Avast WEBforum

Other => Viruses and worms => Topic started by: Bob338 on August 24, 2010, 05:53:06 AM

Title: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 24, 2010, 05:53:06 AM
Do I or don't I have an infection?
Running Windows 7 32 bit, IE8, Avast 5.0, and current Malwarebytes. While trying to access a site I visit regularly Avast reported a threat from HTML:Iframe-inf and blocked access to the site. Both a Quick scan and a Full scan showed nothing. Likewise with MBAM yet every time I try to go back to the site Avast reports threat and blocks access. CCleaner has been run multiple times and all cookies removed.
Report to webmaster of the target site advises they have no problem yet threat continues to be reported and the site is blocked to me. In desperation I found a site with apparent knowledge of the threat, F-Secure, ran their free quick scan which turned up 4 items of spyware that were removed and not reported or found by either Avast or MBAM. Still blocked I ran a full scan and turned up two more, all listed as tracking cookies. When blocking continued a further scan of only the reported process with the problem, Internet Explorer, turned up three more tracking cookies yet neither Avast nor MBAM reports any problem and I still can't access the site I want.
What is the fix and why do neither Avast nor Malwarebytes see the problem?
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Gargamel360 on August 24, 2010, 06:00:52 AM
You are not getting infected, as Avast! will not let you go there.  Is that a web shield detection, or network shield?  Web shield, I would guess. 

You could run the website through here, see what it says:
http://www.urlvoid.com/
http://vscan.urlvoid.com/
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 24, 2010, 02:39:13 PM
Thanks.
In one case it says it's clean. The other says it cannot fetch.
That being the case I obviously have something in the computer that is blocking that site. How do I get rid of it? And, where did it come from and why didn't Avast and Malwarebytes not detect and F-Secure did?
That IS a Web Shield detection.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Pondus on August 24, 2010, 02:57:47 PM
avast and MBAM do not scan for cookies

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Quote
I visit regularly Avast reported a threat from HTML:Iframe-inf and blocked access to the site.
what is the URL in question?     when you post it use hxxp and not http or wxw and not www so the link is not clickable

when you see the popup from avast with HTML:iframe, is there a URL listed on it ?
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 24, 2010, 04:22:50 PM
The "object" listed is "hXXp://www.pcmech.com/forum/│>{gzip}"

While cookies may not be dangerous they are an invasion of privacy. And if they aren't dangerous why does Avast perceive a threat?


Note: Corrected typo in URL.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Pondus on August 24, 2010, 05:12:29 PM
Can not scan the website as it seems to be down 
http://downforeveryoneorjustme.com/%20http://www.pchmech.com/forum/
maybe they have been alerted of the website infection ( HTML:iframe ) and have taken the website down for cleaning ?

Quote
While cookies may not be dangerous they are an invasion of privacy. And if they aren't dangerous why does Avast perceive a threat?
avast does not react on cookies

HTML:Iframe-inf wordpress Infection
http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/
http://www.youtube.com/watch?v=HXzLgY2f01U
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 24, 2010, 05:16:41 PM
Because avast isn't alerting on a cookie, but the loading of a compressed javascript file that is what the {gzip} part is about.

I have tried visiting that forum and I can't connect to it, firefox is spinning its wheels trying to load, so perhaps there is something going on at the site, cleaning up ???

It looks like the site is down, see image, http://downorme.com/pchmech.com.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 24, 2010, 05:17:23 PM
I've accessed it several times this morning and was on it just before I came here. It's NOT down.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: CharleyO on August 24, 2010, 05:25:46 PM
***

Yes, it is down. Click the image below to enlarge.


***
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 24, 2010, 05:31:28 PM
Quote
I've accessed it several times this morning and was on it just before I came here. It's NOT down.

Sorry but your post is bracketed by two reports that it is down, I visited the downorme.com site to check after I couldn't connect.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Pondus on August 24, 2010, 05:34:30 PM
Quote
Sorry but your post is bracketed by two reports that it is down, I visited the downorme.com site to check after I couldn't connect.
three  ;)
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 24, 2010, 11:57:02 PM
My bad, typo, I inserted an extra letter in the address S/B pcmech.com, not pch.

I'm still having the problem.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Pondus on August 25, 2010, 12:09:51 AM
No detection on any online webscanners, is your avast updated? latest is 100824-0
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 25, 2010, 01:09:50 AM
Same here no detection on the hXXp://www.pcmech.com/forum/ link.

Try clearing your browser cache and ensure you have the latest virus signatures as mentioned.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: polonus on August 25, 2010, 01:23:06 AM
Hi DavidR,

Browser Defender detected it, but now as it seems clean gives it as clean: http://www.browserdefender.com/site/pcmech.com/
But I would block this adware on that site: htxp://kona.kontera.com/javascript/lib/KonaLibInline.js
If you use Firefox, just install AdBlock and add htxp://kona.kontera.com/javascript/lib/KonaLibInline.js as a filter. (with http of course)
Then these ads will disappear completely,

polonus
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 25, 2010, 01:30:16 AM
Quote
Hi DavidR,
<snip>
But I would block this adware on that site: htxp://kona.kontera.com/javascript/lib/KonaLibInline.js
If you use Firefox, just install AdBlock and add htxp://kona.kontera.com/javascript/lib/KonaLibInline.js as a filter. (with http of course)
Then these ads will disappear completely,

polonus

I didn't get any ads, so presumably it is already blocked in my ABP ;D
Title: Re: HTML:Iframe-inf Malware infection?
Post by: polonus on August 25, 2010, 01:42:03 AM
Hi DavidR,

Well I knew you had the right subscription lists in there, you are an ad-blocking savvy,  ;D

pol
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 25, 2010, 01:56:13 AM
Quote
No detection on any online webscanners, is your avast updated? latest is 100824-0

I have a version later than this updated this AM, 100824-1

Browser cache is clean.

In order to reach the site I wanted I temporarily disabled the Web Shield for 10 minutes. Now I find I can't enable it, my mouse is inert on "fix" button as well as the enable one on the tool bar from the logo. If I click the 'enable all shields', the Web Shield remains disabled.  ????
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Juppy on August 25, 2010, 09:45:44 AM
For those of you that are loading the site that Bob338 linked to ( hxxp://www.pcmech.com/forum/ ) are you actually loading various threads to test this?   Because I go to that same site all the time and have the same problem, and the only time I get hit with the HTML: Iframe-inf detection is when I load each individual thread.   I originally had to make an exclusion in Avast's Web Shield to be able to access the site at all, but now I just get the detection when I go into a forum and load a thread up.

On mine, Avast ends up alerting about this through the File shield by popping up the red box stating the offender as HTML: Iframe-inf, but the location it shows is my Temporary Internet Files folder on my hard drive.   After visiting the site, I can do a scan of my drive with Avast and it will find these "threats" in that folder, with the names of the threads, like C:/Documents and Settings/*all the other stuff here*/Temporary Internet Files/Content.IE5/PTKCZ913/216397-norton-complains-about-attack-any-time-i-visit-pcmech-page[1].html.  <That last part, from the numbers on, is the name of the thread where we're talking about the problem on that site, in case you're wondering.   After scanning with Avast and deleting the problems, everything's fine until I go back there again.   I've cleared out my Temp folders thinking maybe it was something left over from the old site (before the new site was launched recently, which is when the problems started) and have current definitions; 100824-1.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 25, 2010, 03:10:40 PM
No I'm not, because the OP didn't post any links other than the default forum home page.
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Bob338 on August 25, 2010, 05:16:28 PM
FWIW, it looks like the webmaster found a solution to the problem at the pcmech site.

http://www.pcmech.com/forum/system-security-privacy/216397-norton-complains-about-attack-any-time-i-visit-pcmech-page.html#post1476188
Title: Re: HTML:Iframe-inf Malware infection?
Post by: DavidR on August 25, 2010, 05:49:36 PM
Which seems to confirm a good detection by the web shield once again, on an injected iframe.

This injected iframe seems to have only affected IE and not firefox, which I use as my default browser and which I won't use to investigate possible malicious sites.
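
Added example, not part of the original thread or any poster's code: a minimal Python check for the situation discussed above, where a gzip-compressed page (the `{gzip}` in the Web Shield alert) or a cached copy of it carries an injected iframe. The hidden-frame heuristics, the sample HTML and the host names are assumptions constructed for illustration; this is not Avast's detection logic.

```python
import gzip
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")  # assumed heuristics


class IframeFinder(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for a 0/1-pixel frame or one hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
    return tiny or any(s in style for s in HIDDEN_STYLES)


def suspicious_iframes(body, page_host):
    """Return the src of each hidden iframe that points away from page_host."""
    if body[:2] == b"\x1f\x8b":  # gzip magic bytes: decompress before parsing
        body = gzip.decompress(body)
    finder = IframeFinder()
    finder.feed(body.decode("utf-8", errors="replace"))
    hits = []
    for attrs in finder.frames:
        host = urlparse(attrs.get("src", "")).hostname
        if host and host != page_host and is_hidden(attrs):
            hits.append(attrs["src"])
    return hits


# Constructed sample page: one same-site frame, one hidden off-site frame,
# one visible off-site embed.
SAMPLE = b"""<html><body>
<iframe src="http://forum.example/sidebar.html" width="300" height="200"></iframe>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://video.example.net/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(gzip.compress(SAMPLE), "forum.example"))
```

A hit from this check is a lead for the site owner to review, not proof of infection; visible third-party embeds and same-host frames are deliberately ignored.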
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Juppy on August 25, 2010, 10:46:01 PM
Yeah, it seems to have affected only IE.   Version didn't matter either, because when it started, I was using Maxthon with IE7 and it did it, then changed to Maxthon2 with IE8 and it still did it.  Firefox didn't have that problem though.

I really *was* beginning to question whether it was a FP in Avast, but at the same time I found that hard to believe since that was the only site that was making Avast scream.   Looks like Avast wasn't crazy after all.   ;D
Title: Re: HTML:Iframe-inf Malware infection?
Post by: Lisandro on August 25, 2010, 11:00:45 PM
Quote
Which seems to confirm a good detection by the web shield once again, on an injected iframe.
Congratulations to avast team!