Avast WEBforum
Other => Viruses and worms => Topic started by: ennosphere on April 03, 2012, 05:48:26 PM
-
We are looking into an issue where avast seems to be blocking Google.com and Bing.com in Firefox, Chrome, and Internet Explorer. Websites using Google Analytics are also being blocked.
Any assistance with this issue would be appreciated.
-
Hello,
try ping or wget for google.com and post the IP address, please.
Milos
-
This may be some sort of DNS redirection/hack as I can connect to google.com without problem. See image (click to expand) which shows a number of IP addresses for google.com.
If you use the ping command from a command window/prompt (from the Windows Key+R and type cmd to open a command window) what IP address is returned (see image2 example) ?
-
http://www.networksolutions.com/whois/results.jsp?ip=87.125.87.99
Google seems to have changed its name and moved to the Netherlands.
We've also run all of the programs in the log thread and are able to provide any which may be helpful.
-
Well it does look like there is something going on with your DNS server (may have been hacked or DNS Poisoning). The whois link you posted isn't conclusive as it doesn't resolve, all that is showing is the region of the Registrar who allocates IPs for the region.
I managed to get it resolved and it is a company in the UK 87.125.87.99 = Fubra Limited (not google.com) and going for that IP address results in an avast alert.
Fubra Limited develops websites which provide useful information and advice to help people in the UK to save money and find better information more quickly. The company was founded in 2000 and is based in Aldershot, United Kingdom.
Though going to fubra.com doesn't set off avast, as it has a slightly different IP 87.124.84.210. So I'm not sure what is going on with whomever provides the DNS server (usually ISP) that you use. Another possibility is that your HOSTS file could have been modified to redirect google.com to that IP (check c:\windows\HOSTS using notepad and see if there are any entries for google.com).
Hopefully Milos will get back to the topic.
-
The primary DNS server for this computer is a local domain server which forwards to Time Warner. I did start seeing a recurring error on the server where it looked like the Time Warner servers were resolving URLs to themselves. There was a DNS record that ended up as a static forward lookup that I'd never seen before with the hostname "win-9i9oeknr4p2" and the same IP as the local DNS server, which didn't make much sense.
The hosts file appears to be intact.
Another weird thing about this issue is that none of the other computers on the domain are experiencing any of the same issues as this one, and they all use the same DNS settings and all have avast installed and up to date.
-
It is weird that the other computers don't exhibit the same issues when using the same DNS.
You could try using a specific DNS server like using OpenDNS, http://www.opendns.com/
-
This is a redirect IP used by simda malware. There is dns hijack or some redirector running on the machine in question. I'm pretty sure that none of the computers around are resolving google to point to that ip. Also bing.com or yahoo.com are supposed to resolve to strange ips.
-
@ ennosphere
Given what kubecj said this needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
-
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.04.02.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
toconnor :: TOCONNOR [administrator]
4/3/2012 11:09:55 AM
mbam-log-2012-04-03 (11-09-55).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260158
Time elapsed: 11 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Essexboy is notified.......he is usually in here late UK time ;)
-
Not happy with the aswMBR reported locked file. Also do you get the redirect in all browsers ?
I see that at some stage you used Combofix, if it is still on your desktop delete it please
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - Reg Error: Value error. File not found
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
:Files
ipconfig /flushdns /c
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
The redirect does happen in all browsers.
New logs are attached.
Avast is now blocking these same sites, but with the process as C:\ComboFix\CF16539.EXE instead of Firefox.exe or other browser executable.
-
Hmm this be something different
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\administrator.CHEMISPHEREINC.000\Local Settings\Application Data\WavXMapDrive.bat
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
Hello, I'm also having the same problem.
Recently the computer was infected with the 2012 Internet Security malware, and I have manually removed it, and used avast-anti virus boot scan.
Now most websites I visit to, Avast report that google-analytics was blocked from being accessed.
Using another computer to post this since the verification image doesn't appear on the infected computer since it from google apparently.
-
Rexaar could you start your own topic please and post the necessary logs there
-
Now blocking CF8003.EXE
-
That is a combofix file
Remove ComboFix- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Then could you run a fresh OTL quick scan selecting all users and let me know if the problem is still apparent
-
Ping still gets same result, no pages load.
-
OK lets check out the registry net settings
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O3 - HKU\S-1-5-21-3690017174-2536532145-703111426-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 12-04-2012 at 02:07:46
Running from "C:\Documents and Settings\administrator.CHEMISPHEREINC.000\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****
-
Everything there appears OK, I notice that one of the IP adresses is a to school network. Do you use that a lot ?
Lets have a different look. With the Zip file produced at the end could you upload to a sharing site like Mediafire and post the sharing link
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named )
First we will run a virus scan
Click the cog in the upper right
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif)
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif)
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion click the link to locate the zip file to upload upload to a file sharing site
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)