Avast WEBforum

Avast Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: iphigirl on April 20, 2011, 02:45:10 PM

Title: HTML:RedirBA-inf [TRJ]
Post by: iphigirl on April 20, 2011, 02:45:10 PM
Today I am trying to load my forum and suddenly AVAST! blocks it, saying "HTML:RedirBA-inf [TRJ]". Could anyone tell me what is wrong with my forum?!?

http://z6.invisionfree.com/BlessedWings/index.php?http://s6.invisionfree.com/BlessedWings/index.php
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Zyndstoff (aka Steven Gail) on April 20, 2011, 03:00:02 PM
Update the virus definitions, pls.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 11:31:39 AM
Do not want to create a new topic. But I have the same key problems. Avast was blocking my site with a notice that there is a virus, but other antivirus software did not find any virus on my site

Site address: www.magnum-blog.pp.ua

Maybe this is just another false alarm?

Technical support is silent on this issue, but for me it is important
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: ady4um on September 19, 2011, 11:46:34 AM
If you already confirm this with

http://www.virustotal.com
http://virscan.org/

and other additional alternatives as jotti.org and sucuri.net among others

then you can:

_ report a false positive here:
http://www.avast.com/contact-form.php?loadStyles

_ send virus report or "possible FP /unconfirmed malware" or similar subject to:
virus@avast.com

Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 11:52:58 AM
Do not want to create a new topic.

Why..???

Report    2011-09-19 11:11:57 (GMT 1)
Website    magnum-blog.pp.ua
Domain Hash    10c12538e247ec8a04962c84aa8f6481
IP Address    78.47.94.244 [SCAN]
IP Hostname    zoxt.sioru.com
IP Country    DE (Germany)
AS Number    24940
AS Name    HETZNER-AS Hetzner Online AG RZ
Detections    0 / 23 (0 %)
Status    CLEAN

Report    2011-09-19 12:14:07 (GMT 1)
IP Address    78.47.94.244
IP Hostname    zoxt.sioru.com
IP Country    DE
AS Number    N/A
AS Name    N/A
Detections    0 / 26 (0 %)
Status    CLEAN
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 12:14:26 PM
I do not know how can this be, the site does not contain viruses. But avast still continues to block it.

He scolds partly on html tag <base href="http://www.magnum-blog.pp.ua/" />

If you remove it, instead of the previous virus, he begins to see on the site HTML: Script-inf

How can this ever be?
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 01:18:01 PM
See Reply #3. ;)
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Pondus on September 19, 2011, 01:46:39 PM
can you post a screen shot of the avast warning ?
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 02:02:11 PM
Sorry but at this point I do not have such an opportunity
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 02:05:23 PM
can you post a screen shot of the avast warning ?

Here it is.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 02:44:08 PM
can you post a screen shot of the avast warning ?

Here it is.

Thank you.

Tell me, what was written in details?
You have a button "details" in the screen shot
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 02:48:35 PM
1. Thank you.
2. Tell me, what was written in details?

1. You're welcome..!
2. Nothing important. ;)
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 02:51:01 PM
I understand that nothing important. But for me it's important.
It's still my site
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 03:07:08 PM
I understand that nothing important. But for me it's important.
It's still my site

Why don't you click on it yourself..???
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 03:10:37 PM
I understand that nothing important. But for me it's important.
It's still my site

Why don't you click on it yourself..???

Due to the fact that I have is a different antivirus

P.S: Sorry for my english
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 03:16:26 PM
Due to the fact that I have is a different antivirus

I see.
So ask the one who reported it to you to provide the link.
As mine is in German and wouldn't help you much. ;)
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: ady4um on September 19, 2011, 03:25:38 PM
@Magnum,

If you can concentrate on sending this to Avast as a possible FP as instructed in reply #3, you could gain some time (instead of passively waiting for someone from Avast Team to see and read this topic).

The "details" (at least for now) is not specifically for "you" (your site), so that's why is not *that* important.

If it is indeed a FP, then Avast will solve this and your friend (and everyone else that has Avast) will be able to get to your site without problems, but for that to happen as promptly as it can, you should probably report this as suggested.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 03:44:35 PM
@Magnum,

If you can concentrate on sending this to Avast as a possible FP as instructed in reply #3, you could gain some time (instead of passively waiting for someone from Avast Team to see and read this topic).

The "details" (at least for now) is not specifically for "you" (your site), so that's why is not *that* important.

If it is indeed a FP, then Avast will solve this and your friend (and everyone else that has Avast) will be able to get to your site without problems, but for that to happen as promptly as it can, you should probably report this as suggested.

These requests have already been sent to specialists avast.
This was done primarily
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 19, 2011, 04:26:53 PM
There is a packed obfuscated script file being loaded {gzip} with the home page (image 1), is this meant to happen ?

See image2 for an extract of the obfuscated file being loaded.

So I'm not sure this is a false positive, but it certainly needs investigation, I know you have said you reported it. But if you didn't use the link in Reply #3 I would use that as that seems to have a faster response.

If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (network shield and Web Shield), etc. a link to this topic might also help.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 19, 2011, 04:36:55 PM
I still believe that this is a false alarm, because if we remove from the code page of the site:
<base href="http://www.magnum-blog.pp.ua/" />
and
<script type="text/javascript" src="http://www.magnum-blog.pp.ua/plugins/system/lknlightbox/lknlightbox.js"></script>

avast no longer sees the threat. So, what's so wrong with these two lines?

If you scan the file avast lknlightbox.js on the path above. That virus is not there
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 19, 2011, 04:37:48 PM
There is a packed obfuscated script file being loaded {gzip} with the home page (image 1), is this meant to happen ?

See image2 for an extract of the obfuscated file being loaded.

Interesting, Sucuri says clean though...
Guess we need a reply from the virus lab here.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 20, 2011, 10:42:34 AM
Already found the cause for which the full antivirus complains to the site.
It just shocked me.
Site address for some unknown reason is in the black list antivirus.

As I checked out. simple.

The site has a service address, if you go through it, the antivirus is silent.

A response to my request no.

If interested I can give a service address
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 20, 2011, 12:28:55 PM
Well I don't know if giving out the service address on-line would be wise.

So I don't know what the difference is between the two addresses, as it obviously isn't loading this {gzip} file at the start or the web shield would be alerting. When there are sufficient web shield alerts, that feedback goes through the CommunityIQ feature and eventually the site would be added to the malicious sites list in the network shield.

So the question I asked before is still the same and remains unanswered:
There is a packed obfuscated script file being loaded {gzip} with the home page (image 1 in my last post), is this meant to happen ?

Plus why this file isn't loaded in the service address.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 20, 2011, 12:47:43 PM
To be honest I did not understand which file?
On your picture, I saw only vague set of characters

Also, I checked the site on the local host. Avast there is nothing to see, although the files have not changed!
I just scanned them and avast there, too, he finds nothing.

I am more than confident that there is no infected file is razed
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 20, 2011, 12:58:21 PM
That set of vague characters is the contents of the compressed file that is being loaded (which was image2), the first image is showing that avast is alerting on that compressed file being loaded by the page the /|>{gzip} bit at the end of the URL. I don't know what that is, but there must be something calling a file to be loaded.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 20, 2011, 01:07:30 PM
But then the files should be loaded regardless of what the current address of the site. Files are the same
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 20, 2011, 01:48:10 PM
Obviously that isn't the case or you would have an alert like I did in image1 when I visited the main site home page again.

I don't know why that is.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 20, 2011, 01:50:44 PM
Obviously that isn't the case or you would have an alert like I did in image1 when I visited the main site home page again.

He isn't using avast... ;)
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 20, 2011, 01:56:45 PM
So this is a false alarm.
For example here is an alternative web address http://www.magnum.zoxt.net/
And you'll see that there is no virus there is no!

And yes, I do not use anti-virus for which the level of false positives is very high, and at times it surpasses avast
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 20, 2011, 02:16:15 PM
You can't compare two different sites, if the software at one is of a different version or one site has been hacked you are going to get different results.

I don't get an alert at this site but I do at the other, so there has to be a difference.
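
One way to test the "there has to be a difference" point above, as an added example that is not part of any post in this thread: parse the HTML each address returns, resolve every `<script src>` against its `<base href>`, and diff the results. The host names and sample pages are constructed; only the lknlightbox.js path comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect the first <base href> and every <script src> in a document."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]  # browsers honour only the first <base>
        elif tag == "script" and a.get("src"):
            self.srcs.append(a["src"])

def loaded_scripts(page_url, html):
    """Absolute script URLs, resolved against <base href> like a browser."""
    p = ScriptCollector()
    p.feed(html)
    base = urljoin(page_url, p.base) if p.base else page_url
    return [urljoin(base, s) for s in p.srcs]

def diff_addresses(url_a, html_a, url_b, html_b):
    """Compare the script loads of one site served at two addresses."""
    a, b = loaded_scripts(url_a, html_a), loaded_scripts(url_b, html_b)
    paths_a = {urlsplit(u).path for u in a}
    paths_b = {urlsplit(u).path for u in b}
    host_b = urlsplit(url_b).hostname
    return {
        "only_a": sorted(paths_a - paths_b),  # loaded only at address A
        "only_b": sorted(paths_b - paths_a),  # loaded only at address B
        # scripts address B pulls from a host other than itself
        "cross_host_b": [u for u in b if urlsplit(u).hostname != host_b],
    }

# Constructed sample pages and host names (not captured from any real site).
MAIN = ('<head><base href="http://main.example/" />'
        '<script src="plugins/system/lknlightbox/lknlightbox.js"></script>'
        '<script src="/media/extra.js"></script></head>')
SERVICE = ('<head><base href="http://service.example/" />'
           '<script src="plugins/system/lknlightbox/lknlightbox.js"></script></head>')

if __name__ == "__main__":
    print(diff_addresses("http://main.example/index.php", MAIN,
                         "http://service.example/index.php", SERVICE))
```

A non-empty `only_a` names the script to inspect first; a non-empty `cross_host_b` shows that the second address still pulls scripts from another host because of a hard-coded `<base href>`.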
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Magnum on September 20, 2011, 02:28:03 PM
You can't compare two different sites, if the software at one is of a different version or one site has been hacked you are going to get different results.

I don't get an alert at this site but I do at the other, so there has to be a difference.

This is not another site, this same site, just at a different address.
The same files.
Just the site two addresses (two domains)

Or do you not know such a thing?
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 20, 2011, 02:30:10 PM
So this is a false alarm.
For example here is an alternative web address http://www.magnum.zoxt.net/

Please remove my screenshot from your site...!!! >:(
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: DavidR on September 20, 2011, 02:32:10 PM
You can't compare two different sites, if the software at one is of a different version or one site has been hacked you are going to get different results.

I don't get an alert at this site but I do at the other, so there has to be a difference.

This is not another site, this same site, just at a different address.
The same files.
Just the site two addresses (two domains)

Or do you not know such a thing?

I know one thing, I'm done banging my head against a brick wall.

If you have reported it I will leave it to them to resolve if possible.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Asyn on September 20, 2011, 02:48:14 PM
So this is a false alarm.
For example here is an alternative web address http://www.magnum.zoxt.net/

Please remove my screenshot from your site...!!! >:(

Thanks.
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Vortan on November 23, 2012, 11:09:54 AM
Good afternoon.
We have a problem with the fact that our site is blocked http://www.expert-centre.com.ua/ Avast Antivirus: (
The report specified that the threat on our website HTML: RedirBA-inf [Trj]
We have checked the site and found no threats. Can you unlock our website?
Have a nice day.
PS. I feel very sorry for my english: - [
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: Pondus on November 23, 2012, 11:22:12 AM
first...you should have created your own topic in the virus and worms section....

url check by sucuri
http://sitecheck.sucuri.net/results/www.expert-centre.com.ua/

urlvoid
http://www.urlvoid.com/scan/expert-centre.com.ua/
Title: Re: HTML:RedirBA-inf [TRJ]
Post by: polonus on November 23, 2012, 11:24:49 AM
Also see how your site was being abused with exploit pack malcode: http://urlquery.net/report.php?id=77532
Also consider this report: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=expert-centre.com.ua

polonus