Avast WEBforum
Other => General Topics => Topic started by: entu on July 11, 2009, 12:53:55 PM
-
Hi everybody,
I've noticed that my installation of Avast connects to some adult site during the update process.
It seems to download some pictures from there, and I really cannot see the reason for doing that.
Thank you for your attention,
Frank
-
-= Where did you download your copy of avast..? Was it from an e-mail..?
-
Hi L' arc
I got the installer from the official website and I've successfully used it for a long time, this is a recent issue as for what I've noticed.
Maybe my Avast has been hijacked / infected itself?
Thanks again,
Frank
-
Have you run any scans with Avast or other ?
Download these programs, HijackThis,run , choose, scan and save logfile, copy/paste the txt log
http://filehippo.com/download_hijackthis/ (http://filehippo.com/download_hijackthis/)
Download,install,updateand run ' quick' scans with MBAM and SAS, copy/paste the logs
http://filehippo.com/download_malwarebytes_anti_malware/ (http://filehippo.com/download_malwarebytes_anti_malware/)
http://filehippo.com/download_superantispyware/ (http://filehippo.com/download_superantispyware/)
-
I don't think that it is avast which is infected... maybe your browser was hijacked, maybe the hosts file compromised.
I suggest:
1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
-
Thank you very much everybody for your pointers, I'll check to see if I can solve the issue following your directions and I'll get back here once I'll be done with those steps.
Some additional information meanwhile: again during the update process, it says it is checking some files on my hard-disk, they are all called ".vbs" and they seem to be on the root folder of each partition - but I've checked and there are no such files - at least, Windows doesn't show them even if I tell it to display hidden/system files.
Thanks again for your help,
cheers,
Frank
-
it says it is checking some files on my hard-disk, they are all called ".vbs" and they seem to be on the root folder of each partition
Whom is "it" here? avast update?
It does not call any .vbs file to update... seems really a malware behavior.
-
@ entu
One crucial thing not mentioned is your firewall ?
As this is an important part of your systems security - It should be capable of blocking unauthorised outbound Internet Connections.
-
Hi again everybody, some update.
I've run a complete scan with avast! (4.8 home edition). I've had to run it manually with the system already started, because I wasn't able to find an option to schedule the scan at startup. Anyway, it didn't find anything.
I've run avast antirootkit and no threat was found.
Then I've run MBAM and it found some files and some folders infected by backdoor.bot.
When it asked me what to do with those files and folders, I've told it to quarantine the files and to take no action against the folders - those folders contain several sub-folders filled with documents I need to keep.
I was unsure about what my actions could lead to, anyway, I've restarted the system as MBAM asked me to do and I rerun MBAM to check if those folders resulted still infected - that surprised me: those folders passed the check and no further infection was found.
By the way I have no idea how a folder could get infected - but I'm no expert, you can guess.
@ DavidR: my OS is WinXP SP2, the firewall is active and fully working - afaik.
I've just ran the avast update option and it still goes on displaying stuff like "confirm file: C:\.vbs" (btw, "confirm file" is my translation of the Italian string "conferma file:") also it still goes on connecting to those adult sites - btw, shall I remark the domain of that website here or somewhere else? it is always the same domain and the same addresses.
I'm going to try all the other steps given by Tech.
Thank you all again for your time and please excuse me for these step-by-step posts.
All the best,
Frank.
-
I suggest an installation from the scratch:
1. Uninstall avast from Control Panel first.
2. Boot.
3. Download the latest version of Avast Uninstall (http://www.avast.com/eng/avast-uninstall-utility.html) and use it for complete uninstallation. If, for any reason, you can't run it, try booting in Safe Mode (http://www.pchell.com/support/safemode.shtml) and doing it from there.
4. Boot.
5. Download, save and install the latest avast! (http://www.avast.com/eng/programs.html) version. It will be good to accept the boot time scanning on next boot.
6. Boot.
7. Check and post the results.
-
Thank for your new directions Tech, I'm going to follow them and I'll get back here once I'll be done.
-
Thank for your new directions Tech, I'm going to follow them and I'll get back here once I'll be done.
