Avast WEBforum
Other => Viruses and worms => Topic started by: eficbf on January 14, 2009, 04:11:25 PM
-
Hello,
I am getting a "A virus was found alert" alert when I browse to a particular website all other websites are fine. The Malware name identified is HTML:script-inf. The computer I am connecting from doesn't appear to have any viruses on scan or boot scan. As far as I am aware there shouldn't be any malware on the site I'm browsing to. Is there possibly an issue with the website code that could be generating this message?
-
What is the URL that the detection is on ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Modify the link so it isn't active to avoid accidental exposure, change the http to hXXp.
The detection is I assume by the web shield and the only option it gives it Abort Connection, e.g. drop that download (so it shouldn't be on your system) ?
-
The site could be hacked... or could have encrypted code (suspicious)... better will be knowing which site it is...
-
Hello,
Thanks for the responses. The site in question is www.icbf.com I've checked the log and it seems that the warning comes up when you go to the web page it doesn't look like there is a virus on the PC.
-
Hello,
Thanks for the responses. The site in question is www . icbf . com I've checked the log and it seems that the warning comes up when you go to the web page it doesn't look like there is a virus on the PC.
It returned clean with Dr. Web. But avast is triggering it. Maybe you should edit the link to not leave it live in forums.
-
The site in question is using webstat.net, which we block. Can you get in the contact with the owners and ask them if they're sure about webstat.net credibility and if they have the contact with them?
The scripts of webstat.net are very suspicious, they have no contacts, no about us, no ToS and the email used in domain registration is invalid.
UPDATE: Sent mail to 9 different @webstat.net addresses, all of them returned as non-deliverable. Scripts are three times obfuscated, with the bottom layer having iframe somewhere to China.
-
Jindrich,
Thank you for the reply. We'll check into this and see what the webstat.net site is being used for.
-
Hi Jindrich,
The webstat.net reference has been taken out of the code and the website is running fine now. Thank you for your help.
Eddie.
-
I'm just interested if it was there by purpose or by hack ;)
-
The reference was there on purpose it had been used at one stage to collect web stats but I've been told that the code was actually commented out some timte ago on the website.
-
I am getting The Malware name identified is HTML:script-inf.
The side is hxtp://vsedlyavsex.com/forum/forumdisplay.php
As far as I am aware there shouldn't be any malware on the site I'm browsing to.
Any suggestions??
Thanks
-
I am getting this same exact thing with a website I USED to be able to visit till earlier this year.
hXXp://www.boogiezone.com
Everyone else I know can see it, but I get a warning and then it aborts the connection.
Please help me!
Thank you.
-
Hi kirari, welcome to the forum :)
Could you please modify your link to make it unclickable (i.e. chage http to hXXp) to prevent others potentially becoming infected.
Please see:
http://www.UnmaskParasites.com/security-report/?page=www.boogiezone.com
Unfortunately it would appear as though it has been hacked.
UnmaskParasites has picked up on the object that is causing the alert.
There is an inline script pointing to a fake google analytics site. (Look at the spelling --> anaiytics )
This is a method of quietly infecting sites as it is harder to spot.
-Scott-
-
Hi Scott!
thank you for the welcome and thanks for replying.
So I have to wait for the site to get rid of it?
Because this is a site I would like to visit again since it's a community I'm active in :)
Does the unmaskparasite do anything to the pc?
-
Does the unmaskparasite do anything to the pc?
No it is an Security report of the website
-
Hi kirari,
You're welcome :)
Essentially yes, the site owner needs to remove the script on the page.
As said already, UnmaskParasites is a tool that checks the web pages, and doesn't do anything to your pc.
-Scott-
-
Hi, I don't mean to be necro-posting but I just recently had the same problem, when visiting http://na. square-enix .com/music/cm/profile/, of all places.
And the area is littered with this occurence, as a heads up. Either this is a bug, or someone just really hates S-E's music.
-
There is a problem in the way they appear to be loading images, I get three alerts. See image1, that shows alerts on what are meant to be .gif files, but they aren't .gif files, but html files, see image2. In those alerts all the pages are identical (see virustotal scan results below) and all point to a domain which I believe is malicious, b35.info and this is confirmed by avast, see image3.
http://www.virustotal.com/file-scan/report.html?id=ce6e35385286c6ac51bcdc7eff84bc1b6b8a9d3c1da7088cbd6a7e3e00f8f3c9-1285031785 (http://www.virustotal.com/file-scan/report.html?id=ce6e35385286c6ac51bcdc7eff84bc1b6b8a9d3c1da7088cbd6a7e3e00f8f3c9-1285031785)
So it appears to me that this site has been hacked.
