Avast WEBforum
Other => General Topics => Topic started by: REDACTED on December 15, 2014, 06:24:02 PM
-
Starting today, I've gotten 3 notifications about web-infections being blocked.
What's going on? I'm not even visiting fishy websites.
-
Welcome to the forum.
Remember that today's good site can be tomorrow's infected site.
You can always report the website to Avast if you think the detection is incorrect.
If you'd like someone to look into the problem further, you can post the link that's detected here,
but do not make it a clickable link; change http to hxxp or www to wxx when you post the link.
-
It happened on 3 websites in one day, and it usually never happens.
-
If you can also attach a screen of the avast alert window, it will give more of an idea of what the detection is.
If it has happened today and you haven't rebooted or had a different avast popup, then you can right click the avast tray icon and select 'Show last popup message'.
-
(http://www.newgrounds.com/dump/draw/b3624cdb1a3ff1953e3b6c57d2772815)
-
It looks like some advertising banner ad is going to a site considered malicious (URL:Mal) by avast. This usually means that the site is on some block list. Presumably you were at another site that displays ads.
Is this basebanner.com reflected in the other alerts that you have had?
This could be a form of ads poisoning, which is becoming more frequent.
I use the firefox adblockplus add-on, so generally I don't see these ads and subsequently avast alerts if an ad site is compromised.
-
Yeah, site had ads.
One was dailymotion, the other was a wikia.
-
It is difficult to say if this is a random case of ads-poisoning or if there happens to be something in your browser trying to connect to malicious/hacked sites.
This will probably need the skills of one of the malware removal specialists, I will try to get one to take a look at this and they will advise on what the next stage is.
-
Will do a Malwarebytes scan tomorrow. Will keep you guys updated.
-
It could be ad poisoning but if you are still having problems I could take a look for you
-
FWIW, I did some checking and I found something to do with amazon.com
here http://dnscheck.pingdom.com/?domain=basebanner.com&timestamp=1418676578&view=1
Found this about basebanner.com/ in a quick check
https://www.virustotal.com/en/url/b2fbe7a26aa6ad23442961c3e335cfdee2590a5723bc6efe0a729029c0b4dd5d/analysis/1418677194/
http://multirbl.valli.org/lookup/basebanner.com.html
http://zulu.zscaler.com/submission/show/f7d13fd78ab12affc9c43382e24c5baf-1418676556
Redirects found here http://www.ragepank.com/redirect-check/
Blacklisted here http://sitecheck.sucuri.net/results/basebanner.com
-
Site is unsafe and has privacy issues...as Para-Noid has already clearly established.
Some additional info to get that picture somewhat more complete; where the real issue lies is an "http - https redirect".
basebanner com is trying to redirect to basebanner dot com/blank.html
Flagged by Bitdefender TrafficLight as malicious.
Google Safebrowsing does not flag now: http://www.google.com/safebrowsing/diagnostic?site=basebanner.com
Did not follow redirect to http://158.85.47.164-static.reverse.softlayer.com/blank.html
The plain HTTP request was sent to HTTPS port SSL teracreative dot com -
Had a history of trojans: http://google.cn/safebrowsing/diagnostic?site=teracreative.com/
The specified URL does a non search engine friendly redirect to another page (24 pages do a 302 (temp) redirect).
Nameserver issues: http://www.dnsinspect.com/basebanner.com/1418694696
The https site has privacy issues: http://www.uploady.com/#!/download/xhL_JQbJSQT/VyjzWt~mABywNd9w
Net_err_cert_common_name_invalid - only correct autocomplete settings - Form element of type 'url', child of <form> '_f'
polonus
-
I know Amazon is known for leaving cookies so they can target ads, but I delete my cookies daily.
Will do a Malwarebytes scan in a bit.
-
Hi tom.vanhee,
What can be said about the IP and site is that it is known as a PHISH: https://www.virustotal.com/nl/url/b2fbe7a26aa6ad23442961c3e335cfdee2590a5723bc6efe0a729029c0b4dd5d/analysis/
This scan is also rather conclusive: Domain Name: 158.85.47.164-static.reverse.softlayer.com
URL Tested: htxps://158.85.47.164-static.reverse.softlayer.com
Number of items downloaded on page: 1
SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: certificate common name '*.teracreative.com' doesn't match requested host name '158.85.47.164-static.reverse.softlayer.com'.
