Blocks site esthus.in (favicon.ico)

[BloodySoul]

Good day.

More recently, there was a problem, avast blocking site http://esthus.in cursing at favicon.ico
What caused this?
How can I fix this situation?

Sorry for my bad English.

[Pondus]

Only detected by avast!  no detection on other web scanners....

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=97c55f9f649cde9377d52c30c0057ba5d3fb247adb41bdc118185b05e63237b0-1315648545

[Asyn]

Also clean on Sucuri and URLVoid.

[BloodySoul]

Thank you for your answers.
Who can fix this?
Many clients use Avast. They have to unplug it so visit the site: (

[BloodySoul]

Domain Alias: esthus.su http://www.virustotal.com/file-scan/report.html?id=8a49c9ff1eeff00ecb002fa727d71e183e1f50219757cc57130f7b84946671e5-1315652264
Clean

Domain esthus.in Avast detected, why?

[Pondus]

Who can fix this?

If it is False Positive... avast!

you can report it here   http://www.avast.com/en-no/contact-form.php?loadStyles&subject=SALES

see dropp down menu > Report False Virus Alert On Website

[polonus]

Hi BloodySoul,

Here it is given clean: Checking with DrWeb's URL checker:
-http://esthus.in/js/jquery.min.js
File size: 78.33 KB
File MD5: 272d1908ee08e2dca212fc3bb634182c

-http://esthus.in/js/jquery.min.js - Ok
esthus.in/js/jquery.min.js benign (checked with unpacker)
Checking: -http://esthus.in/
Engine version: 5.0.2.3300
Total virus-finding records: 2572207
File size: 23.05 KB
File MD5: c58452b2cbc6fde4f0e346777af9f3de

-http://esthus.in/ - archive HTML
>-http://esthus.in//Script.0 - Ok
>-http://esthus.in//Script.1 - Ok
>-http://esthus.in//Script.2 - Ok
>-http://esthus.in//Script.3 - Ok
-http://esthus.in/ - Ok

Given clean here: http://www.urlvoid.com/scan/esthus.in
Safe: http://siteinspector.comodo.com/public/reports/328673
No alerts detected: http://urlquery.net/report.php?id=2763
This outbound link had issues: http://www.google.com/safebrowsing/diagnostic?site=vkontakte.ru
with 5 scripting exploit, 1 exploit
Another outbound link, see: http://www.urlvoid.com/scan/liveinternet.ru
(suspicious)
The block could however have been because of malware from here (now dead:
-http://update.esthus.su/Esthus-Updater.exe, see: http://xml.ssdsandbox.net/view/12cdc9e2df89887d14c82e57e9270579 )
AS Name: ESERVER eServer.ru - hosting operator
IPs allocated: 5376
Blacklisted URLs: 4

I see no further immediate issues here,

polonus

[DavidR]

Well the Network Shield blocks the site (image1) due to the frequency of alerts from the Web Shield (as you mention on the favicon.ico file). This file is one of the most frequently hacked as it is displayed/loaded for all pages, so check the contents of this file, it may have script inside it.

If the networks shield is taken out of the equation, then the Web Shield alerts (image2) as there appears to be a compressed {gzip} obfuscated script file loaded with the index/home page, see image extract of the contents of this file (image3).

[BloodySoul]

What should I do?

[BloodySoul]

It's all because of back links to http://vkontakte.ru and http://liveinternet.ru ?
It's a well-known services
Help, how now?

[polonus]

What is important is the source of the favicon. So open your AV log file and see where the .ico is sourced. If the icon comes from a website and you can trust that site, you can assume it is safe. If it comes from a source unknown to you, consider it to be malicious. There is also a possibility it could be a FP.
Check the IP here, it is new: http://hosts-file.net/?s=liveinternet.ru
This is flagged there as EMD, so called high risk site,
On the other hand vkontakte.ru is given an all green,
see: http://hosts-file.net/default.asp?s=vkontakte.ru
and http://www.urlvoid.com/scan/vkontakte.ru

polonus

[BloodySoul]

If the icon comes from a website and you can trust that site, you can assume it is safe.

favicon.ico is taken from my site, http://esthus.in/favicon.ico

There is also a possibility it could be a FP.

Please explain what is FP?

Sorry for my bad English.

[polonus]

Hi BloodySoul,

This malware possibly has been flagged: -http://www.liveinternet.ru/favicon.ico
That should not be there now  because the unknown malware is now dead.
http://www.virustotal.com/file-scan/report.html?id=13bea65aa11d1a0b141f15922caf9f5dcae9c458f195c9f655845c5052d6a9e4-1315662138
see: http://urlquery.net/queued.php?id=2764  No alerts detected - image-x-icon
Maybe trying to get it outbound gets it flagged by avast, then it is a false positive.
FP means false positive detection ложных срабатываний обнаружения
So you should report that to avast, and see if they agree,

приветствовать,

polonus

[BloodySoul]

I've already written a letter.
Ie I expect that my site will be removed from the database and it will work?


Thx polonus.

[polonus]

Hi BloodySoul,

Until then users can leave avast installed can still visit your site here: via http://www.idoproxy.com ,and this without any ill effects,

polonus