Avast WEBforum
Other => Viruses and worms => Topic started by: Skip H on March 25, 2011, 03:22:43 PM
-
Is there a list of recent false positives?
-
Hi Skip H,
Not that I know of, but you can search this forum for FP or False Positives. Normally they are rather short-lived issues; they seldom outlive the next virus definition update, so reporting FPs is far more important than searching lists,
polonus
-
Is there a list of recent false positives?
Aside from what Polonus said - Why would you need to ask such a question ?
If you have a detection that you consider might be a false positive, then what is it ?
e.g. malware name, file name, location (C:\windows\system32\infected-file-name.xxx) and why you think it is a false positive.
Then we can help you confirm/deny the detection and what actions to take, etc.
-
Yes, I fully agree here with DavidR, that it is important to know why you asked this question. Be more specific to reveal your reasons for asking this. With such a kind of cryptic question, you will only get likewise answers,
polonus
-
I got what I think is a false positive.
hxxp://www.google-analytics.com/ga.js|>{gzip}
infection HTML:Iframe-INF
It even pops up for the avast forum.
-
Kindly update your virus defs.
-
My virus data is up to date :(
-
My virus data is up to date :(
What is the version of definitions you have?
-
110325-0
-
Cannot reproduce your problem at all.
-
ga.js
http://www.virustotal.com/file-scan/report.html?id=716d388a41888b9f461d2afa9f40a87b7aa6c7409e7ccdcf233f5be1135aef97-1301076408
-
I have avast 6.
Could there be a problem on my end?
-
Can you show us a screenshot? We are all using avast 6 and can't see the problem you are having...
-
http://i55.tinypic.com/2ns84dl.png
-
Eh... What does
nslookup www.google-analytics.com
produce on your box? (Run that in command prompt.)
-
http://i.imgur.com/5pSwa.png
-
http://i.imgur.com/5pSwa.png
I meant
nslookup www.google-analytics.com
Also, please use the additional options - attach feature here for screenshots.
-
85.10.195.196 - Geo Information
IP Address 85.10.195.196
Host static.85-10-195-196.clients.your-server.de
Location DE, Germany
City Nürnberg, 02 -
Organization Hetzner Online AG
ISP Hetzner Online AG
AS Number AS24940 Hetzner Online AG RZ
You clearly are infected by something and your DNS is hijacked.
-
Here
-
Yeah, as said - your DNS is not sane. Set it to 8.8.8.8 and 8.8.4.4 (Google public DNS) so that you stop this temporarily and try the nslookup again. Anyway, we will need MBAM and OTS logs (see the stickies here).
IP Address 173.193.227.124
Host 173.193.227.124-static.reverse.softlayer.com
Location US, United States
City Dallas, TX 75207
Organization Hosting Services
ISP SoftLayer Technologies
AS Number AS36351 SoftLayer Technologies Inc.
-
The DNS change fixed the alert problem, but what does OTS mean?
I have malwarebytes running, as well as avast.
-
Abuse of service reported to SoftLayer Technologies and Hetzner Online AG.
The DNS change fixed the alert problem, but what does OTS mean?
I have malwarebytes running, as well as avast.
Please read the sticky posts on this forum.
-
***
Try looking here ... http://forum.avast.com/index.php?topic=53253.msg451454#msg451454 ... follow the instructions in the first post by Essexboy, and then post the logs in this thread that you started.
[BTW, OTS = Old Timer Scan]
***
-
https://docs.google.com/document/pub?id=1kexwLx5dqITog5LIfqQd3HyQZa_DGY6rla1fer9gxXk
https://docs.google.com/document/pub?id=1-bhrkKejtsnNPAKp1mSgPYLp3syZU8nH48ByCBp5F5U
The files were too big to upload
Edit: I made the OTS file a little more readable, before word somehow screwed up the formatting.
-
Edit: I made the OTS file a little more readable, before word somehow screwed up the formatting.
Word? :o ??? Use notepad (TXT) for similar things.
-
I was using word to replace all the personally identifying stuff.
Not paranoid, just that it makes no difference whether you know that info or not.
-
I was using word to replace all the personally identifying stuff.
Ctrl+H in Notepad. :P
-
I've noticed sudden growth of this in our logs.
We don't know if this is mitm/mitb attack (BHO/local proxy) or DNS hijack (modified hosts file?). Is only one browser doing this?
The logs we have say that it's iframe pointing to whereismypeoplexy.com, which we block from 110314
-
I've noticed sudden growth of this in our logs.
Is this mitm/mitb (BHO/local proxy) ... Is only one browser doing this?
Hello, I am afraid you are right. His OTS log shows the malicious DNS server is configured by DHCP. Then again, it might be the DHCP server being compromised as well. And no, not one browser, I asked him to do a nslookup, so... the whole machine has DNS hijacked pointing to the malicious DNS server hosted at SoftLayer Technologies
I have reported this to the whois contacts for both hosters; I got only an automated ticket answer from the Germans, nothing from the US. If you officially contact them, it might speed things up.
If you PM me your email, I will forward the mail I sent them.
-
I've probably overlooked something? DNS set by DHCP is imo quite normal in DSL and similar environments - but I still don't know how you know that the Google address he received is bad. Google definitely has tons of servers with multiple IPs.
For example from my home it's
Name: google.com
Addresses: 74.125.87.99, 74.125.87.104
F:\x4>nslookup 74.125.87.99
Name: hb-in-f99.1e100.net
Address: 74.125.87.99
-
For example from my home it's
Name: google.com
Addresses: 74.125.87.99, 74.125.87.104
F:\x4>nslookup 74.125.87.99
Name: hb-in-f99.1e100.net
Address: 74.125.87.99
Yeah, and guess what - owned by Google. Not some third-party ISP/hoster.
# gwhois 74.125.87.99
Process query: '74.125.87.99'
Query recognized as IPv4.
Querying whois.arin.net:43 with whois.
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.125.87.99?showDetails=true&showARIN=false
#
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-03-13
Updated: 2007-05-22
Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1
OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2009-08-07
Ref: http://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
If you replace the www.google-analytics.com part of the URL with the IP returned by the malicious DNS server, you will get happily served with infected ga.js; are you suggesting that Google got infected? :P
# nslookup www.google-analytics.com 173.193.227.124
Server: 173.193.227.124
Address: 173.193.227.124#53
Name: www.google-analytics.com
Address: 85.10.195.196
-
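The check the thread walks through by hand (nslookup against the DHCP-supplied resolver, then against a resolver you trust, then whois on the answer) is easy to script. The following is an added example written for this page, not a tool from the thread or from Avast: it sends a raw A query to a chosen resolver, parses the reply, and compares the answer against a reference resolver and a list of netblocks the operator trusts for that name. The trusted netblock used here is an assumption taken from the ARIN record quoted above (74.125.0.0/16); Google serves these names from many other ranges too, so a real deployment would populate that list from live whois/BGP data. The embedded response packet is constructed for offline demonstration, not captured traffic.

```python
import ipaddress
import os
import socket
import struct
import sys
from typing import List, Tuple

# Assumption for this example: the ARIN allocation quoted in the thread. Real checks need a fuller list.
TRUSTED_NETS = ["74.125.0.0/16"]


def build_query(name: str, txid: int) -> bytes:
    """Minimal RFC 1035 A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer: follow it once
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_answers(msg: bytes, txid: int) -> List[str]:
    """Return the IPv4 addresses in the answer section of a reply to build_query()."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our transaction id")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen                                    # CNAME and other RRs are skipped
    return addrs


def query_a(name: str, server: str, timeout: float = 3.0) -> List[str]:
    """Ask one specific resolver over UDP/53, the equivalent of `nslookup name server`."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def assess(local_answers: List[str], reference_answers: List[str], trusted_nets: List[str]) -> str:
    """An answer outside every trusted netblock is the hijack signal; CDN answers that merely
    differ between resolvers but stay inside trusted ranges are normal split-horizon behaviour."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    outside = [a for a in local_answers if not any(ipaddress.ip_address(a) in n for n in nets)]
    if outside:
        return "HIJACK_SUSPECTED"
    if set(local_answers).isdisjoint(reference_answers):
        return "DIFFERS_BUT_IN_TRUSTED_RANGE"
    return "CONSISTENT"


# Constructed sample (not captured traffic): the reply a resolver would have to send to produce
# the thread's "Name: www.google-analytics.com / Address: 85.10.195.196" nslookup output.
SAMPLE_TXID = 0x1234
SAMPLE_HIJACKED_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)      # response, RD+RA, 1 question, 1 answer
    + build_query("www.google-analytics.com", SAMPLE_TXID)[12:]  # question section echoed back
    + b"\xc0\x0c"                                                # answer name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 60, 4)                          # A, IN, TTL 60, RDLENGTH 4
    + bytes([85, 10, 195, 196])
)

if __name__ == "__main__":
    # usage: python dnscheck.py www.google-analytics.com 173.193.227.124 [8.8.8.8]
    name, local_server = sys.argv[1], sys.argv[2]
    reference_server = sys.argv[3] if len(sys.argv) > 3 else "8.8.8.8"
    local, reference = query_a(name, local_server), query_a(name, reference_server)
    print(local_server, "->", local)
    print(reference_server, "->", reference)
    print(assess(local, reference, TRUSTED_NETS))
```

Run it with the resolver your DHCP lease handed you as the second argument and a public resolver as the third; the offline sample shows the parser recovering 85.10.195.196 from a reply with a compressed name, and assess() flagging it because it lies outside the trusted range.
-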
Edit: I made the OTS file a little more readable, before word somehow screwed up the formatting.
Unfortunately, I use a special parsing tool which reads the first blank line as the end of the report, so I could spend 20 minutes or so removing all the blank lines, or I could ask you to repost it as a text file attachment.
-
Also, now I have read the entire thread - the solution is simple, add the following to your hosts file
# [Google Inc]
127.0.0.1 www.google-analytics.com
-
If you replace the www.google-analytics.com part of the URL with the IP returned by the malicious DNS server, you will get happily served with infected ga.js; are you suggesting that Google got infected? :P
nslookup www.google-analytics.com 173.193.227.124
Server: 173.193.227.124-static.reverse.softlayer.com
Address: 173.193.227.124
Sorry, not for me, getting only 401s? I'd like to see that 'infected' ga.js
-
Sorry, not for me, getting only 401s?
Well, then the Germans might have shut down the webserver already, however, as you can see, the malicious DNS is still running there in US.
-
Heh, looking at the wrong line. I've got ga.js from the German server now.
-
Also, now I have read the entire thread - the solution is simple, add the following to your hosts file
Not really a solution, just a temporary workaround. And it might as well get ignored, since some malware alters the HOSTS file location in the registry (yet, it is configurable).
Heh, looking at the wrong line. I've got ga.js from the German server now.
Heh, OK.
-
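The thread raises three places a Windows box can be redirected before any browser is involved: the resolver handed out by DHCP, the HOSTS file, and the registry value that tells Windows where the HOSTS file lives (Tcpip\Parameters\DataBasePath, which malware can point at its own copy). The following audit script is an added example written for this page, not a tool from the thread or from Avast. The pure functions run anywhere; the live registry read only works on Windows and is skipped elsewhere. The default location, value names and sample HOSTS text are stated as assumptions in the code; the hijacking entry in the sample is constructed for the demo and is not taken from the poster's logs.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

try:
    import winreg                     # Windows only; live registry audit is skipped elsewhere
except ImportError:
    winreg = None

# Assumptions for this example: stock location of the HOSTS file and the Tcpip parameter key.
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
DEFAULT_HOSTS_DIR = r"%SystemRoot%\System32\drivers\etc"


def _normalize(path: str, system_root: str) -> str:
    """Expand %SystemRoot% (case-insensitively) and canonicalise separators/case for comparison."""
    path = re.sub(r"%SystemRoot%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return path.replace("/", "\\").rstrip("\\").lower()


def hosts_dir_is_redirected(database_path: str, system_root: str = r"C:\Windows") -> bool:
    """True when DataBasePath points anywhere but the stock drivers\\etc directory."""
    return _normalize(database_path, system_root) != _normalize(DEFAULT_HOSTS_DIR, system_root)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(hostname, address) pairs from HOSTS text, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((name.lower(), fields[0]))
    return pairs


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that send a name to a globally routable address. Blocking entries (127.0.0.1,
    0.0.0.0, ::1) like the workaround suggested in the thread are benign; a public address
    for a well-known name is the hijack pattern. Unparseable addresses are reported too."""
    flagged = []
    for name, addr in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((name, addr))
            continue
        if ip.is_global:
            flagged.append((name, addr))
    return flagged


def read_live_windows_settings() -> Dict[str, object]:
    """DataBasePath plus the static and DHCP-supplied DNS servers of every interface (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry audit only runs on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
        database_path = winreg.QueryValueEx(key, "DataBasePath")[0]
    servers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS + r"\Interfaces") as ifaces:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(ifaces, index)
            except OSError:
                break                                   # no more interface subkeys
            index += 1
            with winreg.OpenKey(ifaces, guid) as ikey:
                for value in ("NameServer", "DhcpNameServer"):
                    try:
                        servers[(guid, value)] = winreg.QueryValueEx(ikey, value)[0]
                    except FileNotFoundError:
                        pass
    return {"DataBasePath": database_path, "dns_servers": servers}


# Constructed sample HOSTS content for the offline demo (not from the poster's machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# [Google Inc]  -- the blocking workaround suggested in the thread
127.0.0.1       www.google-analytics.com
# constructed hijacking entry for this example
85.10.195.196   www.example.com
"""

if __name__ == "__main__":
    print("sample HOSTS, suspicious:", suspicious_hosts_entries(SAMPLE_HOSTS))
    if winreg is not None:
        live = read_live_windows_settings()
        print("DataBasePath:", live["DataBasePath"],
              "(REDIRECTED)" if hosts_dir_is_redirected(str(live["DataBasePath"])) else "(stock)")
        for (guid, value), servers in sorted(live["dns_servers"].items()):
            print(guid, value, servers)
```

On the affected machine this would show a DhcpNameServer value naming the resolver at 173.193.227.124; compare it against the DNS server your router or ISP is supposed to hand out, and treat any DataBasePath other than the stock directory as a finding in its own right.
-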
To the original poster: what country are you from? This faked GA is not working for me, and our stats only show a couple of countries...
-
Wisconsin?
-
Yeah, I'm from Wisconsin.
The problem is gone now, but I don't know how it got there in the first place.
The whereismypeoplexy.com thing has popped up before,
I blocked a few things in the host file, and avast seems to have taken care of some of the redirect stuff, but I have no idea where the problem is.
-
I have this exact problem on my pc. How did you get rid of it?
My avast and AM do not pick it up, yet every website I visit has the same popup you had in your screenshot.