Author Topic: Lavasoft Support Forums Malware???  (Read 18356 times)


Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #30 on: February 20, 2014, 06:47:41 PM »
> It is not a false positive, see the reply by polonus.
>
> > No FP: Banner adware of the worst kind: http://maldb.com/url4short.info/c29e7461 -> htxp://ib.adnxs.com/ttj?id=1183036&size=728x90 spamvertiser malcode. ->
> > https://www.mywot.com/en/scorecard/ib.adnxs.com?utm_source=addon&utm_content=popup-donuts
> > Listed in OpenDNS blocklist and blacklisted elsewhere.
> >
> > polonus

Yeah, just noticed that. So... what does it mean? Should we be concerned, since we all tested the website?

Eddy
Re: Lavasoft Support Forums Malware???
« Reply #31 on: February 20, 2014, 07:09:23 PM »
Following up on Reply 28. (just as info)

I did a little test.
Indeed first time it is blocked, second time not.
I did not remove cached/temporary files, only the cookie lavasoft webboard places in the browsers.

Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #32 on: February 20, 2014, 07:18:46 PM »
> Following up on Reply 28. (just as info)
>
> I did a little test.
> Indeed first time it is blocked, second time not.
> I did not remove cached/temporary files, only the cookie lavasoft webboard places in the browsers.

Ok, so it's the cookie? It's always the cookie... it's like Cluedo... it's always Colonel Mustard... eheh...

Enough with the jokes... do we need to contact Lavasoft about the problem? I don't have an account there. I was just trying out the new Ad-Aware 11 (as a 2nd line of defense), but their web installer was really slow. So I went to the forums to see if anyone had a problem with it, and then it all began.

But with the sapo search engine, there was no warning.

Eddy
Re: Lavasoft Support Forums Malware???
« Reply #33 on: February 20, 2014, 07:40:45 PM »
I have just sent a message to their webmaster about it.
Let's see if I get a response.
I did include a link to this thread.

Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #34 on: February 20, 2014, 08:19:08 PM »
> I have just sent a message to their webmaster about it.
> Let's see if I get a response.
> I did include a link to this thread.

Ok. Thank you.

mchain
Re: Lavasoft Support Forums Malware???
« Reply #35 on: February 21, 2014, 01:50:02 AM »
> > It is not a false positive, see the reply by polonus.
> >
> > > No FP: Banner adware of the worst kind: http://maldb.com/url4short.info/c29e7461 -> htxp://ib.adnxs.com/ttj?id=1183036&size=728x90 spamvertiser malcode. ->
> > > https://www.mywot.com/en/scorecard/ib.adnxs.com?utm_source=addon&utm_content=popup-donuts
> > > Listed in OpenDNS blocklist and blacklisted elsewhere.
> > >
> > > polonus
>
> Yeah, just noticed that. So... what does it mean? Should we be concerned, since we all tested the website?

Not if you do your testing in a virtual machine or run your browser sandboxed and automatically clear sandboxed contents when done. What it likely means is that, as Polonus said, it's banner adware of the worst kind, utilizing a cookie to begin the initial redirect to the malicious site. There are cookies and then there are tracking cookies.... normally not an issue, but in this instance, it likely is one.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #36 on: February 21, 2014, 10:45:16 AM »
> > > It is not a false positive, see the reply by polonus.
> > >
> > > > No FP: Banner adware of the worst kind: http://maldb.com/url4short.info/c29e7461 -> htxp://ib.adnxs.com/ttj?id=1183036&size=728x90 spamvertiser malcode. ->
> > > > https://www.mywot.com/en/scorecard/ib.adnxs.com?utm_source=addon&utm_content=popup-donuts
> > > > Listed in OpenDNS blocklist and blacklisted elsewhere.
> > > >
> > > > polonus
> >
> > Yeah, just noticed that. So... what does it mean? Should we be concerned, since we all tested the website?
>
> Not if you do your testing in a virtual machine or run your browser sandboxed and automatically clear sandboxed contents when done. What it likely means is that, as Polonus said, it's banner adware of the worst kind, utilizing a cookie to begin the initial redirect to the malicious site. There are cookies and then there are tracking cookies.... normally not an issue, but in this instance, it likely is one.

Sorry, as I said I'm Portuguese, so English is not my native language. Since I accessed the address in "normal mode", should I be concerned? That's the only address that's behaving that way. And banner adware... it's ads/pub, right? I don't want to reinstall Windows for the fourth time.... lol
Is there any way to correct this problem?

mchain
Re: Lavasoft Support Forums Malware???
« Reply #37 on: February 21, 2014, 11:52:48 PM »
> > > > It is not a false positive, see the reply by polonus.
> > > >
> > > > > No FP: Banner adware of the worst kind: http://maldb.com/url4short.info/c29e7461 -> htxp://ib.adnxs.com/ttj?id=1183036&size=728x90 spamvertiser malcode. ->
> > > > > https://www.mywot.com/en/scorecard/ib.adnxs.com?utm_source=addon&utm_content=popup-donuts
> > > > > Listed in OpenDNS blocklist and blacklisted elsewhere.
> > > > >
> > > > > polonus
> > >
> > > Yeah, just noticed that. So... what does it mean? Should we be concerned, since we all tested the website?
> >
> > Not if you do your testing in a virtual machine or run your browser sandboxed and automatically clear sandboxed contents when done. What it likely means is that, as Polonus said, it's banner adware of the worst kind, utilizing a cookie to begin the initial redirect to the malicious site. There are cookies and then there are tracking cookies.... normally not an issue, but in this instance, it likely is one.
>
> Sorry, as I said I'm Portuguese, so English is not my native language. Since I accessed the address in "normal mode", should I be concerned? That's the only address that's behaving that way. And banner adware... it's ads/pub, right? I don't want to reinstall Windows for the fourth time.... lol
> Is there any way to correct this problem?

Address the issue of having to reinstall your OS multiple times by using a disk imaging software program, preferably having an image, either full or incremental, of the operating system drive done once a day. Restoring a known clean image will take you only minutes instead of hours and/or days, plus any malware that got installed on the disk will be automatically removed and overwritten.

Run, at the very least, a sandbox program, to prevent unwanted changes to any program you use whilst connected to the Internet, and always delete the sandboxed contents when done.

As this alert only presented itself when no cookie from the Ad-Aware forum was present, because of pre-existing FF settings, and ceased when a cookie was in place, it's up to you whether to reformat and uninstall. If avast! is not alerting now, the threat seems to have been blocked entirely. That's what it looks like from here.

Para-Noid
Re: Lavasoft Support Forums Malware???
« Reply #38 on: February 22, 2014, 12:15:14 AM »
Are you running Ad-Aware alongside avast?
If so, that's a bad idea. If you have two resident A/Vs, that could lead to various results. Most of which are bad.
See http://www.bleepingcomputer.com/forums/t/260844/two-anti-virus/#entry1441638

I found...
http://zulu.zscaler.com/submission/show/ca9bcb449ce76f6af913e0ad17b55238-1392919377
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #39 on: February 23, 2014, 08:34:20 PM »
> Are you running Ad-Aware alongside avast?
> If so, that's a bad idea. If you have two resident A/Vs, that could lead to various results. Most of which are bad.
> See http://www.bleepingcomputer.com/forums/t/260844/two-anti-virus/#entry1441638
>
> I found...
> http://zulu.zscaler.com/submission/show/ca9bcb449ce76f6af913e0ad17b55238-1392919377

No, I'm not running avast and Ad-Aware at the same time. Ad-Aware is disabled by me in Services, and I only update it/use it when I need to. So, for now, no Ad-Aware service is running. Also, it's installed in compatible mode (no real-time), on-demand only.

> Address the issue of having to reinstall your OS multiple times by using a disk imaging software program, preferably having an image, either full or incremental, of the operating system drive done once a day. Restoring a known clean image will take you only minutes instead of hours and/or days, plus any malware that got installed on the disk will be automatically removed and overwritten.
>
> Run, at the very least, a sandbox program, to prevent unwanted changes to any program you use whilst connected to the Internet, and always delete the sandboxed contents when done.
>
> As this alert only presented itself when no cookie from the Ad-Aware forum was present, because of pre-existing FF settings, and ceased when a cookie was in place, it's up to you whether to reformat and uninstall. If avast! is not alerting now, the threat seems to have been blocked entirely. That's what it looks like from here.

I know you're right about the images, but some software doesn't deal very well when you do a system restore or use an image (like avast... at least in my experience). Also, some programs that do install right fail to uninstall after using the image to restore them.
As for a sandbox, normally I use Comodo, but I didn't know the address was infected when I googled it. That was my problem.

I'm still having the problem. I'm still getting redirected and avast blocks the infection.
What I still don't understand is whether only the cookie is infected or whether it installs something on the machine. If only the cookie is infected, avast blocks the connection and, when I close Firefox, it cleans the infection because Firefox deletes the cookie (as I selected to do so)?

I don't know if I need to reinstall. The only address I have problems with is the support forum one, and it only happens after using Google, Bing, Yahoo, etc. If I access the site by writing the URL in the address bar, after restarting Firefox, I don't get redirected. Also, if I use my country's best-known search engine (sapo.pt), I also don't get redirected.

> I have just sent a message to their webmaster about it.
> Let's see if I get a response.
> I did include a link to this thread.

Any word from the webmaster?

To you all, thank you. I know I'm a giant pain in the... I want to solve this, help you solve this, and prevent/help anyone to whom this could happen/has happened.
« Last Edit: February 23, 2014, 08:49:19 PM by Sly_Toad »

AdrianH
Re: Lavasoft Support Forums Malware???
« Reply #40 on: February 23, 2014, 08:46:30 PM »
Lavasoft forum is not blocked by avast now. I can access the site without any issue.

As to Ad-Aware... killing the service is not enough; the hooks and components are still installed.

The program needs completely uninstalling.

Sly_Toad
Re: Lavasoft Support Forums Malware???
« Reply #41 on: February 23, 2014, 08:50:38 PM »
Ok, I'll do that right now. But avast still blocks the access to hxxp://www.lavasoftsupport.com/ if you google it after clearing all cookies. At least mine still does it.
« Last Edit: February 23, 2014, 08:53:51 PM by Sly_Toad »

AdrianH
Re: Lavasoft Support Forums Malware???
« Reply #42 on: February 23, 2014, 09:03:53 PM »
That is a Google search cache problem.

The first entry, "Lavasoft Support Forums www.lavasoftsupport.com/", throws the alert. The redirect is coming from a cached entry.

Use the same URL directly in any browser and there is no issue.

These Google results are clean:

Ad-Aware Support - Lavasoft Support Forums
www.lavasoftsupport.com/index.php?/forum/30-ad-aware-support/

Ad-Aware 10 - Lavasoft Support Forums
www.lavasoftsupport.com › Ad-Aware Support
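The behaviour pieced together over the last few replies (Eddy's test in Reply #31, where the alert fires only on the first visit before the forum cookie exists; mchain's point in Reply #35 that the cookie gates the redirect; and AdrianH's observation above that only the search-engine result, not the directly typed URL, triggers the alert) is a conditional off-site redirect: the page looks clean to a direct visit but sends a search-referred, cookie-less visitor to a third-party ad host. The script below is an added example, not code from any post in this thread or from Avast, Lavasoft or Google; it probes one URL under several request profiles (Referer sent or not, site cookie present or not), records which profiles produce a redirect to another host, and flags the cloaking pattern when only some profiles do. The `simulated_fetch` fetcher, the `PROFILES` list, the `SEARCH_ENGINES` set and the `BLOCKLIST` set are all constructed for the example so that it runs offline; `live_fetch` is a plain `urllib` fetcher, with redirect-following disabled, for running the same probe against a site you administer.

```python
"""Probe one URL under several request profiles and report the profiles in
which it answers with a redirect to a different host.

Added example: the simulated fetcher below reproduces the behaviour reported
in this thread (off-site redirect only on a search-engine-referred visit with
no forum cookie); it is a constructed stand-in, not a capture of the site."""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


# (profile name, Referer to send or None, whether the site's own cookie is present).
# Constructed for the example; the search engines named are those reported in the thread.
PROFILES = [
    ("direct, no cookie", None, False),
    ("direct, cookie", None, True),
    ("google, no cookie", "https://www.google.com/search?q=lavasoft+support", False),
    ("google, cookie", "https://www.google.com/search?q=lavasoft+support", True),
    ("sapo, no cookie", "https://pesquisa.sapo.pt/?q=lavasoft+support", False),
]

# Hosts treated as known-bad for this check (constructed list; ib.adnxs.com is
# the redirect target polonus named earlier in the thread).
BLOCKLIST = {"ib.adnxs.com"}

# Referer hosts the simulated site treats as "arrived from a major search engine".
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}

Fetcher = Callable[[str, Optional[str], bool], Response]


def simulated_fetch(url: str, referer: Optional[str], has_cookie: bool) -> Response:
    """Constructed stand-in for an HTTP GET: redirects off-site only when the
    visitor arrives from a major search engine and carries no forum cookie."""
    ref_host = urlparse(referer).hostname if referer else None
    if ref_host in SEARCH_ENGINES and not has_cookie:
        return Response(302, {"Location": "http://ib.adnxs.com/ttj?id=1183036&size=728x90"})
    return Response(200, {"Content-Type": "text/html"})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, referer: Optional[str], has_cookie: bool,
               cookie_header: Optional[str] = None) -> Response:
    """Real HTTP GET without following redirects, for a site you administer.
    cookie_header is the site's own cookie string, sent only when has_cookie is set."""
    hdrs = {"User-Agent": "redirect-probe/1.0"}   # hypothetical UA string
    if referer:
        hdrs["Referer"] = referer
    if has_cookie and cookie_header:
        hdrs["Cookie"] = cookie_header
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=hdrs), timeout=10) as r:
            return Response(r.status, dict(r.headers))
    except urllib.error.HTTPError as e:   # a 3xx surfaces here once redirects are not followed
        return Response(e.code, dict(e.headers))


def offsite_redirect_host(url: str, resp: Response) -> Optional[str]:
    """Host of the redirect target when the response redirects to another host, else None."""
    if resp.status not in (301, 302, 303, 307, 308):
        return None
    headers = {k.lower(): v for k, v in resp.headers.items()}
    target = urlparse(headers.get("location", "")).hostname
    return target if target and target != urlparse(url).hostname else None


def probe(url: str, fetch: Fetcher = simulated_fetch) -> Dict[str, Optional[str]]:
    """Map each profile name to the off-site redirect host it produced (None if clean)."""
    return {name: offsite_redirect_host(url, fetch(url, referer, has_cookie))
            for name, referer, has_cookie in PROFILES}


def is_conditional_offsite_redirect(findings: Dict[str, Optional[str]]) -> bool:
    """True when some profiles redirect off-site and others do not: the cloaking
    pattern where a direct visit looks clean but a search-referred one does not."""
    hosts = set(findings.values())
    return None in hosts and len(hosts) > 1


def blocklisted_targets(findings: Dict[str, Optional[str]]) -> set:
    """Redirect targets that appear on the blocklist."""
    return {h for h in findings.values() if h in BLOCKLIST}


if __name__ == "__main__":
    findings = probe("http://www.lavasoftsupport.com/")
    for name, host in findings.items():
        print(f"{name:20s} -> {host or 'no off-site redirect'}")
    print("conditional off-site redirect:", is_conditional_offsite_redirect(findings))
    print("blocklisted targets:", blocklisted_targets(findings))
```

Run as-is, the simulated site reports an off-site redirect to ib.adnxs.com only for the "google, no cookie" profile, which is exactly why a single manual visit (or a visit after the cookie is set) can come back clean while the search result still trips the web shield. Same-host redirects are deliberately ignored, since a forum bouncing `/` to `/index.php` is normal; what matters is the host changing, and whether it changes depending on how you arrived.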



mchain
Re: Lavasoft Support Forums Malware???
« Reply #43 on: February 23, 2014, 10:08:00 PM »
> > Are you running Ad-Aware alongside avast?
> > If so, that's a bad idea. If you have two resident A/Vs, that could lead to various results. Most of which are bad.
> > See http://www.bleepingcomputer.com/forums/t/260844/two-anti-virus/#entry1441638
> >
> > I found...
> > http://zulu.zscaler.com/submission/show/ca9bcb449ce76f6af913e0ad17b55238-1392919377
>
> No, I'm not running avast and Ad-Aware at the same time. Ad-Aware is disabled by me in Services, and I only update it/use it when I need to. So, for now, no Ad-Aware service is running. Also, it's installed in compatible mode (no real-time), on-demand only.
>
> > Address the issue of having to reinstall your OS multiple times by using a disk imaging software program, preferably having an image, either full or incremental, of the operating system drive done once a day. Restoring a known clean image will take you only minutes instead of hours and/or days, plus any malware that got installed on the disk will be automatically removed and overwritten.
> >
> > Run, at the very least, a sandbox program, to prevent unwanted changes to any program you use whilst connected to the Internet, and always delete the sandboxed contents when done.
> >
> > As this alert only presented itself when no cookie from the Ad-Aware forum was present, because of pre-existing FF settings, and ceased when a cookie was in place, it's up to you whether to reformat and uninstall. If avast! is not alerting now, the threat seems to have been blocked entirely. That's what it looks like from here.

(Bolding is mine)

> I know you're right about the images, but some software doesn't deal very well when you do a system restore or use an image (like avast... at least in my experience). Also, some programs that do install right fail to uninstall after using the image to restore them.
> As for a sandbox, normally I use Comodo, but I didn't know the address was infected when I googled it. That was my problem.
>
> I'm still having the problem. I'm still getting redirected and avast blocks the infection.
> What I still don't understand is whether only the cookie is infected or whether it installs something on the machine. If only the cookie is infected, avast blocks the connection and, when I close Firefox, it cleans the infection because Firefox deletes the cookie (as I selected to do so)?
>
> I don't know if I need to reinstall. The only address I have problems with is the support forum one, and it only happens after using Google, Bing, Yahoo, etc. If I access the site by writing the URL in the address bar, after restarting Firefox, I don't get redirected. Also, if I use my country's best-known search engine (sapo.pt), I also don't get redirected.
>
> > I have just sent a message to their webmaster about it.
> > Let's see if I get a response.
> > I did include a link to this thread.
>
> Any word from the webmaster?
>
> To you all, thank you. I know I'm a giant pain in the... I want to solve this, help you solve this, and prevent/help anyone to whom this could happen/has happened.
Imaging a system disk (or any other hard drive, for that matter) is different from Windows System Restore.

avast! has issues with System Restore in that not the entire disk is restored at the same time, thus avast! will see that the environment it is operating in has changed to some degree. System Restore is primarily designed to restore system files and will leave personal data alone.

Not so with an image restoration.

With an image restore, all files and data created since the last image snapshot are lost. So, when avast! wakes up and runs after an image restore, it does not detect any changes in this environment, and the avast! Self-Defense module does not kick in and run, so it will not cause avast! to become disabled, as in a System Restore.

For the same reason, all programs will work as they should and no issues with uninstalling them should ever happen as long as the restored image is a known clean image. Otherwise, that image captured data and files that were already corrupted, and your issues with uninstalling them later existed before that image was created.

For example, you must have the latest version of .msi (Windows Installer) in order to successfully install/uninstall your programs. Either that, or the version you now have is damaged/corrupted. Fix that issue by installing the latest clean version from Microsoft, from their site only.

The workaround for using System Restore is to first disable the avast! Self-Defense module, do the system restore, and then, when successful, re-enable Self-Defense. This allows Self-Defense to accept the changes it sees, as it was disabled during the SR.

Two free disk imaging programs that are solid and good: http://www.paragon-software.com/home/br-free/index.html & http://www.macrium.com/reflectfree.aspx

As for the second issue of FF redirects, either completely uninstall FF, get a clean copy of the latest version, save only bookmarks beforehand, and start from scratch, or use another sandboxing program such as Sandboxie: http://www.sandboxie.com/ to protect the browser you use from unwanted and undesirable changes session to session. You must enable automatic deletion of the sandboxed contents on close of your browser for maximum protection.

Use this version 4.09.1 (beta) http://forums.sandboxie.com/phpBB3/viewtopic.php?f=46&t=18337 that was just released in response to reports of an incompatibility issue with FF 27.0 and 27.1; the browser window fails to visibly open after being called to run in a SBIE window. It is seen running in SBIE, but never appears on the desktop.

Fixed in this version.

I'd forget about running anything Comodo, as one of the issues I've noted is a general system slowdown in all processes as Comodo does its thing, including all firewall processes in play. It just doesn't work right, and system impact is too high and it is too slow in operation, IMO.

Lastly, running your browser in a sandbox will mean all changes made to it are lost, including cookies, tracking or otherwise, provided the sandbox is automatically deleted on close, so the FF setting causing your redirect issue will become moot and unimportant. I'd recommend the above steps to troubleshoot and also be safe(r) at the same time (Thanks, polonus, for that).