Author Topic: HTML:Script-inf detected in every html file on my computer  (Read 9410 times)

0 Members and 1 Guest are viewing this topic.

Offline Treblesum81

  • Newbie
  • *
  • Posts: 2
HTML:Script-inf detected in every html file on my computer
« on: April 12, 2011, 12:23:50 AM »
Hi,

Sorry if this has been dealt with before, but some searching didn't seem to return a similar issue to mine. During my monthly virus scan today, Avast came back with a report of 9000 infected files. When I viewed the report, every last one of them was an html file (and if not every last one on my computer, at least the vast majority) and nearly all of them are infected with HTML:Script-inf, though a few are also infected with HTML:Iframe-inf or HTML:RedirME-inf, and I'm guessing there might be some others in there somewhere as I've not taken the time to scan all 9000 listings. Anyway, owing to the fact that a massive chunk of those html files are help and documentation files for several GIS and Image processing programs that I own, I do not want to do anything that will remove my access from them, such as moving them to the chest or deleting them. The problem is, however, that selecting the option to repair all failed for all. In addition to the large number of files infected on my computer, I've also noticed the Avast window popping up when I'm trying to access common websites (e.g. Yahoo and Facebook) with warnings which include the infections listed above and also a new one called URL:Mal. How can I get rid of this infection without losing my files?

Thanks,
Greg

Offline Gargamel360

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2346
  • Memento Mori
Signature?  But I gots no pen....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85959
  • No support PMs thanks
Re: HTML:Script-inf detected in every html file on my computer
« Reply #2 on: April 12, 2011, 12:30:26 AM »
@ Treblesum81
This is likely to be as a result of an FP in a VPS update 110411-1, update to 110411-2 should resolve it.

As far as I'm aware this only effected the script-inf signature, but update and check the others as they are similar signatures with the -inf suffix.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Treblesum81

  • Newbie
  • *
  • Posts: 2
Re: HTML:Script-inf detected in every html file on my computer
« Reply #3 on: April 12, 2011, 12:32:35 AM »
Thanks for the information. I updated and am now rescanning.

Thanks again,
Greg

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #4 on: April 12, 2011, 12:35:08 AM »
Hi Gargamel,

Does all these postings about the vrus update glitch mean that a lot of users aren't on automatic update?
There was only a 45 minute outing before the new update arrived. I missed it all together, but after the slow down with the servers eased off (while everybody was trying to get the "fixed" update) everything went back to normal and now seems just fine. As avast says on their blog there was no harm done to any internal file of any computer with avast installed, so everybody can normally pick up what they were doing after getting the update you mentioned,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Gargamel360

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2346
  • Memento Mori
Re: HTML:Script-inf detected in every html file on my computer
« Reply #5 on: April 12, 2011, 12:44:08 AM »
Hi Gargamel,
Does all these postings about the vrus update glitch mean that a lot of users aren't on automatic update?
Hope not,  some people might have a good reason to go manual but most I imagine would/should stay auto. 
I missed it all together
Yeah, me also, lucky  ;)
Signature?  But I gots no pen....

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #6 on: April 12, 2011, 12:57:57 AM »
Hi Gargamel360,

Well I have to admit they handled this webshield glitch very professionally, considering the enormous amount of users depending on the avast solutions. No internal files were ever affected and updating was halted until everyone could get the fresh update that fixed it.
I haven't seen other av solutions do this, that is why I think avast is getting better all the time all of the time,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline variety5160

  • Newbie
  • *
  • Posts: 1
Re: HTML:Script-inf detected in every html file on my computer
« Reply #7 on: April 12, 2011, 01:30:10 AM »
I was hit with this html script inf problem today.  Did a full scan and avast found problems but could not deal with them all.  Avast wanted to give it a try in a boot scan which was my next move anyway so here we are.  Boot scan is finding html script inf in all sorts of places.  I am on auto updates.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: HTML:Script-inf detected in every html file on my computer
« Reply #8 on: April 12, 2011, 02:44:41 AM »
variety5160, before doing anything else, update your virus definitions and only rescan after that.
Also, never directly delete a file but rather sent all (infected) to Chest (if any).
The best things in life are free.

