nobodyishere

wth is happening to AV software.....


Here is a quick test that anyone can do to check to see if ur AV software is hijacking/injecting/modifying links that refer to other anti-virus software.

first up, open another tab or window and follow these directions.

go to atomic main webpage, under the events button should be downloads, click it.

scroll down to the download categories box under the downloads search box.

click on the antivirus & firewalls link.

now it should show a list of AV software/firewall software, click on any AV program link listed:

now mouse over the manufacturer link.

for EG: my browser (firefox 3.5.4) shows "Http://www.avgfree.com.au/" for the following AV program detail pages:

Kaspersky Anti-Virus 2010 v9.0.0.463

Comodo Internet Security 3.12

Norton Internet Security 2010

Norton AntiVirus 2010

AntiVir Personal Edition 9.0.0.408

ZoneAlarm Free 2010

basically a few on page 1, and every program link on page 2 onwards, all manufacturer links to avgfree.com.au

/begin rant

hmmm interesting u may think, now try the same thing by mousing over all the manufacturer links for all the AV software on google.com.au and see how many link back to avgfree.com.au.......

i first noticed this after trying to download avast avira AV to scan my pc with, just out of curiosity, when i tried to go to the webpage, every link went to avgfree.com.au, every direct download ended up in firefox downloading avgfree v8.5 (which was already installed).....

so i thought to myself, ok, this is extremely unusual behavior... i don't think it would be crappy or misleading coding on atomic's website... maybe AVG itself is interfering here somehow...

so i uninstalled avg free v8.5, manually scanned thru the registry for all references to avg / avgfree /antivirus and all sorts of combos and deleted every registry key there was, rebooted, opened firefox, loaded up atomic website, and checked the AV download section, now instead of every download link to avg, it was now send.onenetworkdirect.net/?/?????/???????/ where ? is insert random number/letter. interesting.

i then downloaded Avira AntiVir Personal Edition 9.0.0.408 and ran a few virus scans across on all pc hdd's and network drives, scans found nothing like i assumed it would, then i wondered if avira did the same thing as avg, so i re-ran my above test, and what do u know, every bloody link now linked to avira's website..........

ive now uninstalled avira ---the bloody advertising popup every 10mins was pissing me off--.

ive now got Comodo Internet Security AV/firewall installed and working, and it doesnt or hasnt so far screwed around with firefox and changed any webpage links...

/sigh, whats happening to AV software now.... they are turning to the same tactics malware uses in order to spread itself and operate.....

/end rant

is it just me? or does/did this happen to anyone else out there?


Pretty sure its just you. Avira user here and I can't replicate what you have described.

 

Have you tried anything else other than the above?

 

-Different browser

-Scanned for malware (with malwarebytes, combofix etc)


Pretty sure its just you. Avira user here and I can't replicate what you have described.

 

Have you tried anything else other than the above?

 

-Different browser

-Scanned for malware (with malwarebytes, combofix etc)

 

ive tried only with firefox, i havent used IE since vista was released, havent used opera since xp days when it was embedded with ads..

it happens to me if i use any version of firefox, with avira and avg.

ive scanned for viruses/malware using:

avg free 8.5 /9.0

avira

comodo

norton

mcafee

trend micro

and even have malwarebytes running, all scans come up with nothing. even rebooted onto a fresh hdd with ubuntu linux and ran a virus scan while in linux on all my ntfs drives on my pc's.

i even re-installed win7 64bit RC + avg 8.5 + firefox to a fresh hdd, and same thing happens.

something weird is happening on my machine, could be malware or worse, a rootkit, but every AV/malware scanner comes up with nothing after every scan, but it doesnt explain why every AV software links to avgfree.com.au or avira's website when their AV software is installed.

1 strange thing happened a few hours after i posted this topic, the pc was idling, then comodo kept throwing up alerts saying dllhost.exe was trying to execute almost every exe/dll in the system, i kept clicking the block option.

ive noticed everytime i open up taskmanager/processexplorer, that there is always 3 copies of either rundll32.dll or dllhost.exe running, they immediately close within sec's thou.

when i was cleaning out the registry of all avg/avira reg keys, i noticed that keys located in -> computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Enum\Root\ all error'd with permission errors when i tried to delete 3 avg keys + 3 avira keys.

i eventually deleted those keys by setting read/write permissions on every sub key starting from currentcontrolset, and forcing inherit permissions to child objects, then taking ownership. a lot of hoops to jump thru to delete stuff on win7 =(

ive always downloaded firefox + avg + avira + comodo thru the atomic download section, u think 1 of them might of been infected?


ive always downloaded firefox + avg + avira + comodo thru the atomic download section, u think 1 of them might of been infected?

Well, it is possible I guess, but unless someone else can replicate it I doubt it.

Have you tried downloading it from somewhere else using IE? Or download chrome, or Opera, anything else but FF.


Pretty sure its just you. Avira user here and I can't replicate what you have described.

 

Have you tried anything else other than the above?

 

-Different browser

-Scanned for malware (with malwarebytes, combofix etc)

just to give u an idea of what my firefox is seeing when i use it to view page source:

 

link listed in address bar: link page 1 --> http://www.atomicmpc.com.au/Download/13704...alware-141.aspx <-- using firefox to view source.

 

line 271, Col 225 """<p style="padding:5px 0px 5px 0px; margin:0px;"><b>Manufacturer:</b> <a id="ctl00_ctl00_ContentPlaceHolder_LeftColumnContentPlaceHolder_Manufacturer" href="http://www.avgfree.com.au" target="_blank">Malwarebytes<""".

 

 

 

Link page 2 --->http://www.atomicmpc.com.au/Download/152405,antivir-personal-edition-900408.aspx <---

 

 

line 271, Col 225 """<p style="padding:5px 0px 5px 0px; margin:0px;"><b>Manufacturer:</b> <a id="ctl00_ctl00_ContentPlaceHolder_LeftColumnContentPlaceHolder_Manufacturer" href="http://www.avgfree.com.au" target="_blank">Avira</a></p>""""

 

 

 

 

Link page 3 ---> http://www.atomicmpc.com.au/Download/13112...-free-2010.aspx <---

 

line 271, Col 228 """<p style="padding:5px 0px 5px 0px; margin:0px;"><b>Manufacturer:</b> <a id="ctl00_ctl00_ContentPlaceHolder_LeftColumnContentPlaceHolder_Manufacturer" href="http://www.avgfree.com.au" target="_blank">ZoneLabs</a></p>"""

 

 

if firefox is showing me this in view source... and ur's says different, that means something is injecting code into firefox as it downloads webpages right?

 

i still think its avg's link scanner feature thats doing it, even a complete uninstall of avgfree 8.5, then installed avgfree9.0 without link scanner produces same results.

 

i completely wiped all traces of firefox + avg + avira off my pc, used my other gaming pc that my bro uses to game on to download firefox from mozilla, burn it to dvd, then install off that on my pc, results in the links being fudged like i pointed out earlier =/.

 

Does anyone else want to help me fix this and have a few ideas, ive tried everything i can think of, i need some ideas on ways to approach this to figure out whats going on.

 

ive always downloaded firefox + avg + avira + comodo thru the atomic download section, u think 1 of them might of been infected?

Well, it is possible I guess, but unless someone else can replicate it I doubt it.

Have you tried downloading it from somewhere else using IE? Or download chrome, or Opera, anything else but FF.

 

 

just re-enabled IE8, downloaded FF, same thing, almost every link is avgfree.com.au

 

 

even IE8 shows all links to avgfree.com.au as well....

 

 

might try download Opera + chrome using IE and see what happens..

 

ill repost results in a few mins

 


just updating, Opera 10.01 + googlechrome + IE8 + FF all have same problems, and viewing webpage source in all browsers shows the exact same code.

 

this has got me stumped =(


Try not to quote yourself for such big posts, it makes things hard to keep track of!

 

 

I can see the same thing (FF on Ubuntu);

<p style="padding:5px 0px 5px 0px; margin:0px;"><b>Manufacturer:</b> <a id="ctl00_ctl00_ContentPlaceHolder_LeftColumnContentPlaceHolder_Manufacturer" href="http://www.avgfree.com.au" target="_blank">Malwarebytes</a></p>

 

Maybe it warrants a thread in Feedback. It could just be a bug or bad data entry.

But it doesn't look like your PC.

Edited by iamthemaxx
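
The comparison made in the posts above (the same page's source viewed from two independent machines) can be scripted. This is an added example, not code from the thread or from the site: it pulls the Manufacturer anchor out of saved page source from each vantage point and reports whether the link target is the same everywhere. The function names, the verdict strings, the name-in-hostname heuristic and the placeholder host `vendor.example.invalid` are assumptions; the anchor id and the sample line come from the markup quoted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor id taken from the markup quoted in the thread.
LINK_ID = "ctl00_ctl00_ContentPlaceHolder_LeftColumnContentPlaceHolder_Manufacturer"

class ManufacturerLink(HTMLParser):
    """Record the href and visible text of the Manufacturer anchor."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self._inside = None, "", False
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("id") == LINK_ID:
            self.href, self._inside = dict(attrs).get("href"), True
    def handle_endtag(self, tag):
        if tag == "a":
            self._inside = False
    def handle_data(self, data):
        if self._inside:
            self.text += data

def extract(html):
    """Return (hostname, link text) of the Manufacturer anchor, or (None, '')."""
    p = ManufacturerLink()
    p.feed(html)
    p.close()
    host = urlsplit(p.href).hostname if p.href else None
    return host, p.text.strip()

def label_mismatch(host, text):
    """Heuristic (assumption): the vendor name should appear in the link's hostname."""
    name = "".join(c for c in text.lower() if c.isalnum())
    return bool(host) and bool(name) and name not in host.replace("-", "")

def classify(captures):
    """captures maps a vantage-point name to the HTML saved there for the same URL."""
    seen = {name: extract(html) for name, html in captures.items()}
    hosts = {host for host, _ in seen.values()}
    verdict = "same-everywhere" if len(hosts) == 1 else "differs-by-client"
    return verdict, seen

# Constructed samples: the first is the line quoted in the thread, the second is
# a made-up variant with a placeholder host to show the other outcome.
QUOTED = ('<p><b>Manufacturer:</b> <a id="' + LINK_ID + '" '
          'href="http://www.avgfree.com.au" target="_blank">Malwarebytes</a></p>')
VARIANT = QUOTED.replace("www.avgfree.com.au", "vendor.example.invalid")

if __name__ == "__main__":
    print(classify({"windows_firefox": QUOTED, "ubuntu_firefox": QUOTED}))
    print(classify({"windows_firefox": QUOTED, "other_machine": VARIANT}))
    print(label_mismatch(*extract(QUOTED)))
```

A "same-everywhere" result from unrelated machines, combined with a label mismatch, points at the data the site serves; "differs-by-client" points at something on one machine or its network path rewriting the page.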


Seriously weird. I just skim read your posts so I may have missed something, but does this only happen on the Atomic website or does it happen on other sites too (e.g. if you do a google search for 'malwarebytes' are the results munged?)
