Blocks site esthus.in (favicon.ico)

Good day.

Recently there has been a problem: avast blocks the site http://esthus.in, complaining about favicon.ico.
What caused this?
How can I fix this situation?

Sorry for my bad English.

Only detected by avast! no detection on other web scanners…

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=97c55f9f649cde9377d52c30c0057ba5d3fb247adb41bdc118185b05e63237b0-1315648545

Also clean on Sucuri and URLVoid.

Thank you for your answers.
Who can fix this?
Many clients use Avast. They have to turn it off to visit the site :(

Domain Alias: esthus.su http://www.virustotal.com/file-scan/report.html?id=8a49c9ff1eeff00ecb002fa727d71e183e1f50219757cc57130f7b84946671e5-1315652264
Clean

Domain esthus.in Avast detected, why?

Who can fix this?
If it is False Positive... avast!

you can report it here http://www.avast.com/en-no/contact-form.php?loadStyles&subject=SALES

see the drop-down menu > Report False Virus Alert On Website

Hi BloodySoul,

Here it is given clean: Checking with DrWeb’s URL checker:
-http://esthus.in/js/jquery.min.js
File size: 78.33 KB
File MD5: 272d1908ee08e2dca212fc3bb634182c

-http://esthus.in/js/jquery.min.js - Ok
esthus.in/js/jquery.min.js benign (checked with unpacker)
Checking: -http://esthus.in/
Engine version: 5.0.2.3300
Total virus-finding records: 2572207
File size: 23.05 KB
File MD5: c58452b2cbc6fde4f0e346777af9f3de

-http://esthus.in/ - archive HTML

-http://esthus.in//Script.0 - Ok
-http://esthus.in//Script.1 - Ok
-http://esthus.in//Script.2 - Ok
-http://esthus.in//Script.3 - Ok
-http://esthus.in/ - Ok

Given clean here: http://www.urlvoid.com/scan/esthus.in
Safe: http://siteinspector.comodo.com/public/reports/328673
No alerts detected: http://urlquery.net/report.php?id=2763
This outbound link had issues: http://www.google.com/safebrowsing/diagnostic?site=vkontakte.ru
with 5 scripting exploits, 1 exploit
Another outbound link, see: http://www.urlvoid.com/scan/liveinternet.ru
(suspicious)
The block could however have been because of malware from here (now dead:
-http://update.esthus.su/Esthus-Updater.exe, see: http://xml.ssdsandbox.net/view/12cdc9e2df89887d14c82e57e9270579 )
AS Name: ESERVER eServer.ru - hosting operator
IPs allocated: 5376
Blacklisted URLs: 4

I see no further immediate issues here,

polonus

Well the Network Shield blocks the site (image1) due to the frequency of alerts from the Web Shield (as you mention on the favicon.ico file). This file is one of the most frequently hacked as it is displayed/loaded for all pages, so check the contents of this file, it may have script inside it.

If the Network Shield is taken out of the equation, then the Web Shield alerts (image2), as there appears to be a compressed {gzip} obfuscated script file loaded with the index/home page; see the image extract of the contents of this file (image3).
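A check along the lines DavidR suggests (is favicon.ico really an icon, or does it carry script text or a gzip payload?), added here as an example and not code from this thread or from avast; the sample inputs are constructed, and the marker list is an assumption about what a defender would want flagged for a closer look.

```python
import struct
import gzip

# Constructed sample inputs (not the files from esthus.in).
# 1) A minimal, well-formed ICO: 6-byte ICONDIR + one 16-byte ICONDIRENTRY + 40 bytes of image data.
GOOD_ICO = (struct.pack("<HHH", 0, 1, 1)
            + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 40, 22)
            + b"\x00" * 40)
# 2) Something served as favicon.ico that is really HTML carrying a script.
BAD_HTML = b"<html><body><script>eval(unescape('%41'))</script></body></html>"
# 3) A gzip member hiding script text, like the compressed obfuscated script mentioned above.
BAD_GZIP = gzip.compress(b"<script>document.write('x')</script>")

# Assumed markers worth flagging in a file that should be pure binary image data.
SUSPICIOUS_MARKERS = (b"<script", b"eval(", b"document.write", b"unescape(", b"<iframe")


def triage_favicon(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the bytes look like a plain ICO."""
    findings = []
    if len(data) < 6:
        return ["too short to be an ICO file"]
    # ICONDIR: reserved (must be 0), type (1 = icon), image count.
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        findings.append("ICONDIR header is not a valid ICO header")
    else:
        # Each ICONDIRENTRY is 16 bytes; its last two fields give size and offset of the image blob.
        for i in range(count):
            off = 6 + 16 * i
            if off + 16 > len(data):
                findings.append(f"directory entry {i} truncated")
                break
            size, img_off = struct.unpack_from("<II", data, off + 8)
            if img_off + size > len(data):
                findings.append(f"entry {i} points outside the file (offset {img_off}, size {size})")
    if data[:2] == b"\x1f\x8b":
        findings.append("file begins with gzip magic, not an icon")
        try:
            inner = gzip.decompress(data)
        except OSError:
            inner = b""
        data = data + inner  # scan the decompressed payload as well
    lowered = data.lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in lowered:
            findings.append(f"contains script marker {marker.decode()}")
    return findings
```

Run it over the favicon.ico fetched from your own server and compare with a known-good copy from your deployment; findings only mean "look closer", and a clean result does not rule out the icon being served from another host, which is why the AV log's source URL still matters.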

What should I do?

Is it all because of back links to http://vkontakte.ru and http://liveinternet.ru?
They are well-known services :frowning:
Help, what now?

What is important is the source of the favicon. So open your AV log file and see where the .ico is sourced. If the icon comes from a website and you can trust that site, you can assume it is safe. If it comes from a source unknown to you, consider it to be malicious. There is also a possibility it could be a FP.
Check the IP here, it is new: http://hosts-file.net/?s=liveinternet.ru
This is flagged there as EMD, so called high risk site,
On the other hand vkontakte.ru is given an all green,
see: http://hosts-file.net/default.asp?s=vkontakte.ru
and http://www.urlvoid.com/scan/vkontakte.ru

polonus

If the icon comes from a website and you can trust that site, you can assume it is safe.
favicon.ico is taken from my site, http://esthus.in/favicon.ico
There is also a possibility it could be a FP.
Please explain what is FP?

Sorry for my bad English.

Hi BloodySoul,

This malware possibly has been flagged: -http://www.liveinternet.ru/favicon.ico
That should not be there now because the unknown malware is now dead.
http://www.virustotal.com/file-scan/report.html?id=13bea65aa11d1a0b141f15922caf9f5dcae9c458f195c9f655845c5052d6a9e4-1315662138
see: http://urlquery.net/queued.php?id=2764 No alerts detected - image-x-icon
Maybe trying to get it outbound gets it flagged by avast, then it is a false positive.
FP means false positive detection (in Russian: false positive detections)
So you should report that to avast, and see if they agree,

greetings,

polonus

I’ve already written a letter.
I.e., I expect that my site will be removed from the database and it will work?

Thx polonus.

Hi BloodySoul,

Until then, users who keep avast installed can still visit your site via http://www.idoproxy.com, and this without any ill effects,

polonus

When will my site be removed from the blacklist?
Thanks in advance.

Hi BloodySoul,

When it is found to be clean, and avast has been informed, this normally happens rather quickly with a new update,

pol