Author Topic: "Malicious URL Blocked" keeps popping up  (Read 40137 times)

RX220

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #15 on: August 29, 2010, 05:08:41 PM »
As of right now:

Still blocking:

toolbar.zynga.com/game_switcher/component.php

Still broke....


Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: "Malicious URL Blocked" keeps popping up
« Reply #16 on: August 30, 2010, 12:16:05 AM »
Hello,
it will be in VPS 100830-0
Sorry for the delay, I missed 100829-1.
Best regards
Jan Sirmer

Bert336

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #17 on: November 03, 2010, 01:12:55 PM »
Bringing this back from the dead. I installed Avast thinking my old antivirus was buggy. Unfortunately I am getting the same problem and Avast is picking it up. I have completely scanned the computer with Malwarebytes and Avast. Malwarebytes found 0 and Avast found a MEMORY.DMP under the System32 folder, which was deleted by Avast. I really don't know what else I can do; the computer seems to be working totally fine. Any help will be greatly appreciated.


Thank you for your time and help!

Bert336

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #18 on: November 03, 2010, 01:51:47 PM »
I meant to add that this comes up when I go to Google and do a search for, let's say, Avast. Something within those results triggers the alert. But if I go straight to avast.com, no warnings come up at all.

mosconi

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #19 on: March 27, 2011, 03:59:00 AM »
This keeps happening to me and is getting very annoying now. It is popping up every 5 minutes.

How do I stop it?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: "Malicious URL Blocked" keeps popping up
« Reply #20 on: March 27, 2011, 04:01:02 AM »
This keeps happening to me and is getting very annoying now. It is popping up every 5 minutes.
How do I stop it?
Run a full scan... something could be infected in your computer.

@ Bert336: please, consider http://forum.avast.com/index.php?topic=19387.msg607589#msg607589
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89323
  • No support PMs thanks
Re: "Malicious URL Blocked" keeps popping up
« Reply #21 on: March 27, 2011, 04:28:21 AM »
This keeps happening to me and is getting very annoying now. It is popping up every 5 minutes.

How do I stop it?

We are going to need more information, like posting an image of the alert window so we can check the site and process responsible for the connection, etc.

When does this happen, e.g. browsing, Google search, what operating system and browser are you using, not browsing, etc.?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

scrapple

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #22 on: March 27, 2011, 08:03:12 AM »
This is happening to me as well.  I tried posting this earlier but got an error saying my image attachment was too big.  Sorry if this posts multiple times...


I get this popup every two minutes.

I ran malwarebytes, GMER Rootkit Scanner, atf cleaner.  No malware found.

doktornotor

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #23 on: March 27, 2011, 09:56:19 AM »
This is happening to me as well.  I tried posting this earlier but got an error saying my image attachment was too big.  Sorry if this posts multiple times...

1/ Disable proxy autoconfiguration in all your browsers. Do the alerts go away?

2/ Does the following sound familiar to you - like, is it your ISP?

Quote

# gwhois 68.178.232.99
Process query: '68.178.232.99'
Query recognized as IPv4.
Querying whois.arin.net:43 with whois.

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=68.178.232.99?showDetails=true&showARIN=false
#

NetRange:       68.178.128.0 - 68.178.255.255
CIDR:           68.178.128.0/17
OriginAS:
NetName:        GO-DADDY-SOFTWARE-INC
NetHandle:      NET-68-178-128-0-1
Parent:         NET-68-0-0-0-0
NetType:        Direct Allocation
RegDate:        2005-04-12
Updated:        2007-06-14
Ref:            http://whois.arin.net/rest/net/NET-68-178-128-0-1

OrgName:        GoDaddy.com, Inc.
OrgId:          GODAD
Address:        14455 N Hayden Road
Address:        Suite 226
City:           Scottsdale
StateProv:      AZ
PostalCode:     85260
Country:        US
RegDate:        2007-06-01
Updated:        2009-09-16
Comment:        Please send abuse complaints to abuse@godaddy.com
Ref:            http://whois.arin.net/rest/org/GODAD

3/ If not, who is your ISP?

4/ Also please run the following in command prompt and post the output here:

Code:
nslookup wpad
« Last Edit: March 27, 2011, 09:58:11 AM by doktornotor »

scrapple

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #24 on: March 27, 2011, 05:53:25 PM »
1) Yes, changing away from automatic proxy detection seems to have solved the problem.  Thanks!  Now I have to figure out how that got turned on between two days ago and yesterday.  I didn't install anything, could that be a sign of some other problem?

2) I used to use godaddy as the host for my web and ftp sites last year, but switched to a new host about 10 months ago.  The computer I'm using is only 2 months old and has never interacted with godaddy in any way.

3) Comcast is my isp

4) Server:  UnKnown
Address:  192.168.2.1

Non-authoritative answer:
Name:    wpad.<my employer>.org
Address:  68.178.232.99

This is my personal laptop but I asked the IT dept to put this laptop on the company domain a few weeks ago?  Could that be causing this?  If so, is it strange that it only started happening yesterday?

Thanks so much for your help!

doktornotor

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #25 on: March 27, 2011, 06:14:53 PM »
3) Comcast is my isp

Well, then your proxy obviously shouldn't point to GoDaddy. So is your employer using them (see below)?

4) Server:  UnKnown
Address:  192.168.2.1

Is the above router yours? Did your IT dept. configure it?

Non-authoritative answer:
Name:    wpad.<my employer>.org
Address:  68.178.232.99

This is my personal laptop but I asked the IT dept to put this laptop on the company domain a few weeks ago?  Could that be causing this?  If so, is it strange that it only started happening yesterday?

Are you actually connecting at work when you have this problem? The above points to a parked webpage at GoDaddy, not really to a proxy at all. (At least for me.)

Quote
# nslookup 68.178.232.99
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
99.232.178.68.in-addr.arpa      name = parkwebwin-v02.prod.mesa1.secureserver.net.

Authoritative answers can be found from:
232.178.68.in-addr.arpa nameserver = CNS3.secureserver.net.
232.178.68.in-addr.arpa nameserver = CNS1.secureserver.net.
232.178.68.in-addr.arpa nameserver = CNS2.secureserver.net.

# nslookup 68.178.232.99 CNS1.secureserver.net.
Server:         CNS1.secureserver.net.
Address:        208.109.255.100#53

99.232.178.68.in-addr.arpa      name = parkwebwin-v02.prod.mesa1.secureserver.net.

Also, attach the OTS log here.
« Last Edit: March 27, 2011, 06:18:13 PM by doktornotor »

doktornotor

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #26 on: March 27, 2011, 07:18:03 PM »
Well, whatever. What is going on is basically that:

- you have DHCP enabled
- your browser searches for proxy configuration via proxy autodiscovery; doing that, it queries the wpad hostname for the configuration file location. The file is - per RFC - called wpad.dat
- the domain name your IT added your machine to is appended to the lookup, so that you get a wpad.<my employer>.org query
- your employer has a wildcard DNS record that points to the GoDaddy webhosting (mkay, wildcard records are bad...  :P)
- the webhosting for whatever reason happily serves the same parking index page no matter what you try to GET - instead of a proper 404 Not Found ::)

Quote
# wget http://68.178.232.99/dfdfsdfsdfewretretretre
--2011-03-27 19:14:33--  http://68.178.232.99/dfdfsdfsdfewretretretre
Connecting to 68.178.232.99:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24363 (24K) [text/html]
Saving to: dfdfsdfsdfewretretretre

100%[==============================>] 24,363      41.1K/s   in 0.6s

2011-03-27 19:14:34 (41.1 KB/s) - dfdfsdfsdfewretretretre

- avast! dislikes that page for whatever reason. Beyond the advert links, I do not see anything suspicious in the source of the parking page.

Outta here. Someone might want to look at the source of the page. If it is clean, report as false positive. I do not think there is any infection on your machine. I also think that GoDaddy sucks.
« Last Edit: March 27, 2011, 07:22:32 PM by doktornotor »
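
The chain described in the post above (domain suffix appended to wpad, wildcard DNS answering for it, host returning 200 for any path) can be checked mechanically. The following is an added example, not part of the original post: the function names, the probe label and the placeholder domain employer.example are assumptions, and the resolver and fetcher are passed in so the constructed sample data runs offline.

```python
import re

def wpad_candidates(dns_suffix):
    """Names a client may query: wpad.<suffix>, then each parent domain."""
    labels = dns_suffix.strip(".").split(".")
    # Stop before the bare TLD; real clients differ in how far they walk up.
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels) - 1)]

def looks_like_pac(content_type, body):
    """A PAC file defines FindProxyForURL; a parking page is plain HTML."""
    text = body.decode("utf-8", "replace")
    is_html = "text/html" in content_type.lower() or re.search(r"<html", text, re.I)
    has_entry = re.search(r"function\s+FindProxyForURL\s*\(", text)
    return bool(has_entry) and not is_html

def audit_wpad(dns_suffix, resolve, fetch, probe_label="zz-no-such-host-7f3a"):
    """resolve(name) -> IP or None; fetch(url) -> (status, content_type, body)."""
    findings = []
    for name in wpad_candidates(dns_suffix):
        ip = resolve(name)
        if ip is None:
            continue  # no answer for this candidate, nothing to audit
        domain = name.split(".", 1)[1]
        # A label nobody would create resolving to the same IP means the
        # wpad answer comes from a wildcard record, not a deliberate entry.
        wildcard = resolve(f"{probe_label}.{domain}") == ip
        status, ctype, body = fetch(f"http://{name}/wpad.dat")
        pac = status == 200 and looks_like_pac(ctype, body)
        if pac:
            verdict = "PAC served; confirm this host is the intended config server"
        elif wildcard:
            verdict = "wildcard DNS answers for wpad; host serves no PAC"
        else:
            verdict = "wpad resolves but serves no PAC"
        findings.append({"name": name, "ip": ip, "wildcard": wildcard,
                         "pac": pac, "verdict": verdict})
    return findings

# Constructed sample data modelled on the thread: every name under the
# placeholder domain resolves to the parking host, which answers 200 + HTML.
def sample_resolve(name):
    return "68.178.232.99" if name.endswith(".employer.example") else None

def sample_fetch(url):
    return 200, "text/html", b"<html><body>parked domain</body></html>"

if __name__ == "__main__":
    for finding in audit_wpad("corp.employer.example", sample_resolve, sample_fetch):
        print(finding)
```

To run it against a live network, pass a resolver built on `socket.gethostbyname` and a fetcher built on `urllib.request` in place of the sample functions.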

scrapple

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #27 on: March 28, 2011, 05:02:00 AM »
Rats, disabling auto detect proxy settings didn't solve the problem.  I'm still getting the message.  It's not happening as often, but I just got the message as I was using my browser at evenue.net, confirming the purchase of some soccer tickets.

3) Comcast is my isp

Well, then your proxy obviously shouldn't point to GoDaddy. So is your employer using them (see below)?

As far as I know, my employer does not use godaddy.com for their ISP.  This is happening to me at home rather than at work.

4) Server:  UnKnown
Address:  192.168.2.1

Is the above router yours? Did your IT dept. configure it?

Yes, my home router.  Same one I've been using for 1.5 years, no recent changes to configuration.


Non-authoritative answer:
Name:    wpad.<my employer>.org
Address:  68.178.232.99

This is my personal laptop but I asked the IT dept to put this laptop on the company domain a few weeks ago?  Could that be causing this?  If so, is it strange that it only started happening yesterday?

Are you actually connecting at work when you have this problem? The above points to a parked webpage at GoDaddy, not really to a proxy at all. (At least for me.)

No, I was at home when this started happening.



Quote
# nslookup 68.178.232.99
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
99.232.178.68.in-addr.arpa      name = parkwebwin-v02.prod.mesa1.secureserver.net.

Authoritative answers can be found from:
232.178.68.in-addr.arpa nameserver = CNS3.secureserver.net.
232.178.68.in-addr.arpa nameserver = CNS1.secureserver.net.
232.178.68.in-addr.arpa nameserver = CNS2.secureserver.net.

# nslookup 68.178.232.99 CNS1.secureserver.net.
Server:         CNS1.secureserver.net.
Address:        208.109.255.100#53

99.232.178.68.in-addr.arpa      name = parkwebwin-v02.prod.mesa1.secureserver.net.

Also, attach the OTS log here.

Will do

scrapple

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #28 on: March 28, 2011, 05:04:44 AM »

- avast! dislikes that page for whatever reason. Beyond the advert links, I do not see anything suspicious in the source of the parking page.

Outta here. Someone might want to look at the source of the page. If it is clean, report as false positive. I do not think there is any infection on your machine. I also think that GoDaddy sucks.

Ok, just confirming, it's safe for me to ignore that message when it pops up?

doktornotor

  • Guest
Re: "Malicious URL Blocked" keeps popping up
« Reply #29 on: March 28, 2011, 08:30:10 AM »
As said, attach the OTS log here.

As for your employer, they should really scratch the wildcard DNS record or at minimum point it somewhere else than the GoDaddy hosting. It appears rather dangerous in combination when morons like GoDaddy are involved who serve their landing page no matter what you ask for. Just imagine the page had something like this: http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ and your AV missed it.

Meanwhile, edit C:\windows\system32\drivers\etc\hosts (Notepad, right-click and select "Run as Administrator") and stick the following there:

Code:
127.0.0.1 wpad
127.0.0.1 wpad.<my_employer>.org
::1 wpad
::1 wpad.<my_employer>.org

Note: this will break proxy autodiscovery for you when connecting at work.
« Last Edit: March 28, 2011, 08:45:00 AM by doktornotor »