Author Topic: Avast is blocking my access to google  (Read 19842 times)


r9rafael

  • Guest
Avast is blocking my access to google
« on: October 01, 2008, 03:30:40 PM »
I've been searching for some explanation of why Avast is blocking my access to Google (docs, calendar, maps, web, etc.) for a couple of days now. It just started two days ago and since then, every time I try to access Google pages, it sends a pop-up message telling me that the Google site is trying to download malware (www.google.com/searcher.jar\inicio.class), which sounds strange since no website at all has published any report on problems with Google so far (I've attached a file with a screenshot of the message sent by Avast).
When I scan my computer with Avast and Spyware Terminator they can't find any virus. Could anybody here tell me what is going on? Is this a problem with the Avast Web Shield? I'm no geek, but I would appreciate some help now. I've lost precious time and can't afford to be in this situation any longer.

Thanks!


Rafael

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86815
  • No support PMs thanks
Re: Avast is blocking my access to google
« Reply #1 on: October 01, 2008, 04:41:30 PM »
Sorry to disappoint you, but a) avast doesn't block, it scans and alerts on infection, and b) avast isn't a firewall. You should modify your link so that it isn't active: change the www to wxw.

So your problem is outside of avast; if that searcher.jar is trying to download malware then avast can't do anything about that. The last part of the URL, \inicio.class, is a Java element and not actually a page.
Are you sure that you are actually at google.com and not a site designed to look like google?

The web page google.com/searcher.jar is shown as not existing (404 error), although strictly it isn't a web page (so I wouldn't expect to be able to access it) but a Java file which would be called from another process.

What exactly were you doing when this happened, e.g. what pages are you trying to access and from where are you trying to access them?

You won't find anything on your system, as the detection was by the Web Shield, which only gives the option to abort the connection; this stops the file being downloaded to your system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

r9rafael

Re: Avast is blocking my access to google
« Reply #2 on: October 01, 2008, 04:50:39 PM »

Answering you: using either Safari or IE, when I type www.google.com in the address bar, this happens. I do understand that this might be caused by another process (I can 'hear' my computer performing differently when I press Go), but I can't detect what is causing it. Now that I have blocked the download, as proposed by Avast, I can't access any Google-related page (e.g., YouTube, see attached file 2).

Do you know if Google is using any Java applet on its web page? It is really strange...

Attached is a screenshot of the Avast warning.
« Last Edit: October 01, 2008, 05:00:27 PM by r9rafael »

DavidR
Re: Avast is blocking my access to google
« Reply #3 on: October 01, 2008, 06:42:15 PM »
Unfortunately the avast warning just confirms what we already know: it is intercepted by the Web Shield and the URL is the one given.

I don't see the relevance of the second YouTube image?
How were you trying to access YouTube (it isn't really Google related): via a link, via Google, etc.? How?

This is just saying that the site can't be found, and no alert, the same as you get in Google.

I don't use Safari and I avoid IE like the plague, so I can't test anything on that side. Have you tried to access it using Firefox?

I use Firefox as my default browser and access google.com with no problems. I have even tried accessing google.com with IE (spit) for you, and again I access it with no alerts or problems.

So I don't really understand what is going on with your system, but it would be worth running some other tools.

If you haven't already got this software (freeware), download, install, update and run it, preferably in Safe Mode, and report the findings (it should produce a log file).
1. SUPERantispyware, on-demand only in the free version.

2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe; right click on the link and select Save As or Save File (As, depending on your browser), and save it to a location where you can find it easily later.



r9rafael

Re: Avast is blocking my access to google
« Reply #4 on: October 02, 2008, 08:24:44 PM »

David,
the image from YouTube is to show that, after blocking the download of the malware, any site associated with Google is "blocked" (I get that page from my browser), including YouTube.

But in the last hours I've been running the programs you have suggested, and attached is the log file I got from MalwareBytes. SUPERAntiSpyware generated no log file that I could find.

But so far it's not working. I keep getting the same message again.

DavidR
Re: Avast is blocking my access to google
« Reply #5 on: October 02, 2008, 10:24:47 PM »
Well, from the MBAM log, Vundo could be responsible for things like this, but there is no way to be certain. You should by now have rebooted (if not, do so), as MBAM needs to do that to remove the Vundo file.

In the SAS main screen click Preferences, then there is a tab called Statistics/Logs (see image); check the options to keep a detailed log and to save empty/clean logs.

I can't recall if these options are enabled by default or not. If they are, then there will be a window showing all the scanner logs. Select a log and click View Log; you can copy and paste the log.

Have you tried firefox ?

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.

r9rafael

Re: Avast is blocking my access to google
« Reply #6 on: October 03, 2008, 02:29:31 PM »

First of all, thank you very much indeed for your help.

Here is the log file from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/02/2008 at 10:54 AM

Application Version : 4.21.1004

Core Rules Database Version : 3584
Trace Rules Database Version: 1543

Scan type       : Complete Scan
Total Scan Time : 01:17:57

Memory items scanned      : 171
Memory threats detected   : 0
Registry items scanned    : 5333
Registry threats detected : 3
File items scanned        : 26092
File threats detected     : 39

Browser Hijacker.Internet Explorer Zone Hijack
   HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br
   HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br\www
   HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br\www#http

Adware.Tracking Cookie
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@doubleclick[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@media.adrevolver[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@adopt.euroclick[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@avgtechnologies.112.2o7[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@statcounter[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@ad.adnetwork.com[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@ads.revsci[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@ad.yieldmanager[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@fastclick[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@advertising[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@adrevolver[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@ads.sun[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@2o7[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@burstnet[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@apmebf[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@zedo[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@atdmt[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@realmedia[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@adopt.specificclick[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@tribalfusion[2].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@pandasoftware.112.2o7[1].txt
   C:\Documents and Settings\Bia_e_Rafa\Cookies\bia_e_rafa@msnservices.112.2o7[1].txt
   server.lon.liveperson.net [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   server.lon.liveperson.net [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   server.lon.liveperson.net [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .valueclick.net [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .mediaplex.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .bs.serving-sys.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .doubleclick.net [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .ehg-asco.hitbox.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   .hitbox.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]
   statse.webtrendslive.com [ C:\Documents and Settings\Bia_e_Rafa\Dados de aplicativos\Mozilla\Firefox\Profiles\avbopbfo.default\cookies.txt ]

r9rafael

Re: Avast is blocking my access to google
« Reply #7 on: October 03, 2008, 02:30:31 PM »

Here is the first part of the HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:58, on 3/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Antivirus\Avast\aswUpdSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\ARQUIV~1\SPYWAR~1\sp_rsser.exe
C:\Arquivos de programas\Antivirus\Avast\ashMaiSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashWebSv.exe
C:\Arquivos de programas\Apoint\Apoint.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Arquivos de programas\Dell\QuickSet\quickset.exe
C:\Arquivos de programas\Apoint\Apntex.exe
C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe
C:\Arquivos de programas\AirPort\APAgent.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Digital Line Detect\DLG.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\Spyware_highjackthis\HJT202\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g1.globo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgstb.dll
O4 - HKLM\..\Run: [Apoint] C:\Arquivos de programas\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Arquivos de programas\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Arquivos de programas\Arquivos comuns\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [VoipSkype] "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe"
O4 - HKLM\..\Run: [VoipSkypeVolCtrl] "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Arquivos de programas\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

r9rafael

Re: Avast is blocking my access to google
« Reply #8 on: October 03, 2008, 02:31:11 PM »

The second part of the HJT log file:

O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Arquivos de programas\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134059275296
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by113fd.bay113.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify:  GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\Spyware_superantispyware\SASWINLO.dll
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Antivirus\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Antivirus\Avast\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Arquivos de programas\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\ARQUIV~1\SPYWAR~1\sp_rsser.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12940 bytes

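As an added example (not part of the original thread, and not HijackThis or Avast code), the following Python script runs a first-pass triage over HJT log lines of the kind posted above. The sample lines are copied from the posted log; the triage rules (dangling "(file missing)"/"(no file)" entries, a configured browser proxy, O16 ActiveX download points on hosts outside an assumed-trusted list, and O20 Winlogon Notify DLLs) are this example's own assumptions about what a practitioner checks first, and the trusted-host list is illustrative, not an official allowlist.

```python
"""Triage a HijackThis (HJT) log for entries worth a second look.

Added example, not part of the original forum thread and not HijackThis
or Avast code. The rules below are this example's own assumptions about
what to review first; a flagged line is "check this", not "malicious".
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HJT log lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134059275296
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O20 - Winlogon Notify:  GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\Spyware_superantispyware\SASWINLO.dll
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
"""

# HJT lines look like "O16 - <body>"; everything else (headers, paths) is skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Assumption for this example: ActiveX (O16) downloads from these Microsoft
# domains are expected; anything else is raised for review.
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".live.com", ".msn.com")


def host_is_trusted(url):
    """True if the URL's host is one of the assumed-trusted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text):
    """Return a list of (code, reason, line) findings for lines worth checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        # A registered BHO/service/notify DLL whose file is gone: leftover from
        # an uninstall, or a component already removed by a scanner.
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "dangling: registered component's file is absent", line))

        # A browser proxy silently reroutes all HTTP traffic; confirm it is intended.
        if code == "R1" and ",ProxyServer = " in body:
            proxy = body.split("= ", 1)[1].strip()
            if proxy:
                findings.append((code, f"browser proxy configured: {proxy}", line))

        # O16 entries are ActiveX controls IE was allowed to download and run.
        if code == "O16":
            url = body.rsplit(" - ", 1)[1]
            if not host_is_trusted(url):
                host = urlparse(url).hostname
                findings.append((code, f"ActiveX download point on third-party host: {host}", line))

        # O20 DLLs load into winlogon.exe at logon: a classic persistence spot.
        if code == "O20":
            findings.append((code, "DLL loaded by winlogon at logon", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Each finding is a review prompt rather than a verdict: the SUPERAntiSpyware winlogon DLL is legitimate, for instance, and only shows up because every O20 entry deserves a look. The point of the proxy rule is that a ProxyServer value sends every browser request through that address first, so it is one of the first things to verify when a machine "cannot reach" a site that other machines reach fine.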
r9rafael

Re: Avast is blocking my access to google
« Reply #9 on: October 03, 2008, 02:36:20 PM »


Last, but not least, why do you think Firefox would help me? Is it not vulnerable to this kind of threat?

r9rafael

Re: Avast is blocking my access to google
« Reply #10 on: October 03, 2008, 02:40:20 PM »


here goes the first part of the startuplist log

StartupList report, 3/10/2008, 09:38:27
StartupList version: 1.52.2
Started from : C:\Arquivos de programas\Spyware_highjackthis\HJT202\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Antivirus\Avast\aswUpdSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\ARQUIV~1\SPYWAR~1\sp_rsser.exe
C:\Arquivos de programas\Antivirus\Avast\ashMaiSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashWebSv.exe
C:\Arquivos de programas\Apoint\Apoint.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Arquivos de programas\Dell\QuickSet\quickset.exe
C:\Arquivos de programas\Apoint\Apntex.exe
C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe
C:\Arquivos de programas\AirPort\APAgent.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Digital Line Detect\DLG.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\Spyware_highjackthis\HJT202\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar]
Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE


r9rafael

  • Guest
Re: Avast is blocking my access to google
« Reply #11 on: October 03, 2008, 02:40:53 PM »


here goes the second part of the startuplist log:

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Arquivos de programas\Apoint\Apoint.exe
SunJavaUpdateSched = "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
(Default) =
IntelWireless = C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
ATIPTA = C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
Dell QuickSet = C:\Arquivos de programas\Dell\QuickSet\quickset.exe
DVDLauncher = "C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe"
UpdateManager = "C:\Arquivos de programas\Arquivos comuns\Sonic\Update Manager\sgtray.exe" /r
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
avast! = C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
TkBellExe = "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osboot
ISUSPM Startup = C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
IntelliPoint = "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
bgsmsnd.exe = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
VoipSkype = "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe"
VoipSkypeVolCtrl = "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe"
AirPort Base Station Agent = "C:\Arquivos de programas\AirPort\APAgent.exe"
AppleSyncNotifier = C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
QuickTime Task = "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
SUPERAntiSpyware = C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - c:\arquivos de programas\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
G-Buster Browser Defense - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing) - {C41A1C0E-EA6C-11D4-B1B8-444553540000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Microsoft_Hardware_Launch_IPoint_exe.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Adobe\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134059275296

[NanoInstaller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\NanoInst.dll
CODEBASE = http://www.nanoscan.com/cabs/nanoinst.cab

[MSN Games - Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[GbPluginObj Class]
InProcServer32 = C:\ARQUIV~1\GBPLUGIN\gbieh.dll
CODEBASE = https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by113fd.bay113.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Arquivos de programas\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9.863 bytes
Report generated in 0,078 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67236
Re: Avast is blocking my access to google
« Reply #12 on: October 03, 2008, 02:47:10 PM »
This seems to be the problem...

Browser Hijacker.Internet Explorer Zone Hijack
   HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br

Did you manage to get rid of it through HijackThis?
General cleaning procedures are:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM (which you've already done) or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site (which you've already done). Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86815
  • No support PMs thanks
Re: Avast is blocking my access to google
« Reply #13 on: October 03, 2008, 03:38:33 PM »
First, the SAS log: if you allowed it to get rid of the ticketsforfun.com.br entry (you probably did, as there is no reference to it in your HJT log), some of those types of site also generate adware based on your browsing activity. Though I don't know if this would be causing the issues with google.

Also, the location in the registry for this is probably a BHO (Browser Helper Object). As for your question about Firefox not being vulnerable to this type of attack, it doesn't use BHOs nor ActiveX.

The tracking cookies are a minor privacy issue but not a security one. I would recommend that you a) don't allow third party cookies, those not for the site you are browsing, and b) periodically clear out your cookies.

Have you used G-Buster Browser Defense previously, or did you remove it? If so, FIX these entries in HJT as according to this the files are missing:
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)

Remnants of Norton ???
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)

So did you try to remove Norton SystemWorks (and AV, etc.)?
If so these elements are reported as firewall components and the files are missing, so effectively you don't have a firewall.

So what are you using for a firewall (XP firewall, etc.) ?

Your JAVA version is out of date, which can leave you vulnerable.
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp

After updating JAVA you should visit this site to ensure there aren't any other programs that need updating, http://secunia.com/software_inspector/.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
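As an added example (not from this thread, and not part of HijackThis itself): a small Python parser for the O2/O20/O23 lines quoted above that lists the entries HJT marked "(file missing)", i.e. the orphaned BHO, Winlogon Notify and service entries the advice says to FIX, and pulls the JRE version out of the file paths so an out-of-date Java runtime can be spotted. The sample log is constructed from lines in this thread; the second BHO line (the Java ssv.dll entry in O2 form) is an assumption added so the scan has a healthy entry to ignore.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the HJT "O" lines quoted in this thread.
# All but the second line are copied from the thread; the second (Java ssv.dll
# as an O2 BHO entry) is constructed to give the scan a healthy entry to ignore.
SAMPLE_LOG = r"""
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
"""

@dataclass
class HjtEntry:
    kind: str            # HJT section, e.g. "O2", "O20", "O23"
    label: str           # "BHO", "Winlogon Notify", "Service"
    name: str            # first " - " separated field (display name)
    path: str            # last " - " separated field: the file the registry points at
    file_missing: bool   # HJT appends "(file missing)" when that file is gone

# "Oxx - Label: body [ (file missing)]"; the body is split on " - " below.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*?)( \(file missing\))?\s*$")
# Sun-era JRE directory names look like jre1.6.0_05 (major.minor.patch_update).
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the O-section lines of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, label, body, missing = m.groups()
        fields = body.split(" - ")
        entries.append(HjtEntry(kind, label, fields[0], fields[-1], missing is not None))
    return entries

def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registry entries whose target file is gone: leftovers of an uninstalled
    product or a removed BHO, which HJT can FIX as recommended in the thread."""
    return [e for e in entries if e.file_missing]

def jre_versions(text: str) -> List[Tuple[int, int, int, int]]:
    """Every distinct JRE version mentioned in file paths, oldest first, so an
    out-of-date runtime can be compared against whatever is current."""
    return sorted({tuple(int(n) for n in m.groups()) for m in JRE_RE.finditer(text)})

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print(f"FIX  {e.kind:<4} {e.label}: {e.name} -> {e.path}")
    for v in jre_versions(SAMPLE_LOG):
        print("JRE in use: %d.%d.%d_%02d" % v)
```

Paste a full HJT log into SAMPLE_LOG (or read it from a file) and the three orphaned entries from this thread come out as the ones to FIX, with every other section line ignored.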

r9rafael

  • Guest
Re: Avast is blocking my access to google
« Reply #14 on: October 06, 2008, 02:42:14 PM »

Thank you very much indeed once again. It seems that the problem is gone. I've followed your instructions and Tech's and there are no more alerts from avast when accessing google.

Regarding your question about a firewall, I'm using the Windows XP firewall (which now I think is the same as no firewall at all). Do you have any recommendation about a freeware firewall?

Thks,

RR