Avast WEBforum

Other => Viruses and worms => Topic started by: Pholover on December 02, 2015, 06:04:26 AM

Title: Icefilms dot info
Post by: Pholover on December 02, 2015, 06:04:26 AM
It seems icefilms dot info has a Trojan or some kind of virus loading. Now I can't visit the site. Before I had Adblocker, so it prevented ad viruses. How do I get back to visiting the site again?

Thanks
Title: Re: Icefilms dot info
Post by: Pondus on December 02, 2015, 07:34:29 AM
Quote
How do I get back to visiting the site again?
When the website owner has cleaned it ...


Quote
It seems icefilms dot info has a Trojan or some kind of virus loading.
How do you know? Is it avast alerting? What does avast say?

Title: Re: Icefilms dot info
Post by: abruptum on December 02, 2015, 11:06:04 AM
Quote
How do you know? Is it avast alerting? What does avast say?
Avast alerts are different:

  http://forum.icefilms.info/viewtopic.php?f=161&t=108980

Latest warning:

  http://imgur.com/MTUgB82
Title: Re: Icefilms dot info
Post by: Eddy on December 02, 2015, 11:06:52 AM
HTML:Script-inf detected by avast

At a quick look it seems to be a false positive.
https://blog.avast.com/tag/false-positive/

They do have some problems though:
http://multirbl.valli.org/lookup/104.28.3.119.html
http://zulu.zscaler.com/submission/show/48d6fbc586e44f282e52ffd443e85b48-1449050438
Title: Re: Icefilms dot info
Post by: polonus on December 02, 2015, 03:55:06 PM
There is code that goes to the xpc dot googleusercontent proxy, which I do not trust: http://toolbar.netcraft.com/site_report?url=http://xpc.googleusercontent.com
For that code consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Foauth.googleusercontent.com%2Fgadgets%2Fjs%2Fcore%3Arpc%3Ashindig.random%3Ashindig.sha1.js%3Fc%3D2 . It has some strange iFrame code; it is Shindig, the OpenSocial container: http://shindig.apache.org/
It has a front-end SPOF with <script src="//html5shim.googlecode.com/svn/trunk/html5.js">

polonus
Title: Re: Icefilms dot info
Post by: Pondus on December 02, 2015, 04:15:43 PM
Only avast:
https://www.virustotal.com/nb/file/48d2b7e9b215aee8d241ce2aad414bb8dbcd83e9b6467dc62be611ee57a5168a/analysis/1449069246/

Title: Re: Icefilms dot info
Post by: polonus on December 02, 2015, 04:27:03 PM
There is adsbypasser code there, landing at -http://ads.comeadvertisewithus.com/ads/ads.js , flagged by VT....

polonus
Title: Re: Icefilms dot info
Post by: Pholover on December 02, 2015, 05:05:11 PM
I got this from avast.
http://imgur.com/JxKFmP7

So is it a false positive or a real threat?

Thanks
Title: Re: Icefilms dot info
Post by: Eddy on December 02, 2015, 05:14:43 PM
Why haven't you asked avast yet?
https://blog.avast.com/tag/false-positive/
Title: Re: Icefilms dot info
Post by: polonus on December 02, 2015, 05:50:05 PM
+1

While the site does not seem 100% "kosher" (fit for use) to me,
asking Avast in this case seems like a good idea.

polonus

Title: Re: Icefilms dot info
Post by: Pholover on December 02, 2015, 06:40:54 PM
Fair enough, I emailed them, so let's see.
Title: Re: Icefilms dot info
Post by: HonzaZ on December 03, 2015, 09:54:21 AM
This is most likely not an FP. There are many domains that are highly suspicious on the same IP, and we block all of them. Avast complains about icefilms[.]info loading scripts from one of these domains (specifically get[.]scorepresshidden[.]info/1400/get.scorepresshidden.info).

Just in case anyone is interested, this is the active domain list 8):

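As an added illustration of the check HonzaZ describes (not code from this thread, from Avast, or from icefilms): a small Python script that refangs a blocklist written in the "[.]" notation used above, pulls every external <script src> out of a page, and flags hosts whose parent domain or IP is listed. The blocklist and HTML fragment are constructed from values quoted in the thread, and the parent-domain matching is a crude two-label heuristic, not Avast's actual logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist in the thread's defanged "[.]" notation: the IP and
# the scorepresshidden domain named in HonzaZ's post, nothing else.
DEFANGED_BLOCKLIST = """
65[.]111[.]190[.]170
data[.]scorepresshidden[.]info
"""

# Constructed page fragment: a benign CDN script, a script from a sibling
# subdomain of a listed domain, and a same-origin relative script.
SAMPLE_HTML = """<script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
<script src="http://get.scorepresshidden.info/1400/get.scorepresshidden.info"></script>
<script src="/static/player.js"></script>"""

def refang(indicator: str) -> str:
    """Turn 'data[.]example[.]info' back into 'data.example.info'."""
    return indicator.strip().replace("[.]", ".").lower()

def registrable_parent(host: str) -> str:
    """Crude parent: last two labels (no Public Suffix List); IPv4 literals unchanged."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.sources += [v for k, v in attrs if k.lower() == "src" and v]

def flag_blocked_scripts(html: str, defanged_blocklist: str):
    """Return (host, src) for every external script whose parent domain or IP is
    listed; parent matching is what lets a 'data.' entry catch a 'get.' host."""
    blocked = {registrable_parent(refang(l)) for l in defanged_blocklist.splitlines() if l.strip()}
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        url = "http:" + src if src.startswith("//") else src   # scheme-relative URLs
        host = (urlparse(url).hostname or "").lower()          # "" for relative paths
        if host and registrable_parent(host) in blocked:
            hits.append((host, src))
    return hits
```

Run against a saved copy of a page rather than the live site; the output names the third-party host that triggered the match, which is what you want when deciding whether to ask the vendor about a false positive.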
Title: Re: Icefilms dot info
Post by: polonus on December 03, 2015, 02:35:46 PM
Hi HonzaZ,

Thanks for confirming.

polonus
Title: Re: Icefilms dot info
Post by: Pholover on December 03, 2015, 04:40:08 PM
Hi, so if it's not an FP, perhaps icefilms has fixed the issue?
I can access the site no problem now.
Not sure if I should be concerned.
Title: Re: Icefilms dot info
Post by: polonus on December 03, 2015, 05:09:52 PM
Whenever you are not redirected, like for instance described here: https://warosu.org/g/thread/51019832
See: http://urlquery.net/report.php?id=1449158426776
For that IP see: https://www.virustotal.com/nl/ip-address/104.28.3.119/information/
and https://www.threatcrowd.org/ip.php?ip=104.28.3.119
I certainly would like to adblock this external link: https://www.virustotal.com/nl/domain/cdn.wwwpromoter.com/information/
They like to promote to us that they aren't a scam: https://forums.digitalpoint.com/threads/wwwpromoter-com-is-scam-or-legit.2757383/ , but WOT reports show differently: https://www.mywot.com/en/scorecard/wwwpromoter.com?utm_source=addon&utm_content=popup
And what about this: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-WX/detailed-analysis.aspx
https://www.mywot.com/en/scorecard/asset.pagefair.net?utm_source=addon&utm_content=contextmenu

Apart from the adult content on the website, you are exposed to unethical adware at any moment;
therefore caution should be used, and adblocker and script blocker visors should stay up and enabled...

polonus