Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Tom581 on January 12, 2021, 11:35:54 PM
-
Every time I search using Google, I get a pop-up about servscrpt.de being blocked. Only happens with Firefox and not Edge. Started a few days ago. How to stop this?
-
Strange, servscript.de appears to belong to amazon.com https://www.ip-adress.com/website/servscrpt.de but located in Dublin.
Firefox is my default browser, my default search engine is GoogleUK and I'm not seeing this, what are your Privacy and Security settings, mine are on Strict.
-
Thanks DavidR,
I am using an old version of FFox - v56 - and cannot see anywhere to set 'Strict'.
-
If you can you should get the latest version that is compatible with your OS (which is ?)
If you are unable to update firefox, I don't know what version of Avast you are using (?)
If it is the latest avast version then you should be able to update firefox, this would give you much more in the way of Privacy and Security settings. Not to mention other functions.
-
Thanks again DavidR..
I am using the latest Avast. Won't update to latest FFox as I would lose some functionality I rely on. Just curious what changed in the last few days to cause this. Clearly it's Google. OS is Win7 pro.
-
You're welcome.
I just wonder if it is something in google that has change, as presumably they are constantly updating their product to gather data. But why it is connecting to servscrpt.de for a search, I wouldn't know.
But this site is considered a medium security risk on this scan https://sitecheck.sucuri.net/results/servscrpt.de that may or may not be why avast has the URL Blacklisted.
You could try - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php (https://www.avast.com/false-positive-file-form.php) - this goes to the avast virus labs. They will look at it again, but there is no guarantee that it would be removed from the URL Blacklist.
-
Hi,
servscrpt[.]de is a domain used by a malicious payload to spy on Google/Bing/Yahoo search results and modify them. It has the ability to redirect arbitrary search results through servproc[.]de. This is most likely spread by a malicious browser extension: we recommend disabling suspicious ones and checking if the issue persists. If you figure out which extension was to blame, please let us know.
-
Thank you Jan for the clarification.
-
Hi,
I have the same problem only with firefox last version :(
I post a subject on Monday 10
https://is.gd/KzHBSd
But no answer.
So how can we ask to avast TK?
As i only have the free version and it sure that it occur on every version :'( :'( :'(
Very boring situation....
Gerald
-
Hi,
servscrpt[.]de is a domain used by a malicious payload to spy on Google/Bing/Yahoo search results and modify them. It has the ability to redirect arbitrary search results through servproc[.]de. This is most likely spread by a malicious browser extension: we recommend disabling suspicious ones and checking if the issue persists. If you figure out which extension was to blame, please let us know.
Thanks Jan953..
I started FFox with add-ons disabled and no problem. After restart, I tried disabling add-ons one-by-one but can't figure out the culprit. Only one has been updated in the last week or two, but I fully trust it.
Is there a way to effectively troubleshoot this? Is the a scanner of some sort out there?
-
Hi,
I have the same problem only with firefox last version :(
I post a subject on Monday 10
https://is.gd/KzHBSd
But no answer.
<snip>
Do you not think it is strange to post a shortened URL link to a 3rd party site to redirect you back to the avast forums ?
https://forum.avast.com/index.php?topic=247008.0
Many don't use shortened links to unknown origins or locations.
Plus you did get an answer.
One of which was to report it as a possible false positive.
Another to post it in the viruses and worms sub-forum, which you chose not to do.
The only people who can move topics need full permissions and essentially this is an Avast Team member. If they visited the topic they could well have answered it without the need to move it.
-
Hi,
I use Copyshorturl addon to make a small url that all ^^
A false positive ok, but not solved on detection database...
Ok, a lot ofhave the Free version so, we don't have the direct support.
Wait and see, to have a patch of false positive. ;D
Gerald
-
Well shortening your link actually puts some people off even visiting it, not to mention the link I posted to your topic is hardly long.
I didn't say it was a false positive, just that there was a link that you could use, if you felt it was, then it could be investigated.
There has been a response by 'Jan593' an avast team member Reply #6 in this topic who states that it isn't an FP and what actions to take to try and find a potentially bad browser extension in Firefox.
This is an issue that is unrelated to what avast version you have the web shield and file system shield 'virus protection is the same in all versions.'
-
Hi,
Well, malicious extension, maybe but i don't know why Firefox could let such extension to be downloaded on his server.
