Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: english teacher on October 24, 2012, 04:37:45 PM
-
Hi,
I have a toolbar on my computer for Firefox which AVAST says is bad.
I have had to disable the Network Shield as I'm getting continuous alerts.
This toolbar is from Nectar.com and is a legit toolbar it is used as a search engine and with it you collect points. These points are credited to your account with them and you use them to buy things in shops etc.
How can I stop the alerts for this toolbar and where do I report it as a false positive? It's not like a virsu where it is blocked in the Vault and you can report it from there.
Thanks
-
If you can post a screenshot of (only) the avast alert window or post the full text from the alert window, change any URL from http to hXXp to prevent accidental exposure to a suspect site.
The toolbar in itself may be legit, that doesn't meant that any sites it may be linked to aren't infected/malicious, that is why we need more info.
-
Hi and thanks for the reply.
Here is the link from the log file. I have cleaned it up a bit as there is personal information in it like account number etc ...
24.10.2012 16:21:06 Network Shield: blocked access to malicious site hXXp://toolbarservice.freecause.com/2.6/?action=rewards_xul&toolid=61465&userid=XXXXXXXXX&username=XXXXXXXXXXX&time=1351088466&hash=4078b38746862f336ed994c8050ce67e&username=XXXXXXXXXXX&session_key=jkhl2345kj2345kj23jsdfgk45&session_id=1 [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4316 ) ]
Virustotal link scanner says it's also clean as well. This has worked to day up until the latest update of AVAST
-
Avast isn't the only one thinking this site is at least suspect WOT has it as poor reputation, image1.
However, I didn't get an alert on the main domain, but visiting the toolbarservice sub domain results in two alerts by avast (image2&3), on image2 there is a redirection to hXXp://toolbarservice.freecause.com/2.6/.
This scan has two detections, http://www.urlvoid.com/scan/toolbarservice.freecause.com/ (http://www.urlvoid.com/scan/toolbarservice.freecause.com/), the one from WOT plus this one, http://www.avgthreatlabs.com/sitereports/domain/toolbarservice.freecause.com/ (http://www.avgthreatlabs.com/sitereports/domain/toolbarservice.freecause.com/)
Nothing found here though, sitecheck.sucuri.net/results/toolbarservice.freecause.com/ (http://sitecheck.sucuri.net/results/toolbarservice.freecause.com/).
####
You can ask for it to be analysed/reviewed:
- There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles (http://www.avast.com/contact-form.php?loadStyles) for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.
- If you are reporting an FP, then you get another input field open (image4), click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn't hurt.
-
I have contacted both Nectar and Avast about this. So for now thanks for the help. I'll post back what is said by both when they reply.
Thanks once again.
-
Thanks, i have the same problem with avast blocking freecause, also have the nectar toolbar.
-
Yep, same with me, with the Nectar freecause toolbar. Opening 'More Details...' on the alert opens up in Chrome for some reason and as I have the Toolbar operational there I had a similar warning. I've had to disable the toolbar on Firefox and Chrome for now.
It was OK earlier today. I shut the computer down and now back to find this a while ago. Pleased someone else found it and not just me :)
-
I've just looked on Nectar on Facebook and someone there has the problem. The person tried to remove the toolbar and reinstall it but now it doesn't appear in the Extensions.
-
This was the malware found there (now being closed since 2012-04-10 21:53:53) known as "unknown_html_RFI_php"
htxp://toolbarservice.freecause.com/2.6/?action=version_xml&toolid=100783&userid=&username=&key=&mode=1&v=Bucksbee%20Loyalty%20Plugin%20%2D%20InstallMonetizer%201%2E650
See: http://www.threatexpert.com/report.aspx?md5=08ca3457be9e45259c0767322ecdf8b4
site has conditional redirects (vulnerable to PHP/5.3.15-1~dotdeb.0 bugs)
polonus
-
Same problem here with the Nectar Toolbar. It only started this afternoon and that was before I updated to the latest Avast free. After updating, I still have the same problem. I will report it as a false positive.
-
I have contacted both Nectar and Avast about this. So for now thanks for the help. I'll post back what is said by both when they reply.
Thanks once again.
You're welcome, hopefully now any issues have been removed/resolved at the site avast can review the block.
-
I seem to have started something here, haven't I?
Anyway, can somebody tell me how to stop the alerts from popping up for this problem. I don't want to turn the Network Shield off so I've turned off the sound as I'm fed-up of hearing (ahhhhhhh dare I write it ? I can't stand even writing it ahhhhhhhh)
"DING DING DING Threat has been detected"
Thank you.
-
The Network Shield has no user configurable settings, so no excluded URLs option. I certainly wouldn't disable the network shield for any short term gain as it provides a valuable level of protection. It is now up to avast to follow up on your reporting it.
You can try to pause or stop the toolbar as a temporary measure or add the *toolbarservice.freecause.com/* or 174.37.58.233 IP address to your firewall to block access to it, but avast may still get in there before the firewall.
-
@ drac3, rob24, Mender,
Please see http://forum.avast.com/index.php?topic=107658.msg854389;topicseen (http://forum.avast.com/index.php?topic=107658.msg854389;topicseen) See reply # 3 & 4 there. You can get the help you need if you start your own topic. We do not mind the extra work.
