I've been searching for some explanations why Avast is blocking my access to google (docs, calendar, maps, web, etc.) for a couple of days now. It just started two days ago and since then every time I try to access google pages it sends a pop-up message telling me that the google site is trying to download malware (www.google.com/searcher.jar\inicio.class), which sounds strange since no website at all has published any report on problems with google so far (I've attached a file with a print screen of the message sent by avast).
When I scan my computer with avast and spyware terminator it can't find any virus. Could anybody here tell me what is going on? Is this a problem with the avast web shield? I ain't no geek but I would appreciate some help now. I've lost precious time and can't afford to be in this situation any longer.
Sorry to disappoint you but a) avast doesn’t block but scans and alerts to infection, b) avast isn’t a firewall. You should modify your link so that it isn’t active: change the www to wxw.
So your problem is outside of avast; if that searcher.jar is trying to download malware then avast can’t do anything about that. The last part of the URL, the \inicio.class, is a JAVA element and not actually a page.
Are you sure that you are actually at google.com and not a site designed to look like google?
The web page google.com/searcher.jar is shown as not existing (page 404 error), although strictly it isn’t a web page (so I wouldn’t expect to be able to access it) but a JAVA file which would be called from another process.
What exactly were you doing when this happened, e.g. what pages are you trying to access and from where are you trying to access them?
You won’t find anything on your system as the detection was by the Web Shield and only gives the option to abort the connection, this stops the file being downloaded to your system.
Answering you: either using safari or IE, when I type in www.google.com in the address bar, this happens. I do understand that this might be caused by another process (I can ‘hear’ my computer performing differently when I press go), but I can’t detect what is causing it. Now that I have blocked the download, as proposed by avast, I can’t access any google-related page (e.g., youtube - see attached file 2).
Do you know if google is using any java applet on its web page? It is really strange…
Unfortunately the avast warning just confirms what we already know, it is intercepted by the web shield and the URL is the one given.
I don’t see the relevance of the second youtube image?
How were you trying to access youtube (it isn’t really google related): via a link, google, etc.? How?
This is just saying that the site can’t be found, and there is no alert like the one you get in google.
I don’t use Safari and I avoid IE like the plague, so I can’t test anything on that side; have you tried to access it using firefox?
I use firefox as my default browser and access to google.com with no problems. I have even tried accessing google.com with IE spit for you and again I access it with no alerts or problems.
So I don’t really understand what is going on with your system, but it would be worth running some other tools.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
David,
The image from youtube is to show that, after blocking the download of the malware, any site associated with google is “blocked” (I get that page from my browser), including youtube.
But in the last hours I’ve been running the programs you have suggested, and attached is the log file I got from malwarebytes. SUPERAntiSpyware generated no log file that I could find.
But so far it’s not working. I keep getting the same message again.
Well, from the MBAM log, Vundo could be responsible for things like this but there is no way to be certain. You should by now have rebooted (if not, do so) as MBAM needs to do that to remove the vundo file.
In the SAS main screen click Preferences, then there is a Tab called Statistics/Logs (see image), check the options to keep a detailed log and the Save Empty/Clean logs.
I can’t recall if these options are enabled by default or not. If they are then there will be a window showing all the Scanner logs. Select a log and click View log, you can copy and paste the log.
Have you tried firefox?
HiJackThis (program & tutorial; also useful as a diagnostic tool): FileHippo download - HiJackThis. Post the contents of the HJT log file here. HJT information: HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.
Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br
HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br\www
HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br\www#http
Adware.Tracking Cookie
Here is the first part of the HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:58, on 3/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Antivirus\Avast\aswUpdSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\ARQUIV~1\SPYWAR~1\sp_rsser.exe
C:\Arquivos de programas\Antivirus\Avast\ashMaiSv.exe
C:\Arquivos de programas\Antivirus\Avast\ashWebSv.exe
C:\Arquivos de programas\Apoint\Apoint.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Arquivos de programas\Dell\QuickSet\quickset.exe
C:\Arquivos de programas\Apoint\Apntex.exe
C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe
C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe
C:\Arquivos de programas\AirPort\APAgent.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Digital Line Detect\DLG.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\Spyware_highjackthis\HJT202\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g1.globo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgstb.dll
O4 - HKLM..\Run: [Apoint] C:\Arquivos de programas\Apoint\Apoint.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM..\Run: [IntelWireless] C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Dell QuickSet] C:\Arquivos de programas\Dell\QuickSet\quickset.exe
O4 - HKLM..\Run: [DVDLauncher] "C:\Arquivos de Programas\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM..\Run: [UpdateManager] "C:\Arquivos de programas\Arquivos comuns\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [avast!] C:\ARQUIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [ISUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM..\Run: [VoipSkype] "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVO Touch-1 USB Phone.exe"
O4 - HKLM..\Run: [VoipSkypeVolCtrl] "C:\Arquivos de programas\IPEVO USB Phone\Touch-1\IPEVOUSBPhoneVolCtrl.exe"
O4 - HKLM..\Run: [AirPort Base Station Agent] "C:\Arquivos de programas\AirPort\APAgent.exe"
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\Spyware_superantispyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
StartupList report, 3/10/2008, 09:38:27
StartupList version: 1.52.2
Started from : C:\Arquivos de programas\Spyware_highjackthis\HJT202\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
Using default options
==================================================
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar]
Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
End of report, 9.863 bytes
Report generated in 0,078 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Browser Hijacker.Internet Explorer Zone Hijack
HKU\S-1-5-21-2965474531-2246540-2294081685-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ticketsforfun.com.br
Did you manage to get rid of it through HijackThis?
General cleaning procedures are:
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM (which you’ve already done) or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
First, the SAS log: if you allowed it to get rid of the ticketsforfun.com.br entry (you probably did, as there is no reference to it in your HJT log), some of those types of site also generate adware based on your browsing activity. Though I don’t know if this would be causing the issues with google.
Also, the location in the registry for this is probably a BHO (Browser Helper Object). As for your question about firefox not being vulnerable to this type of attack: it doesn’t use BHOs nor ActiveX.
The tracking cookies are a minor privacy issue but not a security one; I would recommend that you a) don’t allow third party cookies (those not for the site you are browsing) and b) periodically clear out your cookies.
Have you used G-Buster Browser Defense previously, or did you remove it? If so, FIX these entries in HJT, as according to this the files are missing:
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
Remnants of Norton ???
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
So did you try to remove Norton SystemWorks (and AV, etc.)?
If so, these elements are reported as firewall components and the files are missing, so effectively you don’t have a firewall.
So what are you using for a firewall (XP firewall, etc.)?
Your JAVA version is out of date, which can leave you vulnerable.
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Thank you very much indeed once again. It seems that the problem is gone. I’ve followed your instructions and Tech’s and there are no more alerts from avast when accessing google.
Regarding your question about a firewall, I’m using the windows xp firewall (which now I think is the same as no firewall at all). Do you have any recommendation about a freeware firewall?
Sorry, I can’t give a specific recommendation for a firewall that I don’t use, and mine, Outpost Firewall Pro 2009, is a paid-for option.
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
Unfortunately the relief lasted little, i.e., the problem returned after a few google searches and browsing youtube. I did everything all over again and haven’t found anything this time. Even using firefox the problem remains.
The interesting thing is that I’m accessing google directly through an IP address I found on yahoo (64.233.169.147) and it doesn’t download the malware.
Therefore, I have no clue what may be causing the problem (I keep getting the same alert from avast! I posted before when accessing www.google.com).
If you don’t suffer this problem when using an IP address then this could be either a DNS redirect or a HOSTS file redirect (but this would not stop and start; it would be on all the time).
HOSTS file redirect (127.0.0.1): check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it isn’t there. http://en.wikipedia.org/wiki/Hosts_file
When you type in a domain name like google.com it has to look up what the IP address is, and to do this it uses a DNS server. It could be that this function is being intercepted, so you could try this service: http://www.opendns.com/.
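As an added example (not from this thread, avast or any of the tools mentioned), a Python script that does the two checks just described: it parses a HOSTS file in the Windows layout and reports any google or youtube name that has been blocked or redirected there, and it compares what a resolver returns for a name with a known-good address. The HOSTS content and the 192.0.2.x/198.51.100.x addresses are constructed test values; 64.233.169.147 is the address the poster reached google through and is assumed here to be a genuine one.

```python
import ipaddress
import re

# Constructed sample HOSTS file, laid out like the Windows one the post
# refers to (C:\WINDOWS\system32\drivers\etc\hosts). The google/youtube
# lines are made up to show what a block or a redirect looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# constructed suspicious entries:
192.0.2.45      www.google.com google.com   # RFC 5737 test address
127.0.0.1       www.youtube.com
0.0.0.0         ad.doubleclick.net
"""

# Domains the thread is concerned with; a hostname equal to one of these or
# ending in ".<domain>" counts as watched.
WATCHED_DOMAINS = ("google.com", "youtube.com")

# Assumed known-good address for google (the IP the poster used directly).
KNOWN_GOOD = {"google.com": {"64.233.169.147"}}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a HOSTS file,
    handling comments, blank lines, tabs and several names on one line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line rather than crash
        for name in fields[1:]:
            yield line_no, str(ip), name.lower().rstrip(".")


def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hosts_redirects(text):
    """Return findings for watched names present in the HOSTS file. A watched
    name should not appear there at all: a loopback/unspecified address means
    the site is being blocked, anything else means it is being sent to a
    server that is not the real one."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return findings


def check_resolution(hostname, resolver, known_good=KNOWN_GOOD):
    """Compare what `resolver` (any callable hostname -> list of IP strings,
    e.g. one built on socket.getaddrinfo) returns with the known-good set.
    Returns (ok, resolved). Google answers from many addresses, so a mismatch
    is a prompt to look closer (DNS server setting, proxy), not proof of a
    redirect."""
    resolved = set(resolver(hostname))
    base = next((d for d in known_good if hostname == d or hostname.endswith("." + d)), None)
    if base is None:
        return True, resolved  # nothing to compare against
    return bool(resolved & known_good[base]), resolved


if __name__ == "__main__":
    for f in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    ok, got = check_resolution("www.google.com", lambda h: ["198.51.100.7"])
    print("www.google.com resolves to a known-good address:", ok, got)
```

To run it against the real file, read C:\WINDOWS\system32\drivers\etc\hosts into `find_hosts_redirects` and pass a `socket.getaddrinfo`-based resolver to `check_resolution`.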
This could well be from your forays into youtube as it is rife with malware the same as facebook and other social web sites.
Please modify the URLs in your last post, changing http to hXXP so links to suspect sites aren’t active and expose people to malware.
The first IP does belong to google, but it will just be used to make it look like the genuine site.
The second IP is com.br, as is the third IP com.br.
So the wrapper is the genuine google but the body/content of the page comes from com.br.