What also noticed it that there was no such warning message on the previous version too... :o
I disabled all my add-on.
Re-activate each one by one, and no more warning message from Avast at 6:30am French hour :o :o :o :o
So bad ad-on or bug of detection, or new update of one of add-on make Avast be quiet???
Will shut down the laptop around of 6:50 and start it again around of 8:45 and will see if it's ok or not.
Gerald
-
Hi,
servscrpt[.]de is a domain used by a malicious payload to spy on Google/Bing/Yahoo search results and modify them. It has the ability to redirect arbitrary search results through servproc[.]de. This is most likely spread by a malicious browser extension: we recommend disabling suspicious ones and checking if the issue persists. If you figure out which extension was to blame, please let us know.
I had same alerts a few days ago with Google Chrome, thinking it must be extensions.
For me it was an extension named "Proxy SwitchySharp" to blame, but now alerts are stopped for me too so I can't confirm it anymore.
-
I've been getting this alert when I do a Google search on Chrome browser, too, on my Windows 10 laptop. I updated Chrome to the latest version yesterday, but it still persisted.
Following NON's lead, I checked all my Chrome extensions; I don't have Proxy SwitchySharp.
But I've been able to stop the alert by disabling CrossPilot 1.1.1, which is described as "Install Opera extensions in Chrome in a sandboxed environment". Sure hope it was me that installed that extension, because I don't remember it! But let's just hope this sticks.
-
I've been getting this alert when I do a Google search on Chrome browser, too, on my Windows 10 laptop. I updated Chrome to the latest version yesterday, but it still persisted.
Following NON's lead, I checked all my Chrome extensions; I don't have Proxy SwitchySharp.
But I've been able to stop the alert by disabling CrossPilot 1.1.1, which is described as "Install Opera extensions in Chrome in a sandboxed environment". Sure hope it was me that installed that extension, because I don't remember it! But let's just hope this sticks.
Well I have CrossPilot installed too, but I don't have alerts with it enabled at least for now. :-\
-
Hi ^^
NON did you have the warning message with the previous Avast version even free or other version?
Gerald
-
NON did you have the warning message with the previous Avast version even free or other version?
I'm using latest Avast, not previous version.
-
Thanks Jan953..
I started FFox with add-ons disabled and no problem. After restart, I tried disabling add-ons one-by-one but can't figure out the culprit. Only one has been updated in the last week or two, but I fully trust it.
Is there a way to effectively troubleshoot this? Is the a scanner of some sort out there?
Unfortunately, I don't think there is any good tool to automatically troubleshoot this. But what you can do is navigate to a Google search page, and open "Web Developer" -> "Debugger" -> "Sources". You should see there on the left pane the list of add-ons that are executing a content script in the current page. If there is any add-on that should not be loaded into a Google search page, you found the culprit.
-
Thank you for the tips, we will look into both CrossPilot and Proxy SwitchySharp if there is any hidden malicious code!
-
Thanks Jan953..
I started FFox with add-ons disabled and no problem. After restart, I tried disabling add-ons one-by-one but can't figure out the culprit. Only one has been updated in the last week or two, but I fully trust it.
Is there a way to effectively troubleshoot this? Is the a scanner of some sort out there?
Unfortunately, I don't think there is any good tool to automatically troubleshoot this. But what you can do is navigate to a Google search page, and open "Web Developer" -> "Debugger" -> "Sources". You should see there on the left pane the list of add-ons that are executing a content script in the current page. If there is any add-on that should not be loaded into a Google search page, you found the culprit.
Thanks again Jan953...
Problem has apparently disappeared.
Yesterday, I disabled all add-ons (not restart with add-ons disabled) and turned them back on one at a time and checking for the issue each time. Even when all were back on, problem did not surface. I waited to post today to see if issue came back after reboot. It did not.
Cannot explain this.
Tried your troubleshooting and did not notice any add-ons loaded.
-
Hi,
I have answer from Avast French support ;D
They said that it was from a bad add-on...
They advise me to disable add-on one by one and enable it one by one to see which one was bad.
I did it, but as a forumer said before, they did it without possibility to know which one wasn't good :o :o
Gerald
-
Thanks Jan953..
I started FFox with add-ons disabled and no problem. After restart, I tried disabling add-ons one-by-one but can't figure out the culprit. Only one has been updated in the last week or two, but I fully trust it.
