Here's a weird one - avast site links

I found using my PC that I cannot connect to any Avast! site links that have ‘Avast’ in the html, i.e. www.avast.com, etc. BUT - I can connect to any that have www.asw.cz in them!

How weird is that!

I can get: http://www.asw.cz/eng/skins.html
but can’t get: http://files.avast.com/files/eng/avast!-user-manual-home-edition.pdf
or: http://files.avast.com/files/skins/avist_by_szcraftec.aswcs

In fact, I could not get to this forum because the link is: http://forum.avast.com/.

I’m here now because I am using a PC I just built to try out the PUBLIC release of Windows 7, when it is officially released by Microsoft.

What could cause that do you think ???

Not weird, your HOSTS file might have been hijacked. This is a common trick to stop you getting help to remove malware and there may well be other security sites blocked.

HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

If you can get to avast.com using this link http://75.125.223.2/ it is likely that the HOSTS file or possibly DNS has been hijacked. This is one of the IP addresses, so it is much harder to block IP addresses than domain names.
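The HOSTS check suggested above can be scripted. The following is an added example, not part of the original thread: it parses HOSTS file text and flags any active (uncommented) entry for a security-vendor domain. The watchlist is an assumption built from domains named in this thread, and the sample file is constructed.

```python
import ipaddress

# Assumed watchlist: security-vendor domains mentioned in this thread.
WATCHLIST = ("avast.com", "asw.cz", "bitdefender.com", "grisoft.com",
             "malwarebytes.org", "drweb.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # '#' starts a comment
        if len(fields) < 2:
            continue  # blank, comment-only, or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: skip the line
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname, watchlist=WATCHLIST):
    """True for a watched domain or any subdomain (not look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)

def find_hijacks(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, ip, kind) for each static vendor mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watchlist):
            sinkhole = ip.is_loopback or ip.is_unspecified
            kind = "blackholed" if sinkhole else "redirected"
            findings.append((line_no, name, str(ip), kind))
    return findings

# Constructed sample: a tampered HOSTS file (203.0.113.7 is a documentation IP).
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
#127.0.0.1 update.bitdefender.com
127.0.0.1  www.avast.com forum.avast.com   # added by malware
0.0.0.0    files.avast.com
203.0.113.7 www.malwarebytes.org
127.0.0.1  notavast.com
"""

if __name__ == "__main__":
    for line_no, name, ip, kind in find_hijacks(SAMPLE):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

A clean result only rules out the HOSTS file; name resolution can also be tampered with elsewhere, so a follow-up malware scan is still needed.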

Thanks, I found the HOSTS file, and here it is below. It does not appear to block Avast… Also downloaded def. file on this PC and USB thumbed it to the problem PC, and installed it that way. It found 2 problems that are in the vault at present.

Now that Grisoft AVG 8 anti-virus Free version has BECOME a virus I tried out several AV programs before finding Avast!

In the vault…

av.dat
C:\Windows|System32
Win32:Lighty-B [Cryp]

boot.com
C:\resycled
Win32:Fabot [trj]

==================
HOSTS

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
#127.0.0.1 update.bitdefender.com

Ensure that you have fully removed AVG from your system, first using add remove programs and reboot.

AVG Remover, download tool from here, http://www.grisoft.com/ww.download-tools there is a 32bit and 64 bit windows version, ensure you use the correct one. Run it and reboot.

Since I downloaded the 18 MB update for the latest download of the program I downloaded and transferred it to my Avast.com problem PC, the auto update has started working - ONE PROBLEM SOLVED.

Windows Firewall → allow Avast was always selected.

So, the downloaded huge update file seems to have fixed AUTO UPDATES. :stuck_out_tongue: Don’t ask … ???


But, anything with ‘Avast’ in the name still won’t show. Blank browser page below is Avast forum - home page is blank also, I’m here now with the other PC.


http://img255.imageshack.us/img255/579/avastforumnoshowxy1.jpg



I’m thinking I may have got hit with this, in between changing anti-virus programs. :cry: (Had to remove AVG as it kept looping and popping up a notice that every file was infected, incl. AVG.) Even though I am using Vista SP1.

Antispyware 2008 XP a.k.a. Antispyware2008XP or AntispywareXP2008, is a vicious rogue anti-spyware program which is known to be installed undetected at times from a Trojan infection such as Vundo or Zlob. Antispyware 2008 XP was found to target Italian speaking areas of the world but can be installed on any computer that is connected to the internet.
http://forum.avast.com/index.php?topic=38157.0

Turning off auto backups may have helped… Plus now I’ve run every well known anti-spyware program. That Zlob sounds familiar in removal.

PS. I just downloaded that AVG removal tool and ran it … thanks.
Still no Avast site pages though…

Well this could be some other form of DNS attack/redirect.

You didn’t mention those anti-spyware apps you had used so here are a few;
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
  3. RogueRemover, available here http://www.malwarebytes.org/rogueremover.php
  4. DrWeb CureIt! ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe (Free) Fairly effective against file infectors, Virut, more so when used in safe mode.

Thanks. I’m going to download what you listed now. I’m really weighted down now. ;D

Been using - up until the attack

Vista Windows Defender
Microsoft Malicious Software Removal Tool

antivirus and Windows Firewall.

Then added Avast! - from download site not avast.com which I am unable to get.

and the usual suspect…

AdAware
Spybot Search & Destroy
RootkitRevealer
Spyware Blaster
Hijack this

I’m pretty sure it came from a tiny ‘popup’ that I could not kill, with Task Manager or Autoruns and clicking OK to remove of course launched the ‘get antispyware program’ or something that was closed immediately - but the damage must have been done! :cry:

I cleared all browser caches, ran CCleaner with unticked ‘leave temp files 48 hrs’, ran reg cleaners and download all antivirus software and ran, etc. Then after I turned off auto backup so nothing was replaced on reboot. (Probably should have run a system restore!!!)

Think I have got rid of it (or most of it) just the puzzling ‘cannot access any avast.com name sites’.

I was using Firefox 3.0.3 (the latest) at the time also.

OK catch you tomorrow (UK time), it is now 1a.m. and I’m about to call it a night.

Well thank you very much DavidR, you fixed my problem! :slight_smile: :slight_smile: :slight_smile: :slight_smile: :slight_smile:

Those programs you recommended are great. The one that caught the crap was Malwarebytes.

Now I am logged into the Avast forum with my main PC, the one that could not get any Avast sites. Not only that, but when I installed the 3 programs (+ one other you listed - maybe DOS) I found I could not update the def. files. Even though I added them manually to Windows Firewall.

So, I scanned with what I downloaded and Malwarebytes still picked up the crap - after rebooting I was able to update all the programs - and connect to the Avast site and forum. The direct dns link worked by the way, I can’t remember it, something like http:/123.456.78.987 - probably because it did not have avast in the name. So this crap must be blocking anti-virus & anti-malware sites.

Here’s an image below …


http://img47.imageshack.us/img47/841/malwarefoundmalwarebyteva6.jpg



These nasties kill any chance to get to the Avast site!

:frowning:

You’re welcome.

Yes this is a common tactic by malware to stop you getting to the sites to get help in removing their c*** so it isn’t just avast’s site that would be blocked. This used to be done by hacking the hosts file, but that is so easy to detect and remove that they have improved how they intercept security site domain requests.

Malwarebytes is one of the leading anti-malware programs and is a fine companion for avast. I do a weekly update, followed by a scan with MBAM as part of my regular weekly system maintenance.

I take it that having selected all those in your image you clicked the remove Selected button and they are now history.

I take it that having selected all those in your image you clicked the remove Selected button and they are now history.

I did! ;D Thanks again… 8)

You’re welcome, another happy customer ;D

Yes indeed. Only one more thing to do! ;D

For some unfathomable reason, the Avast! forum requires that you make 20 posts before you can have an avatar and change settings like getting rid of your e-mail display … ???

Now I was finished at 19 … :cry:

SO THIS MAKES 20 ;D 8) ;D 8)

I don’t know about the other two things you mention, but the 20 posts is part of the anti spamming. This came about by a spam attack on forum members via PMs.

So, if you make 20 posts you don’t get spammed in your PM ???

I guess it all makes sense if you know how the train works ;D

Usually, spammers use auto sign-up for an account and then auto post message…
:stuck_out_tongue:


The 20 posts is so that new forum members can not spam through the use of personal messages. Spammers usually will not post 20 times so that they can spam other users by using PMs … especially if it is automated posting. The same would be true for an avatar that might be “in bad taste.”

You can see your email and so can the moderators but the rest of us do not see your email. Click the image below to enlarge it and see what we see.


'Gday from up top.

I guess it all makes sense if you know how the train works
It makes sense to me.

The mind of the spammer is more akin to a criminal than the general populace that believe in Thou Shalt Not Steal

No it means those that haven’t got 20 posts, can’t use the PM function to spam any forum members.

The same for denied access to the Profile settings stops signature link spamming, the practice of promoting objectionable, commercial, sites, etc.

There are measures to stop bots signing up (Captcha) but it doesn’t stop drive by sign ups (or very smart bots) to the forums to try and use these methods and that is a measure to stop that, unfortunately it hits the legitimate forum member until they have 20 posts and are no longer a Newbie but a Jr Member.

Right. Yes I see, sort of.

I got the extra PM icon. Below is what I see.

What you see that is extra is the email icon and that is only visible to you as you have rightly chosen not to display your email address.