Certificate valid through: May 22 19:54:42 2017 GMT
Certificate Issuer: GoDaddy.com, Inc.
SSL Protocols Supported: SSLv3 TLSv1 TLSv1.1 TLSv1.2
Server supports SSLv3, may be vulnerable to POODLE attack. It is suggested to disable the SSLv3 protocol.
Server certificate
Total number of items: 1
Number of insecure items: 1
Insecure URL: htxp://158.85.47.164-static.reverse.softlayer.com/blank.html
Damian
-
Personally I would take essexboy up on his offer (if you are still having problems) to run some analysis tools to see what is what.
MalwareBytes may not be enough for a detailed analysis. After you have attached that log, check out this topic "Logs to assist in cleaning malware" https://forum.avast.com/index.php?topic=53253.0 (https://forum.avast.com/index.php?topic=53253.0) and run the next tool Farbar Recovery Scan Tool (FRST) and attach the log in this topic. Then wait for essexboy to check out the logs and give further instructions.
-
Do as DavidR suggests, his recommendation is a sound one.
polonus
-
Did a Malwarebytes scan and problem seems to be gone.
-
Are you sure? ???
I strongly urge you to let essexboy have a look.
Follow these instructions https://forum.avast.com/index.php?topic=53253.0
And post the results in this thread.
-
Used same sites, got nothing.
I really don't want to download new programs on this old computer.
-
Don't worry essexboy cleans up after himself.
But if you happen to have a time delay backdoor trojan and it gets
loose on your machine...well, you know.
Better safe than sorry.
-
How would I get essexboy to take a look?
(I'm only 16, I'm the only guy in the family who cares about computer safety). And I'm quite nervous about getting someone else in another country to take a look at my computer.
-
Just some scans. They do not release any private info unless your Username contains your Actual Name.
In most cases posting here releases more info as (some (Ubers, Mods/Admins/Avast! Team) can see your IP)...
If you wish, I can post the same logs from one of my system(s). You can get the tools from this site: https://forum.avast.com/index.php?topic=53253.0
You'll also notice if you visit the V&W section, Essexboy leads most of the cases, and most are usually resolved unless there is a hardware issue. I've trusted him before and he has never not once let me down.
(You can also find him on a bunch of other sites like geekstogo.com/forum/)
-
Well, it's 17:44 here atm. I could let him do the scans tomorrow, but he would have to be able to do them before 16:00 my time.
-
Tom, you need to do the scans from the link above and provide/attach the logs for essexboy to look over when he is available, and if there is an issue he can provide a fix.
You have already run Malwarebytes so you only need to run Farbar as DavidR mentioned on the previous page.
-
Can I delete Farbar after I used it? Or shouldn't I?
I'll do it tomorrow.
-
Farbar is the only thing I'll have to do, right?
-
Just run the tool and attach the logs as requested, don't delete the tool as essexboy will clean that up for you when he's completed.
-
What do you mean with cleaning up?
Pardon my ignorance by the way.
-
Meaning that after cleaning your system of infections "if needed" he will clean up "remove" the tools you download from the system leaving it nice and clean.
-
Please calm down. Anything essexboy suggests/directs you to do is for your benefit.
He will never, ever ask you to do something which could/would compromise you or your
system. Just post the logs as requested and he will take it from there. You will be in the
safest hands possible. And he has endless patience so don't be afraid to ask him any
question if you are not sure of anything.
I have notified essexboy so post your logs as requested.
-
I'll get to that tomorrow.
-
Should I post logs here for everyone to see (kind of wary about that) or just send them to essexboy?
-
Generally there are no personally identifiable items in the scans; it is just a list of registry loading points, programmes installed, etc. After I have looked at them you can delete them from your post. None of the bots look inside attachments either :)
-
Hi tom.vanhee,
No one is going to look inside your family's computer; the qualified expert will just go over the scan logs you are asked to produce here and then come up with a removal script just for you to cleanse the family computer. The people that are allowed to do that here have an online outbuilding that is recognized by sites such as MS and others online.
You could not be in more secure hands than those of a qualified removal expert here. For demanded logs see: https://forum.avast.com/index.php?topic=53253.0
polonus
-
All right.
So after I post logs, I'll get a script I'll have to run?
Okay, I'll do it tomorrow afternoon (live in Belgium, so you guys have an idea of what time I'll post them).