Is there a way to effectively troubleshoot this? Is the a scanner of some sort out there?
Unfortunately, I don't think there is any good tool to automatically troubleshoot this. But what you can do is navigate to a Google search page, and open "Web Developer" -> "Debugger" -> "Sources". You should see there on the left pane the list of add-ons that are executing a content script in the current page. If there is any add-on that should not be loaded into a Google search page, you found the culprit.
Thanks again Jan953...
Problem has apparently disappeared.
Yesterday, I disabled all add-ons (not restart with add-ons disabled) and turned them back on one at a time and checking for the issue each time. Even when all were back on, problem did not surface. I waited to post today to see if issue came back after reboot. It did not.
Cannot explain this.
Tried your troubleshooting and did not notice any add-ons loaded.
Seems this idiocy is back again. 6 days of freedom and now it is starting again. Nothing has changed in my system.
-
Hi,
Welcome back >:( >:( >:(
I have the issue back.
To see if something wrong with add-on, which add-on do you have on your firefox or other navigator which occur the problem?
Gerald
-
Hi,
Welcome back >:( >:( >:(
I have the issue back.
To see if something wrong with add-on, which add-on do you have on your firefox or other navigator which occur the problem?
Gerald
No idea Gerald. Did the same test as before and problem is still there with add-ons disbaled without a FFox restart. I am baffled.
-
Hi everyone,
I'll be copying this other reply of mine on the AVG forum:
I know it might not be what you're exactly looking for (since it's more probable you're being closely monitored as I am and this is only going to prevent you from viewing the window - check the address loaded on the pop-up, because it'll match a ton of your latest searches on Google), but, at least for now, you could edit the hosts file present at the path "C:\Windows\System32\drivers\etc" and block the address from being sucessfully opened. Remember you'll have to run the text editor (notepad, why not?) as an administrator and open the file through the own notepad prompt (ctrl + o). After this, go to the last line and create a new one with "127.0.0.1" (which is the localhost used for loopbacks; learn more at https://en.wikipedia.org/wiki/Localhost (https://en.wikipedia.org/wiki/Localhost)) plus the address targeted. You also should preferably press the "tab" key to separate a parameter from each other.
It seems this threat actually comes from some kind of action triggered by Crosspilot. Discussions are being proposed across other forums too, I see.
Hope this helps.
(I attached a sample of what it also looks when running on AVG. Same deal, same issue.)
-
I got this from Avast:
If the detection pops up randomly it is possible that you have hijacker in your browser. To get rid of it please follow steps described bellow:
1) Make sure that Avast is up-to-date: https://support.avast.com/en-ww/article/Update-Antivirus
2) Reset the affected web browser to its default/factory settings: https://support.avast.com/en-ww/article/Reset-browser
Did not do it yet, did anyone else?
-
You could start by attaching a screenshot (to your reply) of the avast alert, that could help us investigate.
See my attached image on how to attach it in the post.
-
Ok, this is the screenshot
-
This pretty much confirms the detection, that an Avast Team member posted about.
Hi,
servscrpt[.]de is a domain used by a malicious payload to spy on Google/Bing/Yahoo search results and modify them. It has the ability to redirect arbitrary search results through servproc[.]de. This is most likely spread by a malicious browser extension: we recommend disabling suspicious ones and checking if the issue persists. If you figure out which extension was to blame, please let us know.
And also what actions others in this topic have taken to try and pin down what add-on is triggering this alert.
But what you got from avast in your Reply #27
1. Avast being up to date (virus definitions) wouldn't have an impact unless this were a false positive.
2. Resetting the browser back to defaults, would presumably remove all add-ons and probably resolve the problem until you put the add-ons back again.
So it doesn't seem to follow what 'Jan593' suggested, to track down the add-on responsible. Or what other contributors to this topic have done to try and find the add-on. All I as an Avast user can suggest is read through some of the other replies on what they have done to find the add-on and then remove that add-on.
-
I only removed CrossPilot (which I never asked for by the way) and now peace has returned - no more alerts. What IS CrossPilot???
-
I updated the 'hosts' file as per an earlier post and have not had this since. Perhaps that's the 'real' solution. For me, before, this issue would come and go for no apparent reason I could discern. It's peace for now.