Avast A/V reporting Google and Bing as malicious URLs
-
Yes, this may not be the most appropriate forum, but the folks here seem to be better informed than most.
This morning, Avast A/V started popping up Malicious URL alerts for most of the major search engines. This did not happen yesterday and no software has been installed recently. This behavior was seen with FF 14 and IE 9 on Google, Bing, and Yahoo. With Google, the alerts only appear when searching; with the other two, they appear when simply visiting the site. The alerts do not appear for other sites, such as CNN, SevenForums, etc. The alerts seem to point to 25.masterppcadvertising.com.
I looked at the page source for the Google and Bing home pages. Both had a significant amount of JavaScript code - I suspect it relates to the search completion feature. I saw this same code on another computer (also with Avast, but not behaving in the same manner as this computer).
I ran a full Malwarebytes scan and it found nothing. I emptied my browser cache, but that did not help. One site I found suggested removing and reinstalling Avast, but I cannot imagine how that would help.
Please offer some suggestions. This issue is quite disruptive.
Thank you.
Update: I disabled all of my FF extensions and plugins, and the problem went away. I then re-enabled all of the ones that are normally active, and again, no problem. Not at all sure what the heck is going on...
Last edited by Brink; 25 Jul 2012 at 13:18.
Reason: merged
-
-
I would change to MSE as we've pretty much stopped recommending Avast over the past year here and now all I see are MSE recommendations. Use Malwarebytes for on-demand scanning.
-
The alerts seem to point to 25.masterppcadvertising.com.
The IP address points to 85.17.132.33 {Netherlands Haarlem Leaseweb B.v.}
Looks like "pay-per-click advertising".
Let's flush the DNS cache and restore MS's Hosts file.
Copy and paste these lines into Notepad:
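@Echo on
REM Replace the hosts file with a single localhost entry
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack
netsh winsock reset all
netsh int ip reset all
REM Schedule a reboot in 1 second and delete this batch file
shutdown -r -t 1
del %0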
Save as flush.bat to your desktop.
Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.
Next, download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
You should be (hopefully) free of any re-directions and/or reports of 'malicious' URLs.
Please let us know :)
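
Because the batch file above replaces the hosts file outright, it is worth recording what was in it first. The following PowerShell sketch is an added example, not part of the original post: the function name Get-HostsOverride, the watch list and the sample entries are assumptions made up for illustration.

```powershell
# Added example: list active hosts-file entries (everything except
# localhost) and flag any that remap one of the search engines in the thread.
function Get-HostsOverride {
    param(
        [string[]]$Lines,
        # Assumption: the sites named in the thread; extend as needed.
        [string[]]$Watch = @('google.com', 'bing.com', 'yahoo.com')
    )
    foreach ($raw in $Lines) {
        # Drop comments, then split on whitespace: address, name [name ...]
        $text = ($raw -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $name = $name.ToLower()
            if ($name -eq 'localhost') { continue }
            $hit = $false
            foreach ($w in $Watch) {
                # Match the domain itself or any subdomain of it
                if ($name -eq $w -or $name.EndsWith(".$w")) { $hit = $true }
            }
            New-Object PSObject -Property @{
                Address = $addr; Name = $name; SearchEngine = $hit
            }
        }
    }
}

# Constructed sample input; 203.0.113.7 is a documentation address.
$sample = @(
    '# Copyright (c) Microsoft Corp.',
    '127.0.0.1       localhost',
    '203.0.113.7     www.google.com google.com   # constructed entry',
    '0.0.0.0         ads.example.net'
)
Get-HostsOverride -Lines $sample |
    Format-Table Address, Name, SearchEngine -AutoSize

# On the affected machine, audit the real file instead:
# Get-HostsOverride -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

An empty result means the hosts file is not the source of the redirect, which points the investigation toward the browser and its add-ons.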
-
-
The problem I have been fighting sounds identical to the one described in this thread.
I followed Jacee's plan and it did not stop the pop-up warnings. (Mine, incidentally, were directed to a different site.)
BUT, GRosten gave me an idea with his disabling add-ons and extensions in Firefox. I disabled them all and the issue went away. I restarted them one by one and the one causing my problem was "Mozilla Safe Browsing 2.0.14". Tested it 3 times. It was updated 7/14/12, which is just about the time the problem started.
This forum solved three problems I had today so I want to contribute what little I can. Hope it helps!
-
Good info, thanks for reporting back.
I'd uninstall and reinstall Firefox then guard my Add-Ons list.
I never let any browser have an Add-On unless I've confirmed it's required for a function I want and need.
-
All,
Sorry for the missed replies. I think that hroush9037 may be on to something. The problem seems to re-occur after rebooting, which seems to coincide with the "Mozilla Safe Browsing" being re-enabled (but not by me).
-
-
My web shield isn't reporting any issues, and I have Chrome here. The only issue I have with Avast! at the moment is that each time it updates the virus definitions and does its pop-up alert, it plays the sound notification twice in a row (or however many times it takes) until the pop-up does appear.
-
Try MSE to see the difference.
-
Same Problem
The same problem happened to me but with a different advertising re-direct script that Avast said was coming from the Firefox browser I was using. I clicked the link on the alert that took me to Avast's advertising page that wanted me to upgrade to their virus scanner that costs money, but the page didn't explain the trojan. So instead of Avast getting rid of the trojan, it acted like a firewall and just said it was from Firefox and left me to figure it out. After deleting toolbar folders that I didn't need, nothing resolved, and I still kept getting alert pop-ups from Avast that my browser was hijacking me. So I went into Firefox's safe mode that turned off all the add-ons, and that stopped the pop-up alerts. Then I went one by one disabling each add-on in Firefox and found that Avast stopped alerting me when I turned off the add-on Mozilla Safe Search.
This is just a thought, but that got me to wonder why no other virus scanners, like Malwarebytes, Spybot, Sophos, Combofix, etc. picked it up. So it's possible that because Avast has its own "Safe Search" app called "avast! WebRep" that could be loading its own list of clients into Google searches, which is the trade-off for getting Avast free, and needed the user of their software to disable Mozilla Safe Search because it was interfering with Avast "avast-WebRep." So Avast might be putting in a false trojan script to get you to disable any web shields you might be using.