I have been using the Avast! free antivirus for a short while now, and everything has run smoothly. Until now. Every time i try to visit websites like Cnet, engadget, and other tech review websites, Avast says it has “blocked a malicious URL”, then gives me a link to a website that seems to be an ad to upgrade to Avast! internet security suite. All the websites I try to visit have good ratings from WebReb. The only solution I have found is to turn off Network Shield, as that is what’s blocking it, and the “exclusions” list has no effect. My computer is running Windows 7 Enterprise.
EDIT: Problem solved. I had a redirect virus, and Avast! was blocking the sites it redirected me to.
Please post a screenshot, as I’ve no problem reaching e.g. Cnet…
Hmm. It seems to be a random thing, because after I rebooted Avast and the Network Shield, I can now visit websites normally. It looked like a regular Avast virus alert(red window in the bottom right) and it said “Malicious Website Blocked”. Under that it said the IP of the website, the URL, and the process(iexplorer.exe). There was a link in the bottom of the window that said “More Info”, and when I clicked on it, it sent me to a webpage that said something like “That was a close call, but upgrade to Avast! Security Suite now and you won’t have to worry about this again!” then told me all about the savings on the paid version. The More Info link gave me no info on why the site was blocked, just advertisements for the paid version. If it happens again, I’ll take screenshots and post them here, in this thread or a new one.
Ok, please do so.
I’m not sure if these are related, but I just fixed the redirect virus on Internet Explorer. Maybe Avast! was stopping it from redirecting? That’s probably what the problem was.
EDIT: I’m stupid, so I can’t figure out how to take a screenshot, but it came up again. Here’s a link to the page: http://www.avast.com/en-us/lp-security-information-fp?utm_campaign=Virus_alert&utm_source=prg_fav_60_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-champion2&p_vir=al&p_prc=file://C:\Windows\System32\sppobjs32.exe&p_obj=91.217.153.48/bc840551717&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-champion2&p_pro=0&p_vep=6&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=335&p_lng=en&p_lid=en-us&p_elm=7
How did you think you fixed it ?
The link you gave relating to the alert, gives the C:\Windows\System32\sppobjs32.exe file as being responsible for the connection attempt to the malicious site, a domain in the Ukraine, see image.
A google search for sppobjs32.exe (looks like a randomly generated file name) returns zero hits and for something in the system32 folder highly suspicious.
So unless the sppobjs32.exe was dealt with the problem could still be present, so needs further investigation.
Here is an analysis tool that will help to identify the cause:
Note: this says attach the file (to big for copy and paste, use the Additional Options in the Reply window to attach the file (this is also how images are attached to posts).
Here is the file it gave me.
I will contact someone to analyse this and create a fix.
Hi there on completion of this run could you upload the following files to Avast, or if you are not sure how to do that. Could you locate the Zip file within C:_OTS\Moved files and upload to Mediafire and post the sharing link. I will then upload to Avast
C:\ProgramData\api-ms-win-core-debug-l1-1-032.exe C:\Windows\System32\sppobjs32.exe C:\Windows\System32\api-ms-win-core-debug-l1-1-032.dll
On completion could you let me know if the alerts cease
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Processes - Safe List]
YY -> sppobjs32.exe -> C:\Windows\System32\sppobjs32.exe
YY -> api-ms-win-core-debug-l1-1-032.exe -> C:\ProgramData\api-ms-win-core-debug-l1-1-032.exe
[Win32 Services - Safe List]
YY -> (CertPropSvc32) Certificate Propagation [Auto | Running] -> C:\Windows\System32\sppobjs32.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > ->
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 87 07 91 11 73 79 44 48 9D 12 1B 0F A5 40 A6 2E [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > ->
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 87 07 91 11 73 79 44 48 9D 12 1B 0F A5 40 A6 2E [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-418879597-753732764-3325164317-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-418879597-753732764-3325164317-1006\: Main\\"XMLHTTP_UUID_Default" -> 87 07 91 11 73 79 44 48 9D 12 1B 0F A5 40 A6 2E [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-418879597-753732764-3325164317-500\] > ->
YN -> HKEY_USERS\S-1-5-21-418879597-753732764-3325164317-500\: Main\\"XMLHTTP_UUID_Default" -> 87 07 91 11 73 79 44 48 9D 12 1B 0F A5 40 A6 2E [binary data]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {11910787-7973-4844-9D12-1B0FA540A62e} [HKLM] -> C:\Windows\System32\api-ms-win-core-debug-l1-1-032.dll [Reg Error: Value error.]
[Files/Folders - Created Within 30 Days]
NY -> api-ms-win-core-debug-l1-1-032.exe -> C:\ProgramData\api-ms-win-core-debug-l1-1-032.exe
NY -> sppobjs32.exe -> C:\Windows\System32\sppobjs32.exe
NY -> api-ms-win-core-debug-l1-1-032.dll -> C:\Windows\System32\api-ms-win-core-debug-l1-1-032.dll
NY -> .jagex_cache_32 -> C:\.jagex_cache_32
NY -> Portal Prelude 1.1.5 -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Portal Prelude 1.1.5
[Files/Folders - Modified Within 30 Days]
NY -> 2122106182 -> C:\Windows\System32\2122106182
NY -> api-ms-win-core-debug-l1-1-032.dll -> C:\Windows\System32\api-ms-win-core-debug-l1-1-032.dll
NY -> sppobjs32.exe -> C:\Windows\System32\sppobjs32.exe
[Files - No Company Name]
NY -> 2122106182 -> C:\Windows\System32\2122106182
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
My desktop did disappear, including the taskbar. From what you said, this isnt abnormal though. However, Avast! blocked the process as a Trojan Horse and OTS stopped responding. Two questions:
1: How do I get my desktop to reappear?
2: How do I get Avast! to not register the process as a Trojan?
OK easy peasy (ish) ;D
Reboot the computer and all will be back
Set Avast > File Shield > Autosandbox to ask
Rerun the fix and when the sandbox pops up select run normally
1: Thanks, I figured that would work.
2: It’s not registering OTS itself as a Trojan(besides, I already have sandbox on ask). Its registering the Fix script as a Trojan. Any solution for this(advanced settings?).
EDIT: Never mind, when I rebooted to get my desktop back, it ran fine. Didn’t change any settings or anything. Also rebooted at the end of the fix when it prompted. Checking if it worked as I type.
EDIT EDIT: Worked like a charm. Thanks guys That redirect virus was getting annoying.
Redirects gone ?