Topic: URL:Mal http://www.google.com


ennosphere

  • Guest
URL:Mal http://www.google.com
« on: April 03, 2012, 05:48:26 PM »
We are looking into an issue where avast seems to be blocking Google.com and Bing.com in Firefox, Chrome, and Internet Explorer. Websites using Google Analytics are also being blocked.

Any assistance with this issue would be appreciated.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: URL:Mal http://www.google.com
« Reply #1 on: April 03, 2012, 06:02:13 PM »
Hello,
try ping or wget for google.com and post the IP address, please.

Milos

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: URL:Mal http://www.google.com
« Reply #2 on: April 03, 2012, 06:06:50 PM »
This may be some sort of DNS redirection/hack as I can connect to google.com without problem. See image (click to expand) which shows a number of IP addresses for google.com.

If you use the ping command from a command window/prompt (from the Windows Key+R and type cmd to open a command window), what IP address is returned (see image2 example)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #3 on: April 03, 2012, 07:29:35 PM »
http://www.networksolutions.com/whois/results.jsp?ip=87.125.87.99

Google seems to have changed its name and moved to the Netherlands.

We've also run all of the programs in the log thread and are able to provide any which may be helpful.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: URL:Mal http://www.google.com
« Reply #4 on: April 03, 2012, 08:04:16 PM »
Well it does look like there is something going on with your DNS server (may have been hacked or DNS Poisoning). The whois link you posted isn't conclusive as it doesn't resolve, all that is showing is the region of the Registrar who allocates IPs for the region.

I managed to get it resolved, and it is a company in the UK: 87.125.87.99 = Fubra Limited (not google.com), and going to that IP address results in an avast alert.

Quote
Fubra Limited develops websites which provide useful information and advice to help people in the UK to save money and find better information more quickly. The company was founded in 2000 and is based in Aldershot, United Kingdom.

Though going to fubra.com doesn't set off avast, as it has a slightly different IP, 87.124.84.210. So I'm not sure what is going on with whoever provides the DNS server (usually the ISP) that you use. Another possibility is that your HOSTS file could have been modified to redirect google.com to that IP (check c:\windows\HOSTS using notepad and see if there are any entries for google.com).

Hopefully Milos will get back to the topic.

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #5 on: April 03, 2012, 09:21:20 PM »
The primary DNS server for this computer is a local domain server which forwards to Time Warner. I did start seeing a recurring error on the server where it looked like the Time Warner servers were resolving URLs to themselves. There was a DNS record that ended up as a static forward lookup that I'd never seen before with the hostname "win-9i9oeknr4p2" and the same IP as the local DNS server, which didn't make much sense.

The hosts file appears to be intact.

Another weird thing about this issue is that none of the other computers on the domain are experiencing any of the same issues as this one, and they all use the same DNS settings and all have avast installed and up to date.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: URL:Mal http://www.google.com
« Reply #6 on: April 03, 2012, 10:02:08 PM »
It is weird that the other computers don't exhibit the same issues when using the same DNS.

You could try using a specific DNS server like using OpenDNS, http://www.opendns.com/

kubecj

  • Guest
Re: URL:Mal http://www.google.com
« Reply #7 on: April 04, 2012, 01:44:02 AM »
This is a redirect IP used by Simda malware. There is a DNS hijack or some redirector running on the machine in question. I'm pretty sure that none of the computers around are resolving google to point to that IP. Also bing.com or yahoo.com are supposed to resolve to strange IPs.
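A defender-side check for the two hijack mechanisms raised in this thread (DavidR's HOSTS-file override and kubecj's resolver returning one foreign address for google.com, bing.com and yahoo.com), written here as an added Python example that is not from any forum participant. The resolvers are injected callables so it runs offline on constructed data; every address other than 87.125.87.99 is a made-up placeholder.

```python
# Names this thread saw redirected; a DNS hijack typically points search and
# analytics domains at one attacker-chosen address.
WATCHED = {"google.com", "www.google.com", "bing.com", "yahoo.com",
           "www.google-analytics.com"}

def hosts_overrides(hosts_text, watched=WATCHED):
    """Return {hostname: ip} for watched names that a HOSTS file pins to an address."""
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched:
                found[name.lower()] = ip
    return found

def resolver_mismatches(domains, local, reference):
    """Flag names whose local answer shares no IP with an independent resolver.
    local/reference: callables hostname -> list of IPs. A poisoned resolver or a
    HOSTS override gives a disjoint set; CDN rotation usually still overlaps."""
    suspicious = {}
    for name in domains:
        mine, theirs = set(local(name)), set(reference(name))
        if mine and mine.isdisjoint(theirs):
            suspicious[name] = sorted(mine)
    return suspicious

def shared_sink(answers):
    """IPs that two or more unrelated names all resolve to (a redirect sink)."""
    owners = {}
    for name, ips in answers.items():
        for ip in ips:
            owners.setdefault(ip, set()).add(name)
    return sorted(ip for ip, names in owners.items() if len(names) >= 2)

# Constructed sample inputs; only 87.125.87.99 comes from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
87.125.87.99    www.google.com google.com   # injected override
"""
LOCAL_ANSWERS = {"google.com": ["87.125.87.99"], "bing.com": ["87.125.87.99"],
                 "yahoo.com": ["87.125.87.99"], "example.org": ["203.0.113.10"]}
REFERENCE_ANSWERS = {"google.com": ["198.51.100.1", "198.51.100.2"],
                     "bing.com": ["198.51.100.3"], "yahoo.com": ["198.51.100.4"],
                     "example.org": ["203.0.113.10"]}
local_resolve = lambda name: LOCAL_ANSWERS.get(name, [])
reference_resolve = lambda name: REFERENCE_ANSWERS.get(name, [])
```

On a real host you would replace the two lambdas with lookups against the machine's configured resolver and an independent one (such as the OpenDNS service suggested later in the thread), and feed the actual HOSTS file contents to hosts_overrides.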

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: URL:Mal http://www.google.com
« Reply #8 on: April 04, 2012, 02:17:52 AM »
@ ennosphere
Given what kubecj said this needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #9 on: April 04, 2012, 08:19:46 AM »
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
toconnor :: TOCONNOR [administrator]

4/3/2012 11:09:55 AM
mbam-log-2012-04-03 (11-09-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260158
Time elapsed: 11 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: URL:Mal http://www.google.com
« Reply #10 on: April 04, 2012, 08:29:45 AM »
Essexboy is notified... he is usually in here late UK time ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #11 on: April 04, 2012, 08:35:27 PM »
Not happy with the aswMBR reported locked file. Also, do you get the redirect in all browsers?

I see that at some stage you used Combofix; if it is still on your desktop, delete it please.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - Reg Error: Value error. File not found
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - Reg Error: Value error. File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

    :Files
    ipconfig /flushdns /c

    :Commands
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #12 on: April 06, 2012, 05:39:19 AM »
The redirect does happen in all browsers.

New logs are attached.

Avast is now blocking these same sites, but with the process as C:\ComboFix\CF16539.EXE instead of Firefox.exe or other browser executable.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #13 on: April 06, 2012, 11:30:43 AM »
Hmm, this may be something different.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
C:\Documents and Settings\administrator.CHEMISPHEREINC.000\Local Settings\Application Data\WavXMapDrive.bat
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Rexaar

  • Guest
Re: URL:Mal http://www.google.com
« Reply #14 on: April 06, 2012, 10:43:40 PM »
Hello, I'm also having the same problem.
Recently the computer was infected with the 2012 Internet Security malware, and I have manually removed it and used the avast antivirus boot scan.
Now on most websites I visit, Avast reports that google-analytics was blocked from being accessed.

Using another computer to post this, since the verification image doesn't appear on the infected computer, as it is from Google apparently.