Author Topic: Reg HTML:Script-inf warning from Avast  (Read 15738 times)

Offline sam_cit

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Reg HTML:Script-inf warning from Avast
« on: January 10, 2009, 02:30:23 PM »
Hi Everyone,

 I have started receiving warning from Avast, saying every site that i try to access has a virus/worm called,

HTML:Script-inf

 and it request to abort connection. I do it but not able to access any sites. This happens even for a ordinary site.
However, after many attempts, the site starts to work normally and avast doesn't display any warning.

 What is the reason? Is it a false positive?

Offline sam_cit

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #1 on: January 10, 2009, 02:46:02 PM »
I get this error while accessing,

 http://172.20.0.1/24online/webpages/client.jsp

 Its the site of my ISP provider and i use this to login to get net access,

but avast gives a warning saying,

 http://172.20.0.1/24online/webpages/client.jsp?loginstatus=nulllogoutstatus=nullmessage=null...

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20131
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #2 on: January 10, 2009, 03:17:43 PM »
Hi sam_cit,

Avast detects but must be unable to delete / quarantine the suspicious file(s) while the operating system is running.

Try running the Avast boot-time scan.

Open the Avast scanner interface from the desktop. Once open click on the button at the top left (it looks like an eject button) then from the menu that pops up select "Schedule Boot Time Scan" and allow it to reboot your system. The scan will take place before the OS fully loads, you will be prompted for an action when detections are made,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline sam_cit

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #3 on: January 11, 2009, 03:57:11 AM »
Hi,

 I tried the boot scan from avast and it started a scan however i look at the report it says, and reports few corrupted files,

Error 42136 {CHM archive is corrupted.}
Error 42136 {CHM archive is corrupted.}
Error 42126 {RAR archive is corrupted.}
File C:\System Volume Information\_restore{BC554F74-5213-4B02-B93C-494AF5486CCD}\RP578\A0082658.exe\ESXP\setup.exe Error 42126 {RAR archive is corrupted.}
Error 42125 {ZIP archive is corrupted.}
 
Number of searched folders: 9826
Number of tested files: 876587
Number of infected files: 0

 I have no idea if my system is infected or not... so far i'm able to access internet normally without the warning...

Offline anowim

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #4 on: January 11, 2009, 10:03:37 AM »
hej polonus mogłbys mi jeszcze raz to dokladnie powiedziec jak pozbyc sie tego wyskakujacego hasla ze mam robaka skript-inf.

Offline abonaca

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #5 on: January 11, 2009, 02:40:22 PM »
Hi,

I have the same problem with avast detecting HTML:Script-inf and aborting connection to that pages. I ran the boot-time scan, and it found no infected files. I also ran an online kaspersky scan of my computer, again nothing infected.

Any ideas?


Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64880
  • Gender: Male
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #6 on: January 11, 2009, 03:40:35 PM »
Well... it should be an English-only forum...
Could you please, go to an automated translation service, copy & paste your text and get, at least, an automated translation of your writings?
Thanks.

http://world.altavista.com/
http://dictionary.reference.com/translate/text.html
http://www.freetranslation.com/
http://www.worldlingo.com/en/products_services/worldlingo_translator.html
http://translation2.paralink.com/

I have the same problem with avast detecting HTML:Script-inf and aborting connection to that pages.
Which pages?
The best things in life are free.

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20131
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #7 on: January 11, 2009, 04:41:32 PM »
Czesc Anowim,

Aby sie pozbyc hasla pobierz Frefoksa 3: http://download.mozilla.org/?product=firefox-3.0.5&os=win&lang=pl
i instaluj dodatek NoScript: https://addons.mozilla.org/pl/firefox/reviews/display/722

pozdrawiam,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline chernavin

  • Newbie
  • *
  • Posts: 2
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #8 on: January 11, 2009, 07:47:40 PM »
Hello,
I had a same virus HTML:Script-inf and the same problems that sam_cit had. After Avast boot-time scan I deleted virus, but internet pages "https://bcee.snet.lu/" and "http://gmail.com/" are still blocked and programms "skype" and "yahoo.messenger" still don't work. Can you advice something?

