Avast WEBforum
Other => Viruses and worms => Topic started by: WhyIsThisHappeningToMe on July 12, 2011, 08:35:21 PM
-
Ok, I am really angry. This has been going on for a week now, Avast, get your **** together >:(.
As you can see, whenever I search something in google, images or text it shows up as a virus, and on images some pictures don't load.
I know this cannot be a real virus, but is this a real virus?
Why is this happening?
Someone tell me how to fix this, or I'm going to stop using avast.
(http://img69.imageshack.us/img69/6332/searchsomethingrecievev.png)
(http://img221.imageshack.us/img221/3350/unledyddc.png)
-
Bump, someone please help, now I can't even access pages that are connected to google (like news.google.com) because avast keeps blocking it. >:(
-
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI
Essexboy will look at the logs when posted....
-
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI
Essexboy will look at the logs when posted....
is it malware or is it just an error?
-
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI
Essexboy will look at the logs when posted....
is it malware or is it just an error?
It seems that you are infected.
-
Here's the OTS thing, someone please help me :(
Also, how did I get this infection!? Avast is supposed to keep me from getting such infections!!
-
No security program has 100% detection....and never will
Essexboy is notified..
-
No security program has 100% detection....and never will
Essexboy is notified..
Yes but Avast is said to be the best free anti-virus out there!
Or am I wrong?
False marketing !?
-
the bad guys have access to the same AV tools you have, and they test their new malware before they release it, so AV companies will always be one step behind. And if lucky, you are the first one to meet this new malware ;)
-
Currently I am working on systems using - to name a few, ESET, Trend, Norton, AVG, Kaspersky and CA all infected
The majority of infections are via social engineering, where you are tricked into running the malware
I believe you have an MBR type infection
Download ComboFix from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
Okay, I'm currently doing the ComboFix scan, how many stages are there?
Right now I'm on stage 48.
Also how do you guys think I got this infection?
-
This thing has created tons of files!?! Why?
-
They will be removed once we have finished with it, I will not leave them on your system
Could I have the aswMBR next. As to how you got it I have no idea as there are no evident files showing in the log
-
ok now I'm just waiting for the aswMBR to finish. Do you think this is a serious infection :/ ??
-
here is the aswMBR log
-
Don't worry about the suspicious files; the .sys.mui ones we feel are due to an overly sensitive heuristics, seeing the double file extension; an old trick used to try and hide what the true file extension/purpose is.
The C:\Windows\System32\drivers\wimmount.sys we suspect is a false positive.
####
I think there is definitely something there but probably not an MBR Rootkit as aswMBR is reporting a Windows 7 default MBR code. But it is showing an Unknown hook. So this may be a TDL rootkit.
However, you may want to wait for instructions from Essexboy on how to proceed.
I think Essexboy may well recommend that you run TDSSKiller to see if that can deal with it, but he may not be back on-line until tomorrow evening as it is now 11:57pm in the UK and he has to be up for work tomorrow.
~~~~
I leave the choice up to you if you wish to wait:
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
**Snap** ;D
Looks like it is an older variant - on completion of this run can you let me know what problems remain
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
TDSSKiller only found suspicious files, none infected.
So am I safe now?
-
Bear with me just rechecking the logs
-
Ok thanks. :)
-
Could you go to virustotal and within the browse box at the top locate the mbr.dat file on your desktop and upload that please
http://www.virustotal.com/
Could you then post the result
-
http://www.virustotal.com/file-scan/report.html?id=4afd954989067ffc6ffc2f3ba21ada07b2f66f2fb04b76d7678094baf47726fd-1310590951
here's the page
-
Do you use a router ? And do any other computers using it suffer from redirects as well ?
Download MBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
-
Do you use a router ? And do any other computers using it suffer from redirects as well ?
Download MBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
I think you misunderstand, my problem is not redirects, it's that whenever I search stuff on google, avast says there's a virus on everything from images.
Yes I do use a router and no, none of my computers have a redirect problem.
-
Is it still doing that - sorry I have redirects on the brain at the moment
-
Is it still doing that - sorry I have redirects on the brain at the moment
Right now it's not, but it's really weird, sometimes it will show up and other times it will be working fine.
-
Well there is no malware on the system - so I would think that some of the images you are trying to view have been poisoned. Especially as it is erratic
Could you let me know next time it happens and give the link to the page (broken please )
-
Have you checked your hosts file?
Usually in c:\windows\system32\drivers\etc\
Are there any google-like records?
How does the mentioned google site resolve to you?
I.e. open cmd, and run command
nslookup XXX
where XXX is the site making you the problems.
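The hosts-file check suggested above, as an added example that is not from the thread: it parses hosts-file text, ignores comments, and reports any entry that pins a google-like name (the sample hosts content and the watched suffixes are constructed assumptions; the file path is the one named in the post).

```python
import ipaddress

# Constructed sample hosts file (not from the thread). The last two entries
# mimic the kind of "google-like" override this check is meant to catch.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       t0.gstatic.com
93.184.216.34   www.google.com google.com   # constructed
"""

# Names whose resolution should never be pinned in a hosts file on a home PC.
WATCH_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blanks are skipped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address/hostname line
        pairs.extend((ip, host.lower()) for host in fields[1:])
    return pairs


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def hosts_overrides(text):
    """Hosts entries that pin a watched name. Empty on a clean Windows install."""
    return [(ip, h) for ip, h in parse_hosts(text) if is_watched(h)]


def load_and_check(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the real hosts file (path from the thread) and report overrides."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hosts_overrides(fh.read())


if __name__ == "__main__":
    for ip, host in hosts_overrides(SAMPLE_HOSTS):
        print(f"override: {host} -> {ip}")
```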
-
Host file is empty according to OTS
-
This is so irritating, I am 1000% sure this is not a virus, but an error.
I've had viruses before and usually there would be symptoms like my PC acting up but so far there is no sign of a virus
(http://img59.imageshack.us/img59/9214/hmmbr.png)
It's like one day I'll search something and everything will be fine, and the next I'd search something and avast keeps telling me malicious malware was found.
edit: I've realized this will stop at any time.. because it just did.
edit2: okay, I've realized that this doesn't just stop, it seems to be that whenever I search something new that I haven't searched before the warning shows up, and if I refresh the page, it doesn't show up anymore, and if I scroll down and new images load the warning shows up again
http://www.google.com/search?hl=en&q=hmm&gs_sm=e&gs_upl=9530l9763l0l9932l3l2l0l0l0l0l130l218l1.1l2&bav=on.2,or.r_gc.r_pw.&biw=1920&bih=979&um=1&ie=UTF-8&tbm=isch&source=og&sa=N&tab=wi
here's the search link
-
Works for me, but I expected that. This is not widespread, we would see it.
What is the output of the nslookup command I asked few messages back?
-
At this point I'm just about to remove avast because it is only annoying me with "Threat has been detected" sounds and not warning me about real viruses
-
At this point I'm just about to remove avast because it is only annoying me with "Threat has been detected" sounds and not warning me about real viruses
Do it and you may have further problems. Can't you wait for Essexboy? He will figure out what's going on.
-
I really enjoy these double monologs. <g>
I'm trying to 'fix' your problem but you simply don't reply to any of my questions. What do you expect then? ???
-
sorry kubecj, I missed your question, here's what's in C:\Windows\System32\drivers\etc
hosts
lmhosts.sam
networks
protocol
services
-
How does the mentioned google site resolve to you?
I.e. open cmd (command-line), and run command
nslookup t0.gstatic.com
or
nslookup t2.gstatic.com
Post here the results. For me it returns something like this
Name: t0.gstatic.com
Addresses: 74.125.79.147
74.125.79.99
74.125.79.104
but it will differ because Google has geoip-based replies.
-
How does the mentioned google site resolve to you?
I.e. open cmd (command-line), and run command
nslookup t0.gstatic.com
or
nslookup t2.gstatic.com
Post here the results. For me it returns something like this
Name: t0.gstatic.com
Addresses: 74.125.79.147
74.125.79.99
74.125.79.104
but it will differ because Google has geoip-based replies.
Yes mine shows up the same with a Non-Authoritative answer thing.
-
Really? The same IP addresses? The addresses I posted were from Europe. I'm getting different IPs for USA based server.
-
the IPs I got are
74.125.226.116
74.125.226.112
74.125.226.113
74.125.226.114
etc.
-
OMG. These are computers, they don't work with etc. ::)
One of the IPs in the 74.125.226.x range was wrongly blocked. The bad guys do this as a decoy, they put good addresses amongst the bad to slow us down or embarrass us when we block something like google.
I removed it, will be in the next update. We'll see if it'll be fixed or not.
-
OMG. These are computers, they don't work with etc. ::)
One of the IPs in the 74.125.226.x range was wrongly blocked. The bad guys do this as a decoy, they put good addresses amongst the bad to slow us down or embarrass us when we block something like google.
I removed it, will be in the next update. We'll see if it'll be fixed or not.
oh my... how did they change it ?!
-
I don't understand.
They have in their malware the list of domains I blocked. In midst of them they put the mentioned google address and I blindly blocked it too. Now it's fixed.
-
So everyone in my area had it?
Thank you very much by the way, much appreciated.
-
Probably yes, but it seems to be very rare - google has many servers and only one of them was affected by this - we'd spot it sooner otherwise.
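The decoy explained above, and why only some searches set off the alert, as an added example that is not from the thread: a blocklist sanity check that holds back entries falling inside a known-good prefix, plus a parser for the nslookup output shown earlier so the share of a name's addresses that would be blocked can be computed. The blocklist is constructed, and treating 74.125.0.0/16 as Google space is an assumption; the addresses are the ones the poster reported.

```python
import ipaddress

# Constructed nslookup output in the shape the thread shows; the addresses
# are the ones reported in the thread.
SAMPLE_NSLOOKUP = """\
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    t0.gstatic.com
Addresses:  74.125.226.116
          74.125.226.112
          74.125.226.113
          74.125.226.114
"""

# Constructed candidate blocklist: one good address (the "decoy") sits among
# RFC 5737 documentation addresses standing in for real bad hosts.
CANDIDATE_BLOCKLIST = ["203.0.113.7", "198.51.100.23", "74.125.226.113", "192.0.2.99"]

# Assumption: prefixes an analyst refuses to block without manual review.
KNOWN_GOOD = [ipaddress.ip_network("74.125.0.0/16")]


def parse_nslookup(output):
    """Extract (name, [addresses]) from Windows nslookup output, ignoring the server block."""
    name, addrs, in_addrs = None, [], False
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("Name:"):
            name = s.split(":", 1)[1].strip()
        elif name and (s.startswith("Addresses:") or s.startswith("Address:")):
            addrs.append(s.split(":", 1)[1].strip())
            in_addrs = True
        elif in_addrs and s:
            addrs.append(s)  # continuation lines of the address list
        else:
            in_addrs = False
    return name, addrs


def decoys(blocklist, known_good=KNOWN_GOOD):
    """Blocklist entries inside a known-good prefix: hold these for review before shipping."""
    return [ip for ip in blocklist
            if any(ipaddress.ip_address(ip) in net for net in known_good)]


def blocked_fraction(addresses, blocklist):
    """Share of a name's addresses that are blocked; a value between 0 and 1 means the
    alert fires only on the resolutions that happen to land on the bad entry."""
    hit = sum(1 for a in addresses if a in set(blocklist))
    return hit / len(addresses) if addresses else 0.0
```

With the sample data one of four addresses is blocked, so only about a quarter of fresh resolutions would trip the web shield, which matches the intermittent behaviour reported.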