Author Topic: Flagged website - Game Jolt  (Read 12182 times)


UnknownGamer

  • Guest
Flagged website - Game Jolt
« on: August 14, 2010, 12:38:24 AM »
Hello everyone,

I am representing the website Game Jolt. A month or so back one of the ad networks was serving up a trojan that Avast has caught. In Avast's protection they flagged the website's ad server URL which has caused the owner of the website to take down all of the ads for users to view the website properly.

The owner has emailed Avast directly multiple times and is in desperate need for the ad serving URL to be re-evaluated. What I'm asking is: Is it possible to get the URL re-evaluated and possibly be marked as safe again? The ad network has gotten rid of the trojan ad and all is safe again; we just need the website marked as safe by Avast.

Ad serving URL: http://gamejolt.com/adserver/www/delivery/afr.php
 
Thanks,
Sean Buller

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Flagged website - Game Jolt
« Reply #1 on: August 14, 2010, 01:02:05 AM »
I am not getting any avast alarm on the URL ...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Flagged website - Game Jolt
« Reply #2 on: August 14, 2010, 01:20:14 AM »
Same here, no alert in either URL, albeit that the adserver URL page is blank, presumably because of what you said.

Quote from: UnknownGamer
A month or so back one of the ad networks was serving up a trojan that Avast has caught. In Avast's protection they flagged the website's ad server URL which has caused the owner of the website to take down all of the ads for users to view the website properly.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Flagged website - Game Jolt
« Reply #3 on: August 14, 2010, 02:36:41 AM »
+1
No flag just nothing there to view.,.  ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

CharleyO

  • Guest
Re: Flagged website - Game Jolt
« Reply #4 on: August 14, 2010, 06:43:29 PM »
***

Welcome to the forums, UnknownGamer   :)

It seems all is well now. I also got no alerts from avast! Pro.


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Flagged website - Game Jolt
« Reply #5 on: August 14, 2010, 07:35:32 PM »
Hi Unknown Gamer

Nowhere blacklisted
Legend
All= Not Listed

hxtp://gamejolt.com/adserver/www/delivery/afr.php
The requested URL was analyzed and found legitimate.
Hostname: gamejolt.com
IP Address: 99.198.112.170 (lucentweb.com)
Date: 14-08-2010 11:29

Running on: Apache/2.2.3

System info: (CentOS)
Powered by: PHP/5.2.9

Web Application details:
Blacklisting status

Domain clean by Google Safe Browsing: gamejolt.com

Domain clean by Norton Safe web: gamejolt.com

Domain clean by Sucuri Web Blacklist: gamejolt.com

Domain clean by the Phish Tank: gamejolt.com

Domain clean by the Malware Domain List: gamejolt.com

Nothing detected here also:
http://jsunpack.jeek.org/dec/go?report=aedc7c82654c1dc5fff1ce2fcc9063a4046bcabd

Revised avast flags and site has malcode...

polonus
« Last Edit: August 15, 2010, 11:47:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

UnknownGamer

  • Guest
Re: Flagged website - Game Jolt
« Reply #6 on: August 15, 2010, 12:21:37 AM »
Sorry guys, Avast is actually blocking the URL:
http://adserver.gamejolt.com/www/delivery/afr.php?zoneid=2

Thanks for all of the help so far!  :)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Flagged website - Game Jolt
« Reply #7 on: August 15, 2010, 12:51:25 AM »
Quote from: UnknownGamer
Sorry guys, Avast is actually blocking the URL:
hxxp://adserver.gamejolt.com/www/delivery/afr.php?zoneid=2

Thanks for all of the help so far!  :)

Please remove the live link. Thanks
Here's the warning:

« Last Edit: August 15, 2010, 04:27:19 AM by bob3160 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Flagged website - Game Jolt
« Reply #8 on: August 15, 2010, 01:19:38 AM »
Bob, you could have done the same in your quoted link, changing it to hXXp ;D

@ UnknownGamer
That link still appears to have been hacked as there is a 1X1 iframe tag that appears to have been inserted after your div id=beacon tag, see image1 and image2 where I have broken the single line to make it easier to see.

This iframe tag points to a Paraguay IP address, image3. This IP is also blocked by the network shield as malicious and also by Firefox as an attack page, image4.

So you still have some cleaning up to do and more importantly closing the vulnerability that is being exploited to insert these malicious iframe tags.

avast isn't alone (but almost) in detecting this, but there are very few scanners actually looking for these hacked/inserted tags and even less able to detect them. http://www.virustotal.com/file-scan/report.html?id=76e2e9be985f217f244ad8a50df9b06ef36b18b9768c9c8df4b8de16306a3b25-1281826952

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Flagged website - Game Jolt
« Reply #9 on: August 15, 2010, 01:49:57 AM »
Report    2010-08-15 01:46:12 (GMT 1)
File Name    afr-php
File Size    981 bytes
File Type    Unknown file
MD5 Hash    a71cae1f9b2def8336433ef59b97140d
SHA1 Hash    c60892471564342a5036aebd5a253f2acb1ec056
Detections:   3 / 16 (19 %)
Status   INFECTED

Avast    15/08/2010    5.0            HTML:Iframe-inf
Avira     15/08/2010    7.6.0.59    HTML/Infected.WebPage
VBA32   15/08/2010    3.12.12.2    Malware.HTML.Iframe
« Last Edit: August 15, 2010, 01:51:59 AM by Asyn »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0
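
An added example (not part of the thread, and not Avast's detection logic): a small Python audit for the pattern described in reply #8 and reported as HTML:Iframe-inf in reply #9, an invisible iframe that loads from a host outside the site's own. The sample markup, the 203.0.113.7 documentation address and the trusted-host list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample (not the real afr.php output): an iframe appended after
# the beacon div, plus a legitimate first-party frame for comparison.
SAMPLE = (
    '<div id="beacon" style="position:absolute;left:0px;top:0px;"></div>'
    '<iframe src="http://203.0.113.7/in.php" width=1 height=1></iframe>'
    '<iframe src="http://adserver.gamejolt.com/v.html" width="300"></iframe>'
)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1


class IframeAudit(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        # Report only frames that are invisible AND load from an untrusted host.
        if reasons and host and host not in self.trusted:
            self.findings.append((host, reasons))


def audit(html, trusted_hosts):
    parser = IframeAudit(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


print(audit(SAMPLE, {"gamejolt.com", "adserver.gamejolt.com"}))
```

Run against served pages or templates on a schedule, a check like this catches the inserted tag itself; it does not find or close the vulnerability used to insert it.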