, 12:38:18 AM
Quote
I tried everything mentioned in this topic but still nothing.
nothing what?.....did you read the instructions

nothing will happen, you are to attach the requested logs, when done the removal experts will check for infections
and fix it if they see any
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: ioannidis.chris1 on June 23, 2013, 01:42:35 AM
Quote from: HardcoreGR
Hey is anyone from Avast here to really help?

I tried everything mentioned in this topic (http://forum.avast.com/index.php?topic=53253.0) but still nothing.

Look at the error message

(http://oi39.tinypic.com/ipbfpx.jpg)

Now look at what I got when I typed netstat. After 10 minutes and it keeps going!

(http://oi42.tinypic.com/n4a0km.jpg)

So why does this gstatic.com try to access my computer with JavaScript files and .png images? And after trying everything, what should I do? Look at the netstats. Someone seems to be connected with me and I see so many links from this IP the previous guy mentioned (Gstatic), so I don't feel safe to tell Avast to leave it.

I've even tried Malwarebytes : Free anti-malware with safe mode but nothing!


1) The netstat command displays inbound and outbound network connections. If you close Google software (Chrome) and wait for approximately 10 seconds, the netstat list will shorten and you won't be connected to any of the gstatic IPs. This has nothing to do with the problem at hand.
2) gstatic.com (probably stands for GoogleSTATIC.COM) is a site created by Google to make Google services faster. Static Google content like their logo (one of the png images you saw), basic scripts, etc. are stored there to make the user experience faster.


This whole deal was probably a human error inside the latest virus signature db that made Avast consider content from gstatic.com as malware. Why it hasn't affected all Avast users, I don't know. Probably a bug specific to some systems. However, as of now, a db update has already taken place, so by the time you see this post, the problem is solved.

For future reference (simplified version): avast will protect you from all threats included in its virus signature db. This is updated daily. In order for you to get infected by malicious software, said software must not be included in the db. Even then, avast probably will warn you of suspicious files. However, the chances of that happening are slim to none.

Try to access gstatic.com. You'll get a 404.

P.S.: hahahahahahaha, dude, I only just now saw that you're Greek! Don't worry, bro, the problem has been solved!
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: mxbaran707 on June 23, 2013, 06:37:59 AM
I received this warning while on my Hotmail (online) account. An email from a friend had a link, and since I trusted this friend, I clicked the link. Avast immediately put up the warning popup, and I felt dumb. 7 years or so ago, I opened up a file with the STAR BITCH Trojan in it (also from a dubious source), and way back when, Norton was still a decent product, and stopped the infection. Because it was online, I was spared infection this time. But as a precaution, I will run the files referenced in the worm and virus forum. Just in case. I am a happy customer...





AMD64 1.6G w/Gig RAM Win 7SP1/64 w/IE 10 AVAST 8.0
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: shodanx on June 23, 2013, 07:25:15 AM
Hello,

I created an account to say that I too am getting this probably false positive notice

It only happens so far when I search videos on youtube (using the youtube search from mycroft using browser firefox)

Infection Details
URL:   http://csi.gstatic.com/csi?v
Process:   C:\Program Files (x86)\Mozilla Firefox\f...
Infection:   URL:Mal

full warning url http://www.avast.com/en-ca/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ca%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Program%20Files%20%28x86%29\Mozilla%20Firefox\firefox.exe&p_obj=http://csi.gstatic.com/csi?v=2%26s=youtube%26action=results%26e=921050,930901%26yt_lt=cold%26ei=kIHGUZ_tAoWW2AX_7YDIDw%26yt_spf=0%26yt_li=1%26srt=297%26rt=ct.182,js_head.286,js_foot.315,ol.605,aft.605%26it=st.183&p_var=.%2Ffa%2Fen-ca%2Fvirus-alert-default&p_pro=0&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=30&p_lng=en&p_lid=en-ca&p_elm=7&p_vbd=1489

Oh btw, why does it ask for captcha again, even after I have logged in? This is unnecessary as you already know I'm a human from a few seconds ago!
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: CraigB on June 23, 2013, 07:46:24 AM
Quote from: shodanx
Oh btw, why does it ask for captcha again, even after I have logged in? This is unnecessary as you already know I'm a human from a few seconds ago!
The captcha is for the first three posts, this is set this way to curb spammer activity.
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: HardcoreGR on June 23, 2013, 11:22:25 AM
To mods: Please move this topic to viruses and worms forum.
(As Pondus said, because here I think we are off-topic).

So here are the results for me. I ran all 4 antiviruses from the example link in safe mode.

Hmm...as I see now Avast doesn't display this alert anymore so it seems fixed. I don't know if it has to do with a database upgrade or with the fact that I run all 4 antiviruses in safe mode, while in other cases I was running them in Normal Windows mode. Anyone must save an HTML file with the instructions as it won't work.

But again, I still remember that the alert started appearing after I clicked the "Unsubscribe" button in the signature of an unknown spam email. I have used Avast for less than a week and I hadn't seen this alert in the first days.

Will post again when it re-appears

Quote from: ioannidis.chris1
P.S.: hahahahahahaha, dude, I only just now saw that you're Greek! Don't worry, bro, the problem has been solved!
Send me an email at hardcoregr at yahoo dot com so I can ask you something.
Title: Re: Gstatic.com URL:Mal - Avast red alert message
Post by: essexboy on June 23, 2013, 11:56:26 AM
Nothing apparent in the logs as it stands