Author Topic: HTML:Script-inf detected in every html file on my computer  (Read 10945 times)


Treblesum81

  • Guest
HTML:Script-inf detected in every html file on my computer
« on: April 12, 2011, 12:23:50 AM »
Hi,

Sorry if this has been dealt with before, but some searching didn't seem to return a similar issue to mine. During my monthly virus scan today, Avast came back with a report of 9000 infected files. When I viewed the report, every last one of them was an html file (and if not every last one on my computer, at least the vast majority) and nearly all of them are infected with HTML:Script-inf, though a few are also infected with HTML:Iframe-inf or HTML:RedirME-inf, and I'm guessing there might be some others in there somewhere as I've not taken the time to scan all 9000 listings. Anyway, owing to the fact that a massive chunk of those html files are help and documentation files for several GIS and Image processing programs that I own, I do not want to do anything that will remove my access from them, such as moving them to the chest or deleting them. The problem is, however, that selecting the option to repair all failed for all. In addition to the large number of files infected on my computer, I've also noticed the Avast window popping up when I'm trying to access common websites (e.g. Yahoo and Facebook) with warnings which include the infections listed above and also a new one called URL:Mal. How can I get rid of this infection without losing my files?

Thanks,
Greg

Gargamel360

  • Guest

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: HTML:Script-inf detected in every html file on my computer
« Reply #2 on: April 12, 2011, 12:30:26 AM »
@ Treblesum81
This is likely to be the result of an FP in VPS update 110411-1; updating to 110411-2 should resolve it.

As far as I'm aware this only affected the script-inf signature, but update and check the others as they are similar signatures with the -inf suffix.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Treblesum81

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #3 on: April 12, 2011, 12:32:35 AM »
Thanks for the information. I updated and am now rescanning.

Thanks again,
Greg

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #4 on: April 12, 2011, 12:35:08 AM »
Hi Gargamel,

Do all these postings about the virus update glitch mean that a lot of users aren't on automatic update?
There was only a 45 minute outing before the new update arrived. I missed it altogether, but after the slowdown with the servers eased off (while everybody was trying to get the "fixed" update) everything went back to normal and now seems just fine. As avast says on their blog there was no harm done to any internal file of any computer with avast installed, so everybody can normally pick up what they were doing after getting the update you mentioned,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Gargamel360

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #5 on: April 12, 2011, 12:44:08 AM »
Quote
Hi Gargamel,
Do all these postings about the virus update glitch mean that a lot of users aren't on automatic update?

Hope not, some people might have a good reason to go manual but most I imagine would/should stay auto.

Quote
I missed it altogether

Yeah, me also, lucky ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #6 on: April 12, 2011, 12:57:57 AM »
Hi Gargamel360,

Well I have to admit they handled this webshield glitch very professionally, considering the enormous amount of users depending on the avast solutions. No internal files were ever affected and updating was halted until everyone could get the fresh update that fixed it.
I haven't seen other av solutions do this, that is why I think avast is getting better all the time all of the time,

polonus


variety5160

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #7 on: April 12, 2011, 01:30:10 AM »
I was hit with this html script inf problem today.  Did a full scan and avast found problems but could not deal with them all.  Avast wanted to give it a try in a boot scan which was my next move anyway so here we are.  Boot scan is finding html script inf in all sorts of places.  I am on auto updates.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HTML:Script-inf detected in every html file on my computer
« Reply #8 on: April 12, 2011, 02:44:41 AM »
variety5160, before doing anything else, update your virus definitions and only rescan after that.
Also, never directly delete a file but rather send all (infected) to Chest (if any).
The best things in life are free.

boedakpinank

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #9 on: August 16, 2011, 06:34:53 AM »
I have a site, my personal site, when I opened it with avast

program version 6.0.1203
virus definition : 110815-1

but I still can't open the site; this message appears:

Infection Details
URL:   hxxp://www.adexxx.com/|%3E{gzip}
Process:   file://C:\Program Files %28x86%29\Mozilla Firefox\firefox.exe
Infection:   html:Script-inf

Why did this happen? When I try to open my site using another computer, it runs well.

FYI, my site is using WordPress with the latest update.

thanks
« Last Edit: August 18, 2011, 03:37:06 AM by boedakpinank »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: HTML:Script-inf detected in every html file on my computer
« Reply #10 on: August 16, 2011, 01:16:08 PM »
@boedakpinank

According to Sucuri, your website is infected. See attached screenshot.

Sucuri malware info:
http://sucuri.net/malware/malware-entry-mwjsanon7
http://sucuri.net/malware/malware-entry-mwjs67473

WordPress Sites Hacked with Superpuperdomain dot com (Attacking Timthumb.php)
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=1cb442f74daede4c13da72f058bf276f43856ce9e51b4d3a8ed627d10b8f0013-1313493287
« Last Edit: August 16, 2011, 01:24:00 PM by Pondus »

spg SCOTT

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #11 on: August 16, 2011, 03:48:46 PM »
boedakpinank, welcome to the forum :)

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

As Pondus has shown, the script is added at the very end of the page. It is what is causing the detection and will have to be removed.

Scott

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #12 on: August 16, 2011, 03:50:16 PM »
Hi boedakpinank,

Do as spg SCOTT asks you, make the link non-click-through (-http or hxtp or wxw) so users cannot get infected by clicking the live link by mistake...

Also look here: http://www.unmaskparasites.com/web-page-options/?url=http%3A//www.adeiskandar.com
See one of the external references (last*) infected via count.php
This site also infected these sites through the last three days:
e.g. -mmoblog.pl/, -firma-contabilitate.com/, -aventia.no/.
Malicious software contains 4 scripting exploits.
This site is being hosted on 1 network, e.g. AS43239 (SPETSENERGO) with malicious URLs see:
http://sitevet.com/db/asn/AS43239
Site is being cleansed at the moment: see Checking: -https://apis.google.com/js/plusone.js
File size: 3206 bytes
File MD5: 7cdf99d71c920719386659d35c23931f
-https://apis.google.com/js/plusone.js - Ok
(initial source of grand-scale online infection, link now dead, was, see below)
Checking: -http://superpuperdomain2.com/count.php?ref=
File size: 0 bytes
File MD5: d41d8cd98f00b204e9800998ecf8427e (PASSWORD Lookup)
-http://superpuperdomain2.com/count.php?ref= - cannot get file attributes with error: No such file or directory
-http://superpuperdomain2.com/count.php?ref= - read error!


polonus
« Last Edit: August 16, 2011, 03:53:14 PM by polonus »
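
The check described in the two replies above (a script added at the very end of the page, loaded from an external host), as an added example that is not part of any forum post: it lists every `<script>` in a page and flags those placed after the closing tags or loaded from a host outside an allow-list. The host names `blog.example` and `stats.invalid`, the allow-list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: third-party hosts the site owner knowingly embeds.
ALLOWED_HOSTS = {"apis.google.com"}
# Constructed sample page: one script is appended after the closing tags.
SAMPLE = """<html><head>
<script src="https://apis.google.com/js/plusone.js"></script>
</head><body>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</body></html>
<script src="http://stats.invalid/count.php?ref="></script>
"""

class ScriptAudit(HTMLParser):
    """Record each <script> that is off the allow-list or out of place."""
    def __init__(self, site_host, allowed):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.allowed = set(allowed) | {site_host}
        self.document_closed = False  # set once </body> or </html> is seen
        self.findings = []            # (line, src, [reasons])

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.document_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        # Relative URLs and inline scripts count as the site's own host.
        host = urlsplit(src).hostname or self.site_host
        reasons = []
        if host not in self.allowed:
            reasons.append("host not in allow-list: " + host)
        if self.document_closed:
            reasons.append("placed after closing </body>/</html>")
        if reasons:
            self.findings.append((self.getpos()[0], src or "<inline>", reasons))

def audit(html_text, site_host="blog.example", allowed=ALLOWED_HOSTS):
    parser = ScriptAudit(site_host, allowed)
    parser.feed(html_text)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a saved copy of the rendered page rather than the theme source, since injected markup of this kind is often emitted by a modified PHP file and only appears in the served HTML.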

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #13 on: August 16, 2011, 06:00:44 PM »
Hi boedakpinank,

Here you can read an update to info on
Quote
the malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script
from: http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html (linksource Sucuri Research blog source author: dd http://blog.sucuri.net/author/dd )

polonus

boedakpinank

  • Guest
Re: HTML:Script-inf detected in every html file on my computer
« Reply #14 on: August 18, 2011, 03:58:15 AM »
thanks all for your reply...i will repair it soon...

regards

ade iskandar