avast gives url:mal error - cannot open my website!

On my Windows machine my Avast scanner gives me an error and won’t let me load my page. When I uninstall Avast or use my Linux machine it works fine, but I have customers that unfortunately use Avast.

http://www.raceonusa.com

How am I supposed to troubleshoot this?

I tried clicking on real-time shields > web shields, it just tells me that the web shield started and stopped, gives me no information about the blocked website. The logs there are completely useless.

On the “blocked site” error message it has a “More Information” link, which is merely a sleazy sales gimmick that forwards you to avast’s website to buy the full version, it gives no information about the error message.

This is completely misleading because my website has no viruses, yet Avast is making it sound like it does.

Avast reckons it is infected, and for this I trust Avast

This is completely misleading because my website has no viruses, yet Avast is making it sound like it does.
Yeah, right... well, it is not only Avast that does not like that website

VirusTotal - raceonusa.com.htm - 9/42
http://www.virustotal.com/file-scan/report.html?id=1707cde04d04eff02d828d50cf38041ec33636feb20879b65e983897a9bfa4e1-1282065420

URL Void - iFrames detected
http://www.novirusthanks.org/services/scan-websites-for-iframes/

Ok so I’ve seen you helping out lots of ppl on this forum and on a previous forum you were going over how to fix run dll viruses…

If you would help me I would greatly appreciate it!! So every time I boot up my computer, it gives me an error message in some RUNDLL box… so I’m pretty sure that is the virus I have… Anyway… I’ve downloaded AVG, Malwarebytes, and OTL and none of them can locate the virus and get it off my computer. AVG spots something and will move it to virus vault but it just comes back the next day. I can’t get on Internet Explorer or EverQuest II, but those are the only two I am noticing right now that it isn’t allowing me to get on. Could you please, please help!!

oh I’m sorry I posted in the middle of this forum, I am very new to this website and can’t figure out how to send PM’s so I apologize =(

Dude. Go hijack someone else’s thread. What does that have to do with iframes?!!?

Sorry… I don’t quite know how to deal w this website yet. :confused:

Nothing to do with iframes… I just couldn’t figure out how to send a PM that’s all. I’ll figure it out soon. Sorry. =(

I had an Iframe (code provided by google) on my webpage,
http://www.w3schools.com/tags/tag_iframe.asp

Which isn’t a virus. Sure it could be if it was pointing to a webpage that had viruses, but mine was pointing google’s talk badge. So there’s no virus here.

The default talk badge points to an Iframe. I checked to see if the URL was manipulated and it wasn’t. Still pointing to Google…
http://www.google.com/talk/service/badge/New

I’ve removed the iframe badge and replaced it with a no-frills simple version.

No “viruses” detected…
http://www.virustotal.com/url-scan/report.html?id=2da16f3fb08e2180b0e8dcad4e2f405c-1282064803
Google Webmaster tools reports this site as Clean as well.
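
An added example, not part of the original thread: one way to check a saved copy of a page for the kind of embed discussed above, by listing every `<iframe>` and `<script>` source and flagging those that are hidden or point outside an allowlist. The allowlist, the `.example` hosts and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the owner embeds on purpose (assumed allowlist for this example).
ALLOWED_HOSTS = {"www.raceonusa.com", "www.google.com"}

class EmbedAudit(HTMLParser):
    """Collect <iframe>/<script> sources and the reasons each looks suspicious."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return  # inline script, no remote source to resolve
        reasons = []
        host = urlparse(src).hostname  # None for relative (same-site) paths
        if host and host not in self.allowed:
            reasons.append("off-allowlist host " + host)
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tag == "iframe" and (tiny or "display:none" in style
                                or "visibility:hidden" in style):
            reasons.append("hidden frame")
        self.findings.append((tag, src, reasons))

def audit(html, allowed=ALLOWED_HOSTS):
    """Return only the embeds that have at least one reason attached."""
    parser = EmbedAudit(allowed)
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f[2]]

# Constructed sample page: the Google badge frame from the thread, a local
# script, and two made-up injected embeds on the reserved .example TLD.
SAMPLE = """<html><body>
<iframe src="http://www.google.com/talk/service/badge/New" width="200" height="60"></iframe>
<script src="/js/prototype.js"></script>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script src="//cdn.injected.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src, reasons in audit(SAMPLE):
        print(tag, src, "->", "; ".join(reasons))
```

The audit only sees the HTML it is given, so it should be run on the page as served to a visitor as well as on the files on disk.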

I’ve disabled Avast, rebooted, started, stopped, and still Avast says “URL:mal”, the same ambiguous error message. I’m thinking that Avast keeps a database of “virus” URLs, when does this refresh?

Now I’m getting this?!? “JS:ScriptIP-inf [Trj]” Argh! I supposedly have a “trojan horse” now according to Avast, yet google and virustotal say I don’t? This is driving me nuts.

Is there an actual log file? So I can see what is supposedly causing this?

Well, it now appears clean

VirusTotal - raceonusa.com.htm - 0/42
http://www.virustotal.com/file-scan/report.html?id=61bd29f8609427eb0a7e2751ba7eabd0aac1cf78aae6c706a35497bbac8b0d40-1282077860

Yeah, that’s the weird thing, it looks clean now. Can you view it on your computer with Avast running? http://www.raceonusa.com
I just get error messages from avast warning me about a supposed Trojan Horse, but how is that possible if all the virus scanning sites give it a clean bill of health?

http://www.raceonusa.com/|>{gzip}

If I try to go there on my Avast comp I get a block…

One strange thing: my last VT scan is showing clean, but if you open the one you posted (VT URL scan) and look at the top of it, there is a “View downloaded file analysis”; click it and you have the Avast/GData detection… ???

Hello,

Your website is currently hacked and used to distribute malware → that’s why we started to block your domain. You will have to remove the malicious scripts which were added to your website - php/exe/java/etc. (It would be nice if you could collect them and send them in a password-protected archive to virus@avast.com.)

All the files (hack) should be located inside this folder (and are still there - checked 5 minutes ago):


hxxp://www.raceonusa.com/Home/exemple.com/

Regards

PS: We will not remove your domain from blocklist until you fix the problem.

My ftp shows no such directory, also when I try that url with (http) it does not find a page.

hxxp://www.raceonusa.com/Home/exemple.com/
hxxp://www.raceonusa.com/Home/example.com/
hxxp://www.raceonusa.com/home/exemple.com/
hxxp://www.raceonusa.com/home/example.com/

I try http://www.raceonusa.com/home/ but there are no errors on the page that I or my host can find. I even downloaded the entire site and scanned with Avast with POP and there are no viruses.

Avast also sets off its alarm with a generic new HTML page.
http://www.raceonusa.com/test.html
Even though this page is totally clean: http://www.virustotal.com/file-scan/report.html?id=325251f964f9a4ba36bc8eabdbdd7f94cbe7adfea1aa1636ecbe19bc5a09a979-1282171896

Avast false-positive classified my site as a “virus” site from my iframe which was from google. Now I cannot get any of my pages to load without avast going nuts.

jsejtko is one of the virus analysts in the Avast Virus Labs team and if he says your site is infected, believe me you have a problem.

You don’t say what the pop-up alert is, I suspect it is the Network Shield, blocking the complete domain and not the actual hXXp://www.raceonusa.com/test.html page.

So even if that page is actually clean, the block is on the domain as jsejtko mentioned in his post and not the physical page test.html.

All the files (hack) should be located inside this folder (and are still there - checked 5 minutes ago):
hxxp://www.raceonusa.com/Home/exemple.com/
Here's what he said, but I do not have such a directory on my server.

No /Home/exemple.com or example.com or lowercase home, that folder does not exist on my server. I even downloaded the entire site and scanned it with Avast with POP mode enabled and disabled and it found nothing.

I also deleted my main /js JavaScript directory, changed themes, nothing seems to delete this “virus”. Is there another website that can give a non-vague answer as to what file is supposedly affected?

Because this just says:
Avast 4.8.1351.0 2010.08.18 JS:ScriptIP-inf
Avast5 5.0.332.0 2010.08.18 JS:ScriptIP-inf

But it doesn’t tell me which .js file is supposedly infected or what directory it’s in or anything and having removed most directories I’m running out of options here.
http://www.virustotal.com/file-scan/report.html?id=57e2d3ab8c28712868313763312bf7da7536e2bebbe608cda2cf30c21a1cc3dc-1282181932

I CAN see that page, and carelessly I forgot to insert “view-source:” before the URL and I almost got infected… Java started just after I opened that page :cry:

And here is the collected malwares hosted / linked from that page, avast detects all of them:
http://www.mediafire.com/?fdcviu5bwc4whxb
Password: virus

I don’t know why you can’t see that page, but this kind of infection usually caches the IP addresses that have accessed it and denies access from the same IP. Maybe this is the cause?
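
An added example, not part of the original thread: a site owner with access to the web server's access log can look for the behaviour described in the post above, where a path answers 200 to an IP once and then refuses that same IP while still serving new ones. The log lines are constructed (documentation IP ranges, common log format assumed, oldest line first) and `ip_gated_paths` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Common/combined log format: ip - - [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def ip_gated_paths(log_lines):
    """Return {path: [ips]} for paths that served an IP once (200) and only
    non-200 afterwards, while also answering 200 to more than one IP."""
    history = defaultdict(lambda: defaultdict(list))  # path -> ip -> statuses
    for line in log_lines:
        m = LINE.match(line)
        if m:
            ip, path, status = m.group(1), m.group(2), int(m.group(3))
            history[path][ip].append(status)
    flagged = {}
    for path, per_ip in history.items():
        # IPs whose first hit succeeded and every later hit was refused.
        gated = [ip for ip, s in per_ip.items()
                 if len(s) > 1 and s[0] == 200 and all(x != 200 for x in s[1:])]
        # IPs that were served on their first visit.
        served = [ip for ip, s in per_ip.items() if s[0] == 200]
        if gated and len(served) > 1:
            flagged[path] = sorted(gated)
    return flagged

# Constructed sample log; the path is the one named in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2010:10:00:01 +0000] "GET /Home/exemple.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [19/Aug/2010:10:05:12 +0000] "GET /Home/exemple.com/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Aug/2010:10:06:40 +0000] "GET /Home/exemple.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Aug/2010:10:07:02 +0000] "GET /Home/exemple.com/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [19/Aug/2010:10:08:00 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [19/Aug/2010:10:08:30 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for path, ips in ip_gated_paths(SAMPLE_LOG).items():
        print(path, "served once, then refused, for:", ", ".join(ips))
```

A flagged path that does not exist in the site's files is worth tracing to whatever is generating the response.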

Virus total says it’s clean:

http://www.virustotal.com/url-scan/report.html?id=3ad10458e75c11999598c13cef7c11fc-1282232164

I replaced the hxxp with http… Am I doing something wrong here?

http://www.raceonusa.com/Home/exemple.com/
http://www.raceonusa.com/Home/example.com/
http://www.raceonusa.com/home/example.com/

I also tried “example” instead of “exemple”, same thing. VirusTotal says it’s clean, but it also says Virus Report not available, so maybe the page does not exist?

For instance if I do

view-source:http://www.raceonusa.com/Home/exemple.com/

I get nothing.

Furthermore I don’t even know why someone would even go to “Home/exemple.com/” that’s not a link on any of my pages or part of my page structure.

Is “Home/exemple.com/” shorthand for something?

Michael Hicklen || Staff 08/19/2010 10:07

Hello Edward,

Honestly, there is a distinct possibility this is a false positive. Try installing a fresh copy of Magento to a subfolder and running virustotal on it. I’ve scoured your files and I can’t find anything even remotely malicious. I think the heuristic scanners are just too sensitive and are detecting javascript as malicious.

Michael Hicklen
Level 2 Support
SimpleHelix, LLC
866.963.0424


I think I’ll try this. I had to copy the view-source text to a new raceonusa.com/test.html and remove text bit by bit to see what was causing it. Turns out that the JS that I removed is actually the default from Magento and not laced with any viruses. Also, the default .js files that the HTML is loading are ones I replaced from the default install, yet Avast still says it’s got a “JS:ScriptIP-inf” error. Only if I delete all JavaScript, including the original default Magento JavaScript, does it pass as clean. I even ran the JS files separately in VirusTotal - they are totally clean.

Hi raceonusa,

This site is malicious, so make all links non-click-through putting htxp wXw

Threat Report

Total threats found: 1

Drive-By Download

Threats found: 1
Here is a complete list:
Direct link to: htxp://www.raceonusa.com/index.php/raceonusa-hiflex-type-298b-complete-8-piece-wide-body-kit-lexus-sc-series-92-00-2-door.html
Location: htxp://www.raceonusa.com/?gclid=CNfPw4TquaMCFeQD5QodpESTYw

As recommended in Matt Cutts’ blog to prevent fake gclid,
you can change the search engine spider response to a tagged page by adding:

User-agent: *
Disallow: *gclid=* 

polonus

Brand new install, straight ftp of new install files to website:

Brand new unzipped straight from Magento’s site:
hxxp://www.raceonusa.com/magento1411/index.php/install/

(I haven’t even installed or touched files, I just unzipped the raw magento installation just downloaded it today)

Results in avast “virus”, so either it’s a false positive or Magento Commerce has a virus in their latest zip file.
http://www.virustotal.com/file-scan/report.html?id=c5d439c72e4965d51d90c20458e82314b9e5155e08bf3cce56b691e2efda8657-1282255096

I even scanned it from my windows virtual box just now and avast says my website files are virus free.

This has got to be a false positive, it’s my domain that’s setting off the alarm bells, nothing to do with malicious code.

My system is free of viruses and running Ubuntu Linux on the desktop and CentOS on the server. My host Simple Helix confirms that there is no virus. Most likely something in Avast’s database has flagged my domain. Any Java on my domain sets it off, how can I certify my website off of this hyper-sensitive level?

How do I get them to lift this ban?

I think this whole nightmare is because Avast incorrectly assumed my google iframe chat box was an “iframe” virus, even though the code is verbatim copied from Google’s recommended default for the chat box.