Avast says my page is infected - how?

[Anthony Miller]

Hello,

A gentleman from UKIP tells me that this page
hxxp://www.pearshapedcomedy.com/TimTyler.html
(not the whole of my site) is infected?
The virus warning he gets is

http://www.aemiller.net/virus.jpg

This is very confusing as other virus scanners cannot identify a virus in the HTML.

The warning is very confusing. 
It seems to insinuate my website uses favicons (it doesn't - there is no ico file)
Neither is there a gzip file as insinuated by the gzip reference on the warning.
You can see the files the page actually references here
hxtp://www.pearshapedcomedy.com/TimTyler_files/
It claims there is an Iframe-inf but I cant find such a thing.
Is it suggesting that an Iframe is trying to write a favicon?
The warning is not very helpful in helping me solve the problem ...if there is one.

I pretty much wrote the page myself using an old dreamweaver template, seamonkey and hand coding
so unless I have coded it myself how can there be a virus in there?

I will admit my code is probably a bit rubbish and something of a Frankenstine's HTML monster
but is it actually dangerous or is this, as I suspect, a false positive?

[DavidR]

It isn't that an iframe it trying to write to a favicon, but that when trying to load a favicon a compressed file is being loaded. The {gzip} just means compressed, not specifically that file type, this is commonly a compressed javascript script file being loaded, or attempted to load.

It isn't uncommon as a possible hack to hijack the favicon.ico to have a script or command instead of the image. Whilst you say you don't use a favicon when a page loads your browser tries to find a favicon and load it.

So it is possible for a hacker to place a favicon.ico if not used or substitute it if you do use one.

Check for the presence of a favicon.ico file, you might also check of a custom 404 page as that can also be hijacked.

####
That said I have checked it on some analysis sites and come up clean (but it is somewhat strange when the alert is indicating a file that you say you don't use):
- There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn't hurt.

NOTE: Please modify your active links to prevent accidental exposure to a suspect link. e.g. change the http to hxxp - hxxp://www.pearshapedcomedy.com/TimTyler.html

[Anthony Miller]

There is no gzip file or ico being referenced.  I have reported it as a false positive.
I dont know why you want me to remove the reference to a page that isn't infected but I have modified it.

I do understand ico and favicon viruses but it is clearly damaging to my business for Avast
to go around telling people my site has a virus when it doesnt
and if Avast knows and doesn't fix this then it is libeling us ...
...not to mention preventing people from reading our content.
Something I will respond to by being very rude about them in the back of pubs.

I mean ...sorry ...this is a cock-up, isn't it?  Own up.
I mean it isn't just WRONG it's completely our the tree wrong.
A simple scan of the source code should show that no *.ico or *.gzip file is being referenced
and I have demonstrated to you there is no such file on my site.
There's only one java script that connects to analytics.
It's a completely static page ...so ...how?

Cus I dunno

[Michael (alan1998)]

Obviously you did not read all of DavidR's post. He said. If you think it's a false postive report it!. I should also mention. We are volunteers, not official employees. So complaining to pubs when most people are drunk will not help you.

I will have Milos or Polonus come check your your website to point out the issue.

[Milos]

Hello,
there is iframe, which leads to "malkm.com" an this is blocked.

Milos

[Anthony Miller]

It's all very well to say report it as a false positive but how do I know anything will be done about it?
I could get blacklisted by a large number of virus scanners by mistake which could be an expensive lesson to learn from
so one is understandably concerned... how many other people's sites are being banned by
what seems to me to be automated paranoia?  I wonder...

I did read DavidR's post and my response is that having reported it as false positive already
I am not impressed with Avast's lack of alacrity in responding.
To them it is just another bit of dodgy code I suppose ... but ... anyway ...whatever

[Anthony Miller]

Hello,
there is iframe, which leads to "malkm.com" an this is blocked.

Milos

Why?  Is it a problem with the web hoster?
Also there is no such reference in my html?

[Asyn]

I am not impressed with Avast's lack of alacrity in responding.
To them it is just another bit of dodgy code I suppose ... but ... anyway ...whatever

See Milos' answer above..!!

[Anthony Miller]

I am not impressed with Avast's lack of alacrity in responding.
To them it is just another bit of dodgy code I suppose ... but ... anyway ...whatever

See Milos' answer above..!!

There's no such link in my page?
Is it in another page?

Even if this was true [which it isn't] why is it okay to disable my page for referencing another website?
Am I responsible for the content of external websites now.
I put malkm.com into google to see what would happen
it defaults to our webhost's missing page site
or something that looks like it or a parked domain of some kind

Ironically if you put our home page in it doesn't flag up anything as wrong
Just on this particular page ...?  Odd

[Milos]

I am not impressed with Avast's lack of alacrity in responding.
To them it is just another bit of dodgy code I suppose ... but ... anyway ...whatever

See Milos' answer above..!!

There's no such link in my page?
Is it in another page?

Even if this was true [which it isn't] why is it okay to disable my page for referencing another website?
Am I responsible for the content of external websites now.
I put malkm.com into google to see what would happen
it defaults to our webhost's missing page site
or something that looks like it or a parked domain of some kind

Ironically if you put our home page in it doesn't flag up anything as wrong
Just on this particular page ...?  Odd

Hello,
yes, it's there. See the screenshot from reply #1.

Milos

[Anthony Miller]

Sorry I cant see any screenshot in your reply, Milos
Maybe it's my firewall can you email me it
mraemiller (AT) aemiller (DOT) net

[Milos]

Sorry I cant see any screenshot in your reply, Milos

Hello,
I wrote screenshot on reply #1 (from DavidR).

now I added screenshot of the page with that iframe.

Milos

[Anthony Miller]

Okay I can see it now but that screenshot is NOT from the TimTyler.html page but another page
If you cant tell me which page I cant fix it

[Milos]

Okay I can see it now but that screenshot is NOT from the TimTyler.html page but another page
If you cant tell me which page I cant fix it

Hello,
it's from "pearshapedcomedy.com" on the main page there is link to some page that does not exist and server return error 404 with that iframe.

Milos

[Anthony Miller]

Sorry Dead Links are NOT Viruses

Neither is it Avast's initial complaint about my website
about ico and gzip files

If you cant even get the page your quoting code from right it's a bit Laurel and Hardy, isn't it?