Author Topic: Avast Malware Blocked Warning  (Read 11655 times)


Richard42

  • Guest
Avast Malware Blocked Warning
« on: January 11, 2011, 04:43:49 PM »
Hello everyone, I have been using the free edition of Avast for a few years now and I'm very happy with the product.  OK, to the problem at hand: from last weekend to the present, every time I visit a forum of which I am a member, my Avast alerts me about a Malware threat which it blocked.

Could this be a false positive?

I'm running WinXP on IE8 with Avast5 free edition, I also have free editions of Malwarebytes Anti Malware and Super Anti Spyware, and both have come up clean.  I ran a deep scan only last week on all of them and all came back clean, so I'm a bit confused as to what is going on and hope someone out there can help.

Info...

Object: http:/clientscript/vbulletin_md5. (Parts of this line I removed)
Infection: HTML:Iframe-inf
Action: Connection aborted
Process: C:\Program File\Internet Explorer\iexplore.exe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Avast Malware Blocked Warning
« Reply #1 on: January 11, 2011, 05:17:06 PM »
Whilst avast's web shield is both very hot and accurate on these types of detection, we need the URL to even hope to investigate.

Change the http to hXXP in the full URL of the alert, this is enough to break the link so it isn't active and allow it to be investigated.

Sites getting hacked are one of the greatest threats now.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Richard42

  • Guest
Re: Avast Malware Blocked Warning
« Reply #2 on: January 11, 2011, 05:23:10 PM »
Full line.

hxxp:www.ww2f.com/clientscript/vbulletin_md5.js?v=410


Offline DavidR

Re: Avast Malware Blocked Warning
« Reply #3 on: January 11, 2011, 07:20:32 PM »
How did you access that URL, as I see nothing in the direct link?

Using some other tools to analyse that javascript file URL doesn't reveal anything. Of course there is always the possibility that what was there may have been cleaned up.

So are you still getting an avast alert?

Richard42

  • Guest
Re: Avast Malware Blocked Warning
« Reply #4 on: January 12, 2011, 04:29:58 PM »
Avast is still alerting me, I access the forum via a created app on my IE8 Browser.  I have six others and there has been no issue with them.

Offline DavidR

Re: Avast Malware Blocked Warning
« Reply #5 on: January 12, 2011, 04:44:06 PM »
Obviously we can't access it that way, so we can't check out why you are having the problem and we aren't.

So I would suggest that you try accessing the page, etc manually and see if you still get the alert, probably not. In which case it is likely to be something in or what the app does that triggers the avast alert.

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Avast Malware Blocked Warning
« Reply #6 on: January 12, 2011, 04:47:16 PM »
Richard has apparently started a thread on that forum, and someone else got a warning from Norton or something. http://www.ww2f.com/counter-battery-fire/49709-malware-warning.html
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Richard42

  • Guest
Re: Avast Malware Blocked Warning
« Reply #7 on: January 12, 2011, 04:56:38 PM »
Just tried the link from my bookmarks and was clear, what I will do is to keep an eye on the situation by opening the forum via the browser button and bookmark and see what the results are.  If it as suggested could be the browser button then I shall remove it and just use my bookmark link.

I will post here over the weekend with the results.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast Malware Blocked Warning
« Reply #8 on: January 12, 2011, 04:59:26 PM »
It's back again -

Richard42

  • Guest
Re: Avast Malware Blocked Warning
« Reply #9 on: January 15, 2011, 01:42:06 PM »
Still getting it, but it looks like the forum there has the problem; good to see Avast doing its job.


OttoBomb

  • Guest
Re: Avast Malware Blocked Warning
« Reply #10 on: March 11, 2011, 01:56:59 AM »
I found this thread during my remediation efforts on this forum.  I'm the admin at trying to deal with this outbreak.

First of all, thanks to all in this thread.  I was better able to track the activity because of this.  Thank you, Richard42, specifically.  I always appreciate a member who actually gives a sh!t and looks for solutions rather than browsing along when they see a problem.

As well, props to avast itself.  It is the only AV product that specifically identified the source of the attack on the website itself.  All other products alerted me to the final IP source of the attack, but not the intermediate step on my own site.  This is obviously what I need to know to remediate the malware.

Among other attacks, it turns out that hackers had used a vulnerability in the forum's SEO to overwrite a file and inserted a redirect:
hxxp:www.ww2f.com/clientscript/vbulletin_md5.js
This file has now been repaired and the software upgraded.

I've removed two other instances of infections, and I'm hoping a few of you might be able assist me in ensuring that I've stamped this out.  All I need is for a few of you to visit the site, and if you get any alerts, please post the "Object" portion of the warning here.  This way I can identify and remove the problem.  The attacks were targeting specific browsers, so if you can visit with more than one browsing tool, that would be even better.

Thanks all and keep up the good work avast!
« Last Edit: March 11, 2011, 01:58:42 AM by OttoBomb »
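
An added example, not part of the original thread or the forum's own tooling: one way to re-check static script files such as `clientscript/vbulletin_md5.js` after an overwrite like the one described above, by comparing the live directory with a known-good copy and listing injected-frame markers in any file that differs. The directory layout, the marker regex and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic markers of an injected frame or redirect (assumed; not Avast's signature).
MARKERS = re.compile(
    r"<iframe\b|document\.write\s*\(|location\.(?:href|replace)|eval\s*\(|unescape\s*\(",
    re.IGNORECASE,
)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(clean_dir):
    """Map relative path -> SHA-256 for each .js file in a known-good copy."""
    root = Path(clean_dir)
    return {p.relative_to(root).as_posix(): sha256(p) for p in root.rglob("*.js")}

def audit(live_dir, manifest):
    """Return {relative path: [findings]} for .js files that differ from the baseline."""
    root, findings, seen = Path(live_dir), {}, set()
    for p in sorted(root.rglob("*.js")):
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if manifest.get(rel) == sha256(p):
            continue  # byte-identical to the known-good file
        notes = ["hash mismatch" if rel in manifest else "not in baseline"]
        text = p.read_text(errors="replace")
        notes += sorted({"marker: " + m.lower() for m in MARKERS.findall(text)})
        findings[rel] = notes
    for rel in sorted(manifest.keys() - seen):
        findings[rel] = ["missing from live site"]
    return findings

def demo():
    """Constructed sample: clean and live copies, one live file tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            d.mkdir()
            (d / "vbulletin_md5.js").write_text("function hex_md5(s){return s;}\n")
            (d / "vbulletin_global.js").write_text("var ok = 1;\n")
        with (live / "vbulletin_md5.js").open("a") as f:
            f.write("document.write(\"<iframe src='http://redirect.example/'></iframe>\");\n")
        return audit(live, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

The known-good copy should come from the vendor's original package or a backup taken before the compromise, not from the live server.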

Sparxx

  • Guest
Re: Avast Malware Blocked Warning
« Reply #11 on: March 11, 2011, 10:00:01 AM »
Hi,
as I'm now at work, and here I'm stuck with KAV (admin's choice ;D), I tried to access the site with IE, FF, and Chrome, and it seems clean, well, from KAV's "point of view" :)

OttoBomb

  • Guest
Re: Avast Malware Blocked Warning
« Reply #12 on: March 11, 2011, 10:46:27 AM »
Thanks Sparxx, I truly appreciate the feedback.

I put a lot of time into remediation, and I'm glad to see it's done at least some good.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-Language Section  <<<
Re: Avast Malware Blocked Warning
« Reply #13 on: March 11, 2011, 11:00:31 AM »
Report    2011-03-11 11:23:17 (GMT 1)
Website    ww2f.com
Domain Hash    de276e97f9c94027062c4c023d7beb83
IP Address    75.127.98.38 [SCAN]
IP Hostname    server.ww2f.com
IP Country    US (United States)
AS Number    3595
AS Name    GNAXNET-AS - Global Net Access, LLC
Detections    1 / 18 (6 %)
Status    SUSPICIOUS

http://www.google.com/safebrowsing/diagnostic?site=ww2f.com

Report    2011-03-11 11:07:13 (GMT 1)
IP Address    75.127.98.38
IP Hostname    server.ww2f.com
IP Country    US
AS Number    N/A
AS Name    N/A
Detections    0 / 26 (0 %)
Status    CLEAN
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Essentials (Downloads, Guides & Info): https://forum.avast.com/index.php?topic=60523.0

OttoBomb

  • Guest
Re: Avast Malware Blocked Warning
« Reply #14 on: March 12, 2011, 09:10:45 PM »
Report    2011-03-11 11:23:17 (GMT 1)
Website    ww2f.com
Domain Hash    de276e97f9c94027062c4c023d7beb83
IP Address    75.127.98.38 [SCAN]
IP Hostname    server.ww2f.com
IP Country    US (United States)
AS Number    3595
AS Name    GNAXNET-AS - Global Net Access, LLC
Detections    1 / 18 (6 %)
Status    SUSPICIOUS

http://www.google.com/safebrowsing/diagnostic?site=ww2f.com

Report    2011-03-11 11:07:13 (GMT 1)
IP Address    75.127.98.38
IP Hostname    server.ww2f.com
IP Country    US
AS Number    N/A
AS Name    N/A
Detections    0 / 26 (0 %)
Status    CLEAN

I appreciate this feedback, Asyn, but what am I looking at?  According to the timestamps it indicates that the site was CLEAN at 2011-03-11 11:07:13 and then was rated SUSPICIOUS 14 minutes later at 2011-03-11 11:23:17.  Is this accurate or are the Avast times off?