Topic: Web Shield detected a threat but I can't figure what happened

REDACTED

  • Guest
Web Shield detected a threat but I can't figure what happened
« on: October 17, 2016, 05:57:12 AM »
Hello, I apologize in advance if my syntax is incorrect or my information is insufficient but I desperately need help. Earlier tonight I tried to access my bank account via Safari on an Early 2011 macbook pro. I HAD NO OTHER TABS OPEN and all my other browsers were completely quit. Nothing else was running but Safari. Suddenly, the Avast Web Shield gave me an infection warning stating that HTML:Framer-inf [Trj] had been blocked. The apparent URL source was
hxtp://bidr.trellian.com/r2.php?e=YPEC5m4ENXkTeshL2U8CDUqFIH1F6Ew%2Bk1yUQj%2FOSteLh2u8iotro3%2BWoagg%2FzFow9%2BOFMrF6Ic2v63ZNejseFRaUjTXj%2FGmwSdEyd%2F2wWOlbD1NIgudHZyqu2%2B2f%2Bsq0%2FENmMMTERb1g257crDye6dj%2FIydUvkHquQAqbIbQS8CZu1iRk3G8ORm83krAYyWsJerY%2FnR92kAEXPiRdi6qZ%2Bl%2FS7SvWKZ4Heja87MPOJDnB4vk8lydLQzs5uTQrxcWIrBIP%2ByNcH7%2FzuGBGvYI%2BdUeedhlYgqufGMW5rEnS48olKzFRUXQlfP1J2dPrmRt%2FxkTrFRH1pmSg9FJucIYL1eMnuZQvaFvChmJOhqgJHt0f%2B65bRZP5ntS1Wq4Q7mFNwR6kO3qlfidJu4tObjof37RkJp80Rkd1LJdfeCVhY%2FrihOvr%2BeWCwLmDNfJ138kWSHsn6fJCc134Q4lxs5EzujecJdCXKT6mg%2FNMriumydLoTrh2jDpffsd7qiw30TxGwUYHnA6QO6c8BIBKiM%2B76rg5eXbZUH%2Bw0tIORbfd%2BtCUkarka%2B%2Fe3d5PDMLnZ3x7vw30veHxl8AwW1EozM%2B03AwYJyb8l0%2FCEOCAssKgvGB38J%2FfVJcg%3D%3D
^
Wouldn't click on that if I were you

But like I said I had no other tabs or browsers open. NONE. Additionally I was running private mode as I always do when I access sensitive info. I immediately shut my computer down, went to another, changed my password, then reactivated my mac and ran a Full System Scan via Avast.
0 infected files were found
33 were unable to be scanned

I'm running OSX El Capitan (10.11.6) on an Early 2011 Macbook Pro (13 inch)

I find it terrifying that this happened RIGHT as I logged into my bank account. Could something in my computer have tried to contact this malicious domain while I was doing that in order to get my bank info?? Any help would be appreciated. If you need more info I'll be more than happy to provide. Just tell me how to get it please. Thank you for reading.
« Last Edit: October 17, 2016, 01:09:54 PM by Milos »


REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #2 on: October 17, 2016, 08:45:05 AM »
Hello and thank you for the reply. However, while that URL is verifiably malicious, I don't understand how that could have happened when no other browsers or tabs were open and I was in the Bank of America website? Do I have something on my computer or is it the bank's server? Any idea what I could do if it is my computer? Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Web Shield detected a threat but I can't figure what happened
« Reply #3 on: October 17, 2016, 09:41:03 AM »
I think it is related to a ad network, see picture in top right corner here (click to enlarge) > http://urlquery.net/report.php?id=1476689941603


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Web Shield detected a threat but I can't figure what happened
« Reply #4 on: October 17, 2016, 11:22:51 AM »
Xan, please make the link not clickable.
e.g. change http to hxxp or something

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Web Shield detected a threat but I can't figure what happened
« Reply #5 on: October 17, 2016, 12:48:13 PM »
Here you see why Webshield blocking is so vital at times where we link to malicious external links.
This is especially so where these links do not come blocked by a good script- or adblocker of sorts.

Look here what we got: https://www.virustotal.com/pl/url/b5a558eb5f1242743bcd6cdfd0c528941c13868627b9cee58e6f132d6fe275be/analysis/1476700744/

And on that IP and the malware it is involved in apparently: https://exchange.xforce.ibmcloud.com/ip/103.224.182.206
and http://www.liveipmap.com/103.224.182.206
and https://ransomwaretracker.abuse.ch/ip/103.224.182.206/

So according to the darkest scenario after visiting that link you could have landed at ransomware and no longer been able to use your device.
So like Eddy says, break that link or I ask moderation to do that for us.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #6 on: October 17, 2016, 03:42:15 PM »
Alright. I don't know much about this but I think my browsers have all been hijacked by some spyware. Unless you all think it's a bad idea I will be wiping my OS and reinstalling later tonight. Thank you all for your responses  :).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Web Shield detected a threat but I can't figure what happened
« Reply #7 on: October 18, 2016, 10:53:10 PM »
Hi xan50063,

As avast webshield blocking saved you from going there, you were not threatened by actually going there.
So you are safe.

polonus

REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #8 on: October 19, 2016, 06:39:12 PM »
Well the thing is if no other tabs were open and all other browsers were completely closed while on the https verified Bank of America website something is wrong. My working theory is that something on my computer that the Avast file shield was unable to detect tried to contact this known malware domain to upload key logged credentials of my bank account. It might be an overreach but the fact that the web shield stated "infection detected" as I pressed enter and accessed my bank account indicates to me that something on my computer was acting without my knowledge. I was also able to access my account in that moment without any block from Avast. If the site I was visiting was itself the source of the infection I would have gotten a big red screen saying "Infection detected." Instead only the pop up to the right of the screen came up and logged the event in the Avast web shield history. But the account itself was totally unblocked and verified via https. The site I was visiting (https://www.bankofamerica.com/) was therefore totally legitimate.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Web Shield detected a threat but I can't figure what happened
« Reply #9 on: October 19, 2016, 06:48:40 PM »
If you want us to check the system, follow the instructions > https://forum.avast.com/index.php?topic=53253.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Web Shield detected a threat but I can't figure what happened
« Reply #10 on: October 19, 2016, 07:06:15 PM »
If you want us to check the system, follow the instructions > https://forum.avast.com/index.php?topic=53253.0


Quote
I'm running OSX El Capitan (10.11.6) on an Early 2011 Macbook Pro (13 inch)

As far as I know, HTML:Framer-inf [Trj] means a redirect is detected


« Last Edit: October 19, 2016, 07:13:29 PM by Pondus »

REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #11 on: October 19, 2016, 07:25:31 PM »
Thanks everyone. I wanted to let everyone know of my experience and see if there were any known reasons for why this might occur to warn future potential victims. But I wiped the OS and reinstalled already so there's nothing left to check. I was afraid of what might otherwise happen. I wish I could have helped more but I needed my computer working and secure. Thanks for all of your responses! Much appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Web Shield detected a threat but I can't figure what happened
« Reply #12 on: October 19, 2016, 07:28:08 PM »
Quote
But I wiped the OS and reinstalled already so there's nothing left to check.
You can't use the tutorial Eddy linked to anyway since you have a Mac ... it is for PC only


REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #13 on: October 23, 2016, 05:57:46 AM »
Ladies and gentlemen, for everyone who has been dealing with this problem specifically with Safari, I discovered the source. As I stated before I wiped my OS and reinstalled due to a strange web shield warning that popped up unexpectedly and without apparent provocation. But to my horror, shortly after reinstalling, the warning popped up again. This time it occurred many times and randomly as I attempted to use the browser. I wiped out the caches, preferences files, deleted all the configuration files and it still kept popping up. Finally, within the browser itself, I deleted all of my bookmarks on a recommendation by an obscure forum.

The problem was solved.

It turns out an old bookmark (there were hundreds within several folders I never used anymore) was contacting its domain for its corresponding metadata (images and basic site info). But the site was probably hacked by a redirect recently. So every time it contacted the domain to perform the update, BAM, webshield detected the attempt and blocked it thus causing all the disconcerting "infection detected" popups. So ultimately it probably wasn't even dangerous lol. But there you go.
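
An added example, not part of the original post: rather than deleting every bookmark, a short Python script can inventory the hosts that Safari bookmarks point at, with the folder each one lives in, so stale entries can be reviewed and removed individually. It assumes the usual layout of Safari's `Bookmarks.plist` (nested `WebBookmarkTypeList` / `WebBookmarkTypeLeaf` dictionaries); the sample tree, the `stale.example` and `parked.example` hosts and the watchlist are constructed for illustration.

```python
import plistlib
from collections import defaultdict
from urllib.parse import urlsplit

def iter_bookmarks(node, path=()):
    """Yield (folder, title, url) for every leaf bookmark under node."""
    kind = node.get("WebBookmarkType")
    if kind == "WebBookmarkTypeLeaf":
        title = node.get("URIDictionary", {}).get("title", "")
        yield "/".join(path), title, node.get("URLString", "")
    elif kind == "WebBookmarkTypeList":
        name = node.get("Title", "")
        sub = path + (name,) if name else path
        for child in node.get("Children", []):
            yield from iter_bookmarks(child, sub)

def bookmark_hosts(plist_bytes):
    """Map each bookmarked hostname to the (folder, title) entries using it."""
    hosts = defaultdict(list)
    for folder, title, url in iter_bookmarks(plistlib.loads(plist_bytes)):
        host = (urlsplit(url).hostname or "").lower()
        if host:
            hosts[host].append((folder, title))
    return dict(hosts)

def on_watchlist(hosts, watchlist):
    """Hosts equal to, or a subdomain of, any watchlisted domain."""
    return sorted(h for h in hosts
                  if any(h == w or h.endswith("." + w) for w in watchlist))

def _leaf(title, url):
    return {"WebBookmarkType": "WebBookmarkTypeLeaf", "URLString": url,
            "URIDictionary": {"title": title}}

# Constructed sample tree; on a real Mac read ~/Library/Safari/Bookmarks.plist instead.
SAMPLE = plistlib.dumps({
    "WebBookmarkType": "WebBookmarkTypeList", "Title": "",
    "Children": [
        {"WebBookmarkType": "WebBookmarkTypeProxy", "Title": "History"},
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksBar",
         "Children": [_leaf("Bank", "https://www.bankofamerica.com/")]},
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksMenu",
         "Children": [{"WebBookmarkType": "WebBookmarkTypeList", "Title": "Old",
                       "Children": [_leaf("Stale site", "http://stale.example/page"),
                                    _leaf("Parked", "http://ads.parked.example/")]}]},
    ]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    found = bookmark_hosts(SAMPLE)
    for host, uses in sorted(found.items()):
        print(host, uses)
    print("watchlisted:", on_watchlist(found, {"parked.example"}))
```

The watchlist match only catches bookmarks that point directly at a flagged domain; a bookmark whose site redirects elsewhere, as described in the post above, has to be found by checking the inventoried hosts one at a time.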

REDACTED

  • Guest
Re: Web Shield detected a threat but I can't figure what happened
« Reply #14 on: May 12, 2018, 05:45:11 AM »
@xan50063:

A VERY late THANK YOU!!!!!!!!!!

saved me from shooting my macbook with my Glock 9!!!!!

 ;D ;D ;D
« Last Edit: May 12, 2018, 05:47:14 AM by weibo »