Author Topic: JS:Redirector blocking site. Others report clean.  (Read 12550 times)


stavstav

  • Guest
Re: JS:Redirector blocking site. Others report clean.
« Reply #15 on: September 29, 2011, 10:39:17 AM »
Hi stavstav,

Redirecting scripts can mean real trouble, depending on what silent download site you are actually being redirected to by a particular malscript. If you give us the non-clickable URL written like hxtp or -http or wXw, we can scan the site for the actual redirecting script that is there, and give you an explanation about the established risks involved. I absolutely won't go to a site flagged in that way. That is why I advised that particular proxy, because the script will then stay at that security proxy site. You can also decide to disable javascript on the proxysite and then you do not run any risk whatsoever.
That is why a lot of educated browser users have the NoScript add-on installed in Firefox or the NotScripts extension in Google Chrome (easy to toggle, great for protection), so redirecting and other javascript malware cannot get to endanger their comp via their browsing.

Malcoded (obfuscated) javascript is one of the main online browsing threats, as there are furthermore malicious iFrames (which also function through malcoded javascript), SQL attacks etc.

So now I hope you understand why you have to take notice as avast rings an alarm via one of the shields while visiting a particular infected site. The avast guys do everything to be as accurate as can be in flagging these threat-sites, believe me. And I keep an eye out every day that there isn't a single suspicious URL that does not enter that avast sinkhole (as there are others like for instance Pondus, Asyn, spg Scott, and many others here),

polonus
Thank you Polonus for the detailed reply, I appreciate that.

The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

As for idoproxy - I forgot to update you guys, but accessing the abeforum via idoproxy still gets Avast to alert the threat and block it.
I did try marking idoproxy's "block scripts" option and then accessing the forum, and that worked ok for the forum's main page, but then I couldn't navigate to any sub forums / specific threads (the screen would remain empty, except for the "Home" link that leads back to idoproxy).

Again, thank you very much for the detailed answer.
I'll wait to see what your scan will yield.

Stav.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: JS:Redirector blocking site. Others report clean.
« Reply #16 on: September 29, 2011, 10:52:13 AM »
The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

stavstav

  • Guest
Re: JS:Redirector blocking site. Others report clean.
« Reply #17 on: September 29, 2011, 11:09:32 AM »
The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
Asyn, what does all this mean? (sorry, I'm clueless at that..  :))

Offline Asyn

Re: JS:Redirector blocking site. Others report clean.
« Reply #18 on: September 29, 2011, 11:12:13 AM »
The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
Asyn, what does all this mean? (sorry, I'm clueless at that..  :))

Click on the link. ;)

stavstav

  • Guest
Re: JS:Redirector blocking site. Others report clean.
« Reply #19 on: September 29, 2011, 11:56:08 AM »
Click on the link. ;)
I'll clarify my question (I did click on the link before asking) -
what does "The desktop must be cleaned first. Use multiple AVs if necessary, since this virus is very good at hiding from the current AV that is running." mean?
What is "the desktop" - is that my personal computer?
And what are "multiple AVs" (what's an AV)?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: JS:Redirector blocking site. Others report clean.
« Reply #20 on: September 29, 2011, 03:03:31 PM »
Hi stavstav,

The message you clicked on is intended for webmasters whose websites got infected through an infected desktop computer with that particular script. The virus is a so-called password stealer and all of the website code will become infected through it eventually and then it will try to infect unprotected users that visit those infected sites to further infect, and so on and so forth.
So as long as the site is still infected with this particular malscript, please stay away from it and inform the webmaster there that he should cleanse his site or get help to get it cleansed. You could ask him to visit this thread for info.
He initially got infected through a WordPress vulnerability via timthumb.php, see: http://wewatchyourwebsite.com/wordpress/tag/string-prototype-testharc/
Despite the fact that the site is given clean here: http://urlquery.net/report.php?id=3949
and also here: http://siteinspector.comodo.com/public/reports/383186
Sucuri still marks it as infected here:
The infected status is confirmed here: http://www.UnmaskParasites.com/security-report/?page=www.abeforum.com  verdict: 1 suspicious inline script found
The hoster of the site, Ace Data Centers, Inc. = AS11798, has 1967 blacklisted URLs (these security data are not reassuring). What is going on via these blacklisted URLs is a whole scale of online malevolence, like there are:
...malicious URLs? Yes  
...badware? Yes  
...botnet C&C servers? Yes  
...exploit servers? Yes  
...Zeus botnet servers? No  
...Current Events? Yes  
...phishing servers? Yes  
...spam servers? No  
...spam bots? Yes  
...spam activity? No  (above info found here: http://sitevet.com/db/asn/AS11798)

polonus

« Last Edit: September 29, 2011, 03:07:29 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
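
The "suspicious inline script found" verdict quoted in the reply above can be approximated with static triage that reads a saved copy of a page and never executes its scripts. This is an added example, not code from the thread or from any of the scanners it names; the indicator list, the threshold and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators often seen together in obfuscated redirector scripts.
# Assumed list for illustration only; not any vendor's detection rules.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write(ln)?\s*\("),
    "location-assign": re.compile(r"location(\.href)?\s*=(?!=)"),
    "long-encoded-run": re.compile(r"(%[0-9a-fA-F]{2}){20,}|(\\x[0-9a-fA-F]{2}){20,}"),
}

class InlineScriptCollector(HTMLParser):
    """Collects the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def triage(html, threshold=2):
    """Return [(inline_script_index, indicator_names)] for scripts with >= threshold hits."""
    collector = InlineScriptCollector()
    collector.feed(html)
    findings = []
    for i, body in enumerate(collector.scripts):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if len(hits) >= threshold:
            findings.append((i, hits))
    return findings

# Constructed sample page: one benign inline script and one that only decodes a
# run of the letter "a", shaped like an encoded document.write injection.
SAMPLE = """<html><head>
<script src="/js/jquery.js"></script>
<script>var menu = document.getElementById("nav"); menu.className = "open";</script>
<script>document.write(unescape("%s"));</script>
</head><body>Forum index</body></html>""" % ("%61" * 24)
```

A single indicator such as `document.write` is common in legitimate pages, which is why the example only flags scripts where several indicators coincide; that also illustrates how different scanners can disagree about the same site.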