Author Topic: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])  (Read 19256 times)

dominator

  • Guest
Half of visited adult sites blocked by Web Shield with following infection info: JS:Includer-BAO [Trj]
Including major ones like xhamster.com. Many small and obscure sites (not gonna throw links in here ;]) working just fine.
All "normal" sites/portals working without problems.

HDD scan detects JS:Includer-BAO [Trj] again in browser cache (in my case Firefox). Cleaning browser cache fixes this.
Full system scan and startup scan return no infection.

What the hell is happening at avast? First AV-Test destroy you in test and now wave of annoying false positives. Get a grip or change job (or maybe I will change AV software).

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #1 on: March 29, 2014, 01:25:34 PM »
Quote
First AV-Test destroy you in test................
destroy   ....hmmm    ???


Quote
and now wave of annoying false positives. Get a grip or change job (or maybe I will change AV software).
ahaaa..... so other AV don't have FP ..... can you recommend a FP free AV  ?


dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #2 on: March 29, 2014, 01:33:02 PM »
Quote
ahaaa..... so other AV don't have FP ..... can you recommend a FP free AV  ?

one of those: https://www.virustotal.com/en/file/6c49fb8cb6098f4a5a7fdffa69b8a4627f65b0ec210627cc06030d2b8675921b/analysis/1396082682/

1/49 AVAST seems a bit retarded, don't you think?

Just FIX this shit and stop posting stupid replies.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #3 on: March 29, 2014, 01:43:24 PM »
Watch your language please

First submission 2014-03-29 08:44:42 UTC ( 3 hours, 57 minutes ago )
Last submission 2014-03-29 08:44:42 UTC ( 3 hours, 57 minutes ago )


File is new, maybe Avast is the only one to detect yet.

dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #4 on: March 29, 2014, 01:47:47 PM »
Quote
File is new, maybe Avast is the only one to detect yet.

According to my Avast scan history JS:Includer-BAO [Trj] was blocked by Web Shield and then detected (in my browser cache) already @ 2014-03-29 01:10:04 (GMT+1).

I highly doubt other AV's are so slow with updates.


dprout69

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #5 on: March 29, 2014, 01:53:07 PM »
Dominator you aren't dominating anyone here.  You have way too much attitude to be asking for help.  Bottom line if you don't like the product don't use it.  Other than that, report what you believe is the false positive and treat people with respect until they have done something to disrespect you.

dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #6 on: March 29, 2014, 02:28:53 PM »
I'm not asking for help because I don't need one.
And I report here because the built-in report tool is way too slow (outsource more into hindu IT land...)

I'm in bashing mood so here we go again: http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=140613
FIX.THOSE.PATHETIC.SCORES.
I'm disgusted to even look at this.

I'm done. Now work. (and by work I mean improving detection engine and algorithms, not adding useless shit like grimefapper or software updater.)
« Last Edit: March 29, 2014, 02:38:00 PM by dominator »

Offline Flippy

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #7 on: March 29, 2014, 04:12:25 PM »
Hello,

Sorry, detection JS:Includer-BAO caused some false positives and it's switched off. Sorry for any inconvenience.

Best regards,

Filip Chytrý
Virus analyst

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #8 on: March 29, 2014, 04:59:55 PM »
Now we have heard the verdict from base (detection with various FP), in retrospect we could give some remarks on the site-detects bordering on being unwanted adware for some users (others that block won't come into contact with it even).

So just a couple of remarks for the VT example given in post #2 having issues next to it probably being a FP
-> wXw.makamundo.com.htm,,,Not in namespace, 
Server errors: Unable to properly scan your site.
Unable to connect. http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.makamundo.com.htm
No SOA record found for wXw.makamundo.com.
No SOA record was found when querying the name server.
This is most probably due to a misconfiguration at the name server - a zone must have a SOA record.

Nameserver 208.109.255.25 does not do DNSSEC extra processing. Nameserver 216.69.185.25 does not do DNSSEC extra processing.

Avast! WebShield here still flags it as infested with JS:Includer-BAO [Trj].

Web Security Test Results come up with the following detections:

Suspicious iFrame Check:
Suspicious
htxp://adf.ly/5668242/exo'
htxp://adf.ly/5668242/plug'
htxp://adf.ly/5668242/juicy'
htxp://widget.plugrush.com/makamundo.com/5imx'
//ads.exoclick dot m/iframe.php?idzone=832320&size=728x90'
htxp://adserver.juicyads.com/adshow.php?adzone=266917'
htxp://adserver.juicyads.com/adshow.php?adzone=274847'
//ads.exoclick dot com/iframe.php?idzone=827182&size=300x250'
//ads.exoclick dot com/iframe.php?idzone=827176&size=300x250'
//ads.exoclick dot com/iframe.php?idzone=823268&size=300x250'
htxp://widget.plugrush.com/makamundo.com/5imo'
htxp://widget.plugrush.com/makamundo.com/5j7u'
htxp://adserver.juicyads.com/adshow.php?adzone=291743'
htxp://adserver.juicyads.com/adshow.php?adzone=291744' (also as Eddy mentioned in his posting).

Included script:
Suspect - please check list for unknown includes
htxp://syndication.exoclick.com/splash.php?idzone=821938&type=4  (is being blocked by several extensions)

Outdated vulnerable  PHP version found: php/5.4.24
external link to htxps://d31qbv1cthcecs.cloudfront.net/atrk.js -> http://jsfiddle.net/B5m87/  probably benign - no strict transport security -
various https- no-best-policy issues flagged

For website code, see: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.makamundo.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

What Eddy reports on exoclick is valid according to WOT,
controversial results: https://www.mywot.com/en/scorecard/exoclick.com?utm_source=addon&utm_content=popup-donuts
involved in generating smut-ads!  bad web rep.
Even here there is a flag: http://www.urlvoid.com/scan/exoclick.com/  WOT
Site may be malware free, still might be considered as at least controversial -
well, with ABP and NoScript extensions installed in the browser, users do not need to read this posting,
because they are protected against any eventual risks anyway.

polonus

« Last Edit: March 29, 2014, 05:02:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

true indian

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #9 on: March 29, 2014, 05:16:01 PM »
Quote
I'm in bashing mood so here we go again: http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=140613
FIX.THOSE.PATHETIC.SCORES.
I'm disgusted to even look at this.

There is an explanation:
http://forum.avast.com/index.php?topic=147986.msg1075601#msg1075601