Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: goodwitch on October 09, 2013, 08:22:19 PM

Title: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 08:22:19 PM
About an hour ago I was on Care2.com and when visiting another member's profile page a red Avast warning popped up telling me Avast had blocked a malicious URL, at least that is what I think it said. The message said Avast saved my computer from becoming infected by malware. On that profile page were many comment pics from those comment pic sites. One contained the infected URL. I am now being asked to give that specific info and cannot find a way to find it from within the Avast interface. Is it possible to view that warning again?
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 08:23:19 PM
Right click on the Avast icon in the taskbar and choose show last popup.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Pondus on October 09, 2013, 08:24:34 PM
URLvoid report   http://www.urlvoid.com/scan/care2.com/

hpHosts classes it as PSH
Quote
PSH - sites engaged in Phishing

virustotal
https://www.virustotal.com/nb/url/ca62fc9e334905d9776c810e5dff49c0b7286a8ce328ef3a1626bd33af659e06/analysis/1381343198/

Sucuri report  http://sitecheck.sucuri.net/results/care2.com/

so, conclusion .... stay away   ;)

Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 08:29:07 PM
Comodo reports suspicious, Blacklisted by Sucuri Malware Labs.

Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 08:56:49 PM
Right clicked on the avast icon in the tray and "show last pop-up message" was greyed out.  Was doing Windows updates and the system had been restarted.

Those other links are showing very scary info as I spend most of my time on that site.  Will pass on the URLs to the official help group host on the site.  Thanks for responding.

Is there any other way I can view that red warning pop-up?
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:06:38 PM
There should be a log somewhere in the Avast files. But I cannot find it at the moment.

Maybe someone else knows where you can find it, I'm also running the newest Beta, maybe they changed it.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:09:44 PM
OK. Found the logs.

Go to Computer>C Drive>Program Data>Avast Software>Avast>Report

In the folder are logs for each Realtime Shield, in them you can find the Detections. If possible you can attach them to your next post.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 09:25:52 PM
Sorry not sure how to attach the file, but have copied the relevant text from the log.  Thanks a million for guiding me to it.  It was in NetworkShield.txt

09/10/2013 12:27:43 PM   hxxp://www.wallpaperfo.com/thumbnails/detail/20120428/autumn%20halloween%20houses%20fantasy%20art%20village%201680x1050%20wallpaper_www.wallpaperfo.com_31.jpg [L] URL:Mal (0)
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:27:16 PM
OK. Please make the http to hxxp. We don't want to have people who get infected by such links.
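Added example, not part of any forum post and not Avast code: a small Python parser for detection lines in the layout of the NetworkShield.txt entry quoted above, which also rewrites `http` to `hxxp` before the URL is shared. The field layout is inferred from that single quoted line, the day-first date order is an assumption based on the thread's date, and the sample log and `example.test` hosts are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Layout inferred from the one NetworkShield.txt line quoted in this thread:
#   <date> <time> <AM/PM>  <url>  [<flag>]  <detection>  (<number>)
# The meaning of the bracketed flag and trailing number is not stated on the
# page, so they are matched but not interpreted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<url>\S+)\s+\[(?P<flag>\w+)\]\s+(?P<detection>\S+)\s+\((?P<num>\d+)\)\s*$"
)

def defang(url):
    """Make a URL non-clickable (http -> hxxp, https -> hxxps); idempotent."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)

def parse_line(line):
    """Return a dict for a detection line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: day-first dates (09/10/2013 = 9 October), matching the
    # date the thread was posted.
    when = datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p")
    # Restore the scheme only to extract the host; it is never returned live.
    host = urlsplit(re.sub(r"^hxxp", "http", m["url"], flags=re.I)).hostname
    return {"time": when, "host": host,
            "url": defang(m["url"]), "detection": m["detection"]}

def detections(text):
    """Parse every detection record in a log, skipping unrelated lines."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]

# Constructed sample log (not real Avast output).
SAMPLE_LOG = """\
09/10/2013 12:27:43 PM\thttp://img.example.test/thumbs/autumn%20village_31.jpg [L] URL:Mal (0)
this line is not a detection record
09/10/2013 01:02:10 PM\thxxps://cdn.example.test/a.js [L] URL:Mal (0)
"""

if __name__ == "__main__":
    for rec in detections(SAMPLE_LOG):
        print(rec["time"].isoformat(), rec["detection"], rec["host"], rec["url"])
```
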
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:29:17 PM
On this site you can look at the reputation of the site and what many AV vendors think about it.

http://ScanURL.net/?u=www.wallpaperfo.com%2Fthumbnails%2Fdetail%2F20120428%2Fautumn%2520halloween%2520houses%2520fantasy%2520art%2520village%25201680x1050%2520wallpaper_www.wallpaperfo.com_31.jpg#results

Sometimes you have to reenter it if you have clicked some links (Virustotal and some others).

Some of them only accept this as link: hxxp://www.wallpaperfo.com/
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 09:29:58 PM
Sorry, didn't know the link would go live.  Changed it.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:32:36 PM
No problem.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:36:33 PM
Website looks clean to me.

If you want I can let it be checked by a website analyst.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:41:54 PM
I've notified polonus.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 09:49:47 PM
On Care2.com every now and then someone's anti-virus pops up a virus warning for one of those comment pics that other anti-virus programs do not have a problem with. People do not always post them properly and just hotlink them instead. (And no, I do not know what that means) Seems Avast was the only program that had a problem with that particular comment pic, so at this point I don't know what to do. It has already been deleted from the person's profile page just in case it was infected. So few of those links from the link you posted had a problem with that particular comment pic or the host site that I'm beginning to think Avast made a whoopsie in reporting it as malware.

I'm extra careful these days as I had a nasty malware infection that took me 8+ weeks of 8-12 hour days to get my system back to being clean again.  What do you suggest I do now?  Who is polonus?
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 09:54:57 PM
Polonus is a Website Analyst from the forum.

If you want a check of your system or if you get infected in future there are also malware removers in this forum.
Just open a post in the viruses and worms section and follow the guide logs in assist to clean malware at the top of the section.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Para-Noid on October 09, 2013, 10:15:45 PM
These might help
https://asafaweb.com/Scan?Url=wallpaper.com
https://asafaweb.com/Scan?Url=care2.com

Both appear to have excessive headers which can be easily exploited.
Care2(dot)com appears to have clickjacking and cookies issues.

Personally I would be very wary of using either site. Both pose malware and privacy issues.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 09, 2013, 10:16:29 PM
Thanks I'll remember that I can come here too.  Back in June I was advised to run Combofix and it deleted so many files that was the big headache.  I then got help from BleepingComputer.com but it took a long time to get everything sorted out again.  I run Malwarebytes every week now as well as full daily scans of Avast and also Sophos Virus Removal tool and Eset online scanner every month.  Have been told I'm too cautious these days.  But it never hurts to stay as safe as possible.

Have to close the computer for today, but will check in first thing in the morning.  Thanks a million for all the help.
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: polonus on October 09, 2013, 10:34:38 PM
Hi goodwitch and also Steven Winderlich,

Will try to cover this general IP block, as that is what I think it is, and I came up with this in-depth information for you. Para-Noid was right on spot with his assumption!  ;D

In a sense Steven Winderlich may be right there is no actual malware at the site at this moment, also as the avast! detection is a general one, URL:Mal, which could also be a general IP block (because of malware residing there). Here the most likely cause for the flag is that that site is known to be a notorious malvertiser in the Russian Business Network, see: http://urlquery.net/report.php?id=6500985 IDS alert for "ET RBN Known Malvertiser IP (17) ", hence a general IP block. * The Current IP is pulled in realtime so may differ from the IP we have on record. And this info comes from a scanner that flags this site also:
http://hosts-file.net/?s=care2.com There are domain or netblock problems -> http://hosts-file.net/?s=Help#ipresolve
This is a site with a PSH qualification, that means a PHISHING site, Severity: High Risk.
The recommended security scan at Sucuri's provides us with the following info:
Sucuri
web site:    care2 dot com
status:    Site blacklisted, malware not identified
web trust:          Site blacklisted* .    * = Site found to be used on spam campaigns (either forum, comment or SEO spam).
    *Cached results from more than 2 days ago.

Security report (Warnings found):
error       Blacklisted:      Yes
error       Likely compromised:      Yes

This VT report may be the reason why avast! Web Shield may block that IP:
https://www.virustotal.com/en/ip-address/63.146.170.87/information/
Furthermore the Project Honey Pot system has detected behavior from the IP address 63.146.170.87 that is consistent with that of a Bad Web Host.

Code to be checked: d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90 benign
[nothing detected] (iframe) d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90
     status: (referer=www.care2.com/)saved 5063 bytes 891a0bdc31476e3e662b1fe5381599a27a23a151
     info: [iframe] d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/
     info: [script] d7.zedo dot com/bar/v17-010/d3/jsc/gl.js
     info: [iframe] yads.zedo dot com/ads3/a?
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: line:5: TypeError: Image is not a constructor
     suspicious:  -> http://www.mywot.com/en/scorecard/d3.zedo.com?utm_source=addon&utm_content=popup-donuts
Report quote  there from Puddin Tame
Quote
multi-site tracking, profile building, click hijacking, and deceptive ads that look like legitimate items (e.g. a news article) but are actually adverts. Zedo is so large (and likely profitable!) that they probably don't engage in out and out evil behaviour like spreading viruses, but the basis of their entire business is collecting as much of your information as possible, with or without your consent."
 
But they try to clear their slate here: http://www.mywot.com/en/forum/5423-zedo-is-not-spyware-or-malware?new=1348893595#new
go through the discussion there and make up your own point of view ( on a side-note: I personally  like to block such annoying pop-up ads, but that is me)

Then there are insecurities there flagged at Quttera's:
/polls/vote?pollID=35265&results
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['<span class="comment-pages">Most Recent ... </span><span class="comment_link_selected">Oldest</span>']] of length 12025 which may point to obfuscation or shellcode.
For threat dump see: http://quttera.com/detailed_report/care2.com#ReportTabPotSusp
File size[byte]: 59429
File type: ASCII
MD5: B9ED749D954024F7F6285946D292B8FC
Scan duration[sec]: 0.427000

Well that more or less covers it all,

polonus
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: Secondmineboy on October 09, 2013, 10:38:37 PM
So it's most probably an IP block I think?
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: polonus on October 09, 2013, 10:48:58 PM
Most likely, Steven,
I did not look over the avast! team member's shoulder, but it is the nearest guess I can make.
It could also be a PHISH site block (also counts as URL:Mal as this is a general kind of website block detection).
Para-Noid made a fair and good assumption on basis of the asafaweb scan results.
So when goodwitch does not mind the tracking and the SEO spam he can visit the site,
I, forewarned by the WOT report, would shun that site and that zedo infotracking bunch.
To get convinced on even how zedo is being manipulated click tracking, read:
http://www.advertpro.com/docs/2.5/html/manual/thirdparty_zedo.html
But with NoScript extension and RequestPolicy active I can safely visit: htxp://www.care2.com/polls/vote?pollID=35265&results
without getting alerts.
and as always follow the avast! Shield alerts!
I know how accurate they are as I check them all the time all of the time.

polonus
Title: Re: How can I look at a Warning that popped up earlier today?
Post by: goodwitch on October 10, 2013, 07:58:48 PM
Polonus and Steven, thank you so much for all your hard work looking into the 2 sites. The original Avast warning was for the comment pic, not for Care2 itself. I realize that the Care2 site has many problems and that others complain about the constant pop-ups. I never see them though as I use Firefox 24.0 with its pop-up blocker and also have AdBlock Plus installed, and WOT. It is a revelation when I log-on using Internet Explorer that I keep without any add-ons as a test browser when Firefox doesn't work somewhere online, the site is then full of ads and pop-ups and it takes much longer to load pages than with Firefox. I didn't understand everything in the reports at the links you posted, but did understand enough to be scared. In the 3 years I have been using the site this is only the 2nd time Avast, (used AVG or MSE previously), has warned me about anything malicious, the first was also a malicious URL that was linked to a comment pic. and was also an Avast warning.

I've been spending most of my time online on Care2 and now am thinking it is time to leave.  It's going to really hurt though, have made many good friends there.  The Facebook security program thinks I am a corporation, wants a copy of government issued photo ID,  and as I will never post a photo of myself online I cannot get back into that account.  My Yahoo groups are now decimated due to the new NEO look and functionality that has made them almost impossible to navigate or post in.  Once again thank you for all the information.