Author Topic: Alert of a possibly unexist url connection within a website?


REDACTED

  • Guest
Alert of a possibly unexist url connection within a website?
« on: September 28, 2014, 03:48:31 PM »
I was trying to find another Chinese game website, since 4399.com is having a trojan, and found a problem: Avast alerts on a blocked URL within the site www.9377.com.

The blocked URL was hxxp://tk.279wo.com/cppt.php?id=5411
But urlquery cannot find it: http://urlquery.net/report.php?id=1410177886752
I got a scan timeout: http://urlquery.net/report.php?id=1411910864519
The entire domain hxxp://tk.279wo.com/ is blocked, as I found in a different issue here http://tieba.baidu.com/p/3319915298 (written in Chinese).

Is this a false alert?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Alert of a possibly unexist url connection within a website?
« Reply #1 on: September 28, 2014, 04:19:03 PM »
@rickyyeung,

We have an IP address and a badness history here:
https://www.virustotal.com/nl/ip-address/113.107.149.229/information/
and then you will see that this is exactly for the domain you mention.
 
And the latest detection there is for adware: https://www.virustotal.com/nl/file/5e7d8371cc13eced358121c5e969478bccd55d4951af4f7750318fb2812d4e29/analysis/
Another one for NSIS/TrojanDownloader.Chindo.C
Another source for info on this issue can be found here: http://totalhash.com/network/ip:113.107.149.229
For instance: http://totalhash.com/analysis/697e945297fdab467a694b711553299d34f9be3f
And here we only get a flag by Avira for TR/Dropper.Gen
(so more likely to be a false positive when only 1 detection is found).

See also: http://totalhash.com/analysis/e6143685784ec2c36895483626c36fbdfed6066b
So all generic finds/detections and no substantial malware i.m.h.o. but in the realm of (avoidable) adware.

I got some info via PMs on existing problems here, where you linked to in Chinese
(I am aware that the issue also plays within the Google Chrome browser)
Re: [Tutorial] Fixing the problem that after uninstalling Avast on Win8 x64 the WAN Miniport shows an exclamation mark and cannot connect to the internet
I mean the Win8 x64 uninstall-Avast solution for the problem.
But as to how far this is related here, I do not know.
Anyway, thanks for reporting; mention these issues in a mail sent to virus@avast.com and point to this link of yours.

祝你今天愉快 - Have a nice day!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Alert of a possibly unexist url connection within a website?
« Reply #2 on: September 28, 2014, 04:38:10 PM »
Sometimes one just has to be tenacious and search on. Here we traced it, bingo!
http://urlquery.net/report.php?id=1411912734280
Blacklist alerts NS-BH / malwaredomains.com

Verified / Added   Severity   Domain                 Comment
2014-07-26         2          cnzz.mmstat dot com    troj/clicker-gl
2014-07-26         2          pcookie.cnzz. dot com  troj/clicker-gl

Block these domains in a Personal Blocklist. But it seems the site has been cleansed of these troj/clicker-gl redirects, as they were last seen 5 days ago (on the 23rd they were flagged, on the 28th they were not).
Here is the thorough analysis of the malware at hand: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GL/detailed-analysis.aspx
But now given as probably harmless and the file safe to be used: https://www.virustotal.com/nl/url/9b9e8892e4bbe96954ec94599b19e13ea879ddc0336911b2756f64f293554b87/analysis/1368335593/  -> to analysis: https://www.virustotal.com/nl/file/cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda/analysis/1368267268/

Damian aka polonus
« Last Edit: September 28, 2014, 04:42:01 PM by polonus »
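Reply #2 recommends putting the two flagged hosts in a personal blocklist, and Reply #3 points out that the exact hostnames matter (cnzz.mmstat.com and pcookie.cnzz.com are two different hosts). The following is an added example, not code from the thread, from Avast or from malwaredomains.com: it refangs the defanged names as they appear in the posts (hxxp, "dot com"), extracts the hostname from each URL, and matches it against the blocklist as an exact domain or a subdomain of it, so that a parent like cnzz.com or a lookalike like xcnzz.mmstat.com is not blocked by accident. The blocklist and the list of URLs are constructed from the thread; the label for tk.279wo.com is an assumption recording the Avast block from the first post.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist: the two malwaredomains.com entries quoted in the thread
# (kept in their defanged form) plus the host Avast blocked in the first post.
BLOCKLIST = {
    "cnzz.mmstat dot com": "troj/clicker-gl",
    "pcookie.cnzz. dot com": "troj/clicker-gl",
    "tk.279wo.com": "avast url block (assumed label, from the first post)",
}

# Constructed sample: the URLs discussed in the thread plus two controls that must not match.
THREAD_URLS = [
    "hxxp://tk.279wo.com/cppt.php?id=5411",
    "hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1723263213",
    "hxxp://pcookie.cnzz.com/app.gif?&cna=uwGvDMLSmBECAcOfjNj1N+Ql",
    "http://www.9377.com/",          # the site itself: not on the list
    "http://cnzz.com/",              # parent of a listed subdomain: must NOT match
]


def refang(s: str) -> str:
    """Undo the defanging used in the posts: hxxp -> http, ' dot ' / '[dot]' -> '.'."""
    s = s.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\[\s*dot\s*\]\s*|\s+dot\s+", ".", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".")
    return re.sub(r"\.{2,}", ".", s)   # "cnzz. dot com" leaves a double dot; collapse it


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a (possibly defanged, possibly scheme-less) URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def build_blocklist(entries: dict) -> dict:
    """Normalise every blocklist key to a real hostname, keeping its label."""
    return {host_of(domain): label for domain, label in entries.items()}


def matches(host: str, blocked: dict):
    """A host matches when it equals a listed domain or is a subdomain of one.
    The leading '.' in the suffix test is what keeps xcnzz.mmstat.com from matching."""
    for domain in blocked:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_url(url: str, blocked: dict = None) -> dict:
    blocked = build_blocklist(BLOCKLIST) if blocked is None else blocked
    host = host_of(url)
    hit = matches(host, blocked)
    return {"url": url, "host": host, "blocked_by": hit, "label": blocked.get(hit)}


def scan(urls=THREAD_URLS) -> list:
    blocked = build_blocklist(BLOCKLIST)
    return [check_url(u, blocked) for u in urls]


if __name__ == "__main__":
    for r in scan():
        verdict = f"BLOCK ({r['label']}, matched {r['blocked_by']})" if r["blocked_by"] else "allow"
        print(f"{r['host']:<22} {verdict}")
```

Matching on the normalised hostname rather than on the raw URL string is what avoids the mix-up in Reply #3: the path and query (9.gif, app.gif, the rnd and cna parameters) are irrelevant to the block decision, only the host is.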

REDACTED

  • Guest
Re: Alert of a possibly unexist url connection within a website?
« Reply #3 on: September 28, 2014, 05:20:05 PM »
Quote
But it seems site has been cleansed of these troj/clicker-gl redirects as they were seen last 5 days ago

So cnzz really hosted a trojan virus before :o I thought Avast unblocked that within 24 hours when I reported it last month.

By the way, you messed up the two:
it's hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1723263213 and hxxp://pcookie.cnzz.com/app.gif?&cna=uwGvDMLSmBECAcOfjNj1N+Ql,
not hxxp://pcookie.cnzz.com/9.gif?abc=1&rnd=1723263213

Quote
For instance: http://totalhash.com/analysis/697e945297fdab467a694b711553299d34f9be3f
And here we only get a flag by Avira for TR/Dropper.Gen
This one is a legit Chinese online game, which is likely clean.
« Last Edit: September 28, 2014, 05:26:42 PM by rickyyeung »

Offline polonus

Re: Alert of a possibly unexist url connection within a website?
« Reply #4 on: September 28, 2014, 05:46:54 PM »
« Last Edit: September 28, 2014, 05:49:53 PM by polonus »