Avast Free detects URL:Mal on my site. How can I fix it?

Avast Free Antivirus / Premium Security
1

Hello, all.

I’m employed in education in Russia (sorry for my poor english).
My company has web site http://www.licey1547.msm.ru/.
Some time ago a lot of my visitors started to complain that Avast blocked the site because it is infected by virus URL:Mal.

I myself use DrWeb antivirus, and it reports no problem on the site.

How can I realize why Avast desided that my site has this virus?
And how can I fix it? (I dont think that I can convince my visitors to throw Avast away :slight_smile:

thanks in advance to all, who can help me.

2

For what it’s worth avast did pop-up “malware blocked”.

3

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).

Check here how to clean and make a website secure.

The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects malicious some scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possible infect his/her machine.

And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.

4

The problem is avast didn’t only popup message but it blocked page loading at all.

5

Tech, thank you for helpful advice.

I am webmaster myself. I have checked site as far as a can and found nothing wrong.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0
It seems that this is not the case: as I can see on my computer (no avast) all images are visible and there are no error messages.

I have checked my page on hidden iframes and didn’t found them.

6

Please modify the link in your first post to make it unclickable.
VirusTotal shows that only avast and Gdata detect 3/44 so its more than likely a false positive

http://www.virustotal.com/file-scan/report.html?id=34369680d69a405aa3713fe41cde7cb373ee597d36ec0443ac72761ea73af317-1315029147

7

My site is powered by Joomla 1.0 (russian translation and some custom modules)
Maybe the problem is in Joomla URL generation?

It always replaces ampersand sign in URL with & code, for instance:


http://www.licey1547.msm.ru/index.php?option=com_content&task=view&id=293&Itemid=53

but no other software considers it a malformed URL

Does avast have any log file, where I can find more details about what it considered “mailformed URL”?
(I’m already tired trying to guess what is wrong with my site ???)

8

Seems I am having a similar issue.

Over the past 2 weeks my website which is powered by Wordpress all of a sudden started poping up Malware URL blocked.

I’ve searched for encrypted, obfuscated script or iframe but none were found.

I had the site scanned but it has turned up clean

http://www.virustotal.com/url-scan/report.html?id=f00409cfddda46427aae4ebf1842c3d2-1315045924
http://www.avgthreatlabs.com/sitereports/domain/prattephoto.com/domain-search-widget/www.avg.com.au

I’ve contacted my web host on several occasions and they report no threats to the site.

Is there a log file that can provide more accurate results as to where the detection are made as I am at a loss.

http://prattephoto.com/

9

@apratte

sorry but you are infected, try this http://sitecheck.sucuri.net/scanner/

Malware entry: MW:JS:2368 http://sucuri.net/malware/malware-entry-mwjs2368

also see latest on Sucuri blog http://blog.sucuri.net/

10

@Pondus

Thank you very much, your information was very helpful in resolving my website infection.

Sucuri
web site: http://prattephoto.com
status: Verified Clean
web trust: Not Blacklisted

;D

11

craigb, thank you very much for your testing my site at virustotal.
As we can see, only avast and GData (sorry, I dont know this antivirus) reports problem.

By the way, what is HTML:Script-inf, maybe someone can explain this?

Pondus, I tried this on my site too, and it reports my site is clean.

Also I posted requiest to my antivirus support (DrWeb) and they reported me no wrong objects on the site.

The porblem remains: what does it mean “HTML:Script-inf” and how can I fix it?
Maybe avast developers should fix it? :wink:

12

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

13

Asyn, thank you very much, your link appears to be the most useful of all this advices :slight_smile:

That is reply from avast support

Hello,

it was a false positive and will be fixed in the next VPS.

Best regards

Alena Varkockova

And they did fixed it, so I’m happy again :slight_smile: :stuck_out_tongue:

14

You may want to go to to the Russian forum area:
http://forum.avast.com/index.php?board=28.0

15

You’re welcome…!