Author Topic: False Positive at Arashiy.ifensi.com (http://arashiy.ifensi.com/bbs/index.php)


king12200

  • Guest
WELL, I would like to report a similar PROBLEM, and this happened in only a few hours!
I was viewing my Profile at Friendster that has an IFRAME SCRIPT in it; it's working fine!!
But because of a LAG on my PC I had to END task Iexplorer.exe, but I accidentally selected rundll.exe and my background programs got shut down (avast, Realtek, Nvidia, etc.). But instead of restarting my PC I opened Iexplorer once again and went on with my web surfing!! I didn't notice that the avast antivirus was shut down as well T_T. By the time I noticed it, it was 2 hours too late. I quickly restarted my PC to run avast once again! My PC works fine after that; I think no damage has been done!! And I seem to remember avast updating its database!! After that I went back to surfing the net, going to forums etc., but when I view my Profile that has the Iframe script I keep getting this BLOCK/report that the site I'm trying to view has a virus/worm, but the site was just fine a couple of hours ago!!

This is the information I got!
Code:
04.01.2009  04:27:09  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  04:27:12  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  04:28:09  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  04:29:51  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  04:30:35  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  04:39:26  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  16:49:25  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  16:59:25  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  17:00:45  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]
04.01.2009  17:03:27  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\WINDOWS\system32\svchost.exe ]

And this is the scan I made of the reported virus/worm:
Code:
Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: 6DC41806d01
FileID: 5
Virus Description: HTML:Iframe-inf

and
Code:
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\blits\LOCALS~1\Temp\_avast4_\unp204468688.tmp
FileID: 0000000005  Original file name: C:\Documents and Settings\blits\Local Settings\Application Data\Mozilla\Firefox\Profiles\tsn9bsq8.default\Cache\6DC41806d01  New folder: C:\DOCUME~1\blits\LOCALS~1\Temp\_avast4_\unp204468688.tmp\5

Scan files in the temporary folder: C:\DOCUME~1\blits\LOCALS~1\Temp\_avast4_\unp204468688.tmp
C:\DOCUME~1\blits\LOCALS~1\Temp\_avast4_\unp204468688.tmp\5  HTML:Iframe-inf
------------------------------------------------------------------------------------------
Action was completed successfully!

If this is an authentic virus/worm, please let me know!
And sorry about my ENGLISH^^ I'm not too good at ENGLISH.
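The Network Shield lines quoted above have a fixed shape (date, time, shield name, blocked URL, process path), so they can be parsed and summarised per blocked host before deciding whether a block is a false positive. The following is an added example, not code from the thread or from avast; the sample log is constructed in that format (the last line, with a second host and a different process, is made up), and the dns:// scheme and svchost.exe observations are read from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the format of the avast 4 Network Shield log quoted above;
# the last line is made up to show a second site and a different process.
SAMPLE_LOG = """\
04.01.2009  04:27:09  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\\WINDOWS\\system32\\svchost.exe ]
04.01.2009  04:27:12  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\\WINDOWS\\system32\\svchost.exe ]
04.01.2009  16:49:25  Network Shield: blocked access to malicious site dns://h1.ripway.com [ C:\\WINDOWS\\system32\\svchost.exe ]
04.01.2009  17:03:27  Network Shield: blocked access to malicious site http://blocked.example/x [ C:\\Program Files\\Internet Explorer\\iexplore.exe ]
"""

# dd.mm.yyyy  hh:mm:ss  <shield>: blocked access to malicious site <url> [ <process path> ]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<shield>[^:]+): blocked access to malicious site (?P<url>\S+) \[ (?P<process>.+?) \]\s*$"
)

def parse_network_shield(text):
    """Turn Network Shield block lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url, process = m.group("url"), m.group("process")
        events.append({
            "timestamp": datetime.strptime(f"{m.group('date')} {m.group('time')}", "%d.%m.%Y %H:%M:%S"),
            "scheme": urlsplit(url).scheme,  # dns:// means the block happened at name resolution
            "host": urlsplit(url).hostname or url,
            "process": process,
            # svchost.exe hosts the Windows DNS Client service, so on a dns:// block this
            # column names the resolver, not the browser that asked for the name.
            "process_name": process.rsplit("\\", 1)[-1].lower(),
        })
    return events

def summarize(events):
    """Per blocked host: hit count, first/last seen, and the processes involved."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "processes": set()})
    for e in sorted(events, key=lambda e: e["timestamp"]):
        s = summary[e["host"]]
        s["count"] += 1
        s["first"] = s["first"] or e["timestamp"]
        s["last"] = e["timestamp"]
        s["processes"].add(e["process_name"])
    return dict(summary)
```

Repeated dns:// blocks of one host attributed only to svchost.exe, as in the quoted log, say the name was looked up many times but not which program asked; correlating the timestamps with what the user was doing at the time is what turns that into a false-positive or infection call.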

kubecj

  • Guest
h1 dot ripway dot com hosts various malware. I checked Friendster profiles a few minutes ago but didn't spot anything - it looks like a local infection modifying the Friendster pages on your computer.

Can you provide us with the URL which makes the alarm sound, and can you also check the source code of the page for the malicious URL?

kubecj

  • Guest
Me again - I was able to find a non-malicious use of the h1.ripway download on Friendster. I've removed the block and will block only 'bad' accounts. It will be in the next VPS.

king12200

  • Guest
I think I have been infected with malware; there are 2 rundll32.exe running now on my PC???

Is this normal? Because I think when I hadn't installed my video card I couldn't see any rundll32.exe in my task manager!

When I installed it I could see 1, but now there are 2 running! I think one of these is a virus! Can you tell me how to identify if it's a virus or not?

I'm going to run a boot scan now, be back when it's done.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33904
  • malware fighter
Hi king12200,

The rundll32.exe file is located in the folder C:\Windows\System32. In other cases, rundll32.exe is a virus, spyware, trojan or worm! Depending on circumstances, two instances of rundll32.exe running is not abnormal; check the file at virustotal.com. Additional info and how to check what is running on your PC here:
http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

polonus
« Last Edit: January 04, 2009, 01:49:39 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89064
  • No support PMs thanks
So where are these two files located?

It is entirely possible that you may have more than one; if you are looking in the prefetch folder you might see something like this, RUNDLL32.EXE-147710F4.pf, which is just a note of exactly where the actual file is on the HDD.

Other than that, multiple copies usually indicate malware, as polonus mentions.
« Last Edit: January 04, 2009, 02:34:14 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

king12200

  • Guest
Is it possible to uninstall avast antivirus and reinstall it???

Because I think that the last update is the one responsible for this error!
I'll tell you all if the problem is just going to come back!

king12200

  • Guest
Hmmm, I think the last update of avast is the one responsible for this.

Try viewing this HTML site file that I made!

Code:
http://www.freewebtown.com/kill12200/mizuho.html
That's the overlay file that I'm using for my Friendster profile.
That HTML file has an iframe script; I'm using it to minimize the size of my code.
Try viewing this please and tell me if you get the same report!

[edit]
Is there a way to tell avast antivirus that HTML:Iframe-inf is not a virus?
Or is it really?
« Last Edit: January 04, 2009, 04:42:23 PM by king12200 »
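A generic iframe detection like the HTML:Iframe-inf name above fires on iframe markup, not on what the frame actually loads, which is why a legitimate overlay iframe can be caught alongside injected ones. The following is an added example, not avast's detection logic and not code from the thread: a triage heuristic a defender can run on a saved page to see which iframes are hidden, tiny, or load from another host. The page and host names are constructed, and the 2 px threshold is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TINY_PX = 2  # assumption: a frame of 0-2 px is effectively invisible to the user

# Constructed page: a visible overlay iframe like the one described in the thread,
# plus an injected hidden zero-size iframe of the kind generic detections are built for.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://overlay.example/mizuho.html" width="800" height="600"></iframe>
<iframe src="http://injected.example/x.php" width="0" height="0" style="display: none"></iframe>
</body></html>
"""

def _px(value):
    """Integer pixel size from '0' or '1px'; None for missing or percentage values."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []  # attribute dict of every <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def triage_iframes(html, page_host):
    """One finding per iframe: src, host and which heuristics it trips (hidden, tiny, offsite)."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for a in collector.frames:
        src = a.get("src", "")
        host = urlsplit(src).hostname or page_host  # a relative src stays on the page's host
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny")
        if host.lower() != page_host.lower():
            reasons.append("offsite")  # legitimate overlays trip this too, hence false positives
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings
```

The visible overlay frame only trips "offsite", while the injected frame trips all three; a detection that treats "offsite" alone as malicious is the kind that produces the false positive discussed in this thread.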

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89064
  • No support PMs thanks
Well, WOT doesn't like it either, blocking the site before avast even gets a look in. http://www.mywot.com/en/scorecard/freewebtown.com and https://safeweb.norton.com/report/show?name=freewebtown.com%2Ffotos_orkut, but that is just one hosted site within the domain.

Though there is nothing in the WOT report that I feel would warrant avast blocking, as it really should only be for sites with known malicious content and not something with some spurious reports. Of course I don't know where avast gets its blacklist of sites. http://www.aboutus.org/FreeWebTown.com

avast may also see ripway.com, to which there is a script link, see image (lots of off-site scripts on this site), so it could be the ripway link, as I believe it has been flagged before and is in a forum topic.

However, when I bypassed WOT, I was able to enter the site without avast alerting, so ensure that you have the latest VPS update (current version 090104-0). If you have the latest VPS and it still alerts, then send an email to virus(at)avast(dot)com with "false positive" in the Subject, the URL in the email body with a link to this topic, and a brief reason why you think it is an FP.
« Last Edit: January 04, 2009, 04:43:05 PM by DavidR »

king12200

  • Guest
Well, I tried updating avast once again.
This is the report.

iAVS
Code:
Information about current update:
Total time: 27 s

- Vps: Updated
  (previous version: 090103-1, updated version: 090104-0)

Server: a658sm.avast.com (74.55.137.50)
Downloaded files: 8 (9.84 KB)
Download time: 6 s

Information about current update:
Total time: 6 s

And this is for the Program update:
Code:
- Program: Already up to date
  (current version 4.8.1296)
- Vps: Already up to date
  (current version 090104-0)

Server: download605.avast.com (75.125.192.114)
Downloaded files: 2 (0.02 KB)

I hope I can view my Profile soon T_T

[EDIT]
YESSSSSSSSSSSS^_^ ;D :o
avast has updated its V-database.
Weeee, the iframe script is now OK^^
weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Thanks for the support and guidance,
DavidR, polonus and kubecj.
^_^ thanks
Thanks for the links DavidR and polonus, I've learned some new things because of you^^

More power AVAST ELITES^_^
« Last Edit: January 04, 2009, 04:56:59 PM by king12200 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89064
  • No support PMs thanks
You're welcome.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33904
  • malware fighter
Hi king12200,

Come here often and in due time learn to help others too. Welcome to our forums,

polonus