Avast.com doesn't work

Hi :slight_smile:

How are you?

I can't visit the official website of Avast?

Thx for your help.

Well theoretically you are on the avast.com site, just a sub-domain of it, forum.avast.com.

So you can’t connect to this link, www.avast.com ?

What about this http://174.123.201.114 which is the same but using the IP address ?

Both links are working for me albeit they are loading quite slowly, even for me on dial-up.

Working for me :smiley:

May have to do with your network connection settings

I highly doubt network connections, or it would be likely to affect all sites rather than specific sites, hence my questions above…

Thx :slight_smile:

Works with 174.123…

If it works with the IP address but not the domain name, then there is a possibility that your Hosts file has been modified maliciously.

– HOSTS file redirect, a common malware tactic to block AV sites, making it difficult to remove malware - 127.0.0.1. Check your HOSTS file using Notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if not there.

Once open, you are looking for entries with avast.com on the line; you may well see other AV sites. Post the contents of the hosts file. http://en.wikipedia.org/wiki/Hosts_file

So effectively you are looking for avast.com in the hosts file and probably other security related sites.

I sent C:\WINDOWS\system32\drivers\etc\hosts to VirusTotal… http://www.virustotal.com/analisis/5b7a3494baab5f7d0e6957c020bb4f0f0b992797b43fd4432e1fb3260fc0a2a7-1262621692


http://www4.slikomat.com/09/0104/kig-1-4-20_thumb.png

Have a nice day. :slight_smile:

Looking at the image, I’d say that your hosts file was definitely hacked into.

Every security site is being redirected to your computer, which basically means that all security websites are blocked.

You’ll need to either delete all of the entries in your hosts file manually, except for “127.0.0.1 localhost”, or download a hosts file from the internet (such as the one listed here: http://www.mvps.org/winhelp2002/hosts.htm) and replace your hosts file with it. The benefit of that one is that it blocks bad sites from ever loading on your computer.

There is little point in sending the Hosts file to VirusTotal, as it in itself isn’t the problem; what is the problem is what changed it. So you need to run some other scans, see below.

It has most certainly been got at, so you need to remove all those entries in it as mentioned.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Malwarebytes’ Anti-Malware 1.43
Različica baze: 3492
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/4/2010 8:16:36 PM
mbam-log-2010-01-04 (20-16-25).txt

Tip pregleda: Polni pregled (C:|F:|)
Preverjenih objektov: 204507
Pretečen čas: 1 hour(s), 22 minute(s), 8 second(s)

Okuženih spominskih procesov: 0
Okuženih spominskih modulov: 0
Okuženih ključev registra: 0
Okuženih vrednosti registra: 0
Okuženih vnosov v register: 1
Okuženih map: 0
Okuženih datotek: 1

Okuženih spominskih procesov:
(Ni bilo najdenih zlonamernih objektov)

Okuženih spominskih modulov:
(Ni bilo najdenih zlonamernih objektov)

Okuženih ključev registra:
(Ni bilo najdenih zlonamernih objektov)

Okuženih vrednosti registra:
(Ni bilo najdenih zlonamernih objektov)

Okuženih vnosov v register:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) → Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Juninhoslo\Local Settings\Temp\svchost.exe) Good: (Userinit.exe) → No action taken.

Okuženih map:
(Ni bilo najdenih zlonamernih objektov)

Okuženih datotek:
C:\Documents and Settings\Juninhoslo\My Documents\Prenosi\Haoe2.3_setup.exe.part (Adware.Agent) → No action taken.

Looks like you have a rootkit on your “userinit.exe” file. I’d say remove it with Malwarebytes, but I’d be afraid that your computer won’t let you log on afterwards.

I’d try something like http://www.gmer.net/ and see if it finds anything.

Or, listen for others’ suggestions.

Can I open the Hosts file with Notepad and replace all IPs with 127.0.0.1 localhost?

Have a nice day. :slight_smile:

Make the HOSTS file only one line:
127.0.0.1 localhost

Why did you not let Malwarebytes remove the infection?

Aside from not allowing MBAM to deal with the registry issue, there is a reference to another file not found in the scan by MBAM or avast:
C:\Documents and Settings\Juninhoslo\Local Settings\Temp\svchost.exe

Check if this file is present and if so:

  1. Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

  2. Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and “possible undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

@ scythe944
It isn’t actually on the userinit.exe file; the registry key is effectively redirecting userinit.exe calls to the svchost.exe file in the docs & settings Temp folder. But yes, an anti-rootkit scan wouldn’t be a bad idea.

I didn't find Svchost.exe in C:\Documents and Settings\Juninhoslo\Local Settings\Temp.

I created the folder Suspect on the C drive and sent it to Standard Shield. Do you still recommend a scan with Anti-rootkit? (GMER)
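The Userinit registry value from the MBAM log above, checked programmatically, as an added example that is not part of the original thread: it splits the comma-separated value and reports every entry that is not the stock userinit.exe. The function names are hypothetical, and the expected directory assumes Windows is installed in C:\WINDOWS.

```python
import ntpath

# "Bad" data exactly as reported in the MBAM log in this thread.
LOGGED_VALUE = (r"C:\WINDOWS\SYSTEM32\Userinit.exe,"
                r"C:\Documents and Settings\Juninhoslo\Local Settings\Temp\svchost.exe")

EXPECTED_NAME = "userinit.exe"
EXPECTED_DIR = r"c:\windows\system32"   # assumption: Windows lives in C:\WINDOWS


def split_userinit(value):
    """Winlogon runs each comma-separated program in Userinit at logon."""
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]


def audit_userinit(value, system_dir=EXPECTED_DIR):
    """Return (entry, reason) for every entry that is not the stock userinit.exe."""
    entries = split_userinit(value)
    if not entries:
        return [("", "value is empty")]
    findings = []
    for entry in entries:
        # ntpath gives Windows path semantics on any platform.
        directory, name = ntpath.split(ntpath.normcase(ntpath.normpath(entry)))
        if name != EXPECTED_NAME:
            findings.append((entry, "extra program launched at logon"))
        elif directory and directory != system_dir:
            findings.append((entry, "userinit.exe outside system32"))
    return findings


if __name__ == "__main__":
    try:
        import winreg   # Windows only: read the live value instead of the logged one
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        value = winreg.QueryValueEx(key, "Userinit")[0]
    except ImportError:
        value = LOGGED_VALUE
    for entry, reason in audit_userinit(value):
        print(f"{reason}: {entry}")
```

Any path this reports is the file to locate and submit for analysis, as the post describes for the Temp\svchost.exe entry.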

Right now I can visit Avast.com. :smiley:

Thank you very much for your help and have a nice day.

Creating the folder was really for if you found the suspect svchost.exe file; leave it there for now in case you have need of it in the future.

Yes run the GMER anti-rootkit.

Being able to visit avast.com is only one part of this issue; what we are trying to ensure is that whatever modified it is found.

Must have missed it, thanks!

I did scan with Anti-rootkit and everything was fine.

OK, if you have edited the hosts file, run MBAM and SAS plus GMER and they didn’t find anything else, you may well have dodged a bullet.

Just keep monitoring your system for anything out of the ordinary.