Author Topic: Infection:html:Script-inf but virustotal says everything is fine  (Read 5306 times)

0 Members and 1 Guest are viewing this topic.

Icy

  • Guest
Hi, i'm the owner of the site hxxp://www.holylol.com (adult content, do not visit it if you don't want to see explicit sex images).

Today i received two emails from surfers saying that my site was blocked by Avast. I installed Avast free myself and checked it and they were right, it also got blocked for me with the following message:

Infection Details

URL:   hxtp://www.holylol.com/|%3E{gzip}
Process:   file://C:\Users\Ivan\AppData\Local\Google\Chrome\Application\chrome.exe
Infection:   html:Script-inf

I have checked it with virustotal and it says the site is fine:
http://www.virustotal.com/url-scan/report.html?id=93f079a0c55d44997c3e2e70c556fead-1310464221

So can you please let me know what is going on and how to fix it? my first suspicion was that it was one of my banner advertisers doing something nasty, but can't find anything nor any tools like virustotal detects anything, it's only Avast.

I see it mentions gzip in the url but... gzip is just a widely used and google recommended html/php compression format to speed up page load so i doubt it's that.

Thanks for your help.
« Last Edit: July 12, 2011, 08:14:26 PM by Milos »

spg SCOTT

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #1 on: July 12, 2011, 07:59:09 PM »
Hi Icy, welcome to the forum :)

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

Looking at the code, it seems that avast is alerting on a script that is just before the closing body/html tags (highlighted in the image)

I sent that code to VT in the form of a text file, and only avast and Gdata (uses avast engine)detect it. I'm not too sure on the detection, but without that script, there is no alert.

Scott

Icy

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #2 on: July 12, 2011, 08:19:39 PM »
Hi Icy, welcome to the forum :)

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

Looking at the code, it seems that avast is alerting on a script that is just before the closing body/html tags (highlighted in the image)

I sent that code to VT in the form of a text file, and only avast and Gdata (uses avast engine)detect it. I'm not too sure on the detection, but without that script, there is no alert.

Scott

Thanks Scott but the url i wrote had already xx instead of tt :)

I'm going to check removing that script, that is the one that pops the IM chat, from an advertiser.

Icy

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #3 on: July 12, 2011, 08:28:23 PM »
You were right, removing that fixes the report, big thanks!

But still would like to know what is wrong with that code, it's should be harmless as it's from an advertiser with very good reputation. I have asked him too about it to check it.

spg SCOTT

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #4 on: July 12, 2011, 08:37:08 PM »
Thanks Scott but the url i wrote had already xx instead of tt :)
Yes, looks like Milos beat you to it ;)


Quote
I'm going to check removing that script, that is the one that pops the IM chat, from an advertiser.
You were right, removing that fixes the report, big thanks!

But still would like to know what is wrong with that code, it's should be harmless as it's from an advertiser with very good reputation. I have asked him too about it to check it.

avast blocks this domain, via the network shield, so the script that call it on your site is also blocked.

I am not entirely sure on the detection, correct or not, but if it does turn out to be a correct detection then it could suggest that the advertiser has been hacked...

Hopefully one of the avast team can comment


Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #5 on: July 13, 2011, 09:29:52 AM »
Hello,
this ad site was blocked incorrectly. It will be fixed in next VPS.
Sorry for your inconvenience

boneprone

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #6 on: July 27, 2011, 08:27:35 AM »
Hello,
this ad site was blocked incorrectly. It will be fixed in next VPS.
Sorry for your inconvenience

Hello, I am the owner of the advertisement you blocked incorrectly. When you guys did the block I was in a panic and had webmasters change the code you blocked to a new code only to later find out you made a mistake and fixed the problem.. I thank you.. But it looks like you are blocking it again. This time the new code i had webmasters change their code to.

http://199.91.173.53/a1/chatbar.php


can you please look into this again, and whitelist it and also look into why this ad keeps getting blocked. This is the second time.

Thanks

boneprone

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #7 on: July 27, 2011, 08:30:30 AM »
here is a screen shot one of our webmasters posed:

http://img837.imageshack.us/img837/2504/screenshot1da.jpg

boneprone

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #8 on: July 27, 2011, 10:33:31 AM »
Anyone here?

boneprone

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #9 on: July 27, 2011, 07:45:08 PM »
i'm still waiting for an answer...

alenka

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #10 on: July 28, 2011, 07:20:45 AM »
Hello,

Your problem will be fixed in the next VPS.

Best regards

Alena Varkockova

boneprone

  • Guest
Re: Infection:html:Script-inf but virustotal says everything is fine
« Reply #11 on: July 28, 2011, 07:42:44 AM »
can you tell me why they get blocked? is there something i can to do help avoid this in the future?