Author Topic: SAS Forum infected/underattack ?????  (Read 11157 times)

iroc9555

  • Guest
SAS Forum infected/underattack ?????
« on: November 03, 2012, 04:34:51 AM »
I tried to go to SAS forum after Avast! detected in my IE 8 Favorite SAS forum link as INI:shortcut-inf[trj]

WOW what a surprise 1 Web Shield detection and 13 Network Shield detections. Too many to attach screenshots of alerts so here is the Avast! report:

Web Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

Network Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/ [L] URL:Mal (0)
02/11/2012 20:47:56  -http://forums.superantispyware.com/public/style_images/master/advanced_search.png [L] URL:Mal (0)
02/11/2012 20:47:56    -http://forums.superantispyware.com/images/forum-top.png [L] URL:Mal (0)
02/11/2012 20:47:56    -http://forums.superantispyware.com/public/style_images/master/icon_quicknav.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/branding_bg.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/profile/default_large.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/f_icon.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/maintitle.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/uploads/profile/photo-thumb-20915.jpg [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/uploads/av-10620.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/cat_minimize.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/top.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/public/style_images/master/feed.png [L] URL:Mal (0)


Afterward my start page did not want to start up. I had Internet but when IE 8 and FF 16.0.2 were applied I got "Page not found". I ran MBAM and did not find anything so I tried again and this time my browsers started with my start page.

I did run all the programs requested. Besides AdwCleaner which found some old IE 7 app to edit DHTML, the rest I believe are clean. However I will appreciate it if any of you gents would take a look at them just in case.

I think Avast! just saved my skin. Thanks avast!  ;D
« Last Edit: November 03, 2012, 04:47:05 AM by iroc9555 »

iroc9555

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #1 on: November 03, 2012, 04:40:42 AM »
Here are my 2 OTL logs.

true indian

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #2 on: November 03, 2012, 05:04:48 AM »
You are not alone!! Even I am having URL MAL on SAS forum  ;D

Offline Geoffo

  • Jr. Member
  • **
  • Posts: 70
Re: SAS Forum infected/underattack ?????
« Reply #3 on: November 03, 2012, 09:47:22 AM »
Me too, my scan moved c\:users/favourites/superantispyware.com.indexpage.url to the virus chest. Name of file infected said was INI shortcut-inf[trj]. What's going on? Also my scan hangs at 58% for ages and then all of a sudden whizzes up to 99%, it hasn't done that before?
Win7, Chrome, Avast MBAM, SUS,

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: SAS Forum infected/underattack ?????
« Reply #4 on: November 03, 2012, 10:02:31 AM »
It sounds like the forum of sas might have been hijacked.

http://forum.avast.com/index.php?topic=47096.0
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Geoffo

  • Jr. Member
  • **
  • Posts: 70
Re: SAS Forum infected/underattack ?????
« Reply #5 on: November 03, 2012, 10:17:27 AM »
Quote from: mikaelrask
it sounds like the forum of sas might have been hijacked.

http://forum.avast.com/index.php?topic=47096.0

Pretty useless link that, no mention of the SAS forum being hijacked - and it's a 2009 topic!!
Win7, Chrome, Avast MBAM, SUS,

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5600
  • Spartan Warrior
Re: SAS Forum infected/underattack ?????
« Reply #6 on: November 03, 2012, 11:52:16 AM »
Here, in avast! Free/Pro/Suite:  http://forum.avast.com/index.php?topic=108477.0
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: SAS Forum infected/underattack ?????
« Reply #7 on: November 03, 2012, 01:40:51 PM »
I would suggest a search of the Wilders forums as that is where these things normally get discussed when it isn't possible to discuss them on the SAS forum if your AV is blocking it.

However, this is a bit strange in that it is only an issue at the forums. sub-domain as it is possible to visit    hXXp://www.superantispyware.com/ without an alert.

The multiple alerts isn't so much of an issue as essentially it is only the one alert on the forum.superantispyware.com sub-domain, so each connection to an image in that sub-domain would also trigger an alert.

My main interest is the very first alert you listed.
Quote from: mchain
Web Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

As that page appears to be loading a compressed script file - the |>{gzip} bit at the end as the HTML:Script-inf is a script injection alert.

The problem is once you get sufficient avast users getting a web shield alert on a site, that (through the avast! community) will eventually lead to the inclusion in the network shield's malicious sites list. So this particular alert needs investigation as I suspect once that is resolved the network shield alerts would also be resolved.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
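
An added example (not part of the thread and not any poster's code) of the triage DavidR describes above: parse a report in the layout quoted in the opening post, collapse the per-resource `URL:Mal` hits to one count per host, and surface the content detection that needs investigating. The field layout, the reading of the `|>` suffix and the rule that `URL:`-prefixed names are blocklist hits are assumptions drawn from the lines shown in this thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied from the report in the opening post (shortened to three
# Network Shield entries); section headers name the shield that fired.
SAMPLE_REPORT = """\
Web Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

Network Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/ [L] URL:Mal (0)
02/11/2012 20:47:56    -http://forums.superantispyware.com/images/forum-top.png [L] URL:Mal (0)
02/11/2012 20:47:57    -http://forums.superantispyware.com/uploads/av-10620.png [L] URL:Mal (0)
"""

# Assumed layout: "DD/MM/YYYY HH:MM:SS  -<target> [L] <detection> (<n>)"
LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+-(\S+)\s+\[L\]\s+(\S+)\s+\(\d+\)$")

def parse_report(text):
    """Yield one dict per alert line, tagged with the shield section above it."""
    shield = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Shield:"):
            shield = line[:-1]
            continue
        m = LINE.match(line)
        if not m:
            continue  # blank or unrecognised line
        when, target, detection = m.groups()
        # Split off a suffix such as "|>{gzip}" (assumed: unpacked-content marker)
        url, _, unpacker = target.partition("|>")
        yield {"shield": shield, "time": when, "url": url, "unpacker": unpacker,
               "host": urlsplit(url).hostname, "detection": detection}

def triage(alerts):
    """Per host: content detections to investigate and a count of blocklist hits."""
    hosts = defaultdict(lambda: {"investigate": [], "blocklist_hits": 0})
    for a in alerts:
        if a["detection"].startswith("URL:"):  # assumed: host/URL blocklist hit
            hosts[a["host"]]["blocklist_hits"] += 1
        else:
            hosts[a["host"]]["investigate"].append((a["url"], a["detection"]))
    return dict(hosts)

if __name__ == "__main__":
    for host, info in triage(parse_report(SAMPLE_REPORT)).items():
        print(host, info)
```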

iroc9555

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #8 on: November 03, 2012, 02:08:36 PM »
Quote from: DavidR
The multiple alerts isn't so much of an issue as essentially it is only the one alert on the forum.superantispyware.com sub-domain, so each connection to an image in that sub-domain would also trigger an alert.

My main interest is the very first alert you listed.
Quote from: mchain
Web Shield:
02/11/2012 20:47:56     -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

As that page appears to be loading a compressed script file - the |>{gzip} bit at the end as the HTML:Script-inf is a script injection alert.


I agree with you DavidR that detection is the main concern.

Since Piriform forum was also detected as infected in an earlier topic yesterday I am taking no risks. I am pretty sure my logs are clean but I am waiting for Essexboy to take a look at my OTL logs.

Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: SAS Forum infected/underattack ?????
« Reply #9 on: November 03, 2012, 03:27:13 PM »
Looks clean young sir... Any problems ?

iroc9555

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #10 on: November 03, 2012, 03:35:21 PM »
Thanks Essexboy.

No, no problems right now. Thanks again, and thanks for the young sir ;D too.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: SAS Forum infected/underattack ?????
« Reply #11 on: November 03, 2012, 03:39:58 PM »
Run OTL and hit the cleanup button to remove the tools you have used  ;D

iroc9555

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #12 on: November 03, 2012, 03:44:09 PM »
Quote from: essexboy
Run OTL and hit the cleanup button to remove the tools you have used  ;D

Yes sir. I was waiting for your "all good specialist clean up his tools after everything is done" speech.  ;D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: SAS Forum infected/underattack ?????
« Reply #13 on: November 03, 2012, 04:16:29 PM »
Do you want the whole 9 yards  ;D ;D ;D

iroc9555

  • Guest
Re: SAS Forum infected/underattack ?????
« Reply #14 on: November 03, 2012, 04:18:56 PM »
Quote from: essexboy
Do you want the whole 9 yards  ;D ;D ;D

 ;D  ;D  ;D