t2.gstatic.com = False Positive or Not???

ok seriously, this alert is beginning to piss me off now. >:(

ever since I updated my Avast 6 with the latest major update, every time I go to google image search anything, THIS starts popping up like crazy when I’m scrolling down:

http://img854.imageshack.us/img854/1715/falsepositive.png

It’s always either t1.gstatic.com, t2.gstatic.com, or t3.gstatic.com.
but IT ALWAYS picks up the same thing! and it’s not like it’s even BLOCKING IMAGES to begin with! it’s just a random alert that pops up whenever I’m Google Imaging things.

But at the same time: There are ABSOLUTELY NO SYMPTOMS of infection on my PC.
No Corrupted Files, No Wallpaper Changes, No Random Promptings of Rogue Security Programs, No Blocking of Internet Access, NONE OF THAT! ???
Nothing is wrong with it at all, and I scan my PC on a weekly basis with not just Avast 6, but also with SUPERantispyware Free Edition, Malwarebytes Anti-Malware, Trend Micro HijackThis and Kaspersky TDS Killer. I make sure my PC is SPOTLESS, since I’ve had to deal with MBR Rootkits MULTIPLE TIMES in the past… :stuck_out_tongue:

Nothing BIG is detected on ANY OF THEM tho! and nothing seems to be the matter with my PC at all aside from THIS.

Since this ONLY JUST started happening after the latest Avast update with me, I am 99% Sure that this has GOT 2 BE some kind of False Positive going on here, since Google Images uses that website all the time to load many image results without a problem.

So is it possible that this alert is a false positive? cuz based on nothing being wrong with my PC at all, that’s definitely what it seems like from my point of view here…

OR

Is it possible that I MISSED A SPOT and this is actually a Hidden Rootkit’s doing that can’t do anything due to my insane level of protection but is still somewhat being detected??

I need you to open a command line and run this command from the command line:

nslookup t1.gstatic.com

and then cut’n’paste the results for me - and three times, for t1, t2, t3.

Also check the hosts file for any records regarding this.
It’s usually in c:\windows\system32\drivers\etc

Third thing is to check which DNS servers you use.
Run cmdline again, with this command:
ipconfig /all

and then cut’n’paste your dns servers.

I suspect you’ll have there 188.229.88.7 or 188.229.88.8.

Urlvoid reported them all as clean, but I’m not really sure why avast would do that…

Because I suspect there is some kind of DNS hijack and avast is (by chance, not by design) reporting it. It’s a local problem of a user, not a problem of the sites.
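A script that automates the three checks kubecj asked for (DNS servers from `ipconfig /all`, hosts-file records, the suspect resolvers) is added here as an example; it is not code from the thread. The 188.229.88.7/.8 addresses come from kubecj’s post above; the sample ipconfig fragment, hosts lines and the 203.0.113.5 address are constructed for the demo.

```python
import re
# Resolver addresses named in the thread as the tell-tale sign of a DNS hijack.
SUSPECT_DNS = {"188.229.88.7", "188.229.88.8"}
# Names the alerts concerned; a hosts-file entry for any of them is also a sign.
WATCHED = ("gstatic.com", "google.com")

def dns_servers_from_ipconfig(text):
    """Collect every 'DNS Servers' value from `ipconfig /all` output; extra
    servers appear on continuation lines holding only a bare address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        c = re.match(r"\s+([0-9A-Fa-f.:%]+)\s*$", line) if collecting else None
        if c:
            servers.append(c.group(1))
        else:
            collecting = False
    return servers

def hosts_overrides(hosts_text, watched=WATCHED):
    """Return (ip, name) pairs from a hosts file that pin a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        for name in fields[1:]:
            n = name.lower()
            if any(n == w or n.endswith("." + w) for w in watched):
                hits.append((fields[0], n))
    return hits

def assess(ipconfig_text, hosts_text):
    """Combine both checks into the verdict kubecj's steps reach by hand."""
    servers = dns_servers_from_ipconfig(ipconfig_text)
    bad = sorted(s for s in servers if s in SUSPECT_DNS)
    pinned = hosts_overrides(hosts_text)
    return {"dns_servers": servers, "suspect_dns": bad,
            "hosts_overrides": pinned, "hijack_suspected": bool(bad or pinned)}

# Constructed sample of a hijacked machine (not the poster's real output): two
# rogue resolvers, the second on an ipconfig continuation line, plus a pinned host.
BAD_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 188.229.88.7
                                       188.229.88.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
BAD_HOSTS = "127.0.0.1 localhost\n# comment\n203.0.113.5 t2.gstatic.com www.google.com\n"
```

Run `assess(open(r"C:\Windows\System32\drivers\etc\hosts").read())` together with saved `ipconfig /all` output to apply it to a real machine; a clean box like the poster’s returns an empty `suspect_dns` and `hosts_overrides`.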

Results for nslookup on the 3 gstatic websites:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup t1.gstatic.com
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: t1.gstatic.com
Addresses: 74.125.226.179
74.125.226.177
74.125.226.178
74.125.226.176
74.125.226.180

C:\Windows\system32>nslookup t2.gstatic.com
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: t2.gstatic.com
Addresses: 74.125.226.180
74.125.226.177
74.125.226.179
74.125.226.178
74.125.226.176

C:\Windows\system32>nslookup t3.gstatic.com
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: t3.gstatic.com
Addresses: 74.125.226.178
74.125.226.179
74.125.226.176
74.125.226.177
74.125.226.180


IPCONFIG Results:

C:\Windows\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : G-Machine
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-22-15-A3-CE-72
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1586:fdb5:e482:f9fb%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, August 02, 2011 3:50:22 PM
Lease Expires . . . . . . . . . . : Wednesday, August 03, 2011 3:50:22 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 301998613
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-FD-0C-9D-00-22-15-A3-DF-E3

DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-22-15-A3-DF-E3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hamachi Network Interface
Physical Address. . . . . . . . . : 7A-79-63-A2-41-CE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 5.175.192.218(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Lease Obtained. . . . . . . . . . : Tuesday, August 02, 2011 3:50:21 PM
Lease Expires . . . . . . . . . . : Wednesday, August 01, 2012 3:52:28 PM
Default Gateway . . . . . . . . . : 5.0.0.1
DHCP Server . . . . . . . . . . . : 5.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0988A8B5-A33D-4B5A-A8E1-8C6F9D4F2831}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{006E1A2B-1547-4FA2-AA8D-1C8AEC0BE0DF}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3c19:35cb:ba8c:7b20(Preferred)
Link-local IPv6 Address . . . . . : fe80::3c19:35cb:ba8c:7b20%14(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{FB806E3F-9F5D-41F8-8426-C8AE6606E8A1}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5af:c0da::5af:c0da(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Windows\system32>

I see what you mean…but I thought adding it there for extra information~

I mean, I do notice the infection listed as “URL:MAL”, and after looking around on the Avast Support Forums, that type of Malware is usually associated with a Rootkit.
But usually URL:MAL has symptoms of infection that go with it, does it not??
It’s true that Alureon is associated with a URL:MAL Infection in some cases, but if it’s not even affecting anything on my PC at all, are you sure it’s REALLY AN INFECTION or is it just a false positive??

@kubecj

I gave you the info you requested.
So what’s the diagnosis from your point of view??

My diagnosis is that it should work for you now without a glitch 8) (i.e. our FP)

CONFIRMED!!! ;D
No more annoying alerts!!

Thanks a bunch for sorting this out, you guys! :wink:
AVAST 4 LIFE!!! 8)

APOLOGY FOR DOUBLE POST, but…
apparently I spoke too soon :slight_smile:

http://img4.imageshack.us/img4/3728/damnit.png

NOW, whenever I google image search, I’m now also getting alerts about t0.gstatic.com.
That one wasn’t popping up before. Last time, it was only t1, t2, and t3.

This all started happening right after my Avast updated its virus definitions when I started up my PC about 20 minutes ago.

Any suggestions???

Unbelievable…
please nslookup www.google.com for me again :-/

RESULTS:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup www.google.com
Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.226.178
74.125.226.180
74.125.226.177
74.125.226.176
74.125.226.179
Aliases: www.google.com

C:\Windows\system32>

But wait! It gets even BETTER now! Cuz now I KNOW it’s not just me!
My MOM’S PC, which ALSO has Avast, was freaking out as well over Google and ALSO YOUTUBE, which still pointed to a link from Google! So now, I’m not the only one seeing this.

I wonder how many others got this problem too…

UPDATE:

I am NOW also getting reports from MY FRIENDS TOO that Avast is going nuts with Google and Google Images with them as well.

UPDATE #2:

Oh, this is just great!
Now YOUTUBE is being affected… :slight_smile:
Probably due to the fact that Youtube is owned by Google.

Maybe essexboy should take a look at our situation and see what’s REALLY HAPPENING.
If this is happening on EVERYBODY I KNOW’S PCs, then it can’t ALL BE MALWARE.
But maybe a 2nd opinion would be in order here…