How did I still get infected?

Using Avast 5 Free, all shields on. Surfing a site and I get a "threat detected" pop-up from Avast. Now thinking that everything is OK, as normally if a threat is detected it blocks it. 1 min later I see a pop-up for some rogue antivirus; a pop-up on screen starts scanning and there is a new shield in the systray.

I use rkill.exe to kill all known malware … then update and scan with Malwarebytes Anti-Malware, and it found 5 and removed them all. Restarted the PC, internet not working. Connected, IP fine, cannot ping etc… Found that a proxy server was added to the browser (Google Chrome and IE 8). Removed that, now all is fine again.

Can someone tell me what the hell happened? Why didn't Avast stop this even though it looked like it did?!? Here is a screenshot of the web shield and reports from Avast, rkill and Malwarebytes.

rkill.log

Processes terminated by Rkill or while it was running:

C:\Users\Name\AppData\Local\lavndtteh\mnvgievtssd.exe
C:\Users\Name\Documents\rkill.exe
C:\Windows\SysWOW64\conime.exe

Rkill completed on 09/04/2010 at 11:26:40.

avast webshield.txt

  • Started on: Friday, April 09, 2010 6:52:51 AM

09/04/2010 11:23:22 AM hxxp://gravlon.com/b/pdf/all.pdf|>{gzip} [L] JS:Pdfka-AAP [Expl] (0)
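As an added example, not part of the original post or of any of the tools mentioned in it: the "proxy server added to the browser" symptom above is worth checking with a script rather than by eye. IE 8 and Chrome on Windows both read the per-user WinINET proxy settings, so a single registry change under HKCU affects both browsers at once. The script below reports those values and, with `-Fix`, clears them. That the hijack lived in this key (ProxyEnable/ProxyServer or an AutoConfigURL) and the loopback heuristic are the script's own assumptions; the post only says a proxy was added.

```powershell
# Added example, not from the original post or from Avast/rkill/Malwarebytes.
# Reports (and with -Fix clears) the per-user WinINET proxy settings that both
# IE 8 and Chrome on Windows read. Assumption: the hijack described in the
# post set ProxyEnable/ProxyServer or an AutoConfigURL under this key.
[CmdletBinding()]
param(
    [switch]$Fix    # clear the values instead of only reporting them
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s   = Get-ItemProperty -Path $key

$findings = @()
if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    $findings += "ProxyEnable=1 ProxyServer='$($s.ProxyServer)'"
    # Heuristic: a loopback proxy is the classic rogue-AV pattern, where
    # traffic is routed through a port the malware process itself listens on.
    if ($s.ProxyServer -match '(127\.0\.0\.1|localhost)') {
        $findings += "  -> proxy points at loopback; find the listening process with: netstat -ano"
    }
}
if ($s.AutoConfigURL) {
    $findings += "AutoConfigURL='$($s.AutoConfigURL)' (a PAC script can silently redirect traffic)"
}

if ($findings.Count -eq 0) {
    Write-Output "No explicit proxy configured under $key"
    return
}

Write-Output "Proxy settings found under ${key}:"
$findings | ForEach-Object { Write-Output "  $_" }

if ($Fix) {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Write-Output "Cleared. Close and reopen IE/Chrome so they re-read the settings."
}
```

Run it without arguments first to see what is set; a proxy you did not configure, especially one pointing at 127.0.0.1 on an odd port, is the sign to look for. Only then run it with `-Fix`, and restart the browsers so they pick up the cleared values.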

You should edit / make the link you posted non-clickable (hxxp instead of http) as this is live malware.

VirusTotal 5/39 - all.pdf
http://www.virustotal.com/analisis/d50c08cc9fb9e51cd14d379ba15e8e8d73bc47f5737d0d55cabeb9b73305fe33-1270828009

I did just click. “Connection Aborted” :slight_smile:

OK, I edited the post, sorry. So any idea why this happened?

ArminPasalic, how did you get "Connection Aborted"? Do you use Avast Free? Are there some settings I need to change other than its defaults for the web shield perhaps?

Sounds like Avast screwed up. No AV is perfect unfortunately. :frowning: On the bright side, I just attempted to load the all.pdf file and Avast instantly blocked it. I am currently using the trial version of Pro, but I do not know if this would make any difference. My settings are currently at default.

Personally I recommend that you run Immunet in addition to Avast. Immunet can be found here: http://www.immunet.com/ . It’s designed to work nicely with popular AV solutions, such as Avast. Immunet uses cloud-based virus definitions rather than storing that data on your PC, although it does have a small local definition file in case something takes out your 'net access. This approach allows it to have terabytes of data on tens of millions of malware. The catch is that you need an always-on net connection for it to work. It doesn’t upload every file, but I forget how it works exactly. I just care that it works.

You may also want to consider Threatfire http://www.threatfire.com/ , which is specifically designed to be complementary to more powerful AV like Avast, so it’s easy on resources too, though probably not as much so as Immunet.

@newtoavast: I assume ArminPasalic! meant that (s)he clicked on “Abort connection” on the Avast! Warning popup (in v4.8, but you’re using v5, so maybe it is different ?).

I found this thread when trying to discover whatever I could about gravlon.com because I had a popup warning from Avast! 4.8 Free regarding the exact same file (hxxp://gravlon.com/b/pdf/all.pdf{gzip}). As far as I can tell so far, I didn’t get infected by anything, and the suspicious file is not in my Google Chrome browser cache which I assume is because Avast! blocked it.

However, what is odd about my situation is that the Avast warning popped up overnight while I was not actively browsing at all. :o ??? I did leave my Google Chrome browser open, but with only 3 open tabs: one was the 1.FM Blues station recently played history (hxxp://www.1.fm/station/Blues/History.aspx), one was a “Session Buddy” extension for Google Chrome (to save/restore sessions), and one, ironically, was an Avast! forum page (hxxp://forum.avast.com/index.php?action=post;board=2.0) in which I had begun to compose another post to the Avast! forum (not yet submitted). AFAIK, only the first tab was actively interacting with the internet in any way. [… but I often leave numerous tabs in more than one browser (including the 1.FM page) open 24/7, and have never before had an Avast! warning triggered except when I am actively browsing.]

So basically my browser was sitting there passively overnight when the Avast! warning popped up. (Per the time stamp in the Avast! Warning.log, it occurred about an hour before I sat back down at my computer late this morning.)

The only thing I can figure is that the hxxp://gravlon.com/b/pdf/all.pdf{gzip} file was accessed in one of the several flash ads that run constantly in the 1FM side panels, but I’m wondering if anyone else knows some other way this could happen. ??? ???

NewToaster, I can show you a clip of what settings I have on Avast! Free. ^^ Don’t worry, just give your email and I'll send it over. I will not spam you. :slight_smile:

I meant “newtoavast”. Sorry man. xD

OK, sent you an email to the one in your profile.

Just a quick note here.

I have been setting all of my browsers to disable any built in PDF handling capability. This forces the browser to prompt me (open or save) whenever a PDF file is encountered rather than automatically opening it.

Of course, if you are in a business where you are frequently needing to view PDF in your browser, this might not be an option for you.

Adobe is having trouble finding a balance between function and security. For example: hxxp://isc.sans.org/diary.html?storyid=8599

McAfee released a threat prediction for 2010 hxxp://www.mcafee.com/us/local_content/white_papers/7985rpt_labs_threat_predict_1209_v2.pdf (I know, PDF, arf!) where they claim that Adobe products will exceed MS-Office apps as an attack vector.

Which browser did you use?

I was using Google Chrome when it happened.

Strange, since Chrome is sandboxing everything - did you eventually turn sandboxing off?

Don't know sandboxing … I'm using Avast Free edition, isn't that in the Pro version?

No, I’m not talking about the Avast sandboxing feature. :wink:
Google Chrome is usually sandboxing by default, but if you don’t know about it you wouldn’t have disabled it after all, I guess…!??

edit: link added — http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html

Yeah, I didn’t disable it in Google Chrome, no idea how to. And here I am reading how secure Google Chrome is and this happened. Never an issue with IE! Yet it gets trashed by everyone ???

Maybe Chrome isn’t that good, after all… ???
I read about problems in other forums but that’s second-hand information; I never tried it, as I’m more than happy with Firefox. :wink: If sandboxing is needed I use Sandboxie. Sorry, that won’t help you much, but you could search the net to see if others have similar problems. Maybe there are exploits for Google Chrome, which can somehow be fixed.
asyn