I was thinking better... something is weird in your hosts file... follow steps I've posted before.
-
All right, I'm going to do the hosts check & restore stuff.
-
<snip>
@ DavidR: my OS is WinXP SP2, the firewall is active and fully working - afaik.
I've just ran the avast update option and it still goes on displaying stuff like "confirm file: C:\.vbs" (btw, "confirm file" is my translation of the Italian string "conferma file:") also it still goes on connecting to those adult sites - btw, shall I remark the domain of that website here or somewhere else? it is always the same domain and the same addresses.
<snip>
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- There are many freeware firewalls such as, Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Online Armor and recently released, Outpost Firewall free 6.5 (2009)
See http://www.matousec.com/projects/firewall-challenge/results.php (http://www.matousec.com/projects/firewall-challenge/results.php).
Many forum users are using all of the above:
- PC Tools Firewall seems to have the least user headaches as it doesn't seem to be constantly asking the user questions about this and that.
- Online Armor for the most parts fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
- Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use the add remove programs to remove the AV element if already installed), of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not to familiar with firewalls or their systems.
- Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/ (http://free.agnitum.com/). Download, http://www.filehippo.com/download_outpost_firewall/ (http://www.filehippo.com/download_outpost_firewall/)
I'm not convinced a clean reinstall of avast will make the slightest difference, I would be happy to be proven wrong though.
-
You should post ALL logs from MBAM, and SAS and HJT,( which you have yet to run ) HJT takes 10 seconds, yet can tell a lot
-
Uhm, excuse me but I'm a bit confused.
First of all, let me tell one thing that maybe should be taken in account: I'm connecting to the Internet via a proxy server that accepts connections only on port #80.
For your information, this proxy is completely out of my reach - that is, I must keep it as it is, I have no hope to contact the maintainers and ask them to change any setting whatsoever, I already tried and they plainly replied me that their service is cheap and set into the stone, I must cope with that.
So then, I've set the proxy address in HostsMan's settings, and when I tell it to update the hosts list it returns the following:
-----------------
Checking for updates:
- MVPS Hosts... check failed (Server response: ).
- hpHosts... check failed (Server response: ).
- Mike's Ad Blocking Hosts... check failed (Server response: ).
- Peter Lowe's AdServers List... check failed (Server response: ).
No new updates available.
----------------
@ DavidR: I will check out those firewalls and I will set one of them up - but I'd like to solve this avast issue first. Or should I start by installing one of those firewalls first?
@ Micky77: I will post those logs (MBAM and HJT) but I fear I won't be able to get SuperAntispyware (that's SAS, that's it?) - I cannot get that due to my proxy which for some obscure reason refuses to deliver me large executables.
Kudos to all of you for your precious time people, I'll be back soon.
-
I'm connecting to the Internet via a proxy server that accepts connections only on port #80.
Proxy at port 80? Are you sure? This is the default http port...
Did you add the server address and the port number into avast proxy settings?
-
I'm connecting to the Internet via a proxy server that accepts connections only on port #80.
Proxy at port 80? Are you sure? This is the default http port...
Did you add the server address and the port number into avast proxy settings?
Of course I did, and everything worked fine for a long time - avast correctly updated itself every time.
I've just checked it right now again, the address and the port are still correctly set.
Everything on my system passes through that proxy (well, Firefox, Avast, FlashGet and a couple of other programs that need to get to the Internet) and everything works fine (except that "large executables" issue I mentioned before).
I've had a look to the MBAM log and I'm not posting it because it is plain useless - apart from the infected files/folders which report only the "Backdoor.bot" notice, everything else reads zero (no infected processes/modules/registry keys an so on)
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.30.28, on 11/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = [guess numbers here ;-) : 80]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Programmi\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7977801F-1950-46BE-8985-64EF0270924F}: NameServer = 83.224.65.134
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
--
End of file - 6044 bytes
I'm going to wait for some while for any eventual reply, then I'll try to reinstall avast from scratch.
Please let me know if the HostsMan report I've posted in my previous message is OK or not.
More to come, thanks again.
-
Please let me know if the HostsMan report I've posted in my previous message is OK or not.
