Google blocked, exceptions ignored

Hello,
I have used Avast Free for a few years, and recommend it to all of my friends and family.
Today it started to block Google (Infektion: URL:Mal), and even to register here I had to disable the real-time Web Shield for a minute, as the captcha Avast uses is from Google’s services :wink:
The same problem occurs with Google, Firefox and Internet Explorer.

Program and database are updated to the recent version.
Putting http://*.google.com/ (and https) into the exclusion list did not solve the problem either.
Using the fixed subdomain http://www.google.com/* did not work either.
Re-installing Avast did not solve it either.

Please help! :slight_smile:
Thank you.

-Marcus

Could you attach a screenshot of the Avast warning?

Monitoring

Hello,
thank you for your quick reply!

I attached a screenshot of one of the popups (when loading the captcha of this forum) and, in the background, the detail info from Avast’s website.
This is only an example; it will block any www.google.com URL (mail.google.com is not affected, for some reason).

//EDIT
Sorry for the double attachment. Corrected, and added the screenshot of the exclude-list entries.

Hi again,
I now used the uninstall utility in safe mode (XP), as mentioned in another thread, and re-installed it once again, but the problem remains.

I checked the hosts text file to make sure Google is not being redirected, but that’s not causing the issue either.
I thought this might be the cause, as only http*://www.google.* and http*://google.* are being blocked, while encrypted/mail/maps/.google.* and 209.85.148.94 work without problems.
Sure, I could use a different search engine, but as many forums and websites use resources from Google (ads, captchas, authentication…) I get an error on every other website.

Heck, Avast even alerts on google.com/favicon.ico?
I see no alternative but to switch to different virus protection if the problem persists. Any more ideas? I give up.

-Marcus

Avast is telling you that you have a problem; changing AVs will not make the problem go away. It just may not be evident anymore.

Download OTL to your Desktop

[*] Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*] Select All Users
[*] Under the Custom Scan box, paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
%systemdrive%\$Recycle.Bin|@;true;true;true
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*] When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs.

Thank you for the advice!
Here are the text files.
I edited three lines where email addresses were shown in the filenames and removed a couple of lines that showed images I created/edited. I had to upload the files across two posts, as the file upload limit caused problems.

4 per post, maximum total size 192KB, maximum individual size 200KB
:slight_smile:

Could you let me know if this is across all browsers or just one?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-2538481707-3083153203-1291856630-1007\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2737658
[2010.03.08 07:38:08 | 000,102,896 | ---- | M] ( ) -- C:\Programme\mozilla firefox\plugins\nplyinux.dll
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No CLSID value found.

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered, and reboot the PC when it is done.
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thank you for your quick reply!
The problem occurs with Google, Firefox and Internet Explorer (see first post).

I understand the ipconfig /flushdns, but what does the rest do (at :OTL)?

Looks as if he is removing some toolbar crap.

Never hurts :slight_smile: As I use Opera, I never checked if and what toolbars are installed for IE or Firefox.

OK, once that has run let me know if you still have the problem.

Sorry for the delay, I’ve been sick.

The fix did not solve the problem.
I included the OTL.txt that opened after the reboot, as well as a Quick Scan log after that.

Before I proceed I would like a quick look at the MBR.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.

[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until the Prescan has finished…
[*] Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

Just a quick question: what does the MBR have to do with Avast ignoring the exception list and blocking just Google? Couldn’t it be some setting/configuration problem after all?

I never used RogueKiller; what info do you need?
I also tried to reset the DNS and hosts.

Log

RogueKiller V8.0.4 [09/19/2012] durch Tigzy
mail: tigzyRK<at>gmail<dot>com
Kommentare: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Betriebssystem: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Gestartet in : Normal Modus
Benutzer : Muk [Admin Rechte]
Funktion : Repariert Hosts-Datei -- Datum : 09/19/2012 20:42:13

¤¤¤ Böswillige Prozesse : 2 ¤¤¤

¤¤¤ Registry-Einträge : 0 ¤¤¤

¤¤¤ Treiber : [GELADEN] ¤¤¤

¤¤¤ Infektion :  ¤¤¤

¤¤¤ Hosts-Datei: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ Zurückgesetzt Hosts-Datei: ¤¤¤
127.0.0.1	localhost

Abgeschlossen : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Terminated 2 x c:\windows\notepad.exe …

MBR

¤¤¤ MBR überprüfen: ¤¤¤

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 57c0b583ab24ac6e6898d4de5df0f1d8
[BSP] f321c63d5e6d9e38e7d5808515224b65 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 73790 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 151123455 | Size: 73782 Mo
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 302230845 | Size: 5004 Mo
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 312480315 | Size: 47 Mo
User = LL1 ... OK!
User = LL2 ... OK!

The hidden partition is the XP restore partition of the netbook.

I need to check out areas where malware resides to rule that out as a cause.

Could you remove the exceptions from Avast, then try all browsers and let me know which ones alert?

I removed all exceptions, even though it seems to have no effect anyway, and the alerts occur with all browsers I have installed (IE, FF, O…), as mentioned before.

The alert is still from the Network Shield (not the Web Shield, so I suppose that explains why it ignores the exceptions), and is on anything from http*://www.google.*, sometimes a URL, sometimes the favicon…

Network Shield would tend to suggest it is something on your computer as opposed to an external element…

All I have to do now is determine where

Firstly I would like to try and see if it is something within the browser. We can check that out by using Safe Mode in Firefox, as that is the quickest and easiest way.

Details here http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Then try a Google search… do you still get the alert?

Thanks, I tried in FF Safe Mode, but the problem remains.
As it is in all browsers (and none of them uses a proxy setting atm) I think it’s not something from within the browser.

I just tried to ping Google using cmd: time out, no alert. It times out even when all shields are temporarily disabled.
Pinging mail.google.com works though.
google.com resolves to 87.125.87.103…

A quick search (via encrypted google :slight_smile: ) brought up http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Simda.F

Yikes. Backdoor:Win32/Simda?

In HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce I can’t find anything, though.
There are two exes in %appdata%; neither Avast nor Malwarebytes finds anything in them. They don’t show up in the registry, nor in any other registry or autostart location (msconfig…). The only one I can’t make any sense of is svtrev.exe, but it could be renamed.

A little confusing is that there’s no evidence of a changed hosts file either.

Changing DNS to 8.8.8.8 for a moment brings the same result, so no router issue.
Odd, nothing changes even when using the RogueKiller hosts/DNS fix option. Just localhost/127.0.0.1 in the hosts file anyway. Its location is still %SystemRoot%\System32\drivers\etc; I checked HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath.

Odd.
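The last post checks the hosts file and the DataBasePath registry value by hand. One detail in the RogueKiller log above is worth automating: the hosts-file dump starts with the characters "ÿþ1", which is what the bytes FF FE (a UTF-16 little-endian byte-order mark) followed by "1" and a NUL look like when a tool reads the file as ANSI and stops at the first NUL. A hosts file saved as UTF-16 therefore appears empty or harmless to a naive reader. The script below is an added example, not something posted in this thread or shipped by Avast or RogueKiller: it decodes a hosts file by its BOM, parses the entries, and flags any watched domain that is mapped somewhere other than loopback. The watch list, the sample file contents and the 203.0.113.x address are constructed for the example; the DataBasePath lookup uses the real registry value named in the post and simply returns None on non-Windows systems.

```python
"""Hosts-file tamper check (added example, not from the forum thread)."""
import ipaddress

# Constructed watch list: domains whose silent redirection would matter.
WATCHLIST = ("google.com", "avast.com", "microsoft.com", "windowsupdate.com")


def decode_hosts(data: bytes) -> str:
    """Decode raw hosts-file bytes, honouring a UTF-16/UTF-8 BOM if present."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        # The BOM selects the endianness and is stripped by the codec.
        return data.decode("utf-16")
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    # Windows writes hosts as ANSI; latin-1 never raises on arbitrary bytes.
    return data.decode("latin-1")


def parse_hosts(data: bytes):
    """Return a list of (ip_address, [hostnames]); comments and blanks are skipped."""
    entries = []
    for raw in decode_hosts(data).splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(data: bytes):
    """Watched hostnames mapped to anything except loopback, as (host, ip) pairs."""
    found = []
    for ip, names in parse_hosts(data):
        if ip.is_loopback:
            continue
        for name in names:
            if is_watched(name):
                found.append((name, str(ip)))
    return found


def hosts_database_path():
    """Read Tcpip\\Parameters\\DataBasePath (the value checked in the post).

    Returns the directory the resolver reads the hosts file from, or None
    when not running on Windows. An attacker-controlled path here would make
    the file under %SystemRoot%\\System32\\drivers\\etc irrelevant.
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
    finally:
        winreg.CloseKey(key)
    return value


# Constructed samples; not the contents of the poster's real file.
CLEAN_HOSTS = b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n127.0.0.1\tlocalhost\r\n"
REDIRECTED_HOSTS = (
    "# constructed UTF-16 hosts file with a redirect hidden below\r\n"
    "127.0.0.1 localhost\r\n"
    "203.0.113.5 www.google.com google.com\r\n"
    "::1 localhost\r\n"
).encode("utf-16")  # the codec prepends the byte-order mark


if __name__ == "__main__":
    print("clean file:", suspicious_entries(CLEAN_HOSTS))
    print("utf-16 file:", suspicious_entries(REDIRECTED_HOSTS))
    print("DataBasePath:", hosts_database_path())
```

On a real machine you would pass `open(path, "rb").read()` of the file under the directory returned by `hosts_database_path()` rather than the constructed samples; reading as bytes is the point, since a text-mode open with the default ANSI code page would reproduce exactly the "ÿþ1" truncation seen in the log.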