McAfee's Site-Advisor has changed its Privacy Policy? - saHook.dll inside FF

Hi malware fighters,

Who knows anything about this annoying drifting message?
In the past few hours I keep getting a sort of drifting pop-up telling me
that McAfee Site Advisor (which I have and which is in action every
time I open FF - I find it seemingly quite useful) has “changed its
privacy policy”, with some other statement to the effect that it
will be sending information about my PC. Is
this malicious, so to speak? There is an ‘OK’ box to click. Could it be
anything sinister?
Comodo fires the following alerts every time Site-Advisor loads a search query:
Program Files\SiteAdvisor\6172\SiteAdv.exe has loaded C:\Program Files
Site-Advisor\6172\saHook.dll into …firefox.exe
Is loading this global hook malicious? What to do?
Anyone heard about this? How to remove it, or is McAfee starting to monitor us?

polonus

I can only assume that there is a hook to capture the urls on a page so that site advisor can return the data.

I have the extension installed in FF (disabled as it takes too much bandwidth on dial-up) but I don’t have a SiteAdvisor folder on my HDD, so you must have chosen to download the URL database, etc. that requires updating.

Lots of hits on google for sahook.dll. http://www.file.net/process/sahook.dll.html

My firewall has a hook into almost everything so as to give Component Control and anti-leak to avoid changes to the application and avoid leaks. So this may be a similar hooking but only in FF as that is where the extension is.

Hi DavidR,

At a certain moment I lost the Internet connection; after I had made some adjustments in the settings of the Comodo FW the browsers could not connect to the Webshield via localhost port 12080. Something had made a reconfiguration.
The saHook.dll version in SiteAdv 6172 is different from the other version, I checked the size:
File size: 11552 bytes, SiteAdvisor version 2.5.0
MD5: ce2c2243b1b9de72bbf63431663dbf94
SHA1: 9b54fd28bfb548fe0c066b28b0ec1380b72579d7
Uninstalled Comodo and reinstalled after fresh boot up.
I did not click OK on the pop-up. I closed all windows, downloaded ComboFix and had a run and reboot on the normal user account where the problem appeared. ComboFix asked for a reboot after running, I did so and cleared ComboFix from my machine again. Uploaded saHook.dll and firefox.exe to VirusTotal, nothing there; scanned with Ewido (nothing came up). So now I think it is just annoying behavior of McAfee’s add-on. I will keep a close eye on things and proceed, will check the global hook with FileAlyzer, and have a look at all that is running with Process Explorer. You will certainly hear from me, folks.

polonus (malware fighter)

Interesting, just yesterday I had these strange problems with page loading, everything needed minutes to load. I finally narrowed it down to SiteAdvisor and removed it right away. To be totally honest I have no need for it, so my decision to get rid of it was quite an easy one.

Hi Darth_Mikey,

Well, I appreciate your view, and basically I agree with you - too intrusive. Scandoo as a search engine does the same and has no system implications. I fired up StartDreck, but all seems fine now. Really this monitoring behavior and calling home to a server that logs “whatever it is they are after” is a bit over the top for me; I grant it only if I decide to give them the data, when I send it of my own accord. They said on their forum that they do such surveys from time to time. Nice thought?! A hacked site cannot be avoided, even if it is a trusted one, even the best are trapped, so if the scanning is not realtime as with the DrWeb hyperlink checker it is not worth a real lot i.m.h.o.

pol


Well, why would you expect less of a McAfee product? I was using SiteAdvisor until they bought it and I immediately deleted it at that point. I have no trust at all in McAfee.

Anyway, since I once used SiteAdvisor, I decided to take a look and here is what I found.


Well, no sign of sahook.dll on my system and I had the Firefox extension installed, but disabled for ages, now removed as I hadn’t used it in a very long time.

That seems to indicate something was found that needed to be deleted on reboot. How does the log look?

BTW, I removed Site Advisor months ago after observing it seeking internet access when I was not actively browsing.

Hi Mauserme,

Honestly I don’t know, because I removed all of ComboFix after it did its job, seen in the light of the recent destructive rootkit warning, just as a precaution. For sahook there are 16 variants that SiteAdvisor uses: http://www.spywaredata.com/spyware/malware/sahook.dll.php
Mine is the 6172 variant. The annoying thing was that my Comodo FW started to alert that SiteAdvisor.exe had loaded saHook.dll into firefox.exe using a global hook used for monitoring, and that was what the floating message from SiteAdvisor said it was going to do. But the frequency of the pop-ups from Comodo FW was such that I could hardly write a search query into the search window in the navigation bar at the top, SiteAdvisor 2.5.0 was seeking a connection. I disabled it in my FF browser. I uploaded saHook.dll and firefox.exe to VirusTotal, all clean there.

polonus
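The two posts above describe the same manual check (which process has saHook.dll mapped, what the file hashes to, whether VirusTotal or Process Explorer turns anything up). The following PowerShell script is an added example, not code from the thread or from McAfee, that automates that check: it lists every process with the hook DLL loaded, hashes each on-disk copy, compares it with the MD5/SHA1 polonus posted for the 6172 build, and reports the Authenticode signer. It assumes Windows PowerShell 4 or later (for Get-FileHash) and an elevated shell so that other processes' module lists can be read; the module name and the expected hashes are the ones quoted in the thread, and everything else (variable names, output columns) is the example's own.

```powershell
# Added example (not from the thread or the vendor): find which processes have
# saHook.dll mapped, hash the on-disk file, compare with the MD5/SHA1 quoted in
# the thread, and show who signed it.
# Assumptions: Windows PowerShell 4+ (Get-FileHash), run elevated; the hashes
# below are the ones polonus posted for the 6172 build of SiteAdvisor 2.5.0.

$ModuleName = 'saHook.dll'
$Known = @{
    MD5  = 'ce2c2243b1b9de72bbf63431663dbf94'
    SHA1 = '9b54fd28bfb548fe0c066b28b0ec1380b72579d7'
}

# 1. Which processes have the hook DLL mapped? Reading .Modules of a process
#    with a different bitness (or a protected process) throws, so those are
#    reported with a warning instead of being silently skipped.
$hosts = foreach ($p in Get-Process) {
    try {
        $m = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        if ($m) {
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Path = $m[0].FileName }
        }
    } catch {
        Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f `
            $p.ProcessName, $p.Id, $_.Exception.Message)
    }
}
$hosts | Format-Table -AutoSize

# 2. Hash every distinct on-disk copy and compare with the posted values.
foreach ($path in ($hosts.Path | Sort-Object -Unique)) {
    $md5   = (Get-FileHash -Algorithm MD5  -LiteralPath $path).Hash.ToLower()
    $sha1  = (Get-FileHash -Algorithm SHA1 -LiteralPath $path).Hash.ToLower()
    $size  = (Get-Item -LiteralPath $path).Length
    $match = ($md5 -eq $Known.MD5) -and ($sha1 -eq $Known.SHA1)

    # 3. A vendor DLL should be Authenticode-signed. "Valid" only means the
    #    certificate chain verifies; it says nothing about what the hook does.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path            = $path
        Bytes           = $size
        MD5             = $md5
        SHA1            = $sha1
        MatchesPosted   = $match
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}
```

A hash match only tells you the file is the same build polonus examined; a mismatch means a different build, not necessarily a tampered one, since the thread itself notes that several saHook.dll variants exist. The signer and the directory the DLL is loaded from are the more useful indicators, and the process list is the same information Process Explorer's "Find Handle or DLL" gives interactively.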

I’ve installed McAfee SiteAdvisor and I haven’t got SiteAdvisor.exe, and I use CFW, and it never tries to seek a connection when I’m not browsing.
I don’t know.

Hi Rafel,

The behavior of SiteAdvisor only occurred when I tried to load a new result into the browser; there was nothing going on when the browser was static or closed. I remember from the start of SiteAdvisor that the particular cooperation of the user was asked for, to mark a site as safe/secure or suspicious. I mean to say that SiteAdvisor was set out on quite another footing than what McAfee apparently has turned it into recently.
I think in this respect Finjan is much more user friendly, but that is nothing more than a personal note from me. And what CharleyO remarked here and my good friend Miha makes me feel I am not alone here. SiteAdvisor got a little minus this time, and that is gonna stay there for quite some time.

polonus

I’ve just given up on SiteAdvisor and gone back to Finjan…

Just make sure to delete any old versions and use the latest release.

I’ll test Finjan too. If you say Finjan is better, I’ll try it and compare it with McAfee SA.