This appears to be the offending script tag on the page that tries to load these .gif images (that aren't images), image4
-
I'm seeing this on another part of their website http://na. square-enix.com
It appears that S-E may not even really use this area, instead using http://square-enix.com/na (no virus in this version)
I called their customer support recently and had denied that any viral/worm activity exists on their [North American] website. I gave them the malware identity before hanging up; I just don't want to see anyone get hurt, on both sides of the web spectrum.
I pray they investigate it.
Luckily I use Mac AND Windows, and I guess if it wasn't for me using Windows, I would have been completely naive of this situation. I'm perhaps one of the few Mac users out there that doesn't use the Mac version of Avast! (sorry Alwil, I have my reasons).
-
Some sites get hacked and the owners are blissfully unaware and some completely adamant they aren't infected.
-
I've just started getting this problem, seemingly with the latest virus signature update. It seems to be almost exclusively affecting Google. There's no problem simply accessing the www.google.co.uk website but when I try to log into iGoogle I get this message, specifically stating the URL: http://www.google.co.uk/ig?hl=en|>{gzip}.
I am also getting this when I log onto the members section of www.dooyoo.co.uk (members.dooyoo.co.uk) although I can actually access the website despite the message! I also get the message in Dooyoo when I do a site search (Dooyoo seems to use Google as it's search engine!)
Getting a strong suspicion that this is a false positive as these website are reputable and have no previous history of security issues. :-\
-
I just got several emails and phone calls about viruses on several websites, including some internal Sharepoint websites that aren't accessible via the web.
It seems like all of my locations with Avast (which is all of them...) are complaining about warnings as of about 4pm EST.
I submitted one as a false positive before I left work, then on my way home the emails and phones calls started.
I really think this one is a false positive and I hope it will be fixed in the next update.
-
Never mind. https://blog.avast.com/2011/04/11/false-positive-issue-with-virus-defs-110411-1/
-
Total newbie here, and someone who doesn't know alot about computers!!!
I had no problems earlier today accessing the sites i visit on a daily basis but this evening i have had ton's of problems. Is there any threat to my computer??? Anything i can do??? Will the problem be fixed??? If So, when??? If i can access it (haven't tried yet) am i safe to use internet banking???
Sorry if they are all really dumb questions, like i said i do not understand the problems and my colleague at work i usually ask is on leave for 2 weeks!
-
Hi. New member here. Subscribed because of this problem.
Edit: Never mind. Fixed thanks to Scythe944's message (#22) Cheers guv' :)
-
Total newbie here, and someone who doesn't know alot about computers!!!
I had no problems earlier today accessing the sites i visit on a daily basis but this evening i have had ton's of problems. Is there any threat to my computer??? Anything i can do??? Will the problem be fixed??? If So, when??? If i can access it (haven't tried yet) am i safe to use internet banking???
Sorry if they are all really dumb questions, like i said i do not understand the problems and my colleague at work i usually ask is on leave for 2 weeks!
-
avast is a disaster today.. WHAT IS GOING ON?
-
avast is a disaster today.. WHAT IS GOING ON?
Well, I followed the suggestion of running a boot scan, and since it couldn't repair, I quarantined them...it started moving Microsoft Shared files before I lost power. Now I can't even boot. A real virus might have been better.
-
Well, I followed the suggestion of running a boot scan, and since it couldn't repair, I quarantined them...it started moving Microsoft Shared files before I lost power. Now I can't even boot. A real virus might have been better.
Well I am glad I read this because I need to reboot due to this mess and was going to run a boot scan. I won't now!
SHAME on avast for allowing this to occur.. it has disrupted everyone's life terribly!
I am not happy .. nearly removed avast (which I paid for) from my PC. I knew the warnings were fake but could not make them stop!
I have had to leave one up so no more new ones will pop up. DISASTER.
Thanks again for your post!
-
DO NOT RUN ANY SCAN >>> UPDATE MANUALLY TO NEW VPS 110411-2 (you were getting false positives through a bad VPS update, ie 110411-1)
edit: restore quarantined stuff as well
-
Hi there!
Well, it was a false alarm.
Anyway, yesterday I had to move to chest some thousands of files because of this problem and I have a quick question: Can I restore them from the chest? How? And if I do it, will everything be as good as it used to be?
I'm quite sad, because this happened only on the 3rd day of my brand new pc, after I had finally setup everything as I wanted them to be :(
Please assist in above questions!
Thank you,
-
Can I restore them from the chest? How?
Yes. Right click in the chest to see the options.