-
***
Thousands of web sites get infected every minute of every day.
Turning off the Network Shield is a definite No-No !
***
-
HI,
Thanks for the replies. I had never any intention of turning off the Network Shield.
I have, this morning, received this reply from Nectar about this problem which I've pasted below.
Now I'm going to reply to them saying that also AVG has found viruses in two subdomain pages. I'll keep you posted.
Ah PS I also left a message about this on Facebook Nectar page as well!!! There are people reporting the problem there as well (as already posted in this thread)
Thank you for contacting FreeCause Support.
Freecause Toolbars are simple plug-ins that provide ready access to the features and functions you use online every day. They are free of spyware, adware, and malware.
Despite the fact that our software is safe, some security software will flag Freecause software as untrusted software. We were able to identify the problem and our team is contacting Avast.
We suggest adding freecause.com as trusted site for your antivirus software at this time.
We will inform you when the problem is resolved.
Best Regards,
FreeCause Support
-
Just a quick update.
Anybody noticed that there are NO "DING DING DING Warning Threat Has Been Detected" ?
I guess somebody must have fixed it. (I just turned on the sound) ;D
-
The site has a long ongoing history of launching malware from 2011-11-02 15:09:2 to 012-10-19 21:57:26
unknown_html_RFI_php malware and unknown_html_google_malware has been present there, longest time of malware activity 510 hours,
latest malware activity episodes 1 to 0.1 hrs. Website must be vulnerable to remote file injection attacks and needs hardening against this.
At the moment I get a Unable to properly scan your site. Site returning error (40x): HTTP/1.1 400 Bad Request
Your configuaration is lax adn there are issues....
Search for STOR, APPEND give in & ggf. to check on the IPs 174.37.58.238 174.37.58.237 DNS type A....
polonus
-
Just a quick update.
Anybody noticed that there are NO "DING DING DING Warning Threat Has Been Detected" ?
I guess somebody must have fixed it. (I just turned on the sound) ;D
I'm not getting an alert on the toolbarservice.freecause.com sub-domain and it still redirects to the toolbarservice.freecause.com/2.6/ directory, but I get a blank page and no page source. So perhaps they have taken down this /2.6/ directory data, but avast is no longer alerting on the sub-domain as before.
-
I have re-enabled the Toolbar on Firefox and Chrome and there is no longer any Malware detection warnings. So not sure what has happened but I'm glad it has!
-
Hi,
It is apparent that the detection by Avast! was correct. It provided the protection you needed when you needed it.
Do not blame Avast! when it is doing its' job. Be glad it does. Question now is, if past history is any indication, why have this on your system?
-
Hmm interestingly, on today's 18:30 hrs Quick Scan, Avast has detected PUP see attached screenshot of file in Chest. In 2+ years of using this toolbar (to collect points towards money off shopping) I've never had problems with it. But then doing the arithmetic, its worth next to nothing! ::)
Perhaps I ought to submit to Avast anyway.
-
Well the point is that it is a PUP (Potentially Unwanted Program) - See http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1066761,00.html (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1066761,00.html). Not included in this definition are tools which can be used for good or evil, some have been legitimately installed for a specifically good purpose, but could have been unknowing installed for a malicious purpose.
Not all antivirus programs scan for PUPs and avast has it turned off by default (an exception being the boot-time scan).
So if you get this on a Quick scan you have been tweaking the avast settings without knowing what the impact might be.
-
Good remark by DavidR, and right he is there!
Beacause tweaking the settings without an informed advice is bad practice.
An av solution is a program with a purpose and all parts of it have their purpose (pup detection, shields, etc. etc.)
polonus
-
Ah yes I see the association with Spyware in the link you provided DavidR. Interesting.
Yes it does look as if I've been tweaking the scan settings as PUP is ticked. Not that I recall doing it! Do you advocate turning this off back to the default setting? Actually I did a Boot time scan today (which was clear) then re-enabled the toolbar then did the Quick scan as I do every day. Think I might actually give the Toolbar the heave-ho. It earns 100 points per month equivalent to £0.5 in a Supermarket. Drop in the ocean when compared to grocery price rises!
-
The main problem with enabling PUPs is you have to have a degree of knowledge of what you have installed on your system, what it does and why it might be considered a PUP to be able to make any informed decision. I believe that is why PUPs are not enabled in the regular on-demand scans.
- With a resident on-access antivirus like avast, the need for frequent on-demand scans is much depreciated. For the most part the on-demand scan is going to be scanning files that would be otherwise be dormant or inert. If they were active files then the on-access file system shield would be scanning them before being created, modified, opened or executed.
I have avast set to do a scheduled weekly Quick scan, set at a time and day that I know the computer will be on. If for some reason my system wasn't on, no big deal I will catch up on the next scheduled scan.
####
Now if you know why you installed this toolbar and the fact that it will be gathering information that is used for marketing purposes by the vendor. This may also be used to deliver targeted adverts, this is why many toolbars are considered ad/spyware.
-
***
The real lose is not the "100 points per month equivalent to £0.5" but the lose of your personal information using such toolbars. It doesn't matter what toolbarservice.freecause.com might tell you. Think about this:
How do you think they know what offers to present to you?
***