Author Topic: Icefilms dot info  (Read 7615 times)

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Icefilms dot info
« on: December 02, 2015, 06:04:26 AM »
It seems icefilms dot info has a Trojan or some kind of virus loading. Now I can't visit the site. Before, I had Adblocker, so it prevented ad viruses. How do I get back to visiting the site again?

Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Icefilms dot info
« Reply #1 on: December 02, 2015, 07:34:29 AM »
Quote
How do I get back to visiting the site again?
When the website owner has cleaned it ...


Quote
It seems icefilms dot info has a Trojan or some kind of virus loading.
How do you know; is it avast alerting? .... what does avast say?


Offline abruptum

  • Massive Poster
  • ****
  • Posts: 2460
Re: Icefilms dot info
« Reply #2 on: December 02, 2015, 11:06:04 AM »
Quote
How do you know; is it avast alerting? .... what does avast say?
Avast alerts are different:

  http://forum.icefilms.info/viewtopic.php?f=161&t=108980

Latest warning :

  http://imgur.com/MTUgB82

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Icefilms dot info
« Reply #3 on: December 02, 2015, 11:06:52 AM »
« Last Edit: December 02, 2015, 11:10:25 AM by Eddy »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Icefilms dot info
« Reply #4 on: December 02, 2015, 03:55:06 PM »
There is code that goes to xpc dot googleusercontent proxy I do not trust: http://toolbar.netcraft.com/site_report?url=http://xpc.googleusercontent.com
For that code consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Foauth.googleusercontent.com%2Fgadgets%2Fjs%2Fcore%3Arpc%3Ashindig.random%3Ashindig.sha1.js%3Fc%3D2 has some strange iFrame code, it is Shindig, the OpenSocial container: http://shindig.apache.org/
It has front-end SPOF with <script src="//html5shim.googlecode.com/svn/trunk/html5.js">

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Icefilms dot info
« Reply #6 on: December 02, 2015, 04:27:03 PM »
There is adsbypasser code there, landing at: -http://ads.comeadvertisewithus.com/ads/ads.js  flagged by VT....

polonus

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: Icefilms dot info
« Reply #7 on: December 02, 2015, 05:05:11 PM »
I got this from avast.
http://imgur.com/JxKFmP7

So is it a false positive or is it a real threat?

Thanks

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Icefilms dot info
« Reply #8 on: December 02, 2015, 05:14:43 PM »
Why haven't you asked Avast yet?
https://blog.avast.com/tag/false-positive/

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Icefilms dot info
« Reply #9 on: December 02, 2015, 05:50:05 PM »
+1

While the site does not seem 100% "kasher" (fit for use) to me,
asking Avast in this case seems like a good idea.

polonus

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: Icefilms dot info
« Reply #10 on: December 02, 2015, 06:40:54 PM »
Fair enough, I emailed them, so let's see.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Icefilms dot info
« Reply #11 on: December 03, 2015, 09:54:21 AM »
This is most likely not an FP. There are many domains that are highly suspicious on the same IP, and we block all of them. Avast complains about icefilms[.]info loading scripts from one of these domains (specifically get[.]scorepresshidden[.]info/1400/get.scorepresshidden.info).

Just in case anyone is interested, this is the active domain list 8):

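
The check described in the post above (a page pulling scripts from a blocked domain), as an added example that is not part of the thread and not Avast's own code: it refangs `[.]`-style indicators and reports every script or iframe source on a page whose host is on the list. The page URL, the sample HTML and the function names are constructed for illustration; the two blocklist entries are the ones named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def refang(indicator):
    """Turn a defanged indicator such as 'a[.]b[.]info' back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

class _SrcCollector(HTMLParser):
    """Collect src URLs of elements that pull in active third-party content."""
    TAGS = {"script", "iframe"}

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in self.TAGS:
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def blocked_loads(page_url, html, defanged_blocklist):
    """Return (host, url) for each script/iframe whose host is on the blocklist."""
    blocked = {refang(d) for d in defanged_blocklist}
    collector = _SrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        url = urljoin(page_url, src)  # handles relative and //host/... URLs
        host = (urlsplit(url).hostname or "").rstrip(".")
        # Match the listed name itself or a true subdomain of it, never a
        # look-alike that merely ends with the same characters.
        if any(host == b or host.endswith("." + b) for b in blocked):
            hits.append((host, url))
    return hits

# Indicators as written in the post (kept defanged in the source).
BLOCKLIST = ["get[.]scorepresshidden[.]info", "data[.]scorepresshidden[.]info"]
_bad = refang(BLOCKLIST[0])
# Constructed sample page: a local script, an unrelated CDN, one blocked
# host in mixed case, and a look-alike host that must not match.
SAMPLE_HTML = (
    '<html><head><script src="/static/site.js"></script>'
    '<script src="//cdn.example.net/lib.js"></script>'
    f'<script SRC="//{_bad.upper()}/a.js"></script></head>'
    f'<body><iframe src="http://not{_bad}/x"></iframe></body></html>'
)
```
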

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Icefilms dot info
« Reply #12 on: December 03, 2015, 02:35:46 PM »
Hi HonzaZ,

Thanks for confirming.

polonus

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: Icefilms dot info
« Reply #13 on: December 03, 2015, 04:40:08 PM »
Hi, so if it's not an FP, perhaps icefilms must have fixed the issue?
I can access the site no problem now.
Not sure if I should be concerned.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Icefilms dot info
« Reply #14 on: December 03, 2015, 05:09:52 PM »
Whenever you are not redirected like for instance described here: https://warosu.org/g/thread/51019832
See: http://urlquery.net/report.php?id=1449158426776
For that IP see: https://www.virustotal.com/nl/ip-address/104.28.3.119/information/
and https://www.threatcrowd.org/ip.php?ip=104.28.3.119
Certainly would like to adblock this external link: https://www.virustotal.com/nl/domain/cdn.wwwpromoter.com/information/
They like to promote to us they aren't a scam: https://forums.digitalpoint.com/threads/wwwpromoter-com-is-scam-or-legit.2757383/  but WOT reports show differently: https://www.mywot.com/en/scorecard/wwwpromoter.com?utm_source=addon&utm_content=popup
And what about this: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-WX/detailed-analysis.aspx
https://www.mywot.com/en/scorecard/asset.pagefair.net?utm_source=addon&utm_content=contextmenu

Apart from the adult content on the website, you are exposed to unethical adware at any moment,
therefore caution should be used, and adblocker and script blocker visors should stay up and enabled...

polonus