-
Check out this post as you don't want to restore all files (existing ones in the chest before this and any temp internet files, pointless, etc. It also shows how to speed up the process of restoring those that you have to.
http://forum.avast.com/index.php?topic=75999.msg628755#msg628755 (http://forum.avast.com/index.php?topic=75999.msg628755#msg628755)
Remember that restoration only moves a copy back to the original location, it doesn't remove the item from the chest. That is effectively a back-up until you know the file is back in the original location, then you can delete those files from the chest, also using the same shortcut process in the post link above.
-
Hi DavidR,
Was I glad I was doing something else at the time of the "avast update glitch" and missed that update alltogether, I came back on when all had been turned back to normal again and only the webforums and updating was still quite slow (around 10 at night CET).
Because I was not alone missing the wrong update I think only part of avast users were affected. But those that got a hunch that something was not right would have better closed down their computers (if that had been an option) and wait for the dust to be settled. What is the best procedure to act in case such a scenario will repeat, despite of the fact that avast will do all sorts of tests to prevent a rehearsal?
polonus
-
Thank you so much for the support!
So, as far as I understand, I'll just restore all files and my pc will be as I'd never had this problem, right?
(as explained before it's a brand new installation, therefore there was nothing else in the chest - all files there are just the ones I moved there last night)
Once again thank you!
"In Avast we trust!"
-
So, as far as I understand, I'll just restore all files and my pc will be as I'd never had this problem, right?
Yep, that's how it should work. ;)
-
Hi DavidR,
Was I glad I was doing something else at the time of the "avast update glitch" and missed that update alltogether, I came back on when all had been turned back to normal again and only the webforums and updating was still quite slow (around 10 at night CET).
Because I was not alone missing the wrong update I think only part of avast users were affected. But those that got a hunch that something was not right would have better closed down their computers (if that had been an option) and wait for the dust to be settled. What is the best procedure to act in case such a scenario will repeat, despite of the fact that avast will do all sorts of tests to prevent a rehearsal?
Well it didn't take avast long to realise there was something wrong with the update, presumably the communityIQ function and they blocked the update servers to limit the spread of the bad update. Once the VPS fix was done that was uploaded to the servers and they were unblocked.
So many users will have been blissfully unaware, due to a) their time zone, b) the VPS update duration delay (default settings, etc.) or the computer wasn't switched on. However, with 125 million active users that could still amount to a lot of users effected, like yourself I was unaware of the problem, other than the forums being virtually inaccessible for a few of hours.
-
Thank you so much for the support!
So, as far as I understand, I'll just restore all files and my pc will be as I'd never had this problem, right?
(as explained before it's a brand new installation, therefore there was nothing else in the chest - all files there are just the ones I moved there last night)
You're welcome.
Yes, that is about it, once you have restored the files and they are in the original location you can delete the contents of the chest. A copy remains there on restoration just in case it didn't work (otherwise you would lose the only copy).
-
My system crashed because of the problem and it took a good effort to get it to reboot. Now that it is up my programs all seem to be working. I did run system restore ( to an earlier date) twice in the process. My thinking is that I can skip trying to restore all the program files in the Virus Chest.
Is this a correct assumption.
Thank you,
John
-
Is this a correct assumption.
If you did run a system restore: Yes. :)
-
Is this a correct assumption.
I honestly don't know as I don't know what system restore would actually cover as it is far from perfect, it may not cover .htm or .html files (as it isn't a comprehensive backup solution), which appear to be the only file types effected in this. I also don't know how the system restore might impact on avast itself and whether the files would be in the chest or not.
The other point is that if the majority of these were in the temp internet files folder then there is little point in restoring files to a temp location.
So only files in locations other than temp locations should be considered for restoration. Check the link I gave in Reply #32 above on how to go about this process.
-
I honestly don't know as I don't know what system restore would actually cover as it is far from perfect, it may not cover .htm or .html files
System restore does cover these files.
-
Actually the majority of files removed from my computer were program files. Perhaps this is because when Avast kept telling me that I had a threat I ran a system scan. I only glanced at the files and started to do a boot scan because Avast recommended it. The boot scan seemed to have stalled so I shut the power off because it the boot scan showed no progress bar on the screen and did not respond to the escape key.
I just did some better checking.
Most of the files are Program App data ( not sure what these are) , followed by program files that seem to be limited to several games and Turbo Tax. The games I could care less about, and more importantly Turbo Tax functions. Lastly some temp files.
When my computer failed to reboot and windows failed to initially repair windows start-up I assumed some system files must have been removed. I scrolled through the files by type and do not see any off these so windows must have hung on trying to load up the program files.
