Author Topic: Still blocked by Avast (only) yet site is testing clean  (Read 6864 times)


Elle1971

  • Guest
Still blocked by Avast (only) yet site is testing clean
« on: September 13, 2013, 05:36:53 PM »
Ok... second time of typing as my "captcha" didn't match.

My website has been blocked by a large number of Avast users for over a week. I have been right through the files via FTP. I have also run it through online scanners, both of which (Sucuri and webinspector) agree that it is clean.

No other virus/malware checkers seem to be flagging anything.

I have messaged Avast twice now via http://www.avast.com/contact-form.php?loadStyles but have received no reply, or any form of acknowledgement.

I am now spending a considerable amount of time defending my hard-earned business reputation across various social networks against trolls who have nothing better to do than slate people and things they know nothing about.

My website is spainbuddy dot com

Can someone please please PLEASE help!

One desperate lady

Elle x

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #1 on: September 13, 2013, 05:56:41 PM »
Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fspainbuddy.com Clean
URLQuery: http://urlquery.net/report.php?id=5234176
Quttera: http://www.quttera.com/detailed_report/spainbuddy.com Clean
Zulu: http://zulu.zscaler.com/submission/show/98e5401479006605cdc45b41e64c51bd-1379087638 Benign
Virustotal scan is clean.

I will notify polonus about this. ;)
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Elle1971

  • Guest
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #2 on: September 13, 2013, 06:00:19 PM »
Steven - thank you for giving me the first positive response I've had in a while.

Very much appreciated.

Elle xx

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #3 on: September 13, 2013, 06:00:38 PM »
polonus is notified, he will look over the site and the scans I run, and will run scans himself maybe.

But he is offline now, so please wait some time.

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6699
  • Trust only what you test yourself!
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #4 on: September 13, 2013, 06:02:46 PM »
When I scanned using Quttera I found nine suspicious files. http://quttera.com/detailed_report/www.spainbuddy.com  ???
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #5 on: September 13, 2013, 06:05:46 PM »
My search is for htxp://spainbuddy.com, yours is for htxp://www.spainbuddy.com

I think that is the point. ;D
« Last Edit: September 13, 2013, 06:42:38 PM by Steven Winderlich »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #6 on: September 13, 2013, 06:07:32 PM »
Probably an IP block....

If you look here http://urlquery.net/report.php?id=5234176 and scroll down to "Recent reports on same IP/ASN/Domain",

you find these domains using the same IP that have alerts on them; see here: "Detected RedKit exploit kit URL pattern" http://urlquery.net/report.php?id=5234545
Sucuri report  http://sitecheck.sucuri.net/results/www.dailycruisebargains.com/


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #7 on: September 13, 2013, 06:10:33 PM »
And this is why it is being blocked, I think...

That's like bad advertisements which carry scripts or something like that.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #8 on: September 13, 2013, 06:58:26 PM »
We have to check on these redirects from that site:
URLs that redirect found in: http://spainbuddy.com/

1: htxp://www.gandy-draper.com/openx/www/delivery/avw.php?zoneid=24&cb=INSERT_RANDOM_NUMBER_HERE&n=ab826f56 -> htxp://www.gandy-draper.com/openx/www/images/46c3fd36def631da4ac2480821857606.jpg
2: htxp://www.booking.com/?aid=357636&tmpl=searchbox&width=685&calendar=1& -> htxp://www.booking.com/
and this in line 07:shr.src = 'htxps://dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6';
flagged as potentially suspicious by Quttera's  -> htxps://shareaholic.com")}.call(this),/*! as
dsms0mj1bbhn4.cloudfront.net/assets/pub/shareaholic.js?ver=7.0.3.6
Severity:    Potentially Suspicious
Reason:    Detected procedure that is commonly used in suspicious activity.
Details:   Too low entropy detected in string [['=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=']] of length 344 which may point to obfuscation or shellcode.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
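
The low-entropy finding quoted in polonus's post, as an added example that is not part of the original thread and not Quttera's code: a Shannon-entropy check over JavaScript string literals. The thresholds, the regex and the sample script are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed thresholds for illustration; the scanner's real values are not on this page.
MIN_LENGTH = 100          # ignore short literals
MAX_BITS_PER_CHAR = 2.5   # at or below this, a long literal counts as "low entropy"

# Single- or double-quoted JavaScript string literal on one line (escapes allowed).
STRING_LITERAL = re.compile(
    r"'((?:[^'\\\n]|\\.)*)'" + "|" + r'"((?:[^"\\\n]|\\.)*)"'
)

def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def flag_low_entropy_literals(source, min_length=MIN_LENGTH, max_bits=MAX_BITS_PER_CHAR):
    """Return (line_number, length, entropy) for long, highly repetitive literals."""
    findings = []
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(1) if match.group(1) is not None else match.group(2)
        if len(literal) < min_length:
            continue
        bits = shannon_entropy(literal)
        if bits <= max_bits:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, len(literal), round(bits, 2)))
    return findings

# Constructed sample, modelled on the repeated "=%26" run in the report above.
SAMPLE_JS = "\n".join([
    "var shr = document.createElement('script');",
    "shr.src = 'https://cdn.example.invalid/assets/share.js?ver=1.0';",
    "var pad = '" + "=%26" * 86 + "';",
    "var msg = 'Share this page with your friends';",
])

if __name__ == "__main__":
    for line, length, bits in flag_low_entropy_literals(SAMPLE_JS):
        print(f"line {line}: literal of length {length}, {bits} bits/char")
```

A literal built from four equally frequent characters scores exactly 2.0 bits per character whatever its purpose, so a hit from a check like this is a prompt for manual review of the script, not a verdict.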


Elle1971

  • Guest
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #11 on: September 13, 2013, 07:25:28 PM »
Thanks Pondus - IP Blocking I can get around - I can pay my hosts for a dedicated IP on that server. I shall look into that in the morning. Alternatively, if I flag that site up to the hosts... they may be able to do something at their end to it.

Thanks for the feedback Polonus.

I don't understand how the ads are bad in openx? Gandy-Draper is our own company by the way... and that's where the openx is hosted. .com is the website and .net is the hosting account. We've been using it for organising our advertising for a few years now, and never with any issues until recently.

  • The first one is a banner that invites people to advertise on the same website

  • The second one - Booking.com is well... booking.com - a vacation booking website. Well established respected etc etc etc

  • The line 7 is a Shareaholic plugin... which although have been causing issues for many of us this week... are standard sharing tools on 100,000s of websites. Mind you after this week, they can go jump off a tall building. Their plugin has stopped working in Firefox. I'm looking for a decent alternative as we speak.

So... if I delete those 3 items from my site - will that mean it is clean for Avast purposes? Even though it's testing clean anyway? Or does Avast simply dislike the way that openx redirects links?

Oh God I'm so confused... and so frustrated and upset after all the hassles. I do appreciate the help and time you are putting into this - so thank you all so much... Pondus, Polonus and Steven.

Elle x


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #13 on: September 13, 2013, 07:40:01 PM »
So actually Booking.com is safe.

These alerts should be gone when these things are removed, but please wait for polonus' reply. ;)

These banners could have a bad advertiser or the websites that they are linking to could be hacked or infected.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Still blocked by Avast (only) yet site is testing clean
« Reply #14 on: September 13, 2013, 07:55:57 PM »
Polonus is not online now.

You can check back later if you want.

Just save the Thread to your favorites in your browser.