Offline boedakpinank

  • Newbie
  • *
  • Posts: 2
Re: HTML:Script-inf detected in every html file on my computer
« Reply #9 on: August 16, 2011, 06:34:53 AM »
i have a site, my personal site, when i opened it with avast

program version 6.0.1203
virus definition : 110815-1

but still can't open the site, this message appears

Infection Details
URL:   hxxp://www.adexxx.com/|%3E{gzip}
Process:   file://C:\Program Files %28x86%29\Mozilla Firefox\firefox.exe
Infection:   html:Script-inf

why this happened?when i try to open my site using another computer, it run well

fyi my site using wordpress with latest update

thanks
« Last Edit: August 18, 2011, 03:37:06 AM by boedakpinank »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37130
Re: HTML:Script-inf detected in every html file on my computer
« Reply #10 on: August 16, 2011, 01:16:08 PM »
@boedakpinank

according to Sucuri, your website is infected. See attached screenshot (click to enlarge)

Sucuri malware info:
http://sucuri.net/malware/malware-entry-mwjsanon7
http://sucuri.net/malware/malware-entry-mwjs67473

WordPress Sites Hacked with Superpuperdomain dot com (Attacking Timthumb.php)
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=1cb442f74daede4c13da72f058bf276f43856ce9e51b4d3a8ed627d10b8f0013-1313493287
« Last Edit: August 16, 2011, 01:24:00 PM by Pondus »

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4124
  • There is no magic, only lost physics
    • spg SCOTT
Re: HTML:Script-inf detected in every html file on my computer
« Reply #11 on: August 16, 2011, 03:48:46 PM »
boedakpinank, welcome to the forum :)

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

As pondus has shown, the script is added at the very end of the page. It is what is causing the detection and will have to be removed.

Scott
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #12 on: August 16, 2011, 03:50:16 PM »
Hi boedapinank,

Do as spg SCOTT ask you, make the link non-click-through (-http or hxtp or wxw) so users cannot get infected by cliccking the live link by mistake...

Also look here: http://www.unmaskparasites.com/web-page-options/?url=http%3A//www.adeiskandar.com
See one of the external references (last*) infected via count.php
This site also infected these sites through the last three days:
e.g. -mmoblog.pl/, -firma-contabilitate.com/, -aventia.no/.
Maliious software contains 4 scripting exploits.
This site is being hosted on 1 network, e.g. AS43239 (SPETSENERGO) with malicious URLs see:
http://sitevet.com/db/asn/AS43239
Site is being cleansed at the moment: see Checking: -https://apis.google.com/js/plusone.js
File size: 3206 bytes
File MD5: 7cdf99d71c920719386659d35c23931f
-https://apis.google.com/js/plusone.js - Ok
(intial source of grandscale online infection, link now dead, was, see below)
Checking: -http://superpuperdomain2.com/count.php?ref=
File size: 0 bytes
File MD5: d41d8cd98f00b204e9800998ecf8427e (PASSWORD Lookup)
-http://superpuperdomain2.com/count.php?ref= - cannot get file attributes with error: No such file or directory
-http://superpuperdomain2.com/count.php?ref= - read error!

Checking: -http://feedjit.com/serve/?vv=693&tft=3&dd=0&wid=34023ff69163ec99&pid=0&proid=0&bc=FFFFFF&tc=000000&brd1=012B6B&lnk=135D9E&hc=FFFFFF&hfc=CC921E&btn=C99700&ww=200&wne=7&wh=Live+Traffic+Feed&hl=0&hlnks=0&hfce=0&srefs=1&hbars=0
File size: 30.98 KB
File MD5: b4bc497ac048511c19024da607e00859

-http://feedjit.com/serve/?vv=693&tft=3&dd=0&wid=34023ff69163ec99&pid=0&proid=0&bc=FFFFFF&tc=000000&brd1=012B6B&lnk=135D9E&hc=FFFFFF&hfc=CC921E&btn=C99700&ww=200&wne=7&wh=Live+Traffic+Feed&hl=0&hlnks=0&hfce=0&srefs=1&hbars=0 - Ok

Checking: -http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl
Engine version: 5.0.2.3300
File size: 36.62 KB
File MD5: 4b69cd8f594e06e19f4b348ee41c8f6e

-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl - archive HTML
>-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl/Script.0 - Ok
>-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl/Script.1 - Ok
>-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl/Script.2 - Ok
>-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl/Script.3 - Ok
-http://webcache.googleusercontent.com/search?q=cache:T5HDU4wqZo0J:www.adeiskandar.com/+http://www.adeiskandar.com&cd=1&hl=nl&ct=clnk&gl=nl&source=www.google.nl - Ok

polonus
« Last Edit: August 16, 2011, 03:53:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: HTML:Script-inf detected in every html file on my computer
« Reply #13 on: August 16, 2011, 06:00:44 PM »
Hi boedapinank,

Here you can read an update to info on
Quote
the malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script
from: http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html (linksource Sucuri Research blog source author: dd http://blog.sucuri.net/author/dd )

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline boedakpinank

  • Newbie
  • *
  • Posts: 2
Re: HTML:Script-inf detected in every html file on my computer
« Reply #14 on: August 18, 2011, 03:58:15 AM »
thanks all for your reply...i will repair it soon...

regards

ade iskandar