Don't really want parents complaining about me doing stuff with the pc (they are pretty ignorant when it comes to computers).
-
This isn't anything you have to do. It's help offered and up to you to accept. :)
-
Well, it hasn't happened anymore, so I might not have to do it.
I'm not sure.
-
If you are "not sure" that's the best reason to accept essexboy's help.
After he's done then you will be sure. Until you post the MBAM and FRST
logs no one is sure.
Look at it this way, if there is or is not an infection I'm pretty sure your parents
will be grateful to have an infection free computer.
-
Fine. Will post Farbar logs tomorrow.
But if I'll be the one who's going to run the script, then who's "cleaning up" ?
Can someone write down the steps or something?
-
Here's a link to one of the threads where essexboy helped someone and is now
giving the instruction to clean up the tools that he used.
https://forum.avast.com/index.php?topic=163003.msg1163531#msg1163531 (https://forum.avast.com/index.php?topic=163003.msg1163531#msg1163531)
Yours may vary depending on what was installed to help you with your problem or analysis.
-
So, I download Farbar, run scan, post logs. Then essexboy will check them out, but what after that?
-
Look at the link I provided.
Again, this is your choice not something you need to do.
-
It depends on what he finds. He uses different tools for "cleaning-up" after he's finished.
He will give you step by step instructions as he goes. If, for any reason, you are not sure
about something don't hesitate to ask him. essexboy has helped tens of thousands of others
with his expertise. His are the best hands you will ever put your computer in.
-
I've decided to wait till the problem occurs again.
Because it seemed to be gone after Malwarebytes detected and deleted something.
Thanks anyway, guys.
-
Hi tom.vanhee,
This malware routine will only be healthy for that family machine, whenever the problem persists I as one would not hesitate to risk it.
As attached those logs cannot be seen apart from those that have an account here and are logged in. As said later you can remove them, no sweat.
There are a lot of things you are not allowed to do when 16 years old, even in good old Belgium, but being helped to cleanse a computer from an online infection is no big thing. We have a person here who when 15 years old scanned infested website code and now at your age is a voluntary website analyzer.
Everyone knows who that person is and he is very, very smart, a real g33k, and I have very much respect for what he does.
I am 66 and even I at my respectable age am very much interested to learn new tricks and sometimes also feel the drive of an "inspired teenager" to try new roads of exploring. In Holland we say: "Heb geen watervrees!" (Don't be afraid of the water!).
polonus
-
Glad we could help. We'll always be here if you need us :-)
-
Happened again on a wikia, this time on laptop.
Same basebanner thing, it's definitely the ads, and not some sort of virus.
-
Can't install Adblock Plus either. Keeps saying there's a connection error with the Adblock website.
-
Hi tom.vanhee,
All signs of a persistent malware infection are there placed in front of you and going into denial does not cure it one byte; provide the demanded malware cleansing logs and let a qualified remover look into the matter. The prevailing stealthy infection doing the rounds now is this one, read: https://blog.malwarebytes.org/security-threat/2014/11/no-more-poweliks/
When it is Poweliks indeed I had a good hunch ;D
polonus
-
But it's on laptop now, and it used to be on pc.
When will I ever get rest.
-
You get rest and loads of relief from the verdict of a qualified remover, produce these malware removal logs and wait for the script to cleanse this infection else it will eat through all of your home network and what is hanging on to it...
polonus
-
If you decide to do a removal routine, this routine can also be transferred informally and anonymously through PMs with the qualified remover, no one there to snoop. We like to treat your predicament delicately and under complete discretion, as we treat all our "victims" actually.
polonus (volunteer website analyst and website error-hunter)
-
We are now on page two and nothing has been accomplished.
Help is freely offered but must be accepted by the person seeking help.
Begging isn't something that needs or should be done. IMHO
The same service offered here by qualified helpers is also available at some of the
better computer repair shops.
The difference is that the service is Free Here and can cost you a fortune at the shop.
-
He may be getting helped via PM as polonus suggested.
And this is page 4.
-
Hint/tip you can change the default number of posts displayed per page - Bob and I have changed it to show 50 per page so we are only on page two - makes life a little easier when monitoring how a thread is going without having to flick pages too often.
-
Duh! :-[ I have always been looking for "reply/page" and finally figured out "messages=reply".
Now I'm on page 2. Ta-Da!
-
Easy to find when you know where to look ;D