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20131
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #9 on: January 12, 2009, 10:51:44 AM »
Hi chernavin,

As I posted in my previous posting use Firefox browser with NoScript installed and I bet that avast will let you get to these sites, because NoScript prevents that script from running,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #10 on: January 12, 2009, 01:13:33 PM »
Hello,
I had a same virus HTML:Script-inf and the same problems that sam_cit had. After Avast boot-time scan I deleted virus, but internet pages "https://bcee.snet.lu/" and "http://gmail.com/" are still blocked and programms "skype" and "yahoo.messenger" still don't work. Can you advice something?

First avast doesn't monitor the https secure encrypted pages, so there is something else in the mix. First I tried to visit the first with firefox and noscript (enabled) and I got an error page no javascript enabled. I temporarily enabled the site in noscript and still it didn't work it displayed the javascript must be enabled error page. So I don't know if this is a site issue with firefox as javascript is enabled but it still displays the error page.

I get the gmail page and it redirects to the https logon page see image2, so that is aparently what it would do.

Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline chernavin

  • Newbie
  • *
  • Posts: 2
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #11 on: January 12, 2009, 08:41:44 PM »
Thank you, Polonus, thank you DavidR. I'll try.

Offline return_of

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #12 on: January 28, 2009, 03:15:31 PM »
I am also infected with similar virus. I did some research and the Web browser EXE is not infected but the virus is using some low level technique to insert the Java script line in every html request that is made from my pc. I tried IE and Firefox as well as tried after installing the new browser Opera same result. When I checked with gmer it is showing vsdatant.sys and tcpip driver infected. I have done boot time scan several times but no infected file is got. I had read recently  that a  Boot sector virus (Sinowal Trojan) which does similar thing changes HTML page contents but not detected easily. Can any avast staff could suggest some removal procedure ?

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20131
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #13 on: January 29, 2009, 09:14:21 PM »
Hi return_of,

You could run the following removal tool, to be downloaded here:
http://www.softpedia.com/progDownload/Norman-Sinowal-Cleaner-Download-104305.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Daknife

  • Newbie
  • *
  • Posts: 1
    • Personal Message (Offline)
Re: Reg HTML:Script-inf warning from Avast
« Reply #14 on: January 30, 2009, 11:07:57 AM »
I'm also getting that same error, 

The Sinowal cleaner found nothing in the MBR, (it's still working through my HD at this time.)

For those of you also getting hit by this, if you pause the Web shield part of Avast, and then look at the source of the web page (Edit, View Source) you'll probably find the evil script inserted before any of the html of the website.

This is the one I'm getting. 
[skript language="jabaskript" type="text/jabaskript" src="hxxp://mk.cxaaaa.cn/mk.js"></script]

It is always at the very top of the source code, before anything else.
Note: other than changing spellings in the script coding, I only altered the http portion of the actual address given in the script.  Hopefully I sufficiently deactivated the script without making it unreadable.   

I'm trying to find the source of it, and am beginning to wonder if it's coming from my ISP's server, because I've done boot scans with Avast, I've run the latest MSRT, I'm running the Sinowal cleaner, but it hasn't found anything in the MBR where Sinowal resides, and so far it hasn't found anything anywhere else yet, and none of the scans have found anything on the system.

I'd use no script but it's a pain with all the other legal scripts in use out there.  That, and I use Opera even more than Firefox and I don't have a no-script plugin for Opera.

What I'm wondering is why can't the so called Web shield, just deactivate, block or remove the bad script, rather than just blocking access to the supposedly infected sites, which really means it blocks all web access at times.

Knowing it's there is good, but I've placed the domain name from the script into my hosts file, so it shouldn't be able to resolve the actual script anyway, but I don't like that I have to disable the web shield to do anything on the web, including come and post here.

I just wanted to add that I have a login page I have to use for my ISP like sam-cit does.  And it too at times has evidenced the script.
« Last Edit: January 30, 2009, 11:17:46 AM by Daknife »

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now