Author Topic: Avast update connects to adult site  (Read 9073 times)


entu

  • Guest
Re: Avast update connects to adult site
« Reply #15 on: July 11, 2009, 08:27:19 PM »
Uhm, excuse me but I'm a bit confused.

First of all, let me tell one thing that maybe should be taken in account: I'm connecting to the Internet via a proxy server that accepts connections only on port #80.

For your information, this proxy is completely out of my reach - that is, I must keep it as it is. I have no hope of contacting the maintainers and asking them to change any setting whatsoever; I already tried and they plainly replied to me that their service is cheap and set in stone, so I must cope with that.

So then, I've set the proxy address in HostsMan's settings, and when I tell it to update the hosts list it returns the following:

-----------------
Checking for updates:
 - MVPS Hosts... check failed (Server response: ).
 - hpHosts... check failed (Server response: ).
 - Mike's Ad Blocking Hosts... check failed (Server response: ).
 - Peter Lowe's AdServers List... check failed (Server response: ).

No new updates available.
----------------

@ DavidR: I will check out those firewalls and I will set one of them up - but I'd like to solve this avast issue first. Or should I start by installing one of those firewalls first?

@ Micky77: I will post those logs (MBAM and HJT) but I fear I won't be able to get SuperAntispyware (that's SAS, is that it?) - I cannot get that due to my proxy, which for some obscure reason refuses to deliver me large executables.

Kudos to all of you for your precious time people, I'll be back soon.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67235
Re: Avast update connects to adult site
« Reply #16 on: July 11, 2009, 08:37:03 PM »
Quote
I'm connecting to the Internet via a proxy server that accepts connections only on port #80.
Proxy at port 80? Are you sure? This is the default http port...
Did you add the server address and the port number into avast proxy settings?
The best things in life are free.

entu

  • Guest
Re: Avast update connects to adult site
« Reply #17 on: July 11, 2009, 08:52:11 PM »
Quote
I'm connecting to the Internet via a proxy server that accepts connections only on port #80.
Proxy at port 80? Are you sure? This is the default http port...
Did you add the server address and the port number into avast proxy settings?
Of course I did, and everything worked fine for a long time - avast correctly updated itself every time.

I've just checked it right now again, the address and the port are still correctly set.

Everything on my system passes through that proxy (well, Firefox, Avast, FlashGet and a couple of other programs that need to get to the Internet) and everything works fine (except that "large executables" issue I mentioned before).

I've had a look at the MBAM log and I'm not posting it because it is plain useless - apart from the infected files/folders, which report only the "Backdoor.bot" notice, everything else reads zero (no infected processes/modules/registry keys and so on).

Here is the HJT log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.30.28, on 11/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = [guess numbers here ;-) : 80]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Programmi\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7977801F-1950-46BE-8985-64EF0270924F}: NameServer = 83.224.65.134
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6044 bytes

I'm going to wait a while for any possible reply, then I'll try to reinstall avast from scratch.

Please let me know if the HostsMan report I've posted in my previous message is OK or not.

More to come, thanks again.
« Last Edit: July 12, 2009, 12:07:26 AM by entu »
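The HijackThis log above is long, and the lines that matter for a "my updates go to the wrong place" problem are the few that steer network traffic: the R1 proxy setting, the O17 NameServer (DNS) entry, and Run/BHO entries that point nowhere or at an unqualified executable. The script below is an added example, not code from this thread or from HijackThis; it reads a log as plain text and changes nothing. Its sample reproduces a subset of lines from the log posted above (the proxy value is the poster's own redaction), and the section names R1/O2/O4/O17 are the ones HijackThis uses.

```python
"""Triage a HijackThis log for entries that steer network traffic or look orphaned.

Added example, not code from the thread or from HijackThis. It only reads the
plain-text log. The sample reproduces lines from the log posted in the thread.
"""
import re

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = [guess numbers here ;-) : 80]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7977801F-1950-46BE-8985-64EF0270924F}: NameServer = 83.224.65.134
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
"""

# "R1 - ..." / "O17 - ..." : section tag, then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 bodies look like:  HKLM\..\Run: [EntryName] command line
RUN_ENTRY = re.compile(r"^.*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Yield (section, body) for each 'Rn - ...' or 'On - ...' line."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage_hjt(text):
    """Return the entries worth a second look, in log order.

    proxy           - R1 ProxyServer: confirm it is the proxy you configured.
    dns             - O17 NameServer: confirm it is your ISP's or LAN's resolver.
    orphan_bho      - O2 BHO whose file is gone: leftover of removed software.
    unqualified_run - O4 Run entry whose executable has no directory, so it is
                      resolved through the search path at logon.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "R1" and "ProxyServer" in body:
            findings.append({"kind": "proxy", "value": body.split("=", 1)[1].strip()})
        elif section == "O17" and "NameServer" in body:
            findings.append({"kind": "dns", "value": body.split("=", 1)[1].strip()})
        elif section == "O2" and body.endswith("(no file)"):
            findings.append({"kind": "orphan_bho", "value": body})
        elif section == "O4":
            m = RUN_ENTRY.match(body)
            if m:
                exe = m.group("cmd").split()[0]
                if "\\" not in exe and ":" not in exe:   # bare file name, no path
                    findings.append({"kind": "unqualified_run", "value": m.group("cmd")})
    return findings


if __name__ == "__main__":
    for hit in triage_hjt(SAMPLE_HJT):
        print(f"{hit['kind']:16} {hit['value']}")
```

Run it against a saved log with `open(path).read()` in place of `SAMPLE_HJT`. The point of the DNS check is the one a helper would make by hand: an O17 entry is only a problem if the address is not the resolver you expect, so the script reports it and leaves the judgement to you.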

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67235
Re: Avast update connects to adult site
« Reply #18 on: July 11, 2009, 09:51:00 PM »
Quote
Please let me know if the HostsMan report I've posted in my previous message is OK or not.
No, it's not OK. It should allow the updates, at least the first two on the list, and you need not only to update your hosts file but to replace it completely.
Do you have Windows Defender updated? It should monitor the hosts file... maybe an infection passed through it also.
The best things in life are free.
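Replacing the hosts file wholesale is the right advice when you cannot trust it, but it helps to see why: a hosts entry that points a real hostname at a loopback or unspecified address only blocks that host, while an entry that points it at any other address silently redirects it, which is exactly what sends an updater to a site it should never visit. The script below is an added example, not part of this thread or of HostsMan; it audits a hosts file for redirect-style entries. The hosts content, the hostnames and the 203.0.113.45 address in the sample are constructed, and `example-av.com` stands in for whatever update domains your own software uses.

```python
"""Audit a Windows hosts file for redirect-style entries.

Added example, not code from the thread or from HostsMan. Entries that send a
hostname to a loopback or unspecified address are blocklist-style and harmless;
an entry that sends a hostname anywhere else changes where that host resolves.
The sample content, hostnames and addresses below are constructed.
"""
import ipaddress
import sys

# Constructed sample resembling a tampered hosts file (not the poster's file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocklist-style: harmless
127.0.0.1       tracker.example.org      # blocklist-style: harmless
203.0.113.45    update.example-av.com download.example-av.com
203.0.113.45    www.example-update.com   # redirect-style: suspicious
"""


def parse_hosts(text):
    """Yield (lineno, ip_address, [hostnames]) for every effective line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # first token is not an address
        yield lineno, ip, [h.lower() for h in parts[1:]]


def find_redirects(text, watched_suffixes=()):
    """Return findings for entries whose target is neither loopback nor unspecified.

    A hostname equal to, or under, one of watched_suffixes (the domains your AV
    or OS updater uses) is rated 'high'; any other redirect is 'medium'.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:  # 127.x, ::1, 0.0.0.0, ::
            continue
        for name in names:
            watched = any(name == s or name.endswith("." + s) for s in watched_suffixes)
            findings.append({"line": lineno, "ip": str(ip), "host": name,
                             "severity": "high" if watched else "medium"})
    return findings


if __name__ == "__main__":
    # Default is where Windows keeps the file; pass another path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            content = f.read()
    except OSError as exc:
        print(f"could not read {path}: {exc}; running on the built-in sample")
        content = SAMPLE_HOSTS
    # 'example-av.com' is a placeholder; list your real update domains here.
    for hit in find_redirects(content, ("example-av.com",)):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} [{hit['severity']}]")
```

Every 'medium' hit deserves a look too: a hosts file from a reputable blocklist contains only loopback/unspecified targets, so any other address in it was put there by something else.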

YoKenny

  • Guest
Re: Avast update connects to adult site
« Reply #19 on: July 11, 2009, 11:04:58 PM »
Quote
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
You're using Windows XP SP2, which has several security vulnerabilities. Windows XP SP3 has been available for over a year and has performance enhancements and several Critical Security Updates, so in IE go to Tools, then Windows Update, then download and install all updates.

Go to Control Center then Security Center then set it to Automatic Updates (Recommended) or at least Notify me about updates but do not download nor install them.

IE8 is now available and it has more security than IE6:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

The Sun Java is way down level and has security exposures so go to Add/Remove Programs and un-install all Sun Java installs.

Get and install Java Runtime Environment:
http://filehippo.com/download_java_runtime

Run Secunia Online Software Inspector to see what other applications have vulnerabilities:
http://secunia.com/vulnerability_scanning/online

entu

  • Guest
Re: Avast update connects to adult site
« Reply #20 on: July 12, 2009, 12:03:46 AM »
I have no Defender installed, I suppose it is included in SP3... I don't know if I'll be able to download it and get all the updates after that... at least I never used IE and I'll never use it, I think I could (well, must) cope with that.

I'm downloading the Italian installer within the setup wizard, it will take a long time because I had to switch back to the dial-up connection - the proxy connection is faster but fails to download large executables... once more :-/ ...hope that it will solve the main issue of this topic, at least...

I'll let you know.

In any case I'll try to take on any possible security check & upgrade as suggested here so far - after getting a working installation of avast to my system.

By the way, can I assume to be safe without installing any different firewall since I usually surf behind such a wonderful (awful) 80-port-only proxy?

Well, that's a bit off topic here but anyway, that's just an informative question, I'll set up a firewall in any case - I've read something about that and I'd like to have an opinion from hands-on people.

Thanks a lot once more, have a nice weekend,
Frank
« Last Edit: July 12, 2009, 12:43:00 AM by entu »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67235
Re: Avast update connects to adult site
« Reply #21 on: July 12, 2009, 03:12:28 AM »
Quote
By the way, can I assume to be safe without installing any different firewall since I usually surf behind such a wonderful (awful) 80-port-only proxy?
No. Both things aren't related. You need a firewall, but first, you need your computer clean. After that we can make firewall suggestions and help you.
The best things in life are free.

entu

  • Guest
Re: Avast update connects to adult site
« Reply #22 on: July 12, 2009, 04:08:44 PM »
Hi everybody,
problem solved, avast does not connect to that adult site any more during the update process, also those ".vbs" files do not appear any more in the update messages.

During the boot-time scan avast found three viruses:
Code:
07/12/2009 01:42
Controllo di tutti i drives locali

File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054917.exe e infetto da Win32:Buttons [Joke], Spostato nel Cestino
File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054957.exe e infetto da Win32:Trojan-gen {Other}, Spostato nel Cestino
File E:\System Volume Information\_restore{4845F5C9-A05A-47D7-9371-C4CB905DB49C}\RP56\A0054975.exe e infetto da Win32:Trojan-gen {Other}, Spostato nel Cestino
Numero di cartelle cercate: 16536
Numero files controllati: 216771
Numero files infetti: 3
(sorry for the Italian messages. "Spostato nel cestino" means, literally, "Moved to the basket". Now I understand also that note about disabling system restore)

I've been able to update my hosts list using the dial-up connection, now I'm not so sure which step actually solved the problem... shall I edit the first post of this topic mentioning the steps I took? Which is the custom here about solved issues' threads?

Another question: into the avast recycled basket (or quarantine basket, I ignore its name in English), there are the three files reported above and also three system libraries: kernel32.dll, winsock.dll and wsock32.dll. All of them have been transferred to the basket at the end of the boot-time scan (at least it seems so, looking at their transfer times). Is it normal for such files to appear there?

By the way, thank you Tech for your explanation about proxy/firewall. In my mind I thought that the proxy could, at least, forbid connections to an eventual backdoor that could infect my system, that was what I meant with the word "safe". I'm going to set up a firewall asap, and I'll try to update my OS too.

Thanks again everybody, your help has been precious.

All the best,
Frank

YoKenny

  • Guest
Re: Avast update connects to adult site
« Reply #23 on: July 12, 2009, 05:37:31 PM »
entu, you can order a SP3 update CD for a small shipping charge and it will arrive fairly quickly:
https://om2.one.microsoft.com/opa/Validation.aspx?StoreID=7b7aa929-bd0a-487a-bc7e-df7631fee660&LocaleCode=en-us

I keep one handy for when I need to update a system quickly.

To get rid of the indications in the System Restore files:
How to turn off and turn on System Restore in Windows XP
http://support.microsoft.com/kb/310405

entu

  • Guest
Re: Avast update connects to adult site
« Reply #24 on: July 12, 2009, 07:35:56 PM »
Thank you for your suggestions YoKenny, I think I'll follow them.

Have fun,
Frank