Avast WEBforum
Other => Viruses and worms => Topic started by: Jonhs on January 15, 2011, 07:49:42 PM
-
Avast! blocked norma-market.ru with reason URL:Mal.
All scans show that this site is clear of any malware.
Reports:
http://www.virustotal.com/url-scan/report.html?id=06bdf7a756b3e7ec89117580445146fb-1295097332
http://www.virustotal.com/file-scan/report.html?id=88fc453631d72df93074984b9cdb4d9147482bb5abcff143e831ec75967b7919-1295100893
http://vscan.urlvoid.com/analysis/6a6bf4dec039281257bfd10e62018f03/bm9ybWEtbWFya2V0LXJ1/
http://safeweb.norton.com/report/show?url=norma-market.ru
Low rep in Web of Trust. But the site is not in the list of services that are referenced in the comments.
http://www.malwaredomainlist.com/hostslist/hosts.txt - clear
http://www.malwaredomains.com/files/domains.txt - clear
-
Finjan (real time) detects adware.
http://www.finjan.com/Content.aspx?id=1190&url=http%3A%2F%2Fnorma-market.ru%2F&state=unsafe&category=Other&reason=Potential%20adware%20behavior%20was%20detected%20on%20this%20page&more=
-
***
http://www.UnmaskParasites.com/security-report/?page=norma-market.ru
Suspicious Inline Scripts :
Long suspicious script
document.write("< a href='hXXp://www.liveinternet.ru/click' target=_blank>< img src='//counter.yadr...
***
-
Long suspicious script
This is liveinternet.ru counter. Same FP reaction on some sites where it is installed.
from norma-market.ru
<!--LiveInternet counter-->
<script type="text/javascript">document.write("<a href='http://www.liveinternet.ru/click' target=_blank><img src='//counter.yadro.ru/hit?t14.6;r" + escape(document.referrer) + ((typeof(screen)=="undefined")?"":";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?screen.colorDepth:screen.pixelDepth)) + ";u" + escape(document.URL) + ";" + Math.random() + "' border=0 width=88 height=31 alt='' title='LiveInternet: показано число просмотров за 24 часа, посетителей за 24 часа и за сегодня'><\/a>")</script><!--/LiveInternet-->
new code from liveinternet.ru
<!--LiveInternet counter-->
<script type="text/javascript">document.write("<a href='http://www.liveinternet.ru/click' target=_blank><img src='//counter.yadro.ru/hit?t14.6;r" + escape(document.referrer) + ((typeof(screen)=="undefined")?"":";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?screen.colorDepth:screen.pixelDepth)) + ";u" + escape(document.URL) + ";" + Math.random() + "' border=0 width=88 height=31 alt='' title='LiveInternet: показано число просмотров за 24 часа, посетителей за 24 часа и за сегодня'><\/a>")</script><!--/LiveInternet-->
http://www.finjan.com/Content.aspx?id=1190&url=http%3A%2F%2Fnorma-market.ru%2F&state=unsafe&category=Other&reason=Potential%20adware%20behavior%20was%20detected%20on%20this%20page&more=
Possibly the reason is the same.
-
Hello,
This false positive wasn't caused by liveinternet.ru. It was a false positive in our blacklist.
Regards
-
Thank you :)
-
Thank you :)
Glad you got it resolved with Avast, anyway. :)
-
-http://hosts-file.net/?s=liveinternet.ru and -http://www.urlvoid.com/scan/liveinternet.ru
-http://www.urlvoid.com/scan/norma-market.ru
-
Hi! I have the same problem with my site "r0b1n.org.ua" - URL:Mal. Avast is blocking it. :(
I checked my site with:
http://www.unmaskparasites.com/security-report/?page=r0b1n.org.ua
http://www.urlvoid.com/scan/r0b1n.org.ua
http://vscan.urlvoid.com/analysis/845905834378518cc78b2c0e944c688b/cjBiMW4tb3JnLXVh/
http://www.virustotal.com/url-scan/report.html?id=2ac9dc93337d06574682ec4145498cf8-1297177196
Please help. What should I do? ???
-
Please help. What should I do? ???
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
asyn
-
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
asyn
Oh, thank you, Asyn. I'll try it! :)
-
Oh, thank you, Asyn. I'll try it! :)
You're welcome..!
asyn
-
Hello,
r0b1n.org.ua should be fixed in the current VPS. But it wasn't the same case: norma-market was a false positive in our web shield, but r0b1n.org.ua was really infected and now it's clean.
Regards
-
AVAST developers, help, please. Your antivirus is blocking the site www.fonariki.skrepka.pl.ua. You can check for the black list.
-
AVAST developers, help, please. Your antivirus is blocking the site wxw.fonariki.skrepka.pl.ua. You can check for the black list.
Please open a new topic.
-
My URL http://foto.pro-digiworld.info/ is blocked by avast. What is the problem? There is no virus on my site.
http://www.urlvoid.com/scan/foto.pro-digiworld.info - CLEAN
-
First, always start a new topic when you have problems.
You will find the blue "NEW TOPIC" button in the top right corner here: http://forum.avast.com/index.php?board=4.0
There is no virus on my site.
Sucuri says: INFECTED
Info: Description:Encoded javascript using a packer by Dean Edwards
http://sucuri.net/malware/malware-entry-mwjsdepack
Jotti - http://virusscan.jotti.org/en/scanresult/5e9dc6a884423cfac7109336a6e39e01a6ea6efe
-
This part of the code there is suspicious:
-foto.pro-digiworld.info/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js?ver=1.3.3 suspicious
[suspicious:2] (ipaddr:176.9.40.38) (script) -foto.pro-digiworld.info/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js?ver=1.3.3
status: (referer=-foto.pro-digiworld.info/)saved 9986 bytes fd7e089a6c10d591dc15faf54395bb5a8b74a1ea
info: [img] -foto.pro-digiworld.info/wp-content/plugins/nextgen-gallery/shutter/
info: [decodingLevel=0] found JavaScript
suspicious, see: http://urlquery.net/queued.php?id=15509
polonus
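
The two scanner findings discussed in this thread, a long inline `document.write` counter and JavaScript encoded with Dean Edwards' packer, can be separated mechanically before deciding whether a detection is a false positive. The following is an added example, not code from any poster or from Avast, Sucuri or UnmaskParasites; the function names, verdict labels and sample scripts are assumptions constructed for illustration.

```javascript
// Added example: triage of inline scripts that a site scanner flagged.
// Host names come from the thread; labels and samples are constructed.
const KNOWN_COUNTER_HOSTS = new Set(["www.liveinternet.ru", "counter.yadro.ru"]);

// Output of Dean Edwards' packer starts with this wrapper (last arg d or r).
const PACKER_RE =
  /eval\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/;

// Collect hosts from absolute (http://host) and protocol-relative (//host) URLs.
function referencedHosts(src) {
  const hosts = new Set();
  const re = /(?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

function triageInlineScript(src) {
  const hosts = referencedHosts(src);
  const unknown = hosts.filter((h) => !KNOWN_COUNTER_HOSTS.has(h));
  if (PACKER_RE.test(src)) {
    // Packing is not malicious in itself, but it hides what the code loads:
    // unpack and read it before calling the detection a false positive.
    return { verdict: "review-packed", hosts, unknown };
  }
  if (/document\.write\s*\(/.test(src)) {
    // A counter that references only its own hosts is the benign case.
    const known = hosts.length > 0 && unknown.length === 0;
    return { verdict: known ? "known-counter" : "review-unknown-hosts", hosts, unknown };
  }
  return { verdict: "no-finding", hosts, unknown };
}

// Constructed samples: shortened counter, inert packer stub, unknown host.
const COUNTER = `document.write("<a href='http://www.liveinternet.ru/click' target=_blank>` +
  `<img src='//counter.yadro.ru/hit?t14.6;r" + escape(document.referrer) + ";" + Math.random() + "'></a>")`;
const PACKED = "eval(function(p,a,c,k,e,d){return p}('0 1',2,2,'a|b'.split('|'),0,{}))";
const UNKNOWN = `document.write("<img src='http://stats.example.test/p.gif'>")`;

for (const [name, src] of [["counter", COUNTER], ["packed", PACKED], ["unknown", UNKNOWN]]) {
  const r = triageInlineScript(src);
  console.log(name, r.verdict, r.unknown.join(",") || "-");
}
```

A `review-packed` verdict only means the script has to be unpacked and read; a `known-counter` verdict still depends on the allowlist being maintained by whoever runs the check.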