Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: zeeks on April 13, 2011, 06:18:45 AM

Title: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 06:18:45 AM
Anybody having same problem?
My regular browser is working fine but when I try to use safe zone, it directs to fake websites?!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: ANHTHU5991 on April 13, 2011, 06:26:50 AM
Quote
My regular browser is working fine but when I try to use safe zone, it directs to fake websites?!
what browser do you use?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 06:41:04 AM
Google Chrome
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: ANHTHU5991 on April 13, 2011, 07:34:40 AM
Quote
fake websites
What do you mean?
The Safezone browser is based on Chromium like Google. So it seems to look like it?
But it will run without any additional components such as "plug-ins" which are often used to distribute spyware.

You can http://forum.avast.com/index.php?topic=73853.0
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rave Kool on April 13, 2011, 07:50:01 AM
Reset your safe zone....

I think that works..... 8)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 07:54:32 AM
I can't run snip screen capture, because safezone does not allow any plug-ins to run.
When I initially open safezone it says that it can't be reached, with the avast url in the web address.
Is it possible the virtual desktop has a virus? Looks like redirect virus but only when I use safezone.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: ANHTHU5991 on April 13, 2011, 07:57:16 AM
It looks like Google because they have the same platform, as I said above.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 08:08:40 AM
here is a physical pic
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 08:10:33 AM
another pic upon opening safezone
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 08:13:04 AM
I couldn't be the first one to have safezone virtual virus?? Nobody else has the same symptoms
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 13, 2011, 08:22:09 AM
I'm going to bed, maybe somebody will have something by tomorrow, Thanks for any help in advance.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 10:52:47 AM
seriously, no idea how you're getting that ??? ... suspicious in every way
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: BTCentral on April 13, 2011, 11:23:01 AM
Are you sure your DNS and/or hosts file has not been hijacked?

For hosts you can check C:\Windows\System32\drivers\etc - open the hosts file in notepad.
It should look something like this (http://pastie.org/1790402). If you have anything under the localhost lines, then it may have been modified by a virus.

Checking if your DNS has been hijacked is harder, but I'd highly recommend you run a full system scan using both avast and MalwareBytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html).

After doing all of the above, open Avast, click Additional Protection then SafeZone and click the Reset SafeZone button.
Either logout of your Windows account, and log back in again - or restart your computer. Then open SafeZone and see if you still have the same problem.

If resetting the SafeZone still does not fix the issue, then I would highly recommend repairing avast (using the option on the program uninstaller) and resetting SafeZone again to see if that makes any difference.
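
The hosts-file check described in the post above, as an added example that is not part of the original thread: it parses hosts-file text and reports every active mapping other than the stock loopback `localhost` lines. The function names, verdict labels and the sample file content are constructed for illustration.

```python
import ipaddress
import sys
from pathlib import Path

# Location given in the post; pass another path on the command line if needed.
DEFAULT_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample (not taken from the thread). Addresses are from the
# documentation ranges 192.0.2.0/24 and 203.0.113.0/24.
SAMPLE_HOSTS = """\
# constructed sample hosts file
#      127.0.0.1       localhost
#      ::1             localhost
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # pins both names to one address
0.0.0.0         update.example.test
192.0.2.55      localhost
not-an-ip       example.test
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active (uncommented) mapping."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        # Everything after '#' is a comment; a mapping needs address + name.
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [name.lower() for name in fields[1:]]


def classify(address, name):
    """Return None for a stock localhost line, otherwise a short verdict."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed-address"
    if name == "localhost":
        return None if ip.is_loopback else "localhost-remapped"
    if ip.is_loopback or ip.is_unspecified:
        # Name is made unreachable: seen with ad-block lists, and with malware
        # that cuts a machine off from security-update servers.
        return "blocked-locally"
    # Name is pinned to a fixed address, so DNS is never consulted for it.
    return "redirect"


def audit_hosts(text):
    """Return a list of (line_no, address, name, verdict) worth reviewing."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            verdict = classify(address, name)
            if verdict:
                findings.append((line_no, address, name, verdict))
    return findings


if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_HOSTS
    if path.exists():
        content = path.read_text(encoding="utf-8-sig", errors="replace")
    else:
        print(f"{path} not found, auditing the constructed sample instead")
        content = SAMPLE_HOSTS
    results = audit_hosts(content)
    for line_no, address, name, verdict in results:
        print(f"line {line_no}: {name} -> {address} [{verdict}]")
    if not results:
        print("only default localhost entries found")
```

A clean result only rules out the hosts file; it says nothing about the resolver the browser actually queries, which is the harder case the post mentions.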
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 11:26:42 AM
yeah but if his DNS got hijacked, he'd be rerouted with his "normal browser" too... okay not really in fact, as the SafeZone uses its own Avast secured DNS server... and honestly I can hardly believe that there's any issue there...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 11:31:11 AM
Quote
and honestly I can hardly believe that there's any issue there...

...and it better be not.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: BTCentral on April 13, 2011, 11:51:40 AM
Quote
yeah but if his DNS got hijacked, he'd be rerouted with his "normal browser" too... okay not really in fact, as the SafeZone uses its own Avast secured DNS server... and honestly I can hardly believe that there's any issue there...
I know, it's odd - but it's all I could possibly think of.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: NON on April 13, 2011, 12:31:51 PM
We should wait till pk checks this out... maybe he wants to see what's happening in this safezone.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 12:45:23 PM
I have the EXACT same problem!!!

Scanned with MBAM and SAS nothing got detected! I did some online banking also!!! (the homepage didn't load, the same as his screenshot. I went to my online banking site and it worked, but after seeing this post I went to see if I can go to google but no, I get redirected to the same site!!) I reset the safezone too nothing worked!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 12:47:04 PM
Quote
I have the EXACT same problem!!!

what ??? okay if you got a digital camera, can you take a few pics of your screen (as you cannot use any screen shot utility from the SafeZone) ?

edit: unrelated here, but on a side note, would be nice if Avast updated the SZ chromium version more often. It shouldn't depend on an Avast update but be updated regularly. the current version 9 is particularly outdated ::) (and this should include a couple of unpatched vulnerabilities)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 12:51:54 PM
I edited my post, please check it. and to upload images, the file size is too big, I'll upload on an external site.

Edit: the images are uploaded on sendspace and the links are

http://www.sendspace.com/file/52vbys

http://www.sendspace.com/file/yo5mur
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 12:56:04 PM
thing is I'm not getting any redirection here... but okay, since you're the second poster to mention the issue, this has to be taken seriously I guess...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 12:57:32 PM
Anything related to the FP disaster? Hard to imagine though..

Maybe do a repair installation and check again?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 12:58:47 PM
Quote
thing is I'm not getting any redirection here... but okay, since you're the second poster to mention the issue, this has to be taken seriously I guess...

There's no redirection I think (at least not visible). It says that it's google.com but as you can see in the images it doesn't look like it.. and there are so many ads visible as well! So I'm pretty sure it's not google and also I can't access the homepage (the default homepage which is Avast safezone)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:00:34 PM
Quote
Anything related to the FP disaster? Hard to imagine though..

Maybe do a repair installation and check again?

I'm certain that this was fine a few days ago.. The last time I accessed safeZone it was working fine.. Not sure if it has to do something with the update but if that's the case shouldn't you guys get it too ?

PS - did you see the pics I uploaded? do you think it's a fake google site?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 01:04:47 PM
I'm not using AIS / PRO, thus no safezone.

The site on the pics is somewhat odd.

Did you browse through all your Avast settings and search for uncommon entries?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:06:10 PM
Ok I tried to go to Yahoo, Youtube, Bing - ALL of these take me to fake sites, no images, it's actually the same site for Yahoo and Bing, and another site for Youtube.. For these sites I entered the full address, not just the name "yahoo"...

I tried searching for "facebook" by typing it on the address bar, it said URL not found.. But when I enter facebook.com it takes me to a site that seems like facebook ( not sure if it's the real one or not but seems real)


Please get someone to look into this as I'm really worried because I just did some online banking a few hours ago!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:06:49 PM
there's some hacking going on definitely (yes I saw your pics)... can't tell at what level it happens. Will have to wait until someone from Avast comes here...

edit: unrelated, I just attempted to clear private data in my SZ browser and that crashed it.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:07:18 PM

Quote
Did you browse through all your Avast settings and search for uncommon entries?

What do you mean uncommon entries?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 01:09:50 PM
Quote
there's some hacking going on definitely (yes I saw your pics)...

Now THAT would be a real catastrophe for Avast...


Quote
What do you mean uncommon entries?


Entries you have never seen before, entries that changed without reason, entries that you did not make... such things.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:10:33 PM
@DraKuL please wait until you clean your SZ browser (private data) or reset the safe zone, as I'm pretty sure that your current data will be needed to investigate.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 01:12:03 PM
I'm dazzled about the fact that no Mod or Dev has turned to this thread up to now...  :o
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:13:01 PM
Quote
I'm dazzled about the fact that no Mod or Dev has turned to this thread up to now...  :o

I emailed Vlk a few minutes ago...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:15:30 PM
Quote
@DraKuL please wait until you clean your SZ browser (private data) or reset the safe zone, as I'm pretty sure that your current data will be needed to investigate.

I reset it several times before reading your post.. Still get the same result though.. by the way I took more pics of Yahoo, youtube and what happens when I search facebook on the address bar.. When I access Bing.com I get the same result as Yahoo but the name is changed to Bing..

http://www.sendspace.com/file/9m78mu

http://www.sendspace.com/file/ese83y

http://www.sendspace.com/file/xrgiwt
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 13, 2011, 01:17:16 PM
Quote
I'm dazzled about the fact that no Mod or Dev has turned to this thread up to now...  :o

Sorry, but me too..!! :(
Somebody should look at it, asap..!!!
Thanks,
asyn
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:18:44 PM
Ok now it's back to normal  ???  ??? I reset it earlier and tried - got the same result.. but now it worked  :-\ which is good for me but doesn't seem to help with detecting what went wrong
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 01:19:40 PM
1000% a problem with the secured DNS at Avast.
Which is not good at all.

Hoping for an explanation - soon.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:20:00 PM
jesus ;D ... guys I'm not sure if it will intercept the SZ browser traffic, but could try installing fiddler2 and see what you get in the log when you run SZ chromium, then if you got anything save the log and upload it here...

http://www.fiddler2.com/fiddler2/version.asp

edit: yes it works
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:23:27 PM
Quote
1000% a problem with the secured DNS at Avast.
Which is not good at all.

Hoping for an explanation - soon.

Yeah seems to me also that someone has been messing around with that..

By the way Logos didn't you experience this problem ? You also have AIS right ?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 01:29:33 PM
OK, I checked and I'm also having this problem.  I used it a few days ago and it was fine.  Did some banking so I sure hope I didn't send personal info to hackers which is now all around the world.

One other thing is that SZ is a little dim and not as bright as normal. 
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:29:43 PM
I noticed a pretty big difference between "now" and "then".. Earlier the browser did not load automatically - I had to click the icon and wait for about 10 seconds for it to pop up, and now it loads immediately, and as soon as I access the SZ the browser pops up..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:30:19 PM
Quote
By the way Logos didn't you experience this problem ? You also have AIS right ?

I already said I didn't get the problem.

 Okay don't know what that means, Fiddler intercepts the traffic from SZ Chromium and shows a few DNS requests failing

Quote
HTTP/1.1 502 Fiddler - DNS Lookup Failed
Content-Type: text/html
Connection: close
Timestamp: 13:20:50.607

Fiddler: DNS Lookup for mkbdypurya failed. No such host is known
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:31:57 PM
Quote
OK, I checked and I'm also having this problem.  I used it a few days ago and it was fine.  Did some banking so I sure hope I didn't send personal info to hackers which is now all around the world.

One other thing is that SZ is a little dim and not as bright as normal. 

Are you still having this problem? My SZ seems to be ok now.. And yeah it was a bit dimmer than normal (don't know if it has anything to do with what's going on though- the brightness I mean)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:44:33 PM
just mailed pk as well...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: YoKenny on April 13, 2011, 01:46:05 PM
SafeZone works just fine on my XP Pro system.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 01:47:29 PM
Quote from Avast facebook community site:

"Community is our lifeline
Our avast! Forum has thousands of volunteers (avast! "evangelists") who, without any salary from us, handle about 60% of all technical support inquiries there."


..ATM you should add "or help" between "salary" and "from us"....  ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 13, 2011, 01:47:43 PM
Quote
SafeZone works just fine on my XP Pro system.

So..??? >:(
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: BTCentral on April 13, 2011, 01:48:56 PM
I never had this problem either - but I wonder if it was the result of their secure DNS servers being hijacked?
If so that's quite concerning.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:49:28 PM
Quote
SafeZone works just fine on my XP Pro system.

thanks for being as helpful as usual ::)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 01:50:21 PM
Quote
OK, I checked and I'm also having this problem.  I used it a few days ago and it was fine.  Did some banking so I sure hope I didn't send personal info to hackers which is now all around the world.

One other thing is that SZ is a little dim and not as bright as normal.  

Are you still having this problem? My SZ seems to be ok now.. And yeah it was a bit dimmer than normal (dont know if it has anything to do with whats going on though- the brightness I mean)

Yes, still having this problem.  Mine used to take time as well but now the browser opens fast, then I get this message:

This webpage is not available
The webpage at https://program.avast.com/api/?action=2&p_elm=15 might be temporarily down or it may have moved permanently to a new web address.
Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error.

If I try google I get the fake site mentioned above.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 01:53:14 PM
Quote
Yes, still having this problem.  Mine used to take time as well but now the browser opens fast, then I get this message:

This webpage is not available
The webpage at https://program.avast.com/api/?action=2&p_elm=15 might be temporarily down or it may have moved permanently to a new web address.
Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error.

That's what I got too.. Please don't reset your SZ because they might find something helpful in the current settings as Logos said.. I reset mine before reading his post.. anyway All is well with mine now.. Weird though.. because only a few got this problem and they get it at different times  :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 01:55:23 PM
Quote
I never had this problem either - but I wonder if it was the result of their secure DNS servers being hijacked?
If so that's quite concerning.

can't see anything else tbh... main thing differentiating the SZ browser from the others is that Avast DNS server... + we're seeing people reporting re-directions, which is typical of DNS poisoning.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 02:00:32 PM
Quote
I never had this problem either - but I wonder if it was the result of their secure DNS servers being hijacked?
If so that's quite concerning.

can't see anything else tbh... main thing differentiating the SZ browser from the others is that Avast DNS server... + we're seeing people reporting re-directions, which is typical of DNS poisoning.

Do you reckon I should inform my bank about a possibility of my online account being hacked? Going to change the password now but I did some online banking earlier when this problem was reported.. Like I said I got the error for the homepage, I didn't try opening google, I entered my bank's web address.. but at the time this problem was there..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 02:04:48 PM

Quote
Do you reckon I should inform my bank about a possibility of my online account being hacked? Going to change the password now but I did some online banking earlier when this problem was reported.. Like I said I got the error for the homepage, I didn't try opening google, I entered my bank's web address.. but at the time this problem was there..


Not sure.
If it was DNS-hacking / redirecting, wouldn't it be done in a way that users won't notice?
I mean it's too obvious somehow.

I tend to believe that some admin messed up the settings...

But surely you should close-watch your checkings-account movements in the next days and altering the passwords is never a wrong thing.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 02:14:40 PM

Quote
Not sure.
If it was DNS-hacking / redirecting, wouldn't it be done in a way that users won't notice?
I mean it's too obvious somehow.

I tend to believe that some admin messed up the settings...

But surely you should close-watch your checkings-account movements in the next days and altering the passwords is never a wrong thing.

Yeah will do that, already changed the password as well.. I just wanted to know if anything else could be done before something happens (IF the account details were hacked) before it's too late? but like you said this seems to be too obvious..

I have a feeling that someone did it to get users to have doubts about SZ! (It's certainly working!!)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 02:38:51 PM
just some info...sounds like Avast uses mailshell.net servers for this DNS service
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:09:11 PM
Ok it's messed up again.. Now also being redirected to the fake sites  :-\ No news from Avast mods yet?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 13, 2011, 03:15:56 PM
I've been informed of the following by a representative of Avast when I asked about this situation:
"Our technical guys are already monitoring what's going on ..thank you !"
Hopefully once resolved, we'll also get a response as to what caused the problem and how it was resolved.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 03:23:03 PM
Quote
I've been informed of the following by a representative of Avast when I asked about this situation:
"Our technical guys are already monitoring what's going on ..thank you !"
Hopefully once resolved, we'll also get a response as to what caused the problem and how it was resolved.

thx Bob... yeah hopefully... they can't just tell us that the issue was solved somehow (when it will be solved)... people are relying on the SafeZone for online banking etc... so we must absolutely know what happened exactly.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 03:25:34 PM
This
"Our technical guys are already monitoring what's going on"
somehow in my ears translates to
"We don't have a f...... clue what's wrong there at the moment."
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 03:28:23 PM
It takes time to find a problem, but I agree.

I think they should do something to disable the service until it's fixed so no one or no more get harmed by what might happen.  A little post-proactive action would be a good idea.

Not sure what the final cause will be but I seriously question SZ now.  Think until it's proven itself I'll just use FF with Trusteer (free) safe connection for secure banking, etc.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:29:45 PM
Ok good. Also I would like to report a couple of more things, when this happened for the second time, as I mentioned earlier the browser didn't open automatically, but there was a browser icon on the taskbar, I have uploaded a picture  http://www.sendspace.com/file/sj1e5g << this is the link, check the bottom left, notice the taskbar.

Also I tried to switch back from SZ and got a BSOD!!! (don't know if they are related though)

The other thing, I can't access internet on my Chrome browser AND on IE! Using FF4 after the bsod.. both chrome and IE9 give an error about proxy..

IE9 error: I diagnosed the problems and it says,
 Problems found: The configured proxy server is not responding

Chrome also gives out a similar error message but it's also the same problem.. about the proxy.. but the thing is I DID NOT configure a proxy!! Could this be related to the SZ problem?  ???
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Gopher John on April 13, 2011, 03:29:54 PM
Yesterday was Microsoft Patch Tuesday.  Those experiencing problems may have updated and restarted their machines.  One patch was for a DNS vulnerability.  Just a guess, as I'm using Avast Free which has no SafeZone browser.

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

The patch is for all versions of Windows.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:33:56 PM
I resolved the IE / Chrome issue, there were proxy settings added but the fields were blank..  :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 03:34:04 PM
Quote
Yesterday was Microsoft Patch Tuesday.  Those experiencing problems may have updated and restarted their machines.  One patch was for a DNS vulnerability.  Just a guess, as I'm using Avast Free which has no SafeZone browser.

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

The patch is for all versions of Windows.

Damn! You are right... yesterday was MS patchday.
That might well be the reason.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:35:55 PM
Quote
Yesterday was Microsoft Patch Tuesday.  Those experiencing problems may have updated and restarted their machines.  One patch was for a DNS vulnerability.  Just a guess, as I'm using Avast Free which has no SafeZone browser.

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

The patch is for all versions of Windows.

Damn! You are right... yesterday was MS patchday.
That might well be the reason.

But how could this lead to SZ redirecting to fake sites?  :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 03:37:39 PM


Quote
But how could this lead to SZ redirecting to fake sites?  :-\

And not affect non SZ connections?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: disPlay on April 13, 2011, 03:38:54 PM
Quote
Yesterday was Microsoft Patch Tuesday.  Those experiencing problems may have updated and restarted their machines.  One patch was for a DNS vulnerability.  Just a guess, as I'm using Avast Free which has no SafeZone browser.

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
http://www.microsoft.com/technet/security/Bulletin/MS11-030.mspx

The patch is for all versions of Windows.

Damn! You are right... yesterday was MS patchday.
That might well be the reason.

But how could this lead to SZ redirecting to fake sites?  :-\


Good Question.
We will have to wait for the avast team to explore the issue.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 13, 2011, 03:39:03 PM
Quote
But how could this lead to SZ redirecting to fake sites?  :-\

Sorry, we have no idea either, as we didn't get any (useable) feedback now. :(
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 03:39:15 PM


Quote
But how could this lead to SZ redirecting to fake sites?  :-\


And not affect non SZ connections?

exactly... this said, Chrome/Chromium uses all IE/Windows network settings (as opposed to Firefox), but again, just the SZ browser being affected, I seriously doubt MS updates has anything to do with that.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:44:07 PM
hmm so the bsod and the change in proxy settings were not related to this? could the bsod have caused the proxy settings change? I got the bsod right when I switched off SZ.. but do you guys reckon that it might be a random bsod?

Edit: the browsers(outside the SZ) were working fine till I got the bsod.. So I'm guessing it triggered the change in proxy settings.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 03:46:34 PM
DraKuL, please follow these steps:

1. Disable avast self protection
2. If SafeZone was activated (i.e. you used it after reboot), switch to SafeZone and use Turn Off button (=> it'll terminate all running processes in SafeZone)
3. Download http://public.avast.com/~kurtin/x7.zip (14Mb)
4. Backup (= delete from original location) \Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe (+ SafeZoneBrowser.dll, dnshttp.dll)
5. Unpack x7.zip into \sfzone folder
6. Switch to SafeZone, was it fixed or not?

Thanks.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 03:46:49 PM
Quote
hmm so the bsod and the change in proxy settings were not related to this? could the bsod have caused the proxy settings change? I got the bsod right when I switched off SZ.. but do you guys reckon that it might be a random bsod?

blue screens are related to drivers... no idea why you had one... not sure if Avast loads drivers for virtualization.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 03:48:53 PM
DraKuL, you can send me the latest minidump (\Windows\Minidump folder) to my email, I'll see if it was already fixed or not.

Quote
blue screens are related to drivers... no idea why you had one... not sure if Avast loads drivers for virtualization.
aswSnx.sys
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 13, 2011, 03:52:29 PM
Quote
DraKuL, please follow these steps:

1. Disable avast self protection
2. If SafeZone was activated (i.e. you used it after reboot), switch to SafeZone and use Turn Off button (=> it'll terminate all running processes in SafeZone)
3. Download http://public.avast.com/~kurtin/x7.zip (14Mb)
4. Backup (= delete from original location) \Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe (+ SafeZoneBrowser.dll, dnshttp.dll)
5. Unpack x7.zip into \sfzone folder
6. Switch to SafeZone, was it fixed or not?

pk, I hope you have a shorter/easier fix at hand...!!
Not every user is able to do this. ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:55:01 PM
Quote
DraKuL, please follow these steps:

5. Unpack x7.zip into \sfzone folder


Windows won't let me delete/overwrite SZ folder.. Folder/File access denied.. Tried running windows explorer as admin still won't let me overwrite the files..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: k.u.r.t on April 13, 2011, 03:57:40 PM
Quote
Windows won't let me delete/overwrite SZ folder.. Folder/File access denied.. Tried running windows explorer as admin still won't let me overwrite the files..

1. Disable avast self protection
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 03:58:08 PM
Quote
DraKuL, you can send me the latest minidump (\Windows\Minidump folder) to my email, I'll see if it was already fixed or not.

Quote
blue screens are related to drivers... no idea why you had one... not sure if Avast loads drivers for virtualization.
aswSnx.sys

the minidump folder is empty  :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Gopher John on April 13, 2011, 03:59:30 PM


But how could this lead to SZ redirecting to fake sites?  :-\

And not affect non SZ connections?

Since SafeZone uses a different DNS server than Windows has configured, perhaps the patch now considers it as hijacked.  However, why it would redirect to the wrong (fake) site instead of Windows putting up an alert is weird.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:00:31 PM
Windows wont let me delete/overwrite SZ folder.. Folder/File access denied.. Tried running windows explorer as admin still wont let me overwrite the files..

1. Disable avast self protection

I'm assuming you mean all the real-time shields by self protection which I did.. right click Avast icon on taskbar >> disable all shields
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: disPlay on April 13, 2011, 04:02:44 PM
Open Settings>Troubleshooting>Disable self protection 
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 13, 2011, 04:06:37 PM
Open Settings>Troubleshooting>Disable self protection 
Or simply do the procedure in Safe Mode. :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:07:06 PM
Ok did all the steps and the issue is fixed. However, 30mins ago it was fine too.. I experienced the problem a few hours ago, then after sometime it worked, then again it was redirecting.. So anyway now its fine but not sure if its because of the patch or whether its like what happened earlier..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: disPlay on April 13, 2011, 04:07:24 PM
Open Settings>Troubleshooting>Disable self protection 
Or simply do the procedure in Safe Mode. :)

Yeah another quick and easy method.  :D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:16:44 PM
Ok so I just copy pasted the old files and still it works fine.. So I'm not sure if it was resolved because I patched the files.. Like I said this happens on and off I think..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 04:18:46 PM
DraKuL, remember that before switching files, you have to click on "Turn Off" button in SafeZone. Please use downloaded version (where mailshell's DNS is disabled), then we can be sure if it's caused by mailshell DNS or somewhere else.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 04:20:44 PM
Ok so I just copy pasted the old files and still it works fine.. So I'm not sure if it was resolved because I patched the files.. Like I said this happens on and off I think..

DNS records are usually cached, you can use: "ipconfig /flushdns"
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:21:42 PM
DraKuL, remember that before switching files, you have to click on "Turn Off" button in SafeZone. Please use downloaded version (where mailshell's DNS is disabled), then we can be sure if it's caused by mailshell DNS or somewhere else.

Yeah I did that. It works fine. Then I used the old files I had, still works fine.. So I'm not sure whether it was fixed by the patching of files or not..

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:24:31 PM
Ok so I just copy pasted the old files and still it works fine.. So I'm not sure if it was resolved because I patched the files.. Like I said this happens on and off I think..

DNS records are usually cached, you can use: "ipconfig /flushdns"

Sadly I lost the backup files.. I drag and dropped them to the SZ folder, and repatched the new files.. So when I drag and dropped they were moved.. Is it possible to post a link to download the old files for the SZ ?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 04:27:34 PM
Quote
Sadly I lost the backup files.. I drag and dropped them to the SZ folder, and repatched the new files.. So when I drag and dropped they were moved.. Is it possible to post a link to download the old files for the SZ ?

http://public.avast.com/~kurtin/x7_old.zip
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:32:26 PM
flushed DNS, patched the old files, SZ works fine..  :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:37:12 PM
just noticed that the dnshttp.dll file you sent is larger than the one I had.. Only a small difference in the file size though, just wanted to mention it..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 04:41:44 PM
One more thing: sometimes click on "Reset SafeZone" button (when no process is running on SafeZone -- use "Turn Off" button to terminate them). This will cleanup SafeZone data and reset to default state.

Quote
just noticed that the dnshttp.dll file you sent is larger than the one I had.. Only a small difference in the file size though, just wanted to mention it..

latest version is: dnshttp.dll (617,284 bytes), signed on Friday March 4
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 04:45:28 PM
DraKuL, please follow these steps:

1. Disable avast self protection
2. If SafeZone was activated (i.e. you used it after reboot), switch to SafeZone and use Turn Off button (=> it'll terminate all running processes in SafeZone)
3. Download http://public.avast.com/~kurtin/x7.zip (14Mb)
4. Backup (= delete from original location) \Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe (+ SafeZoneBrowser.dll, dnshttp.dll)
5. Unpack x7.zip into \sfzone folder
6. Switch to SafeZone, was it fixed or not?

pk, I hope you have a shorter/easier fix at hand...!!
Not every user is able to do this. ;)


hmm Asyn, they first have to know if mailshell DNS is the faulty link or not, so they're just experimenting with the patch right now... once they know for sure where the network issue comes from, they'll probably send an update for everyone through Avast updater ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 04:50:36 PM
One more thing: sometimes click on "Reset SafeZone" button (when no process is running on SafeZone -- use "Turn Off" button to terminate them). This will cleanup SafeZone data and reset to default state.

Quote
just noticed that the dnshttp.dll file you sent is larger than the one I had.. Only a small difference in the file size though, just wanted to mention it..

latest version is: dnshttp.dll (617,284 bytes), signed on Friday March 4

After resetting the SZ, flushing DNS, with the OLD files - and with the old DLL file I had - I get redirected.. Then I reset SZ, flushed dns, patched ONLY the dll file then it works fine!

the dll file I have is  605,096bytes..

PS - I referred to dnshttp.dll as the dll file.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 04:58:28 PM
please rephrase the answer ???
you got redirected with 605 or 617 version?

605,096bytes version is beta5 (don't know when it was released, maybe in old avast beta version)
617,384bytes is final version

not sure if it's the main reason -- could you still play with those two DLL versions and verify it?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 04:59:08 PM
anyway... this is a serious blow thrown at SafeZone security... not sure how it's gonna be possible to trust it in the future. I may be wrong but Avast doesn't seem to control the DNS server, hosted and maybe also managed by mailshell. The issue will be solved I'm sure, but what tells that it can't happen again...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 05:02:53 PM
please rephrase the answer ???
you got redirected with 605 or 617 version?

605,096bytes version is beta5 (don't know when it was released, maybe in old avast beta version)
617,384bytes is final version

not sure if it's the main reason -- could you still play with those two DLL versions and verify it?

I never used a beta version of Avast and I update my AV  daily.. I have now patched SZ folder with 605(the older version) it shows as 590KB where as the new one is 603KB.. Anyway the weird part is, I flushed dns, reset SZ several times with the old patch files and the old dll file(605) sometimes I get redirected and sometimes its working fine..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 05:13:31 PM
Well earlier it was reproducible, 5 out of 10 times I was redirected.. but not anymore.. I played around with the 2 dll files - swapping them but still couldn't reproduce it..

EDIT: there was an avast update a few minutes ago, after that, the issue is back..

EDIT*:
AFTER the update, OLD patch, OLD DLL file, dns flushed, SZ reset - problem persists.

Then OLD patch, NEW DLL file, dns flushed, SZ reset - problem persists.

Then NEW patch, removed dll file, dns flushed, SZ reset - working fine.

Again OLD patch, New DLL, dns flushed SZ reset - working fine..

At least we know that it's not caused by the old dll file..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 05:29:26 PM
DraKuL, thanks for trying all this to help avast fix the problem.  I just don't have time to fool with all this tinkering around today.  I'll wait for the patch, but thanks for all your work on testing.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 05:29:52 PM
Also I just noticed that whenever I manually update Avast, the patch file is replaced to the old file.. New one - 602KB, OLD - 591KB.. Everytime I update it downloads that old dll file and replaces the new one..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 13, 2011, 05:32:22 PM
DraKuL, thanks for trying all this to help avast fix the problem.  I just don't have time to fool with all this tinkering around today.  I'll wait for the patch, but thanks for all your work on testing.

Well I wanted this to be resolved asap and since only a few people are experiencing this I did all this.. Anyway its pretty late now, I'm off to sleep, hope they come up with a solution..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Nesivos on April 13, 2011, 07:09:19 PM
Ok so I just copy pasted the old files and still it works fine.. So I'm not sure if it was resolved because I patched the files.. Like I said this happens on and off I think..

DNS records are usually cached, you can use: "ipconfig /flushdns"

Here is a link to a little more information about "ipconfig /flushdns" and How to Flush DNS

Quote
How to Flush DNS in Microsoft Windows

Turning Off DNS Caching under Microsoft Windows

Tuning DNS Caching under Microsoft Windows

http://www.tech-faq.com/how-to-flush-dns.html

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: BTCentral on April 13, 2011, 07:16:03 PM
One more thing: sometimes click on "Reset SafeZone" button (when no process is running on SafeZone -- use "Turn Off" button to terminate them). This will cleanup SafeZone data and reset to default state.

Quote
just noticed that the dnshttp.dll file you sent is larger than the one I had.. Only a small difference in the file size though, just wanted to mention it..

latest version is: dnshttp.dll (617,284 bytes), signed on Friday March 4
Though I am not having this (DNS) issue, I can confirm the "x7_old.zip" file contains a different version of dnshttp.dll to the one installed when you run the AVIS 6.0.1000 setup.

The dll included with the AVIS installer is version 1.0.0.0 - 590 KB (605,096 bytes), was signed on 23 February 2011 and has an MD5 hash of B9F9E6D7D1DD21440690049CD604BF33
The dll in x7_old.zip is version 1.1.0.0 - 602 KB (617,384 bytes), was signed on 04 March 2011 and has an MD5 hash of 44E5566011ECBCD6D7EE2D2D945807D7
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 07:31:11 PM
There's no problem with different dnshttp.dll versions (official build 1000 uses beta5: 605Kb version), beta 1044 uses final version (607kb). Both versions should work. There were only minor changes in 607kb version.

We're still waiting for mailshell guys' reply.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 07:39:41 PM

We're still waiting for mailshell guys' reply.

From the Mailshell site:
Key Features & Benefits
Why Use Mailshell DNS SDK?

   "First DNS service with military-grade encryption."

Somebody's military is unsafe!  ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Nesivos on April 13, 2011, 07:40:15 PM
Press release on new Mailshell DNS Service

Quote
Mailshell’s New Encrypted DNS Service Secures Online Banking and Password Security
Mailshell today introduced Mailshell DNS, the first DNS service with military-grade encryption.

San Francisco, CA (PRWEB) February 13, 2011

Mailshell, the leading provider of Internet security engines for OEMs, today introduced Mailshell DNS, the first DNS service with military-grade encryption. This new DNS service closes DNS’ primary security hole and strengthens the security of all web sites. It relies on secure AES 256-bit encryption that would, according to Verisign, require trillions of years to crac


http://www.prweb.com/releases/2011/02/prweb5064014.htm
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 08:03:34 PM
Press release on new Mailshell DNS Service

Quote
Mailshell’s New Encrypted DNS Service Secures Online Banking and Password Security
Mailshell today introduced Mailshell DNS, the first DNS service with military-grade encryption.

It relies on secure AES 256-bit encryption that would, according to Verisign, require trillions of years to crac


http://www.prweb.com/releases/2011/02/prweb5064014.htm

Or a couple weeks whichever comes first! ;D

If this was the problem, might as well have some fun to add to the pain.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 08:12:59 PM
just wrote that to a friend:

"DNS poisoning is pretty rare, and bad - well I never saw it happen, neither with my ISP, nor with a third party DNS, and seeing it happening precisely with a supposed to be so secure tool - ie the safezone - not even sure if that's funny... but that's ridiculous"

 May be an option for the future >>> leave to the user the choice of the DNS server used in the SZ ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 08:14:13 PM
Logos, mon ami,
you are neglecting your french forum badly...  ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 08:15:54 PM
Logos, mon ami,
you are neglecting your french forum badly...  ;D

I never really took care of it, it's not "my" forum ;D

edit: glad to see you're doing a good job there ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 13, 2011, 09:04:03 PM
SZ is working for me now.  I don't know why.  I did just install the massive MS patch update, but don't know that this had anything to do with it.  Still won't be doing any banking with it anytime soon even if it keeps working.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 09:51:27 PM
SZ is working for me now.  I don't know why.  I did just install the massive MS patch update, but don't know that this had anything to do with it.  Still won't be doing any banking with it anytime soon even if it keeps working.

yeah that is just what I meant, even if it works fine again...that's Avast SafeZone security versus your bank account safety... who wants to take the risk... and I'm going to take it a step further, Avast should remove the safe zone from AIS... at least for a while... a matter of respect for the users, and a matter of saving the company's reputation. What happened is not good.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: disPlay on April 13, 2011, 09:55:35 PM
SZ is working for me now.  I don't know why.  I did just install the massive MS patch update, but don't know that this had anything to do with it.  Still won't be doing any banking with it anytime soon even if it keeps working.

yeah that is just what I meant, even if it works fine again...that's Avast SafeZone security versus your bank account safety... who wants to take the risk... and I'm going to take it a step further, Avast should remove the safe zone from AIS... at least for a while... a matter of respect for the users, and a matter of saving the company's reputation. What happened is not good.
Agree with you Logos.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: pk on April 13, 2011, 10:04:26 PM
Mailshell DNS guys confirmed that they have already fixed the problem:

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 13, 2011, 10:10:01 PM
Mailshell DNS guys confirmed that they have already fixed the problem:

    We've tracked the problem down to a corrupt DNS cache on one DNS HTTP servers.
    This is why it was seen by some users but not others.  We have disabled the bad server and the DNS HTTP service should now be returning correct data.

    I again apologize for the trouble this has caused your users and we will take steps to ensure this does not happen again

Good news!
No hijacking or DNS poisoning.
This has to be communicated widely in order to re-establish trust.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 13, 2011, 10:14:16 PM
Mailshell DNS guys confirmed that they have already fixed the problem:

    We've tracked the problem down to a corrupt DNS cache on one DNS HTTP servers.
    This is why it was seen by some users but not others.  We have disabled the bad server and the DNS HTTP service should now be returning correct data.

    I again apologize for the trouble this has caused your users and we will take steps to ensure this does not happen again

Good news!
No hijacking or DNS poisoning.
This has to be communicated widely in order to re-establish trust.

oh just a corrupt cache? ;D  http://en.wikipedia.org/wiki/DNS_cache_poisoning

what was the nature of the corruption?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 13, 2011, 10:49:01 PM
Quote
"To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC) the server will end up caching the incorrect entries locally and serve them to other users that make the same request.
This technique can be used to direct users of a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and unknowingly download malicious content."
Considering the nature of the service offered, shouldn't measures have been in place to make sure that couldn't happen ???
This reminds me of building a Nuclear Power plant on a fault zone. Not a wise move.  :'(

I will still use SafeZone because I think that Avast will now be making doubly sure this sort of thing never happens again as I hope Comodo learned from their mistake.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Jack 1000 on April 13, 2011, 11:08:29 PM
I don't have a Pro version of Avast, but have a security question about this issue,

Would a HiJackThis log file be able to assist in this situation or not?

Jack
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: YoKenny on April 13, 2011, 11:11:45 PM
I don't have a Pro version of Avast, but have a security question about this issue,

Would a HiJackThis log file be able to assist in this situation or not?
Not on Vista nor Windows 7 systems as HijackThis is obsolete!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 02:24:16 AM

Considering the nature of the service offered, shouldn't measures have been in place to make sure that couldn't happen ???
This reminds me of building a Nuclear Power plant on a fault zone. Not a wise move.  :'(

I will still use SafeZone because I think that Avast will now be making doubly sure this sort of thing never happens again as I hope Comodo learned from their mistake.

exactly!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rednose on April 14, 2011, 02:35:30 AM
Well, the problem was not with Avast! but with Mailshell DNS. But of course this shouldn't happen.

Greetz, Red.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 02:43:23 AM
Well, the problem was not with Avast! but with Mailshell DNS. But of course this shouldn't happen.

Greetz, Red.
I'd like to know if the rest of their partners (http://mailshell.com/mail/client/oem2.html/step/partners) were also affected or infected whichever way you want to interpret this. :(
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:03:00 AM
Just got off work, I'm the original poster didn't have a chance to go thru the whole thread. Can anybody bring me up to speed?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: scythe944 on April 14, 2011, 03:04:57 AM
I guess you could read the other pages, but if you're lazy like me, here's a brief synopsis.

Avast uses mailshelldns for their Safe Zone DNS lookups, and apparently mailshell's "military-grade encrypted" DNS service is having some problems and they're trying to figure out what's going on.

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rednose on April 14, 2011, 03:07:07 AM
Mailshell DNS guys confirmed that they have already fixed the problem:

    We've tracked the problem down to a corrupt DNS cache on one DNS HTTP servers.
    This is why it was seen by some users but not others.  We have disabled the bad server and the DNS HTTP service should now be returning correct data.

    I again apologize for the trouble this has caused your users and we will take steps to ensure this does not happen again

Greetz, Red.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:08:22 AM
Fashiiiizall Can anybody with some authoritative knowledge tell me if I have to change my 20 passwords. Last night I accessed my e-mail which had over 3,000 messages with sensitive info. I'm only worried about keyloggers?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:09:50 AM
P.s Thanks for the synopsis. (Lazy)me
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: scythe944 on April 14, 2011, 03:11:34 AM
meh... I wouldn't be.  Just because you got "shoved" over to a different website than you originally planned, doesn't mean that there were malicious scripts running on the websites that you actually landed on.

I guess there's a good possibility, but if you do a scan on your hard drives with avast and don't find anything, then I'd say there's a good chance that nothing was "harvested" from you.  More of an inconvenience than anything.

Of course, you could always be safe than sorry, so it's up to you if you want to change your 20 passwords or not.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: disPlay on April 14, 2011, 03:11:45 AM
If the page was not redirected to a scam site due to DNS poisoning I don't see a problem.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:16:29 AM
Check this out, Last night I was thinking that If I was a hacker I would target avast safezone, make them think it is insecure so they use their regular desktop to access their email and avast tech support, then bam pickup their passwords on keylogger. the perfect way to push you out of safezone to get your info.
Sure enough I had to access my email just to register for this forum!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:19:04 AM
That's hilarious The only reason I bought avast was because just a few weeks ago I Got hit with Google redirect virus and avast was the only thing that picked it up on scan, so I said hey they must be doing something right. That virus was nasty! couldn't get rid of it for nothing. OH WEll back to square one I guess
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 03:20:47 AM
I have to split will check back later for update, Thanks! for all the Help
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: scythe944 on April 14, 2011, 03:23:44 AM
That's hilarious The only reason I bought avast was because just a few weeks ago I Got hit with Google redirect virus and avast was the only thing that picked it up on scan, so I said hey they must be doing something right. That virus was nasty! couldn't get rid of it for nothing. OH WEll back to square one I guess

Well, that's where you're wrong.  Whatever was wrong with safezone had nothing to do with a virus, it had everything to do with some screwed up DNS entries that another company controls.  Since this is a new product from avast and probably the first time dealing with mailshell DNS, I'm pretty sure they didn't think that this could ever happen, and their claims that it's the first military-grade secure DNS service lured Avast into using them.

Anyway, it wasn't a virus on your computer, as Avast probably would have picked it up again.  It was a simple DNS problem where your browser thought that the website you were trying to visit existed somewhere else and your computer landed in the wrong place.  It doesn't mean that you or your computer were infected or in danger.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rednose on April 14, 2011, 03:54:12 AM
Yep, SafeZone itself is a very good product, but this issue brings up some questions. That said, I am looking forward to its further development. A little speculation from me : I think that a password manager ( also ) will be added in SafeZone. Btw the keyword here is " also " ;)

Greetz, Red.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 04:25:45 AM
Greetz, Red.
I'd like to know if the rest of their partners (http://mailshell.com/mail/client/oem2.html/step/partners) were also affected or infected whichever way you want to interpret this. :(


Mailshell DNS guys confirmed that they have already fixed the problem:

    We've tracked the problem down to a corrupt DNS cache on one DNS HTTP servers.
    This is why it was seen by some users but not others.  We have disabled the bad server and the DNS HTTP service should now be returning correct data.

    I again apologize for the trouble this has caused your users and we will take steps to ensure this does not happen again

Greetz, Red.
Well, the problem was not with Avast! but with Mailshell DNS. But of course this shouldn't happen.

Was that supposed to answer my question ???

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rednose on April 14, 2011, 04:33:22 AM
Bob,

I really don't know ( why do you expect me to know this  ??? )  but I can ask Petr if you like ;)  Btw my reaction was to Zeeks post below yours.

Greetz, Red.

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 04:38:24 AM
I only asked because my question directly related to your post and you seemed
to skirt that post.
I can also ask Petr.  :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Rednose on April 14, 2011, 04:54:08 AM
I can also ask Petr.  :)

Yes I know that ;)

The only thing I know is that Mailshell DNS was added just shortly before the official release of Avast! 6.  But they are new for me, so I have no real opinion about them.

Greetz, Red.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 14, 2011, 07:04:37 AM
Hey, I don't want to Hammer on Avast. I think it is a Good product. I really haven't had any bad viruses in the last ten years, I had one where a Seinfeld episode and radio came on out of nowhere, while browsing internet. But free avg picked it up. I just recently after getting the "Google redirect virus" decided to actually pay for a virus program. I tried everything and couldn't get rid of it, it looks like I picked it up by having an old version of java! Because I couldn't stand that stinkin "please update java every 5 seconds" Avast picked it up on a scan but couldn't get rid of it. I eventually killed it with Kap lab tdss killer, after some research. But avast picked it up When it was trying to activate. Apparently it hides, then pops up and that's why it's so hard to pick up on scans. Definitely impressed with Avast But A little weirded out after The first time I pay for Antivirus in ten years and this happens virtually days later.
That and Avast billed me three times on credit card:) Is it possible to get a prize or something for being the first to report this on the forum or what, somebody hook me up with future discount..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 10:38:40 AM
@Rednose when you're saying that's not Avast, that's mailshell... not sure this makes the whole thing sound less ugly ;)

 
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Vlk on April 14, 2011, 11:27:00 AM
Hi all,

first, I'd like to thank zeeks and a few others who reported the issue and helped us track down what's going on and ultimately fix the problem.

I have to confirm that one of the servers we use for the SafeZone DNS lookups was serving incorrect data. The problem was fixed a few hours after you notified us about the problem. I'm not able to say exactly how long the invalid data were there before you noticed. But given that it included high-profile sites such as google.com and yahoo.com, I assume it couldn't be too long before someone noticed. Please also note that this was not a targeted attack whose reason would be to redirect access to banking/shopping sites etc. The problem only affected 1 server (out of about 10 that we use), hence it didn't happen to everyone and every time.

Of course, the responsibility is all ours - it shouldn't matter to you, as a user, what infrastructure partners we use on our backend systems (if any).

We have taken all precaution to prevent this from happening in the future.


Thanks
Vlk
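
Added example (not part of Vlk's post, and not Avast's or Mailshell's code): the post above describes one server out of about ten in a resolver pool serving incorrect data, which is why the redirect was intermittent. The Python sketch below shows a pool-consistency check that would surface such a server; resolver names, hostnames and addresses are constructed, and the /24 and /48 grouping and the quorum of 3 are assumptions.

```python
"""Flag resolvers in a pool whose answers are not corroborated by the rest of the pool."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def prefix_of(addr, v4_len=24, v6_len=48):
    """Group addresses by network prefix so ordinary round-robin answers still agree.

    The prefix lengths are an assumption chosen for this example.
    """
    ip = ip_address(addr)
    length = v4_len if ip.version == 4 else v6_len
    return ip_network(f"{ip}/{length}", strict=False)


def build_sample():
    """Constructed data: ten hypothetical resolvers, answers in documentation ranges."""
    answers = {}
    for i in range(1, 11):
        answers[f"resolver-{i:02d}"] = {
            # Round-robin inside one /24: legitimate variation.
            "www.example.com": [f"192.0.2.{10 + i % 2}"],
            "mail.example.net": ["198.51.100.7"],
            # Every resolver sees a different /48: no majority to compare against.
            "cdn.example.org": [f"2001:db8:{i:x}::1"],
        }
    # One server returns unrelated addresses for two names.
    answers["resolver-07"]["www.example.com"] = ["203.0.113.99"]
    answers["resolver-07"]["mail.example.net"] = ["203.0.113.99"]
    # One server returns nothing for one name: a failure, not a wrong answer.
    answers["resolver-04"]["mail.example.net"] = []
    return answers


def audit_pool(answers, quorum=3):
    """Compare every resolver's answers against the pool.

    answers: {resolver: {hostname: [ip, ...]}}
    A resolver is an outlier for a hostname when some prefix is backed by at
    least `quorum` resolvers but none of this resolver's answers is.
    """
    # hostname -> prefix -> resolvers that returned an address inside it
    support = defaultdict(lambda: defaultdict(set))
    for resolver, per_name in answers.items():
        for name, addrs in per_name.items():
            for addr in addrs:
                support[name][prefix_of(addr)].add(resolver)

    # Only names with a corroborated prefix can be judged at all.
    has_consensus = {
        name
        for name, by_prefix in support.items()
        if any(len(rs) >= quorum for rs in by_prefix.values())
    }

    outliers, failures = defaultdict(list), defaultdict(list)
    for resolver, per_name in answers.items():
        for name, addrs in per_name.items():
            if not addrs:
                failures[resolver].append(name)
            elif name in has_consensus and not any(
                len(support[name][prefix_of(a)]) >= quorum for a in addrs
            ):
                outliers[resolver].append(name)

    return {
        "outliers": {r: sorted(n) for r, n in outliers.items()},
        "failures": {r: sorted(n) for r, n in failures.items()},
        "no_consensus": sorted(set(support) - has_consensus),
        # Share of the pool that is suspect; if lookups are spread evenly
        # (an assumption), roughly this share of uncached lookups is affected.
        "suspect_share": len(outliers) / len(answers) if answers else 0.0,
    }


if __name__ == "__main__":
    report = audit_pool(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Names that land in no_consensus are left unjudged rather than flagged, so widely distributed services do not produce false alarms.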
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 11:36:14 AM


I have to confirm that one of the servers we use for the SafeZone DNS lookups was serving incorrect data....

......Please also note that this was not a targeted attack whose reason would be to redirect access to banking/shopping sites etc. The problem only affected 1 server


Vlk

okay, how did it happen, how come this particular server was affected, what triggered the corruption... ? not mentioning that re-directions (according to the screen shots posted here by two users) were taking the users to porn/gambling/"medicines" ads...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 11:55:48 AM
no answer ??? ::)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 12:02:26 PM

okay, how did it happen, how come this particular server was affected, what triggered the corruption... ? not mentioning that re-directions (according to the screen shots posted here by two users) were taking the users to porn/gambling/"medicines" ads...

My guess is Avast mods have no idea about it since the servers belonged to mailshell.. But more importantly, like Bob asked, didn't it affect any other organization/product that uses mailshell ? is it ONLY avast that was affected?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 12:04:58 PM
is it ONLY avast that was affected?

I think so. It was one of Avast's DNS servers. Not anyone else's.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 12:07:46 PM

okay, how did it happen, how come this particular server was affected, what triggered the corruption... ? not mentioning that re-directions (according to the screen shots posted here by two users) were taking the users to porn/gambling/"medicines" ads...

My guess is Avast mods have no idea about it since the servers belonged to mailshell.. But more importantly, like Bob asked, didn't it affect any other organization/product that uses mailshell ? is it ONLY avast that was affected?

they rented the server and the service, so it's up to them (Avast) to investigate, find out, and tell us.

ps: Vlk is not a mod. The Avast team do the moderation here off and on but mainly, they're developers ;)

edit: does the fact that they don't know (because that was on mailshell servers etc...)- if they actually don't - make you feel better about SafeZone security? ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 12:10:20 PM


they rented the server and the service, so it's up to them (Avast) to investigate, find out, and tell us.

ps: Vlk is not a mod. The Avast team do the moderation here off and on but mainly, they're developers ;)

Agreed, hope they investigate this and come back with more info :)

Yeah I know that Vlk is a developer and the CTO, but I thought the other guys (pk and them) were mods  ;D my bad!  ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 12:12:52 PM
@drakul just for your info, pk is in charge of the virtualization module development @Avast, so this includes the sandbox, the auto-sandbox, and the safe zone ;)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 12:15:47 PM
@drakul just for your info, pk is in charge of the virtualization module development @Avast, so this includes the sandbox, the auto-sandbox, and the safe zone ;)

 :o ok thanks for the info :)!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 12:20:54 PM
I'd like to know if the rest of their partners (http://mailshell.com/mail/client/oem2.html/step/partners) were also affected or infected, whichever way you want to interpret this. :(

I'd still like to get this question answered.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 14, 2011, 01:32:17 PM
I'm glad Vlk posted and I'm sure avast will do what they can to keep users safe.  It serves them only if things like this do not happen, so I imagine they are as hot about this as us users who were at risk.  We may have had personal info stolen and they may lose market share and credibility over this kind of thing (though it was a 3rd party that was the actual source). 

I'd like to hear from Mailshell on this.  Do they know if personal info has been taken or was it just a redirection with not much else involved.  I think we all should hear from mailshell on this.  Maybe we should email them directly, I don't know. 

I still have great confidence in the avast team and the program (but likely won't be using SZ for a while--a sandboxed FF and Trusteer for me).  It's clearly in their best interest to get good answers to this as the perception of protection is also important in seeking to grow a security company.

Nevertheless, I'm glad I have LifeLock!
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 01:41:11 PM
I'm glad Vlk posted and I'm sure avast will do what they can to keep users safe.  It serves them only if things like this do not happen, so I imagine they are as hot about this as us users who were at risk.  We may have had personal info stolen and they may lose market share and credibility over this kind of thing (though it was a 3rd party that was the actual source). 

I'd like to hear from Mailshell on this.  Do they know if personal info has been taken or was it just a redirection with not much else involved.  I think we all should hear from mailshell on this.  Maybe we should email them directly, I don't know. 

I still have great confidence in the avast team and the program (but likely won't be using SZ for a while--a sandboxed FF and Trusteer for me).  It's clearly in their best interest to get good answers to this as the perception of protection is also important in seeking to grow a security company.


Totally agree, hope they will find out more info and get back to us. As for MailShell, they still haven't said anything else other than that short message, have they?  :-\

Even I have great confidence in the team, the program and the SZ too but they have to do something about the DNS (I'm sure everyone who's aware of what happened will stay off SZ for a while  ;D ) but the idea of an isolated desktop + browser is amazing.. if only there is a way to secure the connection as well..

It's hard to trust MailShell again  :-\ it's not at all secure as they claim it to be.. and their fault caused a lot of damage to Avast..
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 01:53:46 PM
Now all slow down a bit.

The first word from Vlk was: it was not a triggered attack or a hack.

So calm down and wait for deeper explanation. There are many reasons for anything getting corrupted, beginning with hardware failure etc. etc...

When you all say "I trust Avast", well then trust in Vlk as well. Don't blow this up more than necessary. It was communicated that nothing harmful happened and that we should believe for now.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 14, 2011, 02:00:48 PM

So calm down and wait for deeper explanation. There are many reasons for anything getting corrupted, beginning with hardware failure etc. etc...

When you all say "I trust Avast", well then trust in Vlk as well. Don't blow this up more than necessary.

yeah yeah I just said that I want to hear more about it, and want to hear what MailShell admins/developers have to say as well.. Also as Bob says is Avast the only partner that got affected and if so, why ?

Also, there were redirects to completely fake sites that had various links to what we can assume - "other malicious sites"..

I totally trust in Vlk  8) hope he will find out more and get back soon.. Just curious about this...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Vlk on April 14, 2011, 02:10:43 PM
Give me a few hours guys, I have a bunch of meetings today... I will get back to you asap on this.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 02:11:06 PM
Now all slow down a bit.
I haven't seen any hard flaming or anger in the thread so far

The first word from Vlk was: it was not a triggered attack or a hack.
So calm down and wait for deeper explanation.
still waiting... agree this could take a while, if it ever happens ( ??? )


There are many reasons for anything getting corrupted, beginning with hardware failure etc. etc...
sure, a hardware failure leading to porn/gambling etc... ads, that's very common ;D ... most likely HDD magnetic zones interfering unexpectedly at server level ??? ... hmm... what's in "etc... etc"... ?

When you all say "I trust Avast", well then trust in Vlk as well. Don't blow this up more than necessary. It was communicated that nothing harmful happened and that we should believe for now.
the fact that many here have been trusting Avast so far doesn't give a green light to anyone from Avast, and certainly doesn't imply that someone - or anyone - from Avast should be blindly trusted.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 02:11:27 PM
Give me a few hours guys, I have a bunch of meetings today... I will get back to you asap on this.

okay...
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 02:14:28 PM

still waiting... agree this could take a while, and most likely never happen

Give me a few hours guys, I have a bunch of meetings today... I will get back to you asap on this.
... most likely HDD magnetic zones interfering unexpectedly at server level ???


Exactly.  8)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 04:45:58 PM

still waiting... agree this could take a while, and most likely never happen

Give me a few hours guys, I have a bunch of meetings today... I will get back to you asap on this.
... most likely HDD magnetic zones interfering unexpectedly at server level ???


Exactly.  8)

Zyndstoff,
Since when is asking a question and expecting an answer considered an attack ???
And yes, I would still like an answer to my question but will wait till someone is able to give me that answer.
Remember, I'll be asked for an explanation for this and the last VPS update problem sometime during one of the seminars. It's always nice to have an answer before the question is asked and very embarrassing to not have an answer on a vital issue.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 04:55:36 PM

still waiting... agree this could take a while, and most likely never happen

Give me a few hours guys, I have a bunch of meetings today... I will get back to you asap on this.
... most likely HDD magnetic zones interfering unexpectedly at server level ???


Exactly.  8)

Zyndstoff,
Since when is asking a question and expecting an answer considered an attack ???
And yes, I would still like an answer to my question but will wait till someone is able to give me that answer.
Remember, I'll be asked for an explanation for this and the last VPS update problem sometime during one of the seminars. It's always nice to have an answer before the question is asked and very embarrassing to not have an answer on a vital issue.

Bob, I'm sorry, I think I made myself misunderstood.
I did not intend to call anything an attack, what I was trying to express (poorly, as I now see) was that we should calm down in terms of making up rumors about what happened and who or what else was affected but instead wait rather patiently for the already announced explanation from Avast.
Sorry if I found only the wrong words.  ::)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 14, 2011, 05:13:12 PM
thing is everybody's quite calm here ;D .. in this thread at least. There hasn't been any report of hijacked bank account or anything along the lines, explaining this calm :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 05:14:53 PM
thing is everybody's quite calm here ;D .. in this thread at least. There hasn't been any report of hijacked bank account or anything along the lines, explaining this calm :)

Takes more than 1 day for the money-transfers to be completed...  ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 14, 2011, 05:37:04 PM
thing is everybody's quite calm here ;D .. in this thread at least. There hasn't been any report of hijacked bank account or anything along the lines, explaining this calm :)

Takes more than 1 day for the money-transfers to be completed...  ;D

Uh.. Hope not..!! :-\
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: street_lethal on April 14, 2011, 06:28:22 PM
Well earlier it was reproducible, 5 out of 10 times I was redirected.. but not anymore.. I played around with the 2 dll files - swapping them but still couldn't reproduce it..

EDIT: there was an avast update a few minutes ago, after that, the issue is back..



That's not good. This happening a few days after the bogus update incident doesn't bolster people's confidence in Avast. Being a security-conscious person it makes me speculate if the update servers were compromised as well. It's probably all unrelated but a bunch of unfortunate coincidences strung together looks bad either way.




oh just a corrupt cache? ;D  http://en.wikipedia.org/wiki/DNS_cache_poisoning

what was the nature of the corruption?

Corrupt cache sending you to fake sites. Sounds like poisoning to me but that's just an assumption.

Also, what is getting old is forum members telling the Avast developers there's an issue with their product/service and getting a sometimes very delayed response. I understand a team of developers can't catch everything but stuff like this should be heavily monitored. Especially when it's part of a product that's supposed to increase security. It doesn't look good in my opinion. The end user shouldn't have to come on here and troubleshoot something like this, that's what paid employees are for.

My hat is off to the senior members here who volunteer their time to support users.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Asyn on April 14, 2011, 06:34:19 PM
1. Being a security-conscious person it makes me speculate if the update servers were compromised as well.
2. My hat is off to the senior members here who volunteer their time to support users.

1. Not in any way related to this issue...! ;)
2. Big +1 from me, especially to Drakul..!! :)
asyn
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Nesivos on April 14, 2011, 09:39:34 PM
I'm glad Vlk posted and I'm sure avast will do what they can to keep users safe.  It serves them only if things like this do not happen, so I imagine they are as hot about this as us users who were at risk.  We may have had personal info stolen and they may lose market share and credibility over this kind of thing (though it was a 3rd party that was the actual source).  

I'd like to hear from Mailshell on this.  Do they know if personal info has been taken or was it just a redirection with not much else involved.  I think we all should hear from mailshell on this.  Maybe we should email them directly, I don't know.  

I still have great confidence in the avast team and the program (but likely won't be using SZ for a while--a sandboxed FF and Trusteer for me).  It's clearly in their best interest to get good answers to this as the perception of protection is also important in seeking to grow a security company.

Nevertheless, I'm glad I have LifeLock!

Your statement about possibly having personal info stolen is true.  To greatly mitigate this risk, my suggestion is that on websites where you log in for any reason, like this one, you log in at the HTTPS URL.   This should prevent login information from being stolen during the login process.  In addition it is wise not to use the same username and password for multiple websites where you do any kind of financial activity.

Avast is great but it doesn't hurt to have simple additional safety nets to help prevent identity theft.

Some people use LastPass Password Manager to aid in preventing ID theft.  I don't use it because I am not comfortable with storing any data out in the cloud.  Just me :)



Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 14, 2011, 10:16:10 PM
My suggestion is to always store a strong master password on a
sticky note pasted on your refrigerator.
Cyber criminals may steal information from your computer however they are not likely
to raid your refrigerator.

Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 10:21:13 PM
My suggestion is to always store a strong master password on a
sticky note pasted on your refrigerator.
Cyber criminals may steal information from your computer however they are not likely
to raid your refrigerator.


+1 wise words from a wise man. I back that.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Vlk on April 15, 2011, 12:45:49 AM
OK, a few more details on this case:

- the incorrect data was there for 14 hours and 21 minutes (during the day of April 13)
- it affected just a fairly limited number of domains
- it affected only one server
- no https sites were affected
- no password and/or personal information stealing, malware or any other dangerous/malicious redirections were involved

Once we confirmed the problem, the server was brought offline. The other servers in the cluster (as well as the one that was affected) were thoroughly checked and precautions have been taken to prevent this, or similar incidents from happening in the future.


I fully understand that this is actually a second time this week our backend systems were having a problem, and that this may threaten your confidence in our products. Please note that we take these incidents very seriously and are working hard on making absolutely sure you, our users, stay safe.


Thanks
Vlk
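
Added example, not part of the thread and not Avast's or Mailshell's code: one way to spot the situation described above, where a single server in a resolver pool serves wrong records for a limited number of names, is to ask every server in the pool for the same names and flag the one whose answers no peer corroborates. The resolver names, the addresses (RFC 5737 documentation ranges) and the `min_names` threshold are assumptions made for the illustration.

```python
# Constructed sample: answers collected by asking each resolver in a pool
# directly for the same names. Resolver names and all addresses are made up.
SAMPLE_ANSWERS = {
    "resolver-01": {"google.com": {"192.0.2.10", "192.0.2.11"},
                    "yahoo.com": {"198.51.100.20"},
                    "example.org": {"192.0.2.80"}},
    "resolver-02": {"google.com": {"192.0.2.11", "192.0.2.12"},
                    "yahoo.com": {"198.51.100.20", "198.51.100.21"},
                    "example.org": {"192.0.2.80"}},
    "resolver-03": {"google.com": {"192.0.2.10"},
                    "yahoo.com": {"198.51.100.21"},
                    "example.org": {"192.0.2.80"}},
    # One server carrying bad records for a limited number of names.
    "resolver-04": {"google.com": {"203.0.113.66"},
                    "yahoo.com": {"203.0.113.66"},
                    "example.org": {"192.0.2.80"}},
    "resolver-05": {"google.com": {"192.0.2.12"},
                    "yahoo.com": {"198.51.100.20"},
                    "example.org": {"192.0.2.80"}},
}


def outlier_names(answers, resolver):
    """Names for which `resolver` shares no address with any peer while a
    majority of those peers corroborate one another."""
    suspicious = []
    for name, ips in answers[resolver].items():
        others = {r: a[name] for r, a in answers.items()
                  if r != resolver and name in a}
        if len(others) < 2 or not ips:
            continue  # not enough independent views to judge this name
        seen_elsewhere = set().union(*others.values())
        if ips & seen_elsewhere:
            continue  # at least one returned address is confirmed by a peer
        # Count peers whose answer overlaps with at least one other peer.
        corroborated = sum(
            1 for r, s in others.items()
            if any(s & t for q, t in others.items() if q != r)
        )
        if corroborated * 2 > len(others):
            suspicious.append(name)
    return sorted(suspicious)


def flag_resolvers(answers, min_names=2):
    """Resolvers that are the lone outlier for at least `min_names` names.

    Load-balanced names can legitimately resolve differently per server, so
    a single disagreeing name is treated as noise rather than as an alert.
    """
    flagged = {}
    for resolver in answers:
        names = outlier_names(answers, resolver)
        if len(names) >= min_names:
            flagged[resolver] = names
    return flagged


if __name__ == "__main__":
    for resolver, names in flag_resolvers(SAMPLE_ANSWERS).items():
        print(f"{resolver}: uncorroborated answers for {', '.join(names)}")
```

Run on a schedule against every server in the pool, a check like this raises the alarm from the operator's side instead of waiting for users to report redirects.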
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Charyb on April 15, 2011, 01:05:45 AM
Thanks for the info. No confidence lost here. Just some disappointment with the x2 thing. Makes me wonder how people handled their banking before safezone was developed? My only question would be how did the incorrect data get there in the first place?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Vlk on April 15, 2011, 01:07:02 AM
Thanks for the info. No confidence lost here. Just some disappointment with the x2 thing. Makes me wonder how people handled their banking before safezone was developed? My only question would be how did the incorrect data get there in the first place?

It was replicated from some other (external) server that had the problem.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 15, 2011, 01:08:05 AM
@vlk okay thanks, so:

1 I'd still like to know how the incorrect data landed on the server
2 this doesn't change anything concerning the trust I have in Avast
>>> 1st issue happens (VPS error)
>>> second issue was likely caused by a lack of good maintenance and security checks on the server side (mailshell)...you're not the owner and the issue was probably unpredictable for you. Not sure how you'll be able to monitor that in the future to prevent a similar issue in real time...let me repeat again, even if I'm very unlikely to use the SZ again, I still do consider Avast as a very serious company. I guess you're bringing the details about the incident as you get them, and that's appreciated.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: logos on April 15, 2011, 01:10:36 AM
Thanks for the info. No confidence lost here. Just some disappointment with the x2 thing. Makes me wonder how people handled their banking before safezone was developed? My only question would be how did the incorrect data get there in the first place?

It was replicated from some other (external) server that had the problem.

okay... that's already the beginning of an answer
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 15, 2011, 01:30:14 AM
@ Vlk,
It was never a question of trust but rather a need for an explanation that I
would be able to pass on to those that will be questioning me about what happened
and what's being done to prevent a re-occurrence.  :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 15, 2011, 02:02:14 AM
1. Being a security-conscious person it makes me speculate if the update servers were compromised as well.
2. My hat is off to the senior members here who volunteer their time to support users.

1. Not in any way related to this issue...! ;)
2. Big +1 from me, especially to Drakul..!! :)
asyn


Thanks :) Glad I could help  :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: DraKuL on April 15, 2011, 02:04:27 AM
@ Vlk,
It was never a question of trust but rather a need for an explanation that I
would be able to pass on to those that will be questioning me about what happened
and what's being done to prevent a re-occurrence.  :)


Eagerly waiting for this reply :) but again, I think it's what MailShell is doing to prevent this, not Avast.. right? Since it's up to them to keep their servers safe?
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 15, 2011, 03:19:49 AM
So I finally got a response from the ticket I opened up last night, About browser being hijacked...
Senoir tech xxxxxx in support writes "open avast and run scan.... your computer should now be virus free!! Thank you for opening a ticket" Yes those are quotes and I Did write Senoir
Glad they jumped right on that
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Charyb on April 15, 2011, 03:22:31 AM
So I finally got a response from the ticket I opened up last night, About browser being hijacked...
Senoir tech xxxxxx in support writes "open avast and run scan.... your computer should now be virus free!! Thank you for opening a ticket" Yes those are quotes and I Did write Senoir
Glad they jumped right on that
I am a firm believer that you get better and quicker help on this forum.  :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 15, 2011, 03:27:53 AM
I had the issue but my confidence in avast is not diminished.  Unfortunately such things happen and all that can be done is seek to minimize them and the damage as much as possible.  If it were a perfect world we humans simply wouldn't fit it.

I appreciate the answers and the sincerity in which they are given.  I'm a paying user and have every intention to purchase another year's license when the current one is up.  (I believe in supporting good companies and their products.  In fact I wish more people would financially support avast as this can only help to provide capital for better products in the future and reward those who create those products.  I guess that's another topic though.)  I said all that to say I'm still a satisfied paying avast user.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: zeeks on April 15, 2011, 03:30:42 AM
You guys are pimps yes, I was a little setback by the response from official tech support, almost sounds like generated response. Whereas here you have 150 replies. Maybe this is normal with ticket? I'm a newb here
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 15, 2011, 03:35:04 AM
No doubt about it--support is slow at times and I don't like it either.  The forum is quicker.  Some of the guys here who offer solid advice should get a check every once in a while for doing the job of support.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 15, 2011, 04:06:56 AM
No doubt about it--support is slow at times and I don't like it either.  The forum is quicker.  Some of the guys here who offer solid advice should get a check every once in a while for doing the job of support.
Thanks but support in here is given freely because those that are able to help a fellow user
enjoy doing it. :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 15, 2011, 07:58:27 AM
No doubt about it--support is slow at times and I don't like it either.  The forum is quicker.  Some of the guys here who offer solid advice should get a check every once in a while for doing the job of support.
Thanks but support in here is given freely because those that are able to help a fellow user
enjoy doing it. :)

Yeah, Bob is absolutely right. Most of the helpers do this because of their own passion.
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: dagrev on April 15, 2011, 05:41:48 PM
No doubt about it--support is slow at times and I don't like it either.  The forum is quicker.  Some of the guys here who offer solid advice should get a check every once in a while for doing the job of support.
Thanks but support in here is given freely because those that are able to help a fellow user
enjoy doing it. :)

Yeah, Bob is absolutely right. Most of the helpers do this because of their own passion.

I know, but just wanted to express my gratitude as much as anything for the sage advice offered here.  Check not forthcoming from me, however!  ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 15, 2011, 05:50:18 PM
Check not forthcoming from me, however!  ;D

No problem, money wire transfer will do fine...  8)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 15, 2011, 06:18:46 PM
Check not forthcoming from me, however!  ;D

No problem, money wire transfer will do fine...  8)
PayPal also works....  ;D ;D ;D
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 15, 2011, 06:20:54 PM
Bob: Congratulations! (see screenshot)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob3160 on April 15, 2011, 06:24:28 PM
Thanks for the capture, Steven,
never noticed.   I captured the one when I hit 10000.  :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: bob10000 on April 15, 2011, 06:26:35 PM
Thanks for the capture, Steven,
never noticed.   I captured the one when I hit 10000.  :)

He certainly did.  :) :)
Title: Re: MY safe zone browser hijacked! goes to fake google
Post by: Zyndstoff (aka Steven Gail) on April 15, 2011, 06:27:38 PM
Steven

Click (http://en.wikipedia.org/wiki/Anagram)  ;D