Infection: HTML:Iframe-inf

[Thunder Bird]

Hi

This morning I went to access http://www.kat.ph/releases/ and Avast reported :

Infection Details

URL: http://www.kat.ph/releases/

Process: file://C:\Program Files\Mozilla Firefox\...

Infection: HTML:Iframe-inf

Warn your friends to avoid this website

It is only URLs on the KAT site that Avast reacts to.

I have since checked this URL with Virus Total which gives the site a clean bill of health.

Is it possible that this is a false positive or do I have an infection in my computer ?

Thunder Bird.

[Gargamel360]

Sounds like the Web Shield blocked something.....so no, you don't have an infection, it would be blocked, it just mentions your firefox process because that is what you where browsing with at the time.

Virus Total url scanner doesn't give an "scan" like the Web Shield, it just runs the url by some reputation analyzers, so you can't use it to approximate if its a FP or not like you could using VT's file scanner for a local detection. 

[Thunder Bird]

Can some other forum members try to access http://www.kat.ph/releases/ ?

Does Avast give you the same warning report as I received ?

Thunder Bird.

[Thunder Bird]

OK looks like no one is prepared to test it.

I have carried out a boot time scan and Avast found nothing.

Went to Firefox and fired up  http://www.kat.ph/releases/
 
Avast still reports that Script Shield has blocked a threat.
 
Infection Details

URL: http://www.kat.ph/new/

Process: file://C:\Program Files\Mozilla Firefox\...

Infection: HTML:Iframe-inf

So it would appear that I still have a problem.

Thunder Bird.

[Sirmer]

Hello,
this site contained malicious script but it is fixed now.
Regards,
Jan

[DavidR]

Can some other forum members try to access hXXp://www.kat.ph/releases/ ?

Does Avast give you the same warning report as I received ? 

Whilst this now appears to have been resolved (cleaned up in the site as Sirmer mentioned), when posting links to suspect sites don't make them active (as in the example in the quoted text):
e.g. - 'modify' your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

[KAT_ph]

Hi everybody,

I'm one of the Kickasstorrents team members and I've just registered here hoping you'll help me to solve this issue with malware detected on our site kat.ph.

Since today our members start to reporting about some kind of malware on the site, everyone of them was using Avast. I was just checked malware section for kat.ph in Google Webmaster Tools - everything is Ok there. Seems like it's Avast only detection.

Can somebody please explain me where is malware living on our site (if there is any)? I believe our site is clear cause nobody detects us except Avast. In case it's really clear - what is the right way to remove that scary alert for our visitors?

Thanks in advance,
Chris

[Thunder Bird]

Unfortunately for me this problem has not disappeared.

Avast keeps putting http://wXw.kat.ph/releases/ in the Avast Virus Chest

Or any other page on that site.
 
Then when I scan the file after it is put in the virus chest I get an OK ?

If I ask for properties I get
 
Original file name               http://wXw.kat.ph/releases/
 
Size of file                     2398
 
Category                         Infected File
 
Virus description                HTML:Iframe-inf
 
Can be restored ?                No   (Yet a scan in the chest of that file comes up OK ?)
 
I have carried out a full CClean prior to the above
 
I have run Malwarebytes which gave me a complete clean bill of health (No infected files)
 
I have compared notes with another Avast user and his Avast does not report anything untoward on the Kickass site.
 
Obviously there is something hiding in my computer somewhere that is keeping this thing alive.
 
I do have one file in my virus chest which I believe may hold the key to this problem.

P.S. DavidR I followed your advice and 'modified' my post and changed the URL from www to wXw as you suggested to break the link and avoid accidental exposure but obviously this does not work.

By the way DavidR I am not fully conversant with the term "Übertechnical" what does it actually mean ?
 
I did a Google on  "Übertechnical" and came up with http://www.fuelfixer.co.uk/wrong-fuelpetrol-in-diesel-faqs/technical/

Thunder Bird.

[DavidR]

Well Übertechnical is just a forum ranking/term chosen my the forum Administrators. Basically it equates to very, very, very, frequent poster.

Your modification of the link doesn't work because you have http in the URL, if you have that in it then you have to apply it to the http, hXXp (as in my example in the quoted text). If you are posting a URL with just the www part (no http element) then you apply it to that, wXw. So you have to break the first element of the URL or the link will be active, although would fail as here wouldn't be a wXw in the real URL.

I still don't get an alert on hXXp://wxw.kat.ph/releases/ link, so I don't know if this is an issue with something in firefox as your original process is concatenated, Process: file://C:\Program Files\Mozilla Firefox\... (the \... bit at the end). Though I suspect it would be firefox.exe, but it would be nice to confirm.

If it were some malware on your system rather than the site then I would expect it to be happening on all/many locations and not just restricted to this one URL.

Start with clearing your browser cache in firefox (the Clear Recent History option).

[Thunder Bird]

DavidR

Though I suspect it would be firefox.exe, but it would be nice to confirm.

You are correct it is indeed firefox.exe

If it were some malware on your system rather than the site then I would expect it to be happening on all/many locations and not just restricted to this one URL.

No it is only happening on the one site.

Start with clearing your browser cache in firefox (the Clear Recent History option).

That was one of the first things that I tried.

Update After I selected three files from my virus chest to submit to the virus lab I noticed Avast had stopped responding.

I had to shut my computer down and reboot to get Avast up and running again.

First time I have ever had Avast stop from responding. 

Thanks for your help DavidR.

Thunder Bird.

[DavidR]

You're welcome.

Weird that it is only happing on that one site, good in a way as it is unlikely to be on your system.

[Thunder Bird]

Weird that it is only happening on that one site, good in a way as it is unlikely to be on your system.

Guess again DavidR.

It was on my system (as I suspected)and I have found the way to get rid of it.

It is now gone and my problem is solved.

There was an infection in my computer causing Avast to report false positives.

Which was something I had suspected at the beginning of this thread..

Thunder Bird.

[lady_daerwen]

Ok just Ive just tried visiting Kat, and Im getting avast malware annoying pop up thingees everytime I open a page.

Im using IE9. Im in New Zealand if that makes any difference!

any help to turn this annoying bleep bleep off would be really helpful

regards
Me.

Go the Mighty All Blacks ( otta be a rugby fan to understand that)

[lady_daerwen]

Ok just Ive just tried visiting Kat, and Im getting avast malware annoying pop up thingees everytime I open a page.

Im using IE9. Im in New Zealand if that makes any difference!

any help to turn this annoying bleep bleep off would be really helpful

regards
Me.

Go the Mighty All Blacks ( otta be a rugby fan to understand that) 

I cant seem to reply to anyone on here either. I smell a conspircy lol

[spg SCOTT]

Ahhh...Finally we are getting somewhere...

I now have got an alert on this site. (after trying for a while, FireFox wouldn't play, but IE does)

I am not sure exactly which file this is from, but it appears to be javascript that detects the browser and sets a cookie. (not completely sure)

At the end of this file, is an iframe. That is what is causing the alert.

Now that file has to be identified. I didn't get a normal alert, on this file, so I am not sure. It was an odd detection and location. (unp999.tmp in an avast folder - by FSS - though a little OT here)