Now I am afraid to reboot the thing with Avast installed. I updated the definitions and is asking me to reboot my machine.
As you can tell I am just a novice compared to most of you, so your advise is valued.
Thanks,
John the Hungarian in Nashville.
-
I sure wish I missed that faulty definition update, too. Now I have 3000+ files in the chest.
They all are program files that came from either Tax Cut or my flight simulator game.
Since I'm not too advanced as a user, I don't know if these files will be missed if I don't restore them.
Any advice would be appreciated.
-
Any advice would be appreciated.
Use your latest system restore point.
-
I sure wish I missed that faulty definition update, too. Now I have 3000+ files in the chest.
They all are program files that came from either Tax Cut or my flight simulator game.
Since I'm not too advanced as a user, I don't know if these files will be missed if I don't restore them.
Any advice would be appreciated.
Check the info I have given in Reply #32 (reproduced below).
Check out this post as you don't want to restore all files (existing ones in the chest before this and any temp internet files, pointless, etc. It also shows how to speed up the process of restoring those that you have to.
http://forum.avast.com/index.php?topic=75999.msg628755#msg628755 (http://forum.avast.com/index.php?topic=75999.msg628755#msg628755)
Remember that restoration only moves a copy back to the original location, it doesn't remove the item from the chest. That is effectively a back-up until you know the file is back in the original location, then you can delete those files from the chest, also using the same shortcut process in the post link above.
-
This is what my scan log is showing me after last night ,when i did a boot scan(that i stopped at 60% because the drive was full),not knowing about the update...what can i do next? the only thing i haven't tried is deleting them...restore or move to chest is not working,the error is still there.I don't want to lose any important files,there are like 1000 files "infected"...pls help,thanks
-
Since those detections are on .htm files within .cab (cabinet, archive file) and since you tried to repair, that option couldn't be done it failed. So the .cab files and their contents should still be in the original location.
If you chose any other options and or you managed to send some to the chest then you should try to follow the actions mentioned in my post above yours to restore the relevant files from the chest.
-
http://support.microsoft.com/kb/825933
MSOCache files aren't extremely important.
Anyway, take David's advise and restore the files. If it says the file already exists, tell it to replace the existing files.
-
Thanks for the help
-
I have 2 laptops. This one has the Professional 3 year version of Avast. My other one has the free version.
This computer has not had a problem with script-inf.
The other computer has had a major problem.
I got the Malware error message as I loaded GoodleChrome. I put it in the Chest. Then I updated Avast, although it updates every few hours anyway.
The problem continued to occur.
I have tried several Boot Time scans and thousands of my files are reported to be infected with Script-inf. They all appear to be .htm files.
I do not know why one version of avast has not even reported the Malware and the other did report it but appears to have let it through.
Incidentally after one of the scans, I read my Emails which are read into both computers. The professional version of avast reported no problems. The free version reported a Trojan Horse in one email (this was after the malware problem had started occuring). Again, I do not understand why the free version is identifying situations which the professional version appears not to.
Regards
Roy Turner
-
Your difference is likely to be the auto update interval, by default the free auto update check interval is 240 minutes, 4 hours. This was, as far as I'm aware all over in under that time frame.
Once this was noticed to be a problem, under an hour the update servers were blocked to limit spread and only unblocked once a new corrected VPS was uploaded to the update servers.
The default update check interval is shorter on the pro version, so you got the latest (bad) update sooner. I don't thing the email alert was/is related to that update or technically it wouldn't have effected the system which didn't get the 110411-1 update. Plus as you sat was a trojan detection not the -inf ones associated with the FP.
-
This one took over my Win7 PC a couple of days ago, and I ended running a boot version of Avast! (under instructions, of course!), which told me that a countless number of files had been infected.
I couldn't find any way of ascertaining precisely HOW the infection occurred; and I should dearly like to know in order to avoid this happening again.
Did I miss something? - was Avast! actually telling me how it had got in?
-
DAMMIT! - I forgot to add that I was completely unable to access this forum at the time: not a single link to it on the Avast! site was working.
I sent a grumpy email, to which there was reply; but at least I can get in now...
-
With many thousand people trying to access the forums it at the same time it was effectively under a DDoS attack, making it almost inaccessible.
There was an entry on the avast blog http://blog.avast.com/ so should you be unable to access the forums, check the blog or avast on facebook http://www.facebook.com/avast
-
Well, DavidR, übertechnical person that you are, I observe you say nothing in response to my actual question.
IS there an answer?
-
I only responded to the post directly above mine as I didn't have any information to answer it with any certainty.
