Author Topic: Another blocked site, possible FP?  (Read 10623 times)

0 Members and 1 Guest are viewing this topic.

saluqi

  • Guest
Another blocked site, possible FP?
« on: July 10, 2010, 10:23:15 PM »
I'm using Avast Free 5.0.594, definitions 100710-1.  When I try to access this site http://aumha.net/viewtopic.php?f=27&t=44253 I get a MALWARE BLOCKED warning BV:AutoRun-AG (Wrm) and access to the site is blocked.  That was also the case yesterday, with yesterday's definitions.  AumHa staff have scanned the site and can't find anything dangerous.  What to do?

The site is a page on the AumHa forum dealing with virus and antivirus.   The name of the thread is "bumpy tasty trojan".  I can access the second page of the thread, but not the first.

If this is not the right forum for this question, please tell me where to post it <G>.

Thanks,

John

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #1 on: July 10, 2010, 10:27:20 PM »
Report    2010-07-10 22:25:57 (GMT 1)
Website    aumha.net
Domain Hash    e95f70b1b91d5344668cc1878f6a5b92
IP Address    64.130.45.31 [SCAN]
IP Hostname    aumha.net
IP Country    US (United States)
AS Number    7859
AS Name    PAIR-NETWORKS - pair Networks
Detections    0 / 17 (0 %)
Status    CLEAN
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33933
  • malware fighter
Re: Another blocked site, possible FP?
« Reply #2 on: July 10, 2010, 11:00:15 PM »
Hi saluqi,

Finjan also finds it clean. Here it is also found benign: http://jsunpack.jeek.org/dec/go?report=2943fbc6076b7204f053f9b6c2345327f5dc69b2
Make the address non-click-through by putting hxtp or wXw, because avast still flags it,
DrWeb URL checker:
Checking: htxp://aumha.net/viewtopic.php?f=27&t=44253
Engine version: 5.0.2.3300
Total virus-finding records: 1553539
File size: 69.76 KB
File MD5: 8fb8dcc4e332f466c6e1dec666844d96

htxp://aumha.net/viewtopic.php?f=27&t=44253 - archive HTML
>hxtp://aumha.net/viewtopic.php?f=27&t=44253/Script.0 - Ok
htxp://aumha.net/viewtopic.php?f=27&t=44253 - Ok

polonus
« Last Edit: July 10, 2010, 11:06:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37617
  • Not a avast user
Re: Another blocked site, possible FP?
« Reply #3 on: July 10, 2010, 11:51:26 PM »
I get no warning from avast

NoVirusThanks - INFECTED - 1/16
http://scanner.novirusthanks.org/analysis/5e5ec21edde647d38e64f2e396533612/dmlld3RvcGljLnBocA==/

probably a FP  that GData have not updated for yet ?
« Last Edit: July 11, 2010, 12:20:37 AM by Pondus »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #4 on: July 10, 2010, 11:56:51 PM »
I get no warning from avast

Hi Pondus,
I do get the warning...
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37617
  • Not a avast user
Re: Another blocked site, possible FP?
« Reply #5 on: July 11, 2010, 12:12:00 AM »
do you have update 100710-2  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Another blocked site, possible FP?
« Reply #6 on: July 11, 2010, 12:16:08 AM »
This is a good test...
Generally avast picks the infection before Dr. Web (that misses a lot) and NoVirusThanks the same.
Please, inform the last position. Should we believe on avast or on the others?
The best things in life are free.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #7 on: July 11, 2010, 12:21:03 AM »
do you have update 100710-2  ???

Yes..!!
Don't know, why it's blocked here and not blocked at your machine...!??
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #8 on: July 11, 2010, 12:27:44 AM »
Should we believe on avast or on the others?

Well, even avast seems to be not sure... ;D
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48654
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Another blocked site, possible FP?
« Reply #9 on: July 11, 2010, 02:05:34 AM »
I get a warning here. Wonder if it's something on that forum rather than the link itself ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

saluqi

  • Guest
Re: Another blocked site, possible FP?
« Reply #10 on: July 11, 2010, 02:13:32 AM »
I have the update (100710-2) and it's still blocked.

Getting to that site is not a life or death matter, it's just curiosity - but of course I don't like to be blocked when I can't understand why.

I can get to other pages on that forum, and even the second page on that same thread, without difficulty.  It's only that one page that is being blocked.

John

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #11 on: July 11, 2010, 02:15:17 AM »
I get a warning here. Wonder if it's something on that forum rather than the link itself ???

We all wonder what's going on... ;)
As Pondus is on the same VPS and also has a similar system but no alert...!??
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89348
  • No support PMs thanks
Re: Another blocked site, possible FP?
« Reply #12 on: July 11, 2010, 02:32:31 AM »
For whatever reason there would appear to be packed file run when you click on that link, see image 1 and that is what I think avast is alerting on (that is what the gzip bit in the location indicates, image 2).

There is also another javascript file that is loaded that has some obfuscated script in it, but I don't think that that is the problem.

What I do believe the true problem is, is that someone has posted an autorun script in the first post (image 3), that should have been posted as an image as the text of the contents of an autorun.inf file wouldn't be differentiated from actual code, hence the malware name BV:AutoRun-AG [Wrm] as to all intents an purposes avast believes that is what it is an autorun script.

This happens with monotonous regularity when someone posts the actual code on a page.
« Last Edit: July 11, 2010, 02:36:23 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76031
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Another blocked site, possible FP?
« Reply #13 on: July 11, 2010, 02:36:55 AM »
Thanks, David..!
Still I don't get why Pondus didn't get the alert...!??
Meanwhile I'm more interested in that, than what's going on on that site.. ;)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89348
  • No support PMs thanks
Re: Another blocked site, possible FP?
« Reply #14 on: July 11, 2010, 02:40:39 AM »
You're welcome.

I have no idea why Pondus didn't get an alert based on the fact he didn't give any information, browser and any security add-ons. etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security