Author Topic: How can I look at a Warning that popped up earlier today?  (Read 7683 times)

0 Members and 1 Guest are viewing this topic.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: How can I look at a Warning that popped up earlier today?
« Reply #15 on: October 09, 2013, 09:54:57 PM »
Polonus is a Website Analyst from the forum.

If you want a check of your system or if you are get infected in future there are also malware removers in this forum.
Just open a post in the viruses and worms section and follow the guide logs in assist to clean malware at the top of the section.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: How can I look at a Warning that popped up earlier today?
« Reply #16 on: October 09, 2013, 10:15:45 PM »
These might help
https://asafaweb.com/Scan?Url=wallpaper.com
https://asafaweb.com/Scan?Url=care2.com

Both appear to have excessive headers which can be easily exploited.
Care2(dot)com appears to have clickjacking and cookies issues.

Personally I would be very wary of using either site. Both pose malware and privacy issues.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

goodwitch

  • Guest
Re: How can I look at a Warning that popped up earlier today?
« Reply #17 on: October 09, 2013, 10:16:29 PM »
Thanks I'll remember that I can come here too.  Back in June I was advised to run Combofix and it deleted so many files that was the big headache.  I then got help from BleepingComputer.com but it took a long time to get everything sorted out again.  I run Malwarebytes every week now as well as full daily scans of Avast and also Sophos Virus Removal tool and Eset online scanner every month.  Have been told I'm too cautious these days.  But it never hurts to stay as safe as possible.

Have to close the computer for today, but will check in first thing in the morning.  Thanks a million for all the help.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: How can I look at a Warning that popped up earlier today?
« Reply #18 on: October 09, 2013, 10:34:38 PM »
Hi goodwitch and also Steven Winderlich,

Will try to cover this general IP block, as that is what I think it is, and I came up with this in depth  information for you. Para-Noid was right on spot with his assumption!  ;D

In a sense Steven Winderlich may be right there is no actual malware at the site at this moment, also as the avast! detection is a general one, URL:Mal, which could also be a general IP block (because of malware residing there). Here the most likely cause for the flag is that that site is known to be a notorious malvertiser in the Russian Business Network, see: http://urlquery.net/report.php?id=6500985 IDS alert for "ET RBN Known Malvertiser IP (17) ", hence a general IP block. * The Current IP is pulled in realtime so may differ from the IP we have on record. And this info comes from a scanner that flags this site also:
http://hosts-file.net/?s=care2.com There are domain or netblock problems -> http://hosts-file.net/?s=Help#ipresolve
This is a site with a PSH qualification, that means a PHISHING site, Severity: High Risk.
The recommended security scan at Sucuri's provides us with the following info:
Sucuri
web site:    care2 dot com
status:    Site blacklisted, malware not identified
web trust:          Site blacklisted* .    * = Site found to be used on spam campaigns (either forum, comment or SEO spam).
    *Cached results from more than 2 days ago.

Security report (Warnings found):
error       Blacklisted:      Yes
error       Likely compromised:      Yes

This VT report may be the reason why avast! Web Shield may block that IP:
https://www.virustotal.com/en/ip-address/63.146.170.87/information/
Furthermore the Project Honey Pot system has detected behavior from the IP address 63.146.170.87 that is consistent with that of a Bad Web Host.

Code to be checked: d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90 benign
[nothing detected] (iframe) d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90
     status: (referer=www.care2.com/)saved 5063 bytes 891a0bdc31476e3e662b1fe5381599a27a23a151
     info: [iframe] d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/
     info: [script] d7.zedo dot com/bar/v17-010/d3/jsc/gl.js
     info: [iframe] yads.zedo dot com/ads3/a?
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Image
     error: line:5: TypeError: Image is not a constructor
     suspicious:  -> http://www.mywot.com/en/scorecard/d3.zedo.com?utm_source=addon&utm_content=popup-donuts
Report quote  there from Puddin Tame
Quote
multi-site tracking, profile building, click hijacking, and deceptive ads that look like legitimate items (e.g. a news article) but are actually adverts. Zedo is so large (and likely profitable!) that they probably don't engage in out and out evil behaviour like spreading viruses, but the basis of their entire business is collecting as much of your information as possible, with or without your consent."
 
But they try to clear their slate here: http://www.mywot.com/en/forum/5423-zedo-is-not-spyware-or-malware?new=1348893595#new
go through the discussion there and make up your own point of view ( on a side-note: I personally  like to block such annoying pop-up ads, but that is me)

Then there are insecurities there flagged at Quttera's:
/polls/vote?pollID=35265&results
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['<span class="comment-pages">Most Recent ... </span><span class="comment_link_selected">Oldest</span>']] of length 12025 which may point to obfuscation or shellcode.
For threat dump see: http://quttera.com/detailed_report/care2.com#ReportTabPotSusp
File size[byte]: 59429
File type: ASCII
MD5: B9ED749D954024F7F6285946D292B8FC
Scan duration[sec]: 0.427000

Well that more or less covers it all,

polonus
« Last Edit: October 09, 2013, 10:40:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: How can I look at a Warning that popped up earlier today?
« Reply #19 on: October 09, 2013, 10:38:37 PM »
So its most probaply an IP block i think?
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: How can I look at a Warning that popped up earlier today?
« Reply #20 on: October 09, 2013, 10:48:58 PM »
Most likely, Steven,
I did not ,look over the avast! team member's shoulder, but it is the nearest guess I can make.
It could also be a PHISH site block (also counts as URL:Mal as this is a general kind of website block detection).
Para-Noid made a fair and good assumption on basis of the asafaweb scan results.
So when goodwitch does not mind the tracking and the SEO spam he can visit the site,
I forewarned by the WOT report would shun that site and that zedo infotracking bunch.
To get convinced on even how zedo is being manipulated click tracking, read:
http://www.advertpro.com/docs/2.5/html/manual/thirdparty_zedo.html
But with NoScript extension and RequestPolicy active I can safely visit: htxp://www.care2.com/polls/vote?pollID=35265&results
without getting alerts.
and as always follow the avast! Shield alerts!
I know how accurate they are as I check them all the time all of the time.

polonus
« Last Edit: October 09, 2013, 11:14:57 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

goodwitch

  • Guest
Re: How can I look at a Warning that popped up earlier today?
« Reply #21 on: October 10, 2013, 07:58:48 PM »
Polonus and Steven, thank you so much for all your hard work looking into the 2 sites.  The original Avast warning was for the comment pic, not for Care2 itself.  I realize that the Care2 site has many problems and that others complain about the constant pop-ups.    I never see them though as I use Firefox 24.0 with it's pop-up blocker and also have AdBlock Plus installed, and WOT.  It is a revelation when I log-on using Internet Explorer that I keep without any add-ons as a test browser when Firefox doesn't work somewhere online, the site is then full of ads and pop-ups and it takes much longer to load pages than with Firefox.  I didn't understand everything in the reports at the links you posted, but did understand enough to be scared.  In the 3 years I have been using the site this is only the 2nd time Avast, (used AVG or MSE previously), has warned me about anything malicious, the first was also a malicious URL that was linked to a comment pic. and was also an Avast warning.

I've been spending most of my time online on Care2 and now am thinking it is time to leave.  It's going to really hurt though, have made many good friends there.  The Facebook security program thinks I am a corporation, wants a copy of government issued photo ID,  and as I will never post a photo of myself online I cannot get back into that account.  My Yahoo groups are now decimated due to the new NEO look and functionality that has made them almost impossible to navigate or post in.  Once again thank you for all the information.