Author Topic: Recurring Warning on Site I haven't visited:  (Read 8133 times)


acornstwo

  • Guest
Recurring Warning on Site I haven't visited:
« on: April 18, 2010, 05:35:54 PM »
This morning I got a warning that a site I'd visited has a virus or worm, and that the site has been blocked and I'm in no danger. The thing is, I didn't navigate to that site, and for the past nine mornings or so, I've gotten the same message. Yesterday I cleared all my cookies and ran a virus/trojan scan on my computer, which turned up nothing. Apparently, that didn't help.

Here's the data I got in the warning:

File name: http://www.bookcityjackets.com/blog/about/
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 100417-0, 04/17/20

Somebody help?

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Recurring Warning on Site I haven't visited:
« Reply #1 on: April 18, 2010, 05:45:46 PM »
You are safe and you have been successfully protected by avast!

Even google says that this site is suspicious.

nmb
« Last Edit: April 18, 2010, 05:57:35 PM by nmb »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89117
  • No support PMs thanks
Re: Recurring Warning on Site I haven't visited:
« Reply #2 on: April 18, 2010, 06:22:18 PM »
Do you happen to have that site on a live bookmark (Firefox) or some sort of RSS feed subscription?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Recurring Warning on Site I haven't visited:
« Reply #3 on: April 18, 2010, 06:32:13 PM »
you can try to empty your temp files and cache with ATF Cleaner, it may help

http://www.softpedia.com/get/Security/Secure-cleaning/ATF-Cleaner.shtml
(if you have firefox or opera you must select on top of the program)

Here are some key features of "ATF Cleaner":

· Cleaning of all user temp folders, administrator only can use this feature.
· Cleaning of the Java cache, which seems to be harbouring more and more malware
· Cleaning for the Opera browser, including Operas cache, cookies, history, download history, saved passwords and visited links


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Recurring Warning on Site I haven't visited:
« Reply #4 on: April 18, 2010, 06:55:27 PM »
Hi acornstwo,

Please make your link non-clickable through hxtp or wXw
There is an external suspicious iFrame  hidden link: htxp://globalwat.com/counter/in.cgi?two
Then there is a suspicious inline script
Code:
try {^^var pageTracker = _gat._getTracker^^("UA-935^^2248-1");pageTracker._trackPageview();} catch(err...
broken ^^ by me polonus
NoVirusThanks report: http://scanner.novirusthanks.org/file/2e6b965acd30d5104f987db14c0cbd61/YWJvdXQ=/
gives F-PROT6 20100417 6.3.3.4884 IFrame.gen

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
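
The check described in the reply above (an iframe that is hidden and points at another host), as an added example that is not part of the thread or any poster's code: a small Python audit of page source that reports off-site iframes which are 1x1 or smaller, CSS-hidden, or placed after the closing </html>. The sample page and the example.* hosts are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAudit(HTMLParser):
    """Collect off-site iframes that a visitor would not see (hypothetical helper)."""
    def __init__(self, site_domain):
        super().__init__()
        self.site = site_domain.lower()
        self.html_closed = False
        self.findings = []  # (host, line, [reasons])

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        if not host or host == self.site or host.endswith("." + self.site):
            return  # relative or same-site frame: not what this audit looks for
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if self.html_closed:
            reasons.append("after-</html>")
        if reasons:
            self.findings.append((host, self.getpos()[0], reasons))

def audit(site_domain, source):
    parser = IframeAudit(site_domain)
    parser.feed(source)
    parser.close()
    return parser.findings

# Constructed sample page; the example.* hosts are placeholders.
SAMPLE = """<html><body>
<iframe src="http://www.example.com/map" width="400" height="300"></iframe>
<iframe src="http://counter.example.net/in.cgi" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
<iframe src="//ads.example.org/x" style="display:none"></iframe>
"""

if __name__ == "__main__":
    print(audit("example.com", SAMPLE))
```

A visible off-site frame (a normal embedded video, say) is not reported; only frames with at least one hiding signal are.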

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Recurring Warning on Site I haven't visited:
« Reply #5 on: April 18, 2010, 06:58:43 PM »
Hello sir pol,

In fact I did observe and also posted here the iframe. But I think it's inside the html. So the site is not hacked, but the person who has coded the website must have put the iframe inside the code, is it? Generally, hacked iframes will be outside </html>, ain't it?

nmb

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Recurring Warning on Site I haven't visited:
« Reply #6 on: April 18, 2010, 07:26:06 PM »
Hi nmb,

Look at the Unmasked Parasites report: there the iFrame script is external and hidden,
the suspicious inline script is outside HTML

But there is also this code
Code:
<script id=__ie_ondomload defer=true src=//:></script>
found there, a known IE leak,

polonus
« Last Edit: April 18, 2010, 07:27:39 PM by polonus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89117
  • No support PMs thanks
Re: Recurring Warning on Site I haven't visited:
« Reply #7 on: April 18, 2010, 08:13:37 PM »
It is the iframe that nmb mentions as avast considers it a malicious site and firefox safe browsing considers an attack site, see images.

Also see http://www.virustotal.com/analisis/ca2e87b1a9d4b0e0d148720f6e43eb88896ecbf6dab07a1dc698bdbeac8adbd2-1271613913 scan on that page source.

So the alert by avast is correct, but that doesn't get away from the fact the OP isn't intentionally visiting the site, so answers to my original question may shed some light on why the visit is being initiated.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89117
  • No support PMs thanks
Re: Recurring Warning on Site I haven't visited:
« Reply #9 on: April 18, 2010, 09:41:38 PM »
Yes, but that is rather immaterial since avast is alerting on the bookcityjackets.com site. The major issue is that the OP isn't visiting that site, so something is connecting to it.

Just a shame we haven't heard back from the OP, so I wouldn't waste any further time speculating or expanding on the original alert until we get some feedback/answers on what we have already covered.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Recurring Warning on Site I haven't visited:
« Reply #10 on: April 18, 2010, 11:35:35 PM »
Hi DavidR,

Yes, you are right, but I would like to get something conclusive on this. Hope they will report back,

polonus

acornstwo

  • Guest
Re: Recurring Warning on Site I haven't visited:
« Reply #11 on: April 19, 2010, 02:51:38 AM »
Wow! What a lot of response - thanks! I'm back now. Sorry, I was away most of the day, and didn't expect such kindness.

DavidR, I think you may have given me my answer. I do use the Firefox Speed Dial extension, and have quite a few sites bookmarked that way. I'm a bookish sort, and had thought it sounded like a site I would like. So when I looked at the "shopping" tab of my Speed Dial, there it was. I deleted it, and have high hopes I won't get the same message tomorrow.

Pondus, I'll check out the ATF cleaner, too. Thanks for the suggestion.

And thanks again to all of you, for your help.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89117
  • No support PMs thanks
Re: Recurring Warning on Site I haven't visited:
« Reply #12 on: April 19, 2010, 03:04:57 AM »
No problem, glad I could help.

You will get used to prompt responses in these forums, they are very active ;D

That is the problem with those types of extension, RSS feeds or live bookmarks, they visit the sites in the background and in doing so both the network and web shields will check that connection. So when removed I think your problem will be over.

It is possible that the bookcityjackets.com site may have been hacked, as I believe it would be strange for a domain in the USA to have an iframe which has a reference to a domain (globalwat.com) in Russia. This looks like it is pretending to be a counter.

It may be worth checking out the bookcityjackets site again in a while to see if they have got rid of this or not.

Welcome to the forums.

acornstwo

  • Guest
Re: Recurring Warning on Site I haven't visited:
« Reply #13 on: April 19, 2010, 03:31:54 AM »
Thanks again, DavidR. :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Recurring Warning on Site I haven't visited:
« Reply #14 on: April 19, 2010, 01:52:25 PM »
Hi acornstwo,

You can also check the status here from time to time: http://www.sitetruth.com/yhoo.html
Give in the domain name there...

polonus