Avast A/V reporting Google and Bing as malicious URLs

GRoston

Member
Power User
VIP
Local time
3:27 AM
Messages
382
Yes, this may not be the most appropriate forum, but the folks here seem to be better informed than most.

This morning, Avast A/V started popping up Malicious URL alerts for most of the major search engines. This did not happen yesterday and no software has been installed recently. This behavior was seen with FF 14 and IE 9 on Google, Bing, and Yahoo. With Google, the alerts only appear when searching, with the other two, they appear when simply visiting the site. The alerts do not appear for other sites, such as CNN, SevenForums, etc. The alerts seem to point to 25.masterppcadvertising.com.

I looked at the page source for the Google and Bing home pages. Both had a significant amount of javascript code - I suspect it relates to the search completion feature. I saw this same code on another computer (also with Avast, but not behaving in the same manner as this computer).

I ran a full malwarebytes scan and it found nothing. I emptied my browser cache, but that did not help. One site I found suggested removing and reinstalling Avast, but I cannot imagine how that would help.

Please offer some suggestions. This issue is quite disruptive.

Thank you.

Update: I disabled all of my FF extensions and plugins, and the problem went away. I then re-enabled all of the ones that are normally active, and again, no problem. Not at all sure what the heck is going on...
 
Last edited by a moderator:

My Computer My Computer

At a glance

Windows 7 x64 ProCore i7 860 @ 3.8 GHz16 GB F3-12800CL7D (DDR3 1600 7-7-7-24)Sapphire Vapor-X 100283VXL Radeon HD 5770
Computer type
PC/Desktop
OS
Windows 7 x64 Pro
CPU
Core i7 860 @ 3.8 GHz
Motherboard
MSI P55-GD80
Memory
16 GB F3-12800CL7D (DDR3 1600 7-7-7-24)
Graphics Card(s)
Sapphire Vapor-X 100283VXL Radeon HD 5770
Monitor(s) Displays
NEC LCD3090WQXi-BK
I would change to MSE as we've pretty much stopped recommending Avast over the past year here and now all I see are MSE recommendations. Use Malwarebytes for on-demand scanning.
 
The alerts seem to point to 25.masterppcadvertising.com.
The IP address points to 85.17.132.33 {Netherlands Haarlem Leaseweb B.v.}
Looks like a "pay-per-click advertising".
Let's flush the DNS cache and restore MS's Hosts file.

Copy and paste these lines in Note pad:

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

You should be (hopefully) free of any re-directions and/or reports of 'malicious' URLs.

Please let us know :)
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
The problem I have been fighting sounds identical to the one described in this thread.
I followed Jacee's plan and it did not stop the pop up warnings. (Mine, incidentally were directed to a different site)
BUT, GRosten gave me an idea with his disabling add on and extensions in Firefox. I disabled them all and the issue went away. I restarted them one by one and the one causing my problem was "Mozilla Safe Browsing 2.0.14" Tested it 3 times. It was updated 7/14/12 which is just about the time the problem started.

This forum solved three problems I had today so I want to contribute what little I can. Hope it helps!
 

My Computer My Computer

At a glance

Win 7 Home Premium 64bit
OS
Win 7 Home Premium 64bit
Good info, thanks for reporting back.

I'd uninstall and reinstall Firefox then guard my Add-Ons list.

I never let any browser have an Add-On unless I've confirmed it's required for a function I want and need.
 
All,

Sorry for the missed replies. I think that hroush9037 may be on to something. The problem seems to re-occur after rebooting, which seems to coincide with the "Mozilla Safe Browsing" being re-enabled (but not by me).
 

My Computer My Computer

At a glance

Windows 7 x64 ProCore i7 860 @ 3.8 GHz16 GB F3-12800CL7D (DDR3 1600 7-7-7-24)Sapphire Vapor-X 100283VXL Radeon HD 5770
Computer type
PC/Desktop
OS
Windows 7 x64 Pro
CPU
Core i7 860 @ 3.8 GHz
Motherboard
MSI P55-GD80
Memory
16 GB F3-12800CL7D (DDR3 1600 7-7-7-24)
Graphics Card(s)
Sapphire Vapor-X 100283VXL Radeon HD 5770
Monitor(s) Displays
NEC LCD3090WQXi-BK
My web shield isn't reporting any issues, and I have Chrome here. The only issue I have with Avast! at the moment, each time it's been updating the virus definitions and does its pop-up alerts it would play the sound notification twice in a row (or however many times it takes) until the pop-up does appear.
 

My Computer My Computer

At a glance

Microsoft Windows 7 Home Premium 64-bit Servi...AMD A10-6800K APU with Radeon(tm)™ HD Graphic...(2) G.Skill F3-12800CL10-8GBXLASUS R7 250 Series (0x6610)
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Microsoft Windows 7 Home Premium 64-bit Service Pack 1
CPU
AMD A10-6800K APU with Radeon(tm)™ HD Graphics 4100
Motherboard
ASRock FM2A85X Extreme4-M
Memory
(2) G.Skill F3-12800CL10-8GBXL
Graphics Card(s)
ASUS R7 250 Series (0x6610)
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Acer X213H LCD monitor, 21"
Screen Resolution
1920 x 1080 x 32 bits @ 60 Hz
Hard Drives
WD Black, 1.0TB, WDC WD1002FAEX-00Z3A0
PSU
Rosewill Quark-650
Case
Raidmax Comet SECC Steel ATX Mid Tower Computer Case
Cooling
1 x 80mm + 2 x 120mm + Stock cooler
Mouse
Gear Head Wireless Optical 5-button mouse
Internet Speed
FTTx 6000 / 1000
Antivirus
Avast! Free Antivirus 2015.10.0.2208
Browser
Google Chrome Version 40.0.2214.115
Other Info
*AMD Dual-Graphics
*Uses OpenDNS
*Uses Folding@Home
*HP 16x Super-Multi DVD Writer
*Superspeed 74-in-1 Card Reader
*Maximum overclock has not been determined.
Same Problem

The same problem happened to me but with a different advertising re-direct script that Avast said was coming from the Firefox browser I was using. I clicked the link on the alert that took me to Avast's advertising page that wanted me to upgrade to their virus scanner that costs money, but the page didn't explain the trojan. So instead of Avast getting rid of the trojan, it acted like a firewall and just said it was from Firefox and leaving me to have to figure it out. After deleting toolbar folders that I didn't need, nothing resolved, and I still kept getting alert pop-ups from Avast that my browser was hijacking me. So I went into Firefox's safe mode that turned off all the add-ons, and that stopped the pop-up alerts. Then I went one by one disabling each add-on in Firefox and found that Avast stopped alerting me when I turned off the add-on Mozilla Safe Search.

This is just a thought, but that got me to wonder why no other virus scanners, like Malwarebytes, Spybot, Sophos, Combofix, etc. picked it up. So it's possible that because Avast has it's own "Safe Search" app called "avast! WebRep" that could be loading it's own list of clients into Google searches, which is the trade off for getting Avast free, and needed the user of their software to disable Mozilla Safe Search because it was interfering with Avast "avast-WebRep." So Avast might be putting in a false trojan script to get you to disable any web shields you might be using.
 

My Computer My Computer

At a glance

windows xp 32bitPentium 3256?
Computer Manufacturer/Model Number
Dell
OS
windows xp 32bit
CPU
Pentium 3
Motherboard
?
Memory
256
Graphics Card(s)
?
Sound Card
Sound Blaster
Monitor(s) Displays
SynMaster 740n
Hard Drives
Maxtor
PSU
?
Case
Dell
Cooling
OSM
Back
Top