Avast WEBforum

Other => Viruses and worms => Topic started by: TuckerX on November 29, 2012, 11:57:10 PM

Title: Is this site safe?
Post by: TuckerX on November 29, 2012, 11:57:10 PM
Some info first: I use an iMac running Chrome and OS X version 10.6.8.
A few days ago my cousin came over and wanted to go to neopets.com. Instead he went to www dot neoepets dot com. About 3 seconds later, when I saw his mistake, I exited the site. It didn't show the real site, just a plain white screen. I tried looking at different safe site checkers but they came back with mixed info. C-sirt says it's malicious on VirusTotal but I don't know if it's correct. Could someone tell me if it's safe and free of random downloads/malware? I accessed the site on my iPod also, but the site looks different than what the image from a URL query scan looks like. Help would be appreciated!
Edited so the site was not able to be visited. Don't want other users getting infected.
Title: Re: Is this site safe?
Post by: Pondus on November 30, 2012, 12:13:24 AM
Check your URLs here:

urlvoid.com
urlquery.net
sucuri.net
zulu.zscaler.com

Title: Re: Is this site safe?
Post by: TuckerX on November 30, 2012, 12:43:33 AM
I scanned the site. The image of the site from urlquery looks different than what I saw when I visited the site on my iPod, though. Also, could you look at the scans?
Links to scan: http://urlquery.net/report.php?id=252189
http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354231995
http://urlvoid.com/scan/neoepets.com/
https://www.virustotal.com/url/5900b0ca0bc7617b4137245dd8f022a96a829e99a26f6d19018f97665abf0b51/analysis/1354232438/
http://www.UnmaskParasites.com/security-report/?page=www.neoepets.com
Title: Re: Is this site safe?
Post by: TuckerX on November 30, 2012, 02:48:57 AM
Is that C-sirt threat warning of CYSC.RED.CLICKFRAUD-1 on VirusTotal a false alarm or what? Also, what is that threat? Is it just telling me there is a link to a malicious site on that site? Also there's those earlier questions ^
Title: Re: Is this site safe?
Post by: polonus on November 30, 2012, 08:05:46 AM
I see an issue here, see: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Puzlice-A/detailed-analysis.aspx  -> this is for:  pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js on that site,

Can anyone confirm?

polonus
Title: Re: Is this site safe?
Post by: TuckerX on November 30, 2012, 09:35:17 PM
I have Sophos for Mac (Home Edition) on my computer so I'll run a local drives scan to see if I have it. I shouldn't though, because I never downloaded anything unless it was a drive-by download.
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 12:14:31 AM
See the scan results here for this malvertising site. Not a lot of scanners detect this malvertising, see at the bottom of the post for the frame domain...

Checking:htxp://dsparking.com/?epl=knKJX7BPJwXsNogTdPUrydwz4BwhoXCK5C5-siFixdRZphRCPTghJSFEUO9dLc4ZONmHk4iA4W2jcDOBhKgvZiUdrD6yLxjkWC0_EJbyfbrUnDIfTy1Tqj343BSxVuujekfEcXH4SaENlNihcq_zwRdUAw0AmdpINsmjGhQ8GajpSSbtqQb5qRqEACBg3O-_AADgfwEAAECAWwoAAO4ZcI5ZUyZZQTE2aFpCmAAAAPA
File size:44 bytes
File MD5:ff20b629c15604ed940eb8542849f3ba   Very poor web reputation

The obfuscation directs to ->
htxp://www.dsparking.com/?design_id=4&domainname=dsparking.com&a_id=14840

Checking:htxp://www.neoepets.com?epl=xJ1NlXEVHHAPHNFu-gWL2ZRTvzdCQuEUyV1oaFP0MRtmTJwktIpG8HrSCueLkoB9AGdrHnhyMPslRpA2RVKPIGdfnLaDE2qpIe9WgbHHaAMZMTU1M_UUQT1o0gxlRG_qqUgAIADco68AAGB_AQAAQIBbBgAA5dTvjVlTJllBMTZoWkJeAAAA8A
File size:46.50 KB
File MD5:aa0d660858e12ad1074ba5e25cc16f46


Checking:htxp://www.neoepets.com/
Engine version:7.0.4.9250
Total virus-finding records:3424473
File size:1766 bytes
File MD5:96483d751c84dc60b301c7c10c6a31a8

hxp://www.neoepets.com/ - archive JS-HTML
>htxp://www.neoepets.com//JSTAG_1[244][ea] - Ok
htxp://www.neoepets.com/ - Ok

Also placeholder code link: htxp://cdn.dsultra.com/js/main.js This is malvertising hidden in a frame
polonus
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 12:38:18 AM
Here the malvertising fraud was missed completely. Reported there: http://zulu.zscaler.com/submission/show/d82f1fe645fa9c8d6092c6282a945fdb-1354318424

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 01:01:41 AM
So what does this mean/what is it? I never really visited the site except on my iPod and when my cousin visited it accidentally, which I quickly exited out of. Am I infected?
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 01:34:14 AM
Do you know if Sophos detects this? Also, is it just an advertisement that links to a malicious site or does it contain a drive-by download or something bad?
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 06:16:52 AM
Still wondering about this if anyone can jump in and help.
Title: Re: Is this site safe?
Post by: mchain on December 01, 2012, 10:48:32 AM
hi TuckerX,

Please be patient.

Polonus is the very next best thing to a wizard we have, and the work he is doing takes some bit of time.  When he is finished analyzing and understands what he is seeing, he will report back here.  User !Donovan is another one.

BTW, if nothing is obviously wrong with your system, try to worry a little less.  It is when things begin not to work as they should, then action is called for to rectify or fix.  I did ask him to have a look here, so far he has come through.

This is new stuff and rare, not looked for elsewhere by others, so...
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 01:40:42 PM
Hi TuckerX and mchain,

The page is a so-called dsparking dot com hijack. This redirect affects the Internet Explorer and Firefox browsers; Google Chrome is not vulnerable.

Uninstall dsparking.com:
1. Open Windows Control Panel.
2. Choose Programs (Uninstall a Program).
3. It will open a list of installed programs, find dsparking.com or any related term and click on ‘Uninstall’.

Remove dsparking.com in Internet Explorer:
1. Open Internet Explorer.
2. Go to Tools > Options.
3. On General tab, proceed to “Change search defaults” and click the “Settings” button.
4. You will see a list of search providers. Select your desired search provider and click the button “Set as default” to replace dsparking.com.
5. You may now remove dsparking.com from the list.

Remove dsparking.com in Mozilla Firefox:
1. Open Mozilla Firefox Internet Browser.
2. On Google’s Search box, click the “arrow down” beside the logo.
3. Select “Manage Search Engine” from the drop-down list.
4. Choose your desired search default (like Google) and click the button “Move up.” It should be on the top of the list to set it as default.
5. You can now remove other installed search engines.

Remove dsparking.com in Google Chrome:
1. Open Google Chrome.
2. Click on the Wrench icon on top right corner of the browser.
3. Choose “Settings” from the drop down list.
4. Select “Basics.”
5. Click on “Manage search engines” under SEARCH settings area.
6. Hover your mouse to a preferred search engine and click “Make default.”
7. You can now remove dsparking.com by clicking on the X mark.

Manual removal information author: Xman23

But you could also follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
and let any of our qualified removal experts look into the matter and help you with the removal of this search setting hijacking domain parking malware. At least one of them was alerted to this thread, so wait for him to come in and look into your provided logs,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 02:38:02 PM
OK, well I have Google Chrome and Safari on my iMac but I visited the site on Chrome. So I just do those 7 steps you gave me to uninstall it? Will it just be one of the search options that I can just click the X on to delete (looking at steps 6 and 7)? Also, so it won't affect me/do anything because I only use Chrome and not FF or IE? I don't even have Windows on my computer also. Edit: did it install anything onto my computer or did it just change my search settings?
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 03:03:09 PM
No, the check is safe. And yes, it is only the preferred search settings changed,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 03:07:44 PM
Sorry to ask so many questions (I don't know that much about redirects). But what about the site that does the redirecting (the website that I typed in that you said redirects you to a hijack)? Is that site safe or does it just do the redirecting to the bad site (the one with the search default changer)? And after seeing your post just now, I asked more than two questions, and what do you mean by the check is safe?
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 03:21:47 PM
That site is doing the redirecting, yes, but only if you perform the typo to be redirected to the wrong typo site. So the redirect is only valid there where you go to the typo site. That is how devious it is. A normal domain parked site can be used for parking an undemanded search site to score a couple of additional ad click dollars. This is not so here, this is a domain park for a typo site. If you would have given in the site without a typo, no problem would have occurred. Ask a touchscreen pencil for Xmas and feel safer...
What "the check is safe" means is that the redirect only changed your default search settings (without your approval of course); that is all the "malware hijacker" did to let you go to their search site and earn on fraudulent clicks. It is all about money, you know...

polonus
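
Added example, not part of the original thread or of any poster's words: a small defender-side check for the typo-domain situation described above, which compares a typed host against a list of sites the user actually intends to visit and flags near misses such as neoepets.com for neopets.com. The KNOWN_GOOD list, the function names and the distance threshold of 2 are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of sites the user really means to visit (illustrative).
KNOWN_GOOD = ["neopets.com", "google.com", "avast.com"]


def hostname(value):
    """Return the lowercase host of a URL or bare host name, without 'www.'.

    Defanged schemes such as 'htxp://' parse the same way as 'http://'.
    """
    value = value.strip().lower()
    if "://" not in value:
        value = "http://" + value
    host = urlsplit(value).hostname or ""
    return host[4:] if host.startswith("www.") else host


def osa_distance(a, b):
    """Optimal string alignment distance between a and b.

    Insertions, deletions, substitutions and swaps of two adjacent
    characters each cost 1, which matches common keyboard slips.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def check_typed_domain(typed, known_good=KNOWN_GOOD, max_distance=2):
    """Classify a typed address as 'known', 'possible-typo' or 'unknown'."""
    host = hostname(typed)
    if host in known_good:
        return {"host": host, "verdict": "known",
                "intended": host, "distance": 0}
    # Closest intended site; a small distance suggests a typo domain.
    best = min(known_good, key=lambda good: osa_distance(host, good))
    dist = osa_distance(host, best)
    if dist <= max_distance:
        return {"host": host, "verdict": "possible-typo",
                "intended": best, "distance": dist}
    return {"host": host, "verdict": "unknown",
            "intended": None, "distance": dist}


if __name__ == "__main__":
    # Constructed sample inputs based on the host names mentioned in the thread.
    for typed in ("www.neoepets.com", "http://www.neopets.com/",
                  "htxp://dsparking.com/"):
        print(typed, "->", check_typed_domain(typed))
```

A "possible-typo" verdict only says the typed name is one or two keystrokes from an intended site; whether the look-alike domain is parked, serves ads or does something worse still has to come from scans like the ones linked in this thread.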
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 03:55:46 PM
Thanks for the help, polonus! But I also visited a site before that seemed to be malicious. When I scanned the site, it said that there were malicious JavaScripts. The website is checkwebsitesafe dot com without the www. It also had annoying popups that were probably pay-per-click ads. All the info was either outdated or wrong also. I visited the site on my MacBook laptop but I spilled coffee/hot chocolate on it and it broke. I don't remember if I visited the site on this iMac so I want to be sure. I also scanned the iMac with Sophos and ClamXav (I had them on this computer already) and it found nothing. Links to scans of the website are first, and then links to scans of the website's scan that I visited. (The website does scans to see if a site is safe or not using Webutation, Google Safe Browsing diagnostic etc.)
http://urlvoid.com/scan/checkwebsitesafe.com/
http://sitecheck.sucuri.net/results/checkwebsitesafe.com
http://zulu.zscaler.com/submission/show/a13f04f447c7457b42b5378d7d2a75bd-1354372705
http://urlquery.net/report.php?id=265499

and the 2nd one:
http://urlvoid.com/scan/checkwebsitesafe.com/
http://urlquery.net/report.php?id=265540
http://zulu.zscaler.com/submission/show/cb2e443ca64a247e91b0e93f92e550f3-1354372797

Could someone tell me if it's safe? It didn't seem safe. I don't know why Google would put that site on the second page when I searched for a website that could let me see if a link was safe or not.
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 05:46:18 PM
Hi TuckerX,

What I get on that site is that it is a known scam and phish: http://www.mywot.com/en/scorecard/checkwebsitesafe.com?utm_source=addon&utm_content=popup-donuts
I get document.writeln(''); from htxp://bdv.bidvertiser.com/BidVertiser.dbm?pid%E2%89%88%20451302&bid%E2%89%88%201125316%22%20type%E2%89%88%20%22text/javascript%22 on that site
On BidVertiser hijacker, see: http://forum.avast.com/index.php?topic=98455.0
Read: http://khiaao.blogspot.nl/2011/03/virus-and-malware-in-bidvertiser-ads.html  article author khiaao

Suspicious recently and now given clean: http://zulu.zscaler.com/submission/show/6804f063be09fd245f0b61bd8d9ae923-1354380473

Quttera has 1 potentially suspicious file:
Potentially Suspicious files: 1
all-include.js
File size [byte]: 141000
Threat type: Potentially Suspicious
Details: Detected potentially suspicious content.
Reason: Detected potentially suspicious initialization of function pointer to JavaScript method write: __tmpvar20438881 = write; (this is linux code malware, paths include /tmp, /var/tmp as we see here (remark from polonus))
MD5: 2FBC99E74E3C107DAFB60F637BEB1755
Scan duration [sec]: 1.017000
Data from online Quttera scan for above website...

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 06:35:42 PM
So what can you figure out about the site? Do you think I might have any malware from it? I never clicked on the BidVertiser ads from what I know.
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 06:53:09 PM
Also I did those seven steps you told me to do for Chrome. The only thing was that dsparking wasn't even in my search options. I just had Google Chrome/Google. I deleted the other search options (Bing, Yahoo, some sites that I use that were under there for search options) just in case because I don't even use them. Also, does what you just said mean that I have malware on my iMac? I have scanned with two antiviruses and they didn't find anything malicious (ClamXav and Sophos for Mac Home Edition).
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 08:26:09 PM
Hi TuckerX,

I think you were just startled a bit and did not become in any way infested or what. Just be aware of typos. You know now why. Think you had a lucky escape. Thanks for reporting this anyway and for us having the privilege to dive into this issue. Certainly if it helps towards everyone's awareness,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 01, 2012, 09:18:31 PM
Wait, what about my question about checkwebsitesafe dot com?
Title: Re: Is this site safe?
Post by: polonus on December 01, 2012, 10:01:47 PM
If you are not redirected to specific sites you are free of this.

Try to search Google for something and click on the various search results that show up, if none of the results allow you to go to the appropriate site, you are infected. Instead you'll be redirected to sites like:
icityfind.com
scour.com
fastsfind.com
amusede.in
1freefiledownload.com
find-quick-results.com
bidvertiser.com

If not so you are not affected,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 01:01:05 AM
OK, so I guess I don't have anything. The BidVertiser redirect works on all platforms, right (Windows, OS X, Linux), or does it only affect Windows? If it is only Windows then I won't know if I have it or not. (I use a Mac with no Windows installed.)
Title: Re: Is this site safe?
Post by: polonus on December 02, 2012, 01:23:34 AM
I would not worry one bit. It is an IE issue and Windows related,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 01:37:30 AM
But can I send this to Windows computers? I have a computer with Windows on the same network and in the same house. I also send things to Windows computers. This can't be spread to other computers/computers on the same network/in the same house, right?
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 02:38:25 AM
So I should have no malware/something malicious on my iMac, right? And if I did, it wouldn't affect me and be able to transfer itself to other computers?
Title: Re: Is this site safe?
Post by: !Donovan on December 02, 2012, 03:00:58 AM
Hi TuckerX,

I think you are overreacting a bit... Was there any explicit differentiation after visiting the misspelled site? Did you readily find something new and unwanted upon the visit of this site?

~!Donovan
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 03:20:04 AM
No, I did not find anything new or strange on my computer. Like you said, I do tend to overreact about things. But is the BidVertiser thing also just a redirect? I don't seem to get redirected when using Google, however. I just want to make sure my computer is clean of anything bad even if it doesn't affect me. I guess I am safe?
Title: Re: Is this site safe?
Post by: !Donovan on December 02, 2012, 03:27:44 AM
Alas, please wait until Polonus is back to further assist you,

~!Donovan
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 03:54:45 AM
OK, I can wait. I just want to know whether or not I am safe (I probably am, but I just want to hear it from a somewhat/expert on these things).
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 04:47:13 AM
Also just a general question about malware: can iPhones or iPods get any malware? Also, is wiki.d-addicts.com down? I tried visiting it on my iPod and it shows up for a little before switching to a blank white screen.
Title: Re: Is this site safe?
Post by: mchain on December 02, 2012, 09:11:56 AM
As for wiki.d-addicts.com being down, can't say as it is several hours after your last post.

But you can check any site to see if up or down in the future: http://www.downforeveryoneorjustme.com/
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 02:21:55 PM
Still waiting for an answer. Also I tried visiting wiki.d-addicts.com and it loaded, then switched to a blank white screen again. If I reload the page it fixes itself for a little. (I am using an iPod.)
Title: Re: Is this site safe?
Post by: polonus on December 02, 2012, 02:44:17 PM
I do not think you can pass any malware to Windows platforms if the users do not use the same typo you did, they cannot be harmed either. So do not panic, you are safe.
About iPod security read this: http://ipod.about.com/od/iphonetroubleshooting/a/iphone-security.htm (link author Sam Costello)

The site wiki.d-addicts.com is found to be clean on VT, Quttera and urlquery.net scanning
availability is OK: http://www.websitedown.info/46.165.216.86

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 05:12:07 PM
I guess I don't have any malware on my computer! Thanks for all the help, Polonus and everyone else!
Edit: Almost forgot, I have one more question. Can Windows/any malware hide from my antivirus when I do a scan with my antivirus? I heard that you should run in safe mode? Does safe mode show the malware, and what is safe mode?
Title: Re: Is this site safe?
Post by: polonus on December 02, 2012, 05:14:08 PM
You're welcome, my friend. Stay safe and secure,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 05:20:01 PM
Could you read my edit just now^? Forgot to ask about it.
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 05:27:19 PM
Also, can a website address be an IP? I remember clicking on a link and it took me to a web address that was an IP and long. Google Chrome said that it couldn't find it? (Was using my iMac.)
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 09:05:52 PM
Still wondering about these questions.
Title: Re: Is this site safe?
Post by: polonus on December 02, 2012, 10:40:13 PM
Hi TuckerX,

As a safe mode AV scan you can select an avast boot-time scan. Once the memory scan finishes, you can right-click on the Avast antivirus window and select “Schedule Boot Time Scan”.
A website address can be an IP. For instance here where hostname is the same as the IP: http://173.194.65.100/
this is a google address. So you can go there as http://www.google.nl or as http://173.194.65.100  the IP number that resolves to that address,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 02, 2012, 11:45:14 PM
Oh, I'm not wondering about that. I am wondering if malware can hide from my AV scanner if it's not in safe mode. Also, can Windows malware hide from my antivirus scanner when doing a regular scan on my computer (when not in safe mode)? I just want to know in case I should run my antivirus scanner in safe mode also.
About the IP address: well, I don't remember what the IP address was when I clicked on the link, but I ran my antivirus scanners (ClamXav and Sophos) and they found nothing, so I guess I am safe.
Title: Re: Is this site safe?
Post by: TuckerX on December 03, 2012, 05:10:54 AM
Also, can you visit wiki.d-addicts for me on a computer? Just want to know if it switches to a white screen after a bit on a mobile device only or if it is in general. EDIT: For some reason the site loads fine only when I have JavaScript disabled? I AM USING AN IPOD. Edit2: sorry for all the caps
Title: Re: Is this site safe?
Post by: mchain on December 03, 2012, 06:30:02 AM
Here is wiki.d-addicts on the site up or down checker on my system: http://www.downforeveryoneorjustme.com/wiki.d-addicts   ???
Title: Re: Is this site safe?
Post by: polonus on December 03, 2012, 08:03:07 AM
Hi TuckerX,

Why are you coming here asking all these questions when you do not have avast or avast apps installed? You say you have both clamav (non-resident) and Sophos. Two resident av solutions on one system will interfere with each other and the one may find up the other's signatures.
That is why it does not deliver enhanced protection! It is a bad idea.
There is a particular kind of virus that can hide from av scanners, that is called a zero-day (not detected, so completely new) or a virus that has special features to circumvent av scanning (stays dormant for some time, has rootkit possibilities it appears non-existent to the OS). But I would not worry about all these distant possibilities. You are not paranoid, are you? Using a computer should be fun, not a stressing situation,

polonus

Title: Re: Is this site safe?
Post by: TuckerX on December 03, 2012, 01:10:46 PM
I am sorry for posting here polonus. I will refrain from posting about things like this again.
Title: Re: Is this site safe?
Post by: Asyn on December 03, 2012, 02:11:05 PM
I am sorry for posting here polonus. I will refrain from posting about things like this again.

I doubt that this result/reaction was his intention. ;)
Title: Re: Is this site safe?
Post by: TuckerX on December 03, 2012, 11:13:11 PM
What do you mean by that/who was that to, Asyn?
Title: Re: Is this site safe?
Post by: TuckerX on December 04, 2012, 02:45:49 AM
I am sorry for asking again, but could you figure out if www dot 44andahalf dot com is safe? I did some scans using Quttera and those other things but Quttera found 7 files/redirects potentially suspicious. Could you look into this for me one more time? If you can't, I understand why. (I've asked you a lot of questions already. More than you were expecting.) I just typed in www.4 and pressed enter by mistake and it took me to that site that I don't even know.
Title: Re: Is this site safe?
Post by: polonus on December 04, 2012, 04:25:52 PM
Hi TuckerX,

That site is safe as far as can be established. But as I said, everybody has to look out for typos, because the misspelled domain one lands onto could have been created by malcreants on purpose to infest. Avast has inbuilt protection against such typos, but there is always a remaining threat. Therefore dyslexics should be careful and take some time to give in addresses. Check, then click, also be careful with surfing backwards with the browser. Anti-malware can do a lot but it cannot save users from making a wrong click, that is a PEBCAC problem. (PEBCAC means "problem exists between computer and chair"),

polonus
Title: Re: Is this site safe?
Post by: polonus on December 04, 2012, 06:00:55 PM
The site you asked about had issues recently but not now, see the intrusion detection alerts for an earlier scan:
http://urlquery.net/report.php?id=299593
Read about the file extraction Suricata IDS alert here: http://blog.inliniac.net/2011/11/29/file-extraction-in-suricata/
(link author .inliniac, we see these alerts are already coming since 2011) and also consider my comments on a likewise detection for another site here: http://forum.avast.com/index.php?topic=102084.0 and we will establish that it is SPAM related...

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 04, 2012, 07:12:11 PM
Well, I visited the site yesterday (the 3rd). From what you told me just now, does that mean that www dot 44andahalf dot com just gives spam and doesn't contain anything else that's malicious?
Title: Re: Is this site safe?
Post by: polonus on December 04, 2012, 10:03:30 PM
No I did not say that, I said it was involved in spam recently, as you see from the urlquery scanning report that was alerted in a previous scan of that site, not now. So someone has cleansed that or it was closed. So no malware from there at the moment,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 04, 2012, 11:05:26 PM
OK, so if I get anything still then it would just be spam. What do you mean by "consider my comments on a likewise detection for another site here..."?
Title: Re: Is this site safe?
Post by: polonus on December 04, 2012, 11:49:03 PM
That a similar kind of threat was being commented by me in another thread here on this forum: http://forum.avast.com/index.php?topic=102084.0 
Malware always comes in similar patterns, via similar attack vectors through similar vulnerabilities with similar payloads.
And these patterns are to be repeated in an endless variety. After seeing enough of malcode you also can almost smell it out when you see a log, a webpage coding or a website analysis or an unpacked script example or a particular IDS alert...

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 05, 2012, 02:35:14 AM
So the site just used to give spam to emails? I guess I am safe then? (I don't know when it stopped being involved in spam, but after some more research, it seems to be a site for a restaurant. Real website for the restaurant is 44andx/44andahalf though.)
Edit: Also, what about the Quttera scan for that site (www dot 44andahalf dot com)? It said that it found 7 redirects or something like that?
Title: Re: Is this site safe?
Post by: polonus on December 05, 2012, 02:11:35 PM
Hi TuckerX,

For the site you mention I get a Bad Request for  wXw.44andahalf.com/../scripts/swfobject.js
[decodingLevel=0] found JavaScript
     error: undefined variable swfobject
     error: undefined function swfobject.embedSWF
     error: line:3: SyntaxError: missing = in XML attribute:
And then we come to the alerted adobe files in the Quttera scan you mention:
wXwimages.adobe.com/wXw.adobe.com/js/foresee/foresee-trigger-dlc.js
Detected procedure that is commonly used in suspicious activity.
wXw.adobe.com/etc/pagetables/reflowtypes/adobe.js benign
[nothing detected] (script) wXw.adobe.com/etc/pagetables/reflowtypes/adobe.js
     status: (referer=wXw.adobe.com/go/us)saved 1342 bytes f1cf987be6ae5c060d62c4f49f6b171bc3e9f7e9
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
And various adobe's-> Detected unconditional redirection to external web resource.
These external scripts are only flagged because
maxruntime was exceeded 10 seconds (incomplete) 0 bytes
Could mean a probability for something suspicious, but could depend on a misconfiguration or a benign adobe code hack, etc.
These are subtleties to consider, but here they are just "background noise"
based on this scan: https://www.virustotal.com/url/98c111ceee74adc9413fd2d954899acad446d025317076a9acb32f6d72d89a08/analysis/
and this http://urlquery.net/report.php?id=315201

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 05, 2012, 07:02:06 PM
So is there anything malicious or bad about that site that I should worry about? I know that I might get spam on my mail account but anything else?
Title: Re: Is this site safe?
Post by: polonus on December 05, 2012, 09:47:59 PM
Not as far as I know,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 06, 2012, 12:33:18 AM
Well, just in case I'll go run a scan on my antivirus tomorrow. I did take your information and uninstalled one of them. I didn't know that it could affect their scanning!
Edit: what do you mean when you say:
For the site you mention I get a Bad Request for  wXw.44andahalf.com/../scripts/swfobject.js
[decodingLevel=0] found JavaScript
     error: undefined variable swfobject
     error: undefined function swfobject.embedSWF
     error: line:3: SyntaxError: missing = in XML attribute:

Is that OK to ignore, or were you talking about everything in general (the Quttera scans also) being safe to ignore?
Title: Re: Is this site safe?
Post by: TuckerX on December 06, 2012, 11:41:06 AM
Polonus, I have edited my post in case you didn't see it. Thanks for your help, but that's my last question that I know of.
Title: Re: Is this site safe?
Post by: polonus on December 06, 2012, 12:21:23 PM
Hi TuckerX,

Well, let us answer this last question also as good as we can. The Quttera scans all the files heuristically. If it detects something out of the ordinary it flags that anomaly. That could be a script that runs slightly longer than expected or has some aspects of suspicious files.
These finds are not real malicious files. They could be suspicious or something not earlier detected, but then it should be supported from other scans. I never go by the results of one scanner, I use quite a plethora depending on what I expect to find or not to find there. You can also run a URL through a JavaScript unpacker scan service. Same story there, unexpected hiccups are found as potentially suspicious. So in the previous example of "external-interface-and-swfobject-js", if you invoke it there it throws up an error in JavaScript and that is flagged by the analysis (some parameter was not set or the developer forgot about that). So we are not talking about severe logical errors here and so, as you put it, we can easily ignore these code hiccups.
If we had a report from a sucuri's scan or a wepawet scan about malicious content found or a blacklisting status of the site or a WOT bad web report, that would mean quite another kettle of "phish" and of course I would have reported that here.
Dissecting these potential website threats or finding they aren't there can be fun,

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 06, 2012, 01:24:22 PM
Hi polonus,
Thanks for all the help. You answered my questions and you gave me helpful advice about using AV scanners and general malware info. I should be safe then.
Title: Re: Is this site safe?
Post by: polonus on December 06, 2012, 01:55:01 PM
Hi TuckerX,

I never doubted that. But I hope that you and others that ploughed through this thread have learnt a bit about anti-malware scanning.
Learn about these things and know how to protect yourself and then feel more secure...

polonus
Title: Re: Is this site safe?
Post by: polonus on December 06, 2012, 10:31:04 PM
Hi TuckerX,

And just something further reassuring for you when on a Mac: http://blog.sucuri.net/2012/11/new-google-chrome-blacklist-warning-for-macs.html
sucuri blog article author = David Dede

polonus
Title: Re: Is this site safe?
Post by: TuckerX on December 06, 2012, 11:22:18 PM
Thanks for that article, polonus. I ran my antivirus and it didn't find anything on my computer. I did exclude my external drive though. Should I scan my external drive too in case malware could get onto it? I have a WD SmartWare/My Book external drive that I hook up to laptops (my family's). It only has some backups and other things like music on it.
Title: Re: Is this site safe?
Post by: TuckerX on December 07, 2012, 12:24:52 PM
Could you answer this question?^ Thought of it when I was scanning because it took way too long for me to scan the external drive. Don't want to waste time when I'm busy!