Should I worry?

Hello,
today as I started browsing, Avast informed me that it blocked a threat from a URL. It happened 3 times and I got worried, so I scanned all files with Avast and then I downloaded Malwarebytes and scanned with it too. MBAM found 1 problem but it was from an old installer that was long gone from my system and I’ve never had problems like that since. But I deleted it, restarted and re-scanned again and there were no problems found. So I left my room for a while and when I returned I saw that Avast’s network shield had analyzed ~600 pages and 1 was blocked.
One of the first messages I received was like the one I attached as an image. It’s in Bulgarian unfortunately (I changed to English later) but it says that my network shield has blocked a URL, then “maps.gstatic” is the object, URL:MAL is the threat and the last one is the process, which in this case is my browser, but in other messages the process was rocketdock.exe.

Hi krisyotow,

Aren’t we lucky, we have a Bulgarian qualified removal expert in our midst. I asked him to come to this thread. Wait for his suggestions.
In the meantime read: https://groups.google.com/forum/#!topic/google-maps-js-api-v3/mmlugLgmSFo

polonus

Thanks, and should I meanwhile follow the steps from “Logs to assist in cleaning malware” and attach logs from OTL and aswMBR and maybe some other program? :slight_smile:

I am from Serbia ;D

Monitoring.

Ok, here are my logs. I don’t know why but OTL only created an OTL.txt file and no extras.txt ???
And the log from MBAM is from my first and only full scan when it found 1 threat and, as it says in Bulgarian in the last line, the file was deleted.
I also included a screenshot from my Avast network shield for you to see the last threat it blocked while aswMBR was scanning.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double-click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



skipfix-iedefaults;
firefoxlook;
chromelook; 


[*] Click on the Run Script button (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png).
Please wait until a log report opens (this can be after reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Here are the TDSSKiller and zoek logs

Re-run zoek with this script and attach here fresh zoek log results.

emptyclsid;
jfmjfhklogoienhpfnppmbcbjfjnkonkl;chr 
emptyalltemp;
autoclean;

How is your computer running now?

My computer has been running perfectly normally all day. Everything runs normally - internet, programs, etc… The only problem is Avast blocking a URL every now and then.
After I re-ran zoek it asked for a reboot, and after the reboot it opened the new log file and again - everything is normal from what I’ve seen so far. Avast updated its virus database as I’m writing this and for now nothing has been blocked, but those blockings have been very random so far.
Anyway, here is the new log file.

Edit: Nope, again a threat has been detected.

System is clean; I do not see any threat.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

It’s good that the system is clean but what should I do with those messages now? Should I report them as false positives or?
The last blocked URL was “www.gstatic.com/chrome/crlset/1057/crl-set-delta-1055-10461250089676518279.crx.data” and I checked it at VirusTotal. The result was “clean site”.

Not sure if you need that last log but I’m attaching it just in case.

Just a moment, I’ll be back.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

[*] Double-click to run it. When the tool opens click Yes to the disclaimer.
[*] Press the Scan button.
[*] It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
[*] The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Attached files Addition.txt and FRST.txt

Your system does not have active malware.

Edit:

Download and re-run zoek with this script and attach here fresh zoek log results.

emptyalltemp;
emptyclsid;
autoclean;
resethosts;
FFdefaults;
chrdefaults; 
ipconfig /flushdns >> %temp%\log.txt;b

I ran it and after reboot my Chrome was set to default, but then I accidentally clicked on my YouTube bookmark and Avast again alerted me about a URL being blocked. :o
And something I found out before applying the new zoek script is that when I go into my Avast network shield, then click show traffic history and from the statistics page I open my reports for the last 30 days, my browser loads the Avast page with my info for those 30 days but the antivirus again informs me of a threat being detected and blocked. It blocks something like 4-5 links, all from gstatic.com.
I’m happy that the system is clean but those alerts are confusing me. ???

I will continue tomorrow.

Sorry to bump into your thread, but I’m having exactly the same issues as you. I have two machines - the one has Java, the other one, which is the one that I’m typing from right now, does not. This one is running Win 7 SP1, the other one is running Win XP SP2. All of the alerts come from gstatic.com and happen pretty randomly when accessing sites - sometimes the site loads normally, sometimes Avast blocks 3 or 4 URLs all containing gstatic.com. Even opening the “show traffic history” in Avast itself triggers blocks from Avast - when the browser starts to load the two maps in that page. Both computers are clean. I ran some of the programs listed in this thread also and they showed nothing suspicious. This whole problem is really confusing for me :slight_smile:

Yup, exactly the same problem! It has something to do with this gstatic.com but what is it idk. Hopefully argus will help us solve it tomorrow! :slight_smile:

btw Avast alarmed me when I visited YouTube, because my adblock widget was off, hence it loaded ads connected to this gstatic and Avast blocked them. As I activated adblock, the ads were gone and Avast didn’t say anything on YouTube.

Hey,
today it seems the problem has gone. Avast hasn’t blocked anything since I started my computer, which was about 3-4 hours ago. Since then I visited my Avast report page, on opening which yesterday Avast blocked gstatic.com URLs. The two maps on it also work properly and I can click them again without Avast blocking anything. I suppose there was a problem with the virus definitions of some sort from yesterday, as I saw many other users having the same problem in this forum. I saw that my virus definitions have updated to ver. 130622-1 with release date 22.6.2013 20:14:20 and I think that solved the problem. I re-ran Avast and MBAM; both didn’t find any problem.
So again thanks for the assistance! :slight_smile:
If there is any other info you want me to provide you, feel free to ask, as I’ll keep an eye on the forum in the next days to see what the other users with this problem will say.