No. It's not ok. It should allow the updates, at least, the two firsts on the list and you need not only to update your host but replace it completely.
Do you have Windows Defender updated? It should monitor the hosts file... maybe an infection passed through it also.
-
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
You're using Windows SP2 that has several security vunerablilities and Windows SP3 has been available for over a year that has perfomance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.
Go to Control Center then Security Center then set it to Automatic Updates (Recommended) or at least Notify me about updates but do not download nor install them.
IE8 is now available and it has more security than IE6:
http://www.microsoft.com/windows/Internet-explorer/default.aspx
The Sun Java is way down level and has security exposures so go to Add/Remove Programs and un-install all Sun Java installs.
Get and install Java Runtime Environment:
http://filehippo.com/download_java_runtime
Run Secunia Online Software Inspector to see what other applications have vulnerabilities:
http://secunia.com/vulnerability_scanning/online
-
I have no Defender installed, I suppose it is included in SP3... I don't know if I'll be able to download it and get all the updates after that... at least I never used IE and I'll never use it, I think I could (well, must) cope with that.
I'm downloading the Italian installer within the setup wizard, it will take a long time because I had to switch back to the dial-up connection - the proxy connection is faster but fails to download large executables... once more :-/ ...hope that it will solve the main issue of this topic, at least...
I'll let you know.
In any case I'll try to take on any possible security check & upgrade as suggested here so far - after getting a working installation of avast to my system.
By the way, can I assume to be safe without installing any different firewall since I usually surf behind such a wonderful (awful) 80-port-only proxy?
Well, that's a bit off topic here but anyway, that's just an informative question, I'll set up a firewall in any case - I've read something about that and I'd like to have an opinion from hands-on people.
Thank a lot once more, have a nice weekend,
Frank
-
By the way, can I assume to be safe without installing any different firewall since I usually surf behind such a wonderful (awful) 80-port-only proxy?
No. Both things aren't related. You need a firewall, but first, you need your computer clean. After that we can make firewall suggestions and help you.
-
Hi everybody,
problem solved, avast does not connect to that adult site any more during the update process, also those ".vbs" files do not appear any more in the update messages.
During the boot-time scan avast found three viruses:
07/12/2009 01:42
Controllo di tutti i drives locali
File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054917.exe e infetto da Win32:Buttons [Joke], Spostato nel Cestino
File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054957.exe e infetto da Win32:Trojan-gen {Other}, Spostato nel Cestino
File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054975.exe e infetto da Win32:Trojan-gen {Other}, Spostato nel Cestino
Numero di cartelle cercate: 16536
Numero files controllati: 216771
Numero files infetti: 3
(sorry for the Italian messages. "Spostato nel cestino" means, literally, "Moved to the basket". Now I understand also that note about disabling system restore)
I've been able to update my hosts list using the dial-up connection, now I'm not so sure which step actually solved the problem... shall I edit the first post of this topic mentioning the steps I took? Which is the custom here about solved issues' threads?
Another question: into the avast recycled basket (or quarantine basket, I ignore its name in English), there are the three files reported above and also three system libraries: kernel32.dll, winsock.dll and wsock32.dll. All of them have been transferred to the basket at the end of the boot-time scan (at least it seems so, looking at their transfer times). Is it normal for such files to appear there?
By the way, thank you Tech for your explanation about proxy/firewall. In my mind I thought that the proxy could, at least, forbid connections to an eventual backdoor that could infect my system, that was what I meant with the word "safe". I'm going to set up a firewall asap, and I'll try to update my OS too.
Thanks again everybody, your help has been precious.
All the best,
Frank
-
entu, you can order a SP3 update CD for a small shipping charge and will arrive fairly quickly:
https://om2.one.microsoft.com/opa/Validation.aspx?StoreID=7b7aa929-bd0a-487a-bc7e-df7631fee660&LocaleCode=en-us
I keep one handy for when I need to update a system quickly.
To get rid of the indications in the System Restore files:
How to turn off and turn on System Restore in Windows XP
http://support.microsoft.com/kb/310405
-
Thank you for your suggestions YoKenny, I think I'll follow them.
Have fun,
Frank