Since you said it took over your PC two days ago, I suspect this would probably be related to the FP in the VPS update 110411-1. But without information on what you were doing when the first alert occurred, some examples of effected files, location, etc. and what you subsequently did I guessing ?
But this topic from page 3 starts to give information on that bad VPS update.
Some after getting the web shield alerts on sites they tried to visit, subsequently ran both regular on-demand scans and boot-time scans. This compounded the problem with the bad VPS update as it would then be scanning htm files in your browser cache and possibly other local folders. If they had a matching script content then avast would detect/alert on that as it would if you were browsing.
So people could have hundreds or thousands of htm files in the browser cache, plus whatever might be in local folders or contained within archive files.
So if your case 'could' well be down to this FP - Essentially this wasn't an infection getting into your system but a false positive on scripts that were contained in certain .htm files and running the additional scans compounded it.
-
I only responded to the post directly above mine as I didn't have any information to answer it with any certainty.
Since you said it took over your PC two days ago, I suspect this would probably be related to the FP in the VPS update 110411-1. But without information on what you were doing when the first alert occurred, some examples of effected files, location, etc. and what you subsequently did I guessing ?
But this topic from page 3 starts to give information on that bad VPS update.
Some after getting the web shield alerts on sites they tried to visit, subsequently ran both regular on-demand scans and boot-time scans. This compounded the problem with the bad VPS update as it would then be scanning htm files in your browser cache and possibly other local folders. If they had a matching script content then avast would detect/alert on that as it would if you were browsing.
So people could have hundreds or thousands of htm files in the browser cache, plus whatever might be in local folders or contained within archive files.
So if your case 'could' well be down to this FP - Essentially this wasn't an infection getting into your system but a false positive on scripts that were contained in certain .htm files and running the additional scans compounded it.
i have found that a virus has been detected named html script inf while visiting this website
http://howtoformatacomputer.com/ it does seems fake or hacked.... is this warning true or false positive??? is it still my system??how severe can this virus be??
-
I have no idea why you quoted my previous post as it would appear unrelated to this issue from April 2011.
The point of the web shield detections are to attempt to block it from getting on to your system, by dropping/aborting the connection considered infected. So it shouldn't be on your system, but you can do an avast scan for confirmation, clear your browser cache/temp internet files folder is also advisable.
When posting a link to a suspect site break the link, please modify your post by changing http to hXXp to prevent accidental exposure to an infected/suspect site.
Whilst only avast detects this, that doesn't mean it is incorrect as many aren't even checking for this much less able to detect it (VirusTotal results (http://www.virustotal.com/file-scan/report.html?id=9c6f644c2ef0a2d26017591eed50a20ecca866bd21903546cd9a10f5804f30b6-1317306167)). But there appears to be a packed obfuscated {gzip} file being loaded with the home page, see image1 background of the contents of this file and foreground of the alert information.
Another site Securi (http://sitecheck.sucuri.net/scanner/ (http://sitecheck.sucuri.net/scanner/)), agrees with avast the site is infected, see image2. So the site may well have been hacked.
-
@DavidR
it was my first post ,so i was not sure about how to post for help...won't do that in future :)
-
@DavidR
it was my first post ,so i was not sure about how to post for help...won't do that in future :)
Not a problem, now that you know ;D
-
Avast added site dev.shrem.ru (http://dev.shrem.ru) in the blacklist and detected html:script-inf virus. I checked various antivirus but only avast detected virus. Why? On this website virus?
-
The site in question is using webstat.net, which we block. Can you get in the contact with the owners and ask them if they're sure about webstat.net credibility and if they have the contact with them?
The scripts of webstat.net are very suspicious, they have no contacts, no about us, no ToS and the email used in domain registration is invalid.
UPDATE: Sent mail to 9 different @webstat.net addresses, all of them returned as non-deliverable. Scripts are three times obfuscated, with the bottom layer having iframe somewhere to China.
I know this is a very old thread but after doing a Google search and finding it with my exact problem, I am going to try and ask once again, for you to check out my problem. I do have a current thread with no response as yet from Avast.
I get the HTML:Script-inf warning and the web site http://abc7.com/live/23343/ comes up with either a URL:Mal or HTML:Script-inf. I have accessed our local news website for a long time with no issues.
Please advise.
Rejoicingmom
-
It is a problem with the site and not your computer as I get the same alerts
-
It is a problem with the site and not your computer as I get the same alerts
Many on the chat forum have no problem though. If it was the website, wouldn't more than just myself be shut down? Did you try the website and got the same info? Could it not be a false positive?