Avast WEBforum

Other => Viruses and worms => Topic started by: raceonusa on August 17, 2010, 06:07:31 PM

Title: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 17, 2010, 06:07:31 PM
On my windows machine my avast scanner gives me an error and won't let me load my page.  When I uninstall avast or use my Linux machine it works fine, but I have customers that unfortunately use avast.

http://www.raceonusa.com

How am I supposed to troubleshoot this?

I tried clicking on real-time shields > web shields, it just tells me that the web shield started and stopped, gives me no information about the blocked website. The logs there are completely useless.

On the "blocked site" error message it has a "More Information" link, which is merely a sleazy sales gimmick that forwards you to avast's website to buy the full version, it gives no information about the error message.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 17, 2010, 06:56:26 PM
This is completely misleading because my website has no viruses, yet Avast is making it sound like it does.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: essexboy on August 17, 2010, 07:15:12 PM
Avast reckons it is infected, and for this I trust Avast
Title: Re: avast gives url:mal error - cannot open my website!
Post by: Pondus on August 17, 2010, 07:20:15 PM
Quote
This is completely misleading because my website has no viruses, yet Avast is making it sound like it does.
yea right......well it is not only avast that does not like that website

VirusTotal - raceonusa.com.htm - 9/42
http://www.virustotal.com/file-scan/report.html?id=1707cde04d04eff02d828d50cf38041ec33636feb20879b65e983897a9bfa4e1-1282065420

URL Void - iFrames detected
http://www.novirusthanks.org/services/scan-websites-for-iframes/

Title: Essexboy...
Post by: Jaaiden on August 17, 2010, 10:06:52 PM
Ok so I've seen you helping out lots of ppl on this forum and on a previous forum you were going over how to fix run dll viruses..

If you would help me I would greatly appreciate it!! So every time I boot up my computer, it gives me an error message in some RUNDLL box.. so I'm pretty sure that is the virus I have.. Anyway.. I've downloaded AVG, Malwarebytes, and OTL and none of them can locate the virus and get it off my computer. AVG spots something and will move it to virus vault but it just comes back the next day. I can't get on internet explorer or everquestII, but that is the only two I am noticing right now that it isn't allowing me to get on. Could you please, please help!!

*oh I'm sorry I posted in the middle of this forum, I am very new to this website and can't figure out how to send PM's so I apologize =(*
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 17, 2010, 10:09:11 PM
Quote
Ok so I've seen you helping out lots of ppl on this forum and on a previous forum you were going over how to fix run dll viruses..

If you would help me I would greatly appreciate it!! So every time I boot up my computer, it gives me an error message in some RUNDLL box.. so I'm pretty sure that is the virus I have.. Anyway.. I've downloaded AVG, Malwarebytes, and OTL and none of them can locate the virus and get it off my computer. AVG spots something and will move it to virus vault but it just comes back the next day. I can't get on internet explorer or everquestII, but that is the only two I am noticing right now that it isn't allowing me to get on. Could you please, please help!!

*oh I'm sorry I posted in the middle of this forum, I am very new to this website and can't figure out how to send PM's so I apologize =(*
Dude. Go hijack someone else's thread. What does that have to do with iframes?!!?
Title: Re: avast gives url:mal error - cannot open my website!
Post by: Jaaiden on August 17, 2010, 10:19:59 PM
Sorry.. I don't quite know how to deal w this website yet. :/

Nothing to do with iframes... I just couldn't figure out how to send a PM that's all. I'll figure it out soon. Sorry. =(
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 17, 2010, 10:39:47 PM
Quote
This is completely misleading because my website has no viruses, yet Avast is making it sound like it does.
yea right......well it is not only avast that does not like that website

VirusTotal - raceonusa.com.htm - 9/42
http://www.virustotal.com/file-scan/report.html?id=1707cde04d04eff02d828d50cf38041ec33636feb20879b65e983897a9bfa4e1-1282065420

URL Void - iFrames detected
http://www.novirusthanks.org/services/scan-websites-for-iframes/

I had an Iframe (code provided by google) on my webpage,
http://www.w3schools.com/tags/tag_iframe.asp

Which isn't a virus.  Sure it could be if it was pointing to a webpage that had viruses, but mine was pointing to google's talk badge. So there's no virus here.

The default talk badge points to an Iframe. I checked to see if the url was manipulated and it wasn't. Still pointing to google..
http://www.google.com/talk/service/badge/New

I've removed the iframe badge and replaced it for a no-frills simple version. 

No "viruses" detected..
http://www.virustotal.com/url-scan/report.html?id=2da16f3fb08e2180b0e8dcad4e2f405c-1282064803
Google Webmaster tools reports this site as Clean as well.

I've disabled avast, rebooted, started, stopped, and still avast says "URL:mal" same ambiguous error message.  I'm thinking that avast keeps a database of "virus" urls, when does this refresh?

Now I'm getting this?!? "JS:ScriptIP-inf [Trj]" Argh! I supposedly have a "trojan horse" now according to Avast, yet google and virustotal say I don't? This is driving me nuts.

Is there an actual log file? So I can see what is supposedly causing this?
Title: Re: avast gives url:mal error - cannot open my website!
Post by: Pondus on August 17, 2010, 10:47:20 PM
well it now appears clean

VirusTotal - raceonusa.com.htm - 0/42
http://www.virustotal.com/file-scan/report.html?id=61bd29f8609427eb0a7e2751ba7eabd0aac1cf78aae6c706a35497bbac8b0d40-1282077860

Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 17, 2010, 11:02:03 PM
Yeah that's the weird thing, it looks clean now, can you view it on your computer with Avast running? http://www.raceonusa.com
I just get error messages from avast warning me about a supposed Trojan Horse, but how is that possible if all the virus scanning sites give it a clean bill of health?

http://www.raceonusa.com/|>{gzip}
Title: Re: avast gives url:mal error - cannot open my website!
Post by: Pondus on August 17, 2010, 11:09:52 PM
If I try to go there on my avast comp I get a block....

one strange thing, my last VT scan is showing clean but if you open the one you posted (VT URL scan ) and look on top of it, there is a " View downloaded file analysis " click it and you have avast/GData detection.. ???
Title: Re: avast gives url:mal error - cannot open my website!
Post by: jsejtko on August 18, 2010, 11:18:46 AM
Hello,

Your website is currently hacked and used to distribute malware -> that's why we started to block your domain. You will have to remove malicious scripts which were added into your website - php/exe/java/etc (It would be nice, if you can collect them and send them in password protected archive to virus@avast.com).

All the files (hack) should be located inside this folder (and are still there - checked 5 minutes ago):
Code:
hxxp://www.raceonusa.com/Home/exemple.com/
Regards

PS: We will not remove your domain from blocklist until you fix the problem.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 19, 2010, 12:58:01 AM
My ftp shows no such directory, also when I try that url with (http) it does not find a page.

Quote
hxxp://www.raceonusa.com/Home/exemple.com/
hxxp://www.raceonusa.com/Home/example.com/
hxxp://www.raceonusa.com/home/exemple.com/
hxxp://www.raceonusa.com/home/example.com/

I try http://www.raceonusa.com/home/ but there are no errors on the page that I or my host can find. I even downloaded the entire site and scanned with Avast with POP and there are no viruses.

Avast also sets off its alarm with a generic new html page.
http://www.raceonusa.com/test.html
Even though this page is totally clean: http://www.virustotal.com/file-scan/report.html?id=325251f964f9a4ba36bc8eabdbdd7f94cbe7adfea1aa1636ecbe19bc5a09a979-1282171896

Avast false-positive classified my site as a "virus" site from my iframe which was from google.  Now I cannot get any of my pages to load without avast going nuts.

Title: Re: avast gives url:mal error - cannot open my website!
Post by: DavidR on August 19, 2010, 02:37:46 AM
jsejtko is one of the virus analysts in the Avast Virus Labs team and if he says your site is infected, believe me you have a problem.

You don't say what the pop-up alert is, I suspect it is the Network Shield, blocking the complete domain and not the actual hXXp://www.raceonusa.com/test.html page.

So even if that page is actually clean, the block is on the domain as jsejtko mentioned in his post and not the physical page test.html.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 19, 2010, 07:46:18 AM
Quote
All the files (hack) should be located inside this folder (and are still there - checked 5 minutes ago):
Code:
hxxp://www.raceonusa.com/Home/exemple.com/
Here's what he said, but I do not have such a directory on my server.

no /Home/exemple.com or example.com or lowercase home , that folder does not exist on my server, I even downloaded the entire site and scanned it with avast with POP mode enabled and disabled and it found nothing.

I also deleted my main /js java script directory, changed themes, nothing seems to delete this "virus". Is there another website that can give a non vague answer as to what file is supposedly affected?

Because this just says:
Avast   4.8.1351.0   2010.08.18   JS:ScriptIP-inf
Avast5   5.0.332.0   2010.08.18   JS:ScriptIP-inf

But it doesn't tell me which .js file is supposedly infected or what directory it's in or anything and having removed most directories I'm running out of options here.
http://www.virustotal.com/file-scan/report.html?id=57e2d3ab8c28712868313763312bf7da7536e2bebbe608cda2cf30c21a1cc3dc-1282181932

Title: Re: avast gives url:mal error - cannot open my website!
Post by: NON on August 19, 2010, 11:59:56 AM
Quote
All the files (hack) should be located inside this folder (and are still there - checked 5 minutes ago):
Code:
hxxp://www.raceonusa.com/Home/exemple.com/
Here's what he said, but I do not have such a directory on my server.

I CAN see that page, and carelessly I forgot to insert "view-source:" before the URL and I almost got infected... Java started just after I opened that page :'(


And here is the collected malwares hosted / linked from that page, avast detects all of them:
http://www.mediafire.com/?fdcviu5bwc4whxb
Password: virus

I don't know why you can't see that page, but this kind of infection usually caches accessed IP addresses and denies access from the same IP. Maybe this is the cause?
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 19, 2010, 07:49:47 PM
Virus total says it's clean:

http://www.virustotal.com/url-scan/report.html?id=3ad10458e75c11999598c13cef7c11fc-1282232164

I replaced the hxxp with http.. Am I doing something wrong here?

http://www.raceonusa.com/Home/exemple.com/
http://www.raceonusa.com/Home/example.com/
http://www.raceonusa.com/home/example.com/

I also tried "example" instead of "exemple", same thing, virus total says it's clean, but it also says Virus Report not available, so maybe the page does not exist?

For instance if I do

view-source:http://www.raceonusa.com/Home/exemple.com/

I get nothing.

Furthermore I don't even know why someone would even go to "Home/exemple.com/" that's not a link on any of my pages or part of my page structure.

Is "Home/exemple.com/" shorthand for something?
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 19, 2010, 08:32:49 PM
Quote
Michael Hicklen || Staff   08/19/2010 10:07
Hello Edward,

Honestly, there is a distinct possibility this is a false positive. Try installing a fresh copy of Magento to a subfolder and running virustotal on it. I've scoured your files and I can't find anything ever remotely malicious. I think the heuristic scanners are just too sensitive and are detecting javascript as malicious.

Michael Hicklen
Level 2 Support
SimpleHelix, LLC
866.963.0424

We would love to hear your testimonials about us:
http://www.ratepoint.com/profile/4550
I think I'll try this, I had to copy view source text to a new raceonusa.com/test.html and remove text bit by bit to see what was causing it, turns out that the JS that I remove is actually the default from magento and not laced with any viruses.  Also the default .js files that the HTML is loading are ones I replaced from the default install, yet avast still says it's got a "JS:ScriptIP-inf" error. Only if I delete all Java script, including the original default magento java script then it passes as clean.  I even ran the JS files separately in virustotal - they are totally clean.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: polonus on August 19, 2010, 09:02:32 PM
Hi raceonusa,

This site is malicious, so make all links non-click-through putting htxp wXw

Threat Report

Total threats found: 1

   Drive-By Download

Threats found: 1
Here is a complete list:
Direct link to:    htxp://www.raceonusa.com/index.php/raceonusa-hiflex-type-298b-complete-8-piece-wide-body-kit-lexus-sc-series-92-00-2-door.html
Location:    htxp://www.raceonusa.com/?gclid=CNfPw4TquaMCFeQD5QodpESTYw

As recommended in Matt Cutts' blog to prevent fake gclid,
you can change the search engine spider response to a tagged page, by adding:

    User-agent: *
    Disallow: *gclid=*

polonus

   
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 20, 2010, 12:03:22 AM
Brand new install, straight ftp of new install files to website:

Brand new unzipped straight from Magento's site:
hxxp://www.raceonusa.com/magento1411/index.php/install/

(I haven't even installed or touched files, I just unzipped the raw magento installation just downloaded it today)

Results in avast "virus", so either it's a false positive or Magento Commerce has a virus in their latest zip file.
http://www.virustotal.com/file-scan/report.html?id=c5d439c72e4965d51d90c20458e82314b9e5155e08bf3cce56b691e2efda8657-1282255096

I even scanned it from my windows virtual box just now and avast says my website files are virus free.


This has got to be a false positive, it's my domain that's setting off the alarm bells, nothing to do with malicious code.

My system is free of viruses and running Ubuntu linux on the desktop and centos on the server. My host Simple Helix confirms that there is no virus. This is something in Avast's database flagged my domain most likely.  Any Java on my domain sets it off, how can I certify my website off of this hyper sensitive level?

How do I get them to lift this ban?

I think this whole nightmare is because Avast incorrectly assumed my google iframe chat box was an "iframe" virus, even though the code is verbatim copied from Google's recommended default for the chat box.
Title: Re: avast gives url:mal error - cannot open my website!
Post by: polonus on August 20, 2010, 12:31:52 AM
Hi raceonusa,

This could be part of click fraud malware in gclid (google code), if you scan your domain at Norton Safe Web. That was where I found the drive by download malware together with the location where it was to be found, so not only avast flags this, Norton too. It is a malware injection, there is not much you can do, unless you are the hoster,

polonus
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 20, 2010, 06:49:27 PM
I just had norton rescan my site:

http://safeweb.norton.com/report/show?url=raceonusa.com

totally clean, no viruses.

Is there a way to open a site dispute with avast?
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 22, 2010, 08:35:53 AM
Is there a way I can fight / contest this virus? Like a re-submit your site feature or something?

Norton web scan says it's completely clean now, all I had Norton do was rescan.

The only one that's giving me an error is Avast and it's a false positive, how can I get them to rescan my site?

Sure G-data also has a false positive and that's because it uses Avast as one of its engines to scan.
http://antivirus.about.com/od/antivirussoftwarereviews/gr/gdatasuite2010.htm


Title: Re: avast gives url:mal error - cannot open my website!
Post by: NON on August 22, 2010, 01:21:49 PM
Quote
Is there a way I can fight / contest this virus? Like a re-submit your site feature or something?

Norton web scan says it's completely clean now, all I had Norton do was rescan.

The only one that's giving me an error is Avast and it's a false positive, how can I get them to rescan my site?

There is still an infection as jsejtko said, so unfortunately it's not a false positive. I can see this (attached image) via three proxies.

Maybe Norton web scan only scans the top page of your website (I can't find any infection in your top page so far) so it says yours is clean.
It seems "JS:ScriptIP-inf" applies blacklisted URLs in "<script>" tags without reserve so some innocent pages may get involved. :-\

Can't you see Home/ directory on your server? I don't intend to attack / criticize you, only wonder why you can't find it on your server.
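
An added example, not part of NON's post or any other post in this thread: since the detection name does not say which tag triggered it, this script lists every off-site `<script>` and `<iframe>` source in a saved copy of a page, with its line number, so the owner can see exactly which tags pull content from another host. Putting IP-literal hosts first is an assumption based on the detection name; the page URL, the trusted-host list and the sample HTML are constructed, and the script only sees the HTML as served to the machine that fetched it.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _SrcCollector(HTMLParser):
    """Collects (tag, src, line) for every <script>/<iframe> that loads a URL."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src.strip(), self.getpos()[0]))


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def external_sources(html, page_url, trusted_hosts=()):
    """Return off-site script/iframe loads, IP-literal hosts first, then by line."""
    trusted = {urlparse(page_url).hostname, *trusted_hosts}
    parser = _SrcCollector()
    parser.feed(html)
    rows = []
    for tag, src, line in parser.found:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host is None or host in trusted:
            continue
        rows.append({"line": line, "tag": tag, "host": host,
                     "src": src, "ip_literal": _is_ip(host)})
    return sorted(rows, key=lambda r: (not r["ip_literal"], r["line"]))


# Constructed sample page (192.0.2.45 is a documentation-range address).
SAMPLE = """<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="http://192.0.2.45/x.js"></script>
</head><body>
<iframe src="http://www.google.com/talk/service/badge/New"></iframe>
<script src="//cdn.example.net/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for row in external_sources(SAMPLE, "http://www.example.org/"):
        print(row)
```

Run it against the output of "view source" saved from several networks and compare the results; a tag that appears from one vantage point and not another is worth tracing on the server.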
Title: Re: avast gives url:mal error - cannot open my website!
Post by: raceonusa on August 22, 2010, 07:58:56 PM
I do not have a home directory, how is it possible that it appears on your side?
(check out the attached remote file directories I can view, hidden files are visible) no /Home directory.


I checked my htaccess and have nothing in there with "exemple" or that malware ip.

Also when I try to run
view-source:http://www.raceonusa.com/Home/exemple.com/

Firefox Ubuntu = blank
Windows XP virtual box Firefox = blank
Windows XP virtual box IE = ...
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type></HEAD>
<BODY></BODY></HTML>

Are you getting redirected to /Home/exemple.com for some reason?  What are the steps that lead you there?  I'm not sure how it's doing this.

Title: Re: avast gives url:mal error - cannot open my website!
Post by: Pondus on August 22, 2010, 10:26:49 PM
just some info, Opera browser is also blocking hxxp://www.raceonusa.com


Title: Re: avast gives url:mal error - cannot open my website!
Post by: YoKenny on August 22, 2010, 11:30:15 PM
Quote
just some info, Opera browser is also blocking hxxp://www.raceonusa.com
So is IE8!

Quote
The webpage you tried to access is infected with a virus or other malware. Do not attempt to disable the avast! Web Shield in order to access the site.
http://www.avast.com/lp-security-information-pp?utm_campaign=Virus_alert&utm_source=pa_50_0&utm_medium=prg_systray&utm_content=en-us
Title: Re: avast gives url:mal error - cannot open my website!
Post by: polonus on August 22, 2010, 11:38:49 PM
Hi YoKenny,

finjan or rather M86security now, also detects it:
SecureBrowsing
htxp://www.raceonusa.com/

Finjan SecureBrowsing has analyzed the above web address as it currently exists on the web.

The analysis indicates that:
Potentially malicious behavior was detected on this page

What to comment further,

polonus
Title: Re: avast gives url:mal error - cannot open my website!
Post by: CharleyO on August 23, 2010, 10:16:59 AM
***

Click the image below to see Opera's warning taken just 2 mins ago.


***