Avast WEBforum
Topic started by: HS2234 on March 16, 2012, 02:42:39 PM
-
Avast blocked a malware on a site but... it still let the site go through.. it didn't abort the connection?? What's wrong???
Using the latest version of Chrome btw
-
It's only the Web Shield that will abort connections; which shield gave you the warning?
-
Web shield....
-
Strange??? Any info on the detection? Right-clicking the avast ball will allow you to choose "show last popup".
-
It's like HTML:iframe or something.. Well, since I use Chrome I guess I am safe??
-
Hi HS2234,
Can you give the URL as a non-live-link, so hxtp or wXw etc.? Then we can see what may be out there?
polonus
-
You can scan the site's url at VirusTotal https://www.virustotal.com/
-
It's like dsp/mediaagency.com/dsp.php.... is there any way I can copy and paste this?
here is a screen shot
-
Hi, Web Shield may be blocking a payload coming from the web site and not the whole web site.
If u still have a hitch on it, scan the following location:
C:\program files\google chrome
Just trace the location, right-click on the chrome folder and choose to scan with avast.
-
It's like dsp/mediaagency.com/dsp.php.... is there any way I can copy and paste this?
here is a screen shot
dsp.mediaagency.com is down.
Unable to connect to site.
-
It's like dsp/mediaagency.com/dsp.php.... is there any way I can copy and paste this?
here is a screen shot
dsp.mediaagency.com is down.
Unable to connect to site.
see the screen shot
If u want the link I clicked on I can give it to u..
What's a payload?
-
What's a payload?
Sorry for not being specific.
I mean the site u visited must have loaded a further object from a third-party site that was blocked, and not the whole web site, just the third-party site.
What's the URL address of the site?
Put it as xxx or hxxp
example: xxx.xxx.com is the site u visited.
xx.xxx.com/ga.js was blocked. [Hence, the JS part got blocked and not the actual xxx.com site.]
-
see the screen shot
web site: dsp.apsmediaagency.com
warn: Unable to properly scan your site. Site empty (no content).
-
hxxp://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CEoQFjAF&url=hxxp%3A%2F%2Fmoviereleaseschedule2012.com%2Fgo-GgDNwxy6BhI%2Fminecraft-12w09a-features-circle-brick-stone-and-new-sandstone.html&ei=v0tjT-zcOMbj0QHf6oy6CA&usg=AFQjCNFeERO2y2L2_5LV97K_RegCuiYG2A&sig2=Rt3W81L1BVM9g3vGq8fdYw
-
Make the link inactive by adding hxxp
EDIT: Did the alert come on the google link as soon as u clicked on it or when the site loaded??
-
Yup
-
Can u scan your C:\program files\google chrome folder please?
Though u describe u got the alert as soon as u clicked on it... I think that avast didn't block the link but a payload of it.
-
I scanned it.. no virus found??
-
I scanned it.. no virus found??
That's a good sign; it indicates Web Shield blocked the bad thing accurately, as it always does. :)
Well, can u tell me what u searched for on Google to get hit with that avast alert?
-
In the OP's image, it clearly shows =|> {gzip} at the end of the URL; that is an indication that there is a compressed zip file being loaded, and it is this which the web shield doesn't like and this would be blocked by the web shield.
That wouldn't stop the remainder of the site/page from opening; it is only when the detection is on an element within the .html/.htm/.php page that the whole page would be blocked.
-
@HS2234
Probably this was a hidden iFrame redirect. A "payload"???? Well viruses may also contain a payload that performs other actions, often malicious. That is called a (malicious) payload. Here we had an instance of suspicious code that the avast Webshield detected and flagged...
Probably it already has been cleansed there...
This was the code that was found there earlier with a scan at 2012-01-20 12:19:50 to be precise...
dsp.apsmediaagency dot com/dsp.php?class=MzM2fDcyOHg5MA== benign
[nothing detected] dsp.apsmediaagency dot com/dsp.php?class=MzM2fDcyOHg5MA==
status: (referer=wXw.google.com/trends/hottrends)saved 2590 bytes d9c4fb22ef1a7ab68360674e4b7b34e4421cf715
info: [decodingLevel=0] found JavaScript
error: undefined variable c1
error: line:24: SyntaxError: missing } in XML expression:
error: line:24: document.location.href = 'htXp:/amc.convomedia.com/p.php?r=' + c1 + '|' + c2 + '|' + c3;
error: line:24: ..... ultimately going -^ IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=1 HEIGHT=1 SRC="dsp_serve dot php?class=MzM2fFVTfDAuMDAwNTY3"^
@winmaltech Why should you copy what I already posted: "Can you give the URL as a non-live-link, so hxtp or wXw etc.? Then we can see what may be out there?"
And if the victim should scan for eventual remainders of that incident, he should scan the whole of Local -> Google etc.
polonus
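
Added example (not part of any forum post, and not Avast's detection logic): a small Python check for the pattern described in the post above, an iframe rendered at 1x1 or hidden with CSS. It reports each hit with its URL made non-clickable in the hxxp style used in this thread; the sample HTML, the example.test host names and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def defang(url):
    """Make a URL non-clickable for posting: http -> hxxp, host dots -> [.]"""
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", url, re.I)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{scheme.lower().replace('tt', 'xx')}://{host.replace('.', '[.]')}{rest}"

def _px(value):
    m = re.match(r"\s*(\d+)", value or "")  # leading integer, None if absent
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.findings = base_url, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # names arrive lower-cased
        w, h = _px(a.get("width")), _px(a.get("height"))
        reasons = []
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append(f"size {w}x{h}")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            src = urljoin(self.base_url, a.get("src", ""))  # resolve relative src
            self.findings.append((defang(src), ", ".join(reasons)))

def find_hidden_iframes(html, base_url):
    finder = HiddenIframeFinder(base_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: one normal embed, one 1x1 frame, one CSS-hidden frame.
SAMPLE = """<iframe width="560" height="315" src="https://video.example.test/embed/1"></iframe>
<IFRAME FRAMEBORDER=0 SCROLLING=NO WIDTH=1 HEIGHT=1 SRC="dsp_serve.php?class=abc"></IFRAME>
<iframe style="display:none" src="//cdn.example.test/x.html"></iframe>"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE, "http://ads.example.test/dsp.php"))
```

A tiny or hidden iframe is not malicious by itself (tracking pixels and ad beacons use the same trick), so hits from this check are leads to review, not verdicts.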
-
It's like dsp/mediaagency.com/dsp.php.... is there any way I can copy and paste this?
here is a screen shot
dsp.mediaagency.com is down.
Unable to connect to site.
Nope...... it is not down
http://www.downforeveryoneorjustme.com/http://dsp.apsmediaagency.com/dsp.php?class=ODE1fDE2MHg2MDA=
If you are quoting sucuri, it says: Unable to properly scan your site. Site empty (no content).
and this you can see here urlQuery http://urlquery.net/report.php?id=32188
zscaler
http://zulu.zscaler.com/submission/show/46623d8d72a3d21b7871fac056170000-1331910339
-
It's like dsp/mediaagency.com/dsp.php.... is there any way I can copy and paste this?
here is a screen shot
dsp.mediaagency.com is down.
Unable to connect to site.
Nope...... it is not down
That was because the OP misquoted the domain. ;)
-
Hi Pondus and Asyn,
Well with WebBug I executed GET for hxtp://dsp.apsmediaagency.com/dsp.php?class=ODE1fDE2MHg2MDA=
and got->
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 16 Mar 2012 15:27:47 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 205
Connection: close
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dsp.php was not found on this server.</p>
</body></html>
polonus
-
I scanned local - google with avast and mbam.. nothing found.. But since Chrome has a sandbox nothing woulda happened, right?
-
anybody?
-
You are safe and clean, don't worry! ;)