Author Topic: vbs:obfuscated-gen alert  (Read 13327 times)

thommy18

  • Guest
vbs:obfuscated-gen alert
« on: September 25, 2008, 01:43:06 AM »
This afternoon I saw an alert from my avast WWW resident security module: "vbs:obfuscated-gen has been found in hxxp://en.sfwads.info/in.htm". This alert appears when I try to open websites with my internet viewer, Firefox version 2.0.0.17 or IE6. I tried to find information about that trojan but I didn't find how to solve the problem. It is important that I wasn't trying to open the destination "hxxp://en.sfwads.info/in.htm" but another website. When I saw the alert I sent a report about this problem to avast, but I haven't had any reply from the Avast developers. Have you ever had this problem or a similar alert? How can I solve this problem? I use Win XP Pro SP3 with all of the available fixes from the MS Windows Update Service. Please reply on the board or to my email: thommy18@tlen.pl
Sorry that my English is not perfect, but I'm not an Englishman; I come from Poland.
« Last Edit: October 09, 2008, 10:01:46 AM by misak »

Jtaylor83

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #1 on: September 25, 2008, 05:42:27 AM »
Please disable the URL link by changing it to hxxp.

Unless you want spam in your email, disable the email link.

It appears you need to update your Firefox to version 3 and update IE6 to IE7.

Hopefully someone could help you.


Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: vbs:obfuscated-gen alert
« Reply #2 on: September 25, 2008, 01:46:17 PM »
Hello,

VBS:Obfuscated-gen is a generic detection that covers several types of script downloaders.

The problem is probably with some hacked webpage you are visiting. It could be hacked just by adding some malicious iframe tag or some script, but in both cases you will be redirected to the dark side of the internet.

Please let me know what address you were visiting when you got the avast alert.
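
Added example (not part of the post above and not avast's code): a small offline audit a site owner could run over a saved copy of a page to list every iframe or script loaded from another host, marking iframes that are sized or styled to be invisible. The page URL, host names and HTML are constructed sample data, and the hidden-frame heuristic is an assumption of this example, not avast's detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "http://www.owner-site.example/"  # constructed
# Constructed sample: one local script, one third-party script,
# one visible third-party frame and one zero-size injected frame.
SAMPLE_PAGE = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://stats.example.net/urchin.js"></script>
<iframe src="http://ladder.example.org/teamframe.php?id=1" width="300" height="200"></iframe>
<iframe src="http://injected.example/" width="0" height="0"></iframe>
</body></html>"""

def _is_hidden(attrs):
    """Heuristic: frame is 0/1 px in a dimension or hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class EmbedAuditor(HTMLParser):
    """Record iframe/script tags whose src resolves to a different host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return  # inline script: nothing is fetched from another host
        url = urljoin(self.page_url, src)  # resolve relative references
        host = (urlparse(url).hostname or "").lower()
        if host != self.page_host:
            self.findings.append({"tag": tag, "host": host, "url": url,
                                  "hidden": tag == "iframe" and _is_hidden(a),
                                  "line": self.getpos()[0]})

def audit(html, page_url, allowlist=()):
    """Return off-host embeds, minus hosts the owner knowingly uses."""
    parser = EmbedAuditor(page_url)
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowlist}
    return [f for f in parser.findings if f["host"] not in allowed]

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, PAGE_URL, allowlist=["stats.example.net"]):
        print(f)
```

The audit covers only the page it is given; a frame that passes here still has to be fetched and checked in turn, since the content it loads is a separate document.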

jezza96

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #3 on: October 06, 2008, 12:17:22 PM »
Arghhh......

Hi

I am having the same problem.

I am going onto the site I made and it says the same, but it says File Name http://hap1.cn/. Here is the link to my site: www.bloodangels.co..c or www.blood-angels.csmsites.com. I need help with this.

Regards
jezza96

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: vbs:obfuscated-gen alert
« Reply #4 on: October 06, 2008, 12:30:26 PM »
Hi jezza96,

As I scan the links with DrWeb's AV link checker, they are given as clean:
Checking: http://www.blood-angels.csmsites.com/
Engine version: 4.44.0.9170
File size: 38.65 KB

http://www.blood-angels.csmsites.com/ - archive HTML
>http://www.blood-angels.csmsites.com//Script.0 - Ok
>http://www.blood-angels.csmsites.com//Script.1 - Ok
>http://www.blood-angels.csmsites.com//Script.2 - Ok
http://www.blood-angels.csmsites.com/ - Ok

Checking: http://yui.yahooapis.com/combo?2.5.2/build/utilities/utilities.js&2.5.2/build/container/container_core-min.js&2.5.2/build/menu/menu-min.js&2.5.2/build/button/button-min.js&2.5.2/build/editor/editor-beta-min.js&2.5.2/build/json/json-min.js
File size: 344.96 KB

http://yui.yahooapis.com/combo?2.5.2/build/utilities/utilities.js&2.5.2/build/container/container_core-min.js&2.5.2/build/menu/menu-min.js&2.5.2/build/button/button-min.js&2.5.2/build/editor/editor-beta-min.js&2.5.2/build/json/json-min.js - Ok

Checking: http://www.google-analytics.com/urchin.js
File size: 22.11 KB

http://www.google-analytics.com/urchin.js - Ok

Checking: http://www.gamearena.com.au/services/ladders/teamframe.php?id=38726
File size: 877 bytes

http://www.gamearena.com.au/services/ladders/teamframe.php?id=38726 - Ok

Checking: http://hap1.cn
File size: 920 bytes

http://hap1.cn - archive HTML
>http://hap1.cn/Script.0 - Ok
http://hap1.cn - Ok

Checking: http://www.gamearena.com.au/services/ladders/teamframe.php?css=http://www.gamearena.com.au/services/ladders/teamframe.css&id=37203
File size: 1115 bytes

http://www.gamearena.com.au/services/ladders/teamframe.php?css=http://www.gamearena.com.au/services/ladders/teamframe.css&id=37203 - Ok

Checking: http://edge.quantserve.com/quant.js
File size: 2951 bytes

http://edge.quantserve.com/quant.js - Ok

So this could well be a False Positive,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Jtaylor83

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #5 on: October 06, 2008, 07:09:19 PM »
Thank you, polonus. I hope they'll correct it.

kubecj

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #6 on: October 06, 2008, 07:51:58 PM »
hap1.cn has iframe link to malware.... 100%

wyrmrider

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #7 on: October 06, 2008, 08:32:16 PM »
I would think while the downloader source problem is being addressed both of you could start on the basic cleaning/diagnostic regimen

first right-click the avast ball and update>programs
then open avast and schedule a boot time scan
send any hits to chest, do not remove/delete etc

then go to MalwareBytes.org and download, update and scan with both RogueRemover Free and
MalwareBytes Anti Malware
With MBAM put a check next to all baddies and then click REMOVE SELECTED - a backup will be made
POST THE LOGS (not just comments)

let's hope nothing got established on your systems
JEZZA96
if you get any hits please start a new thread -
we do not want to hose someone's system with advice meant for another
follow the generic problem here

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: vbs:obfuscated-gen alert
« Reply #8 on: October 06, 2008, 10:11:18 PM »
Quote from kubecj: "hap1.cn has iframe link to malware.... 100%"
Dr. Web is not reliable anymore... Shame... Pity...
The best things in life are free.

kubecj

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #9 on: October 07, 2008, 10:49:03 AM »
Depends if it went further. Levels 1 & 2 were 'clean', anything beyond index.htm on the second site is malware exploit.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: vbs:obfuscated-gen alert
« Reply #10 on: October 07, 2008, 02:11:48 PM »
Quote from kubecj: "Depends if it went further. Levels 1 & 2 were 'clean', anything beyond index.htm on the second site is malware exploit."
Yeah... but we're seeing that Dr. Web is not good enough going only on the first level... the user will be there at one click of the malware...
The best things in life are free.

Cloudeight

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #11 on: October 17, 2008, 02:38:29 PM »
My son is getting this error (has different web addresses) but it is happening when he goes to many sites, such as Cnn.com, Microsoft.com and more.  He says several students at his school have the same problem and this started yesterday. Can you assist further as to what this might be?


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: vbs:obfuscated-gen alert
« Reply #12 on: October 17, 2008, 02:48:55 PM »
Quote from Cloudeight: "Cnn.com, Microsoft.com"
These two sites are being shown as clean on my side, no access problems...
The best things in life are free.

Cloudeight

  • Guest
Re: vbs:obfuscated-gen alert
« Reply #13 on: October 17, 2008, 08:29:48 PM »
Thank you. Yes, we realize all the sites he gets the alert for are clean; he and many others are getting the AVAST alert when visiting known clean sites, such as Microsoft.com, cnn.com, etc.

Could it be their college webserver that has the problem?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89212
  • No support PMs thanks
Re: vbs:obfuscated-gen alert
« Reply #14 on: October 17, 2008, 08:44:36 PM »
I would say if there are multiple people with this problem it is possible that the server might be infected, possibly a DNS redirect issue, but you should check your HOSTS file to ensure that it isn't on your and other systems.

HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

You would be looking for entries for cnn.com, microsoft.com, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
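
Added example (not part of the post above): the HOSTS check described there, done by parsing the file's active entries and reporting any that name a watched domain or one of its subdomains. The sample file contents, the addresses (documentation ranges) and the "blocked"/"redirected" labels are constructed for this example.

```python
import ipaddress

WATCHED = ["cnn.com", "microsoft.com"]  # domains named in the thread

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     www.cnn.com cnn.com   # override to a non-local address
127.0.0.1       update.microsoft.com
# 198.51.100.9  microsoft.com
192.0.2.10      intranet.college.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: not a valid entry
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]

def suspicious_entries(text, watched):
    """Return (line_no, hostname, address, kind) for entries overriding watched domains."""
    watched = [w.lower() for w in watched]
    hits = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if any(name == w or name.endswith("." + w) for w in watched):
                # Loopback/unspecified sinks the name locally; anything else
                # sends the browser to a server chosen by the entry's author.
                local = addr.is_loopback or addr.is_unspecified
                hits.append((line_no, name, str(addr),
                             "blocked" if local else "redirected"))
    return hits

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS, WATCHED):
        print(hit)
```

To check a real machine, pass the text of C:\WINDOWS\system32\drivers\etc\hosts instead of the sample; a clean file normally has no entries for public sites at all.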