I was trying to go to a site today that I’ve been to several times before and was blocked by avast saying that this threat existed: Downloader-LP. Is this a true threat? I’d like to let the site owner know (we are both members of a virtual assistant forum), but wanted to make sure before I scared her to death!! (I realize all VP programs may sometimes pick things up as threats when they aren’t.)
In case it makes a difference…the first time I went to her site I hadn’t upgraded to the latest version of avast. I updated, then tried again, and the same thing happened.
So, as far as I’m concerned, I should be okay because avast blocked it, right? The site started to load but stopped, and the warning came up that said avast blocked loading of the site.
Avast 5 doesn’t complain about that site for me. Was it a false positive that’s been fixed already or has the web site been fixed?
Avast 5.0.545
100512-0
Edit: I didn’t have the Web Shield enabled. Enabling it blocks the site for me too.
I’m still getting the “Trojan Horse Blocked” warning for that site and it’s blocked completely. I do have the latest version of avast. Any ideas? I would try it on my husband’s computer (think he uses Norton), but if it is a problem and Norton doesn’t block it for him…
That is odd that one place shows there’s a problem with that site and avast continues to block it, yet Dr.Web shows it’s okay and one other place I found to check it says it’s okay. ???
I don’t remember if the previous times I’ve been to her site without a problem were before I updated to avast 5 or after.
Pondus, please excuse my lack of knowledge, but I am not sure if I’m reading the information correctly at the links you provided. Is it saying that it checked the site against all those AV programs and only three of them came back with there being a problem?
When avast detects this from the website it creates a temp file. I grab that file and upload it to VirusTotal to see if more than just avast detects the infection avast found.
So since it is only avast detecting this, it may be a False Positive… But avast is very good at detecting infected websites and usually correct…
So…maybe someone at the avast team will comment…or DavidR, he is good at finding out what is wrong at these websites.
I tried the site, got the alert, but I didn’t find the unp file. Looked in:
C:\Users\xxxxx\AppData\Local\Temp
C:\ProgramData\TEMP
C:\Windows\Temp_avast5_
C:\ProgramData\Alwil Software\Avast5 (and subfolders)
Found nothing??? The only times I found unp files like this in a temp folder was after a crash of avast. Where did you get the temp file from? Maybe it gets deleted very quickly???
edit: the behavior of that site is different in IE and in Chrome. In IE I get an immediate aborted connection and one alert. In Chrome (with js off) the site gets displayed but I get 3 alerts of misc stuff blocked.
no I guess it’s due to internal protection mechanisms although I can’t elaborate, I don’t know really…I tried in Firefox and there the behavior is again not the same, the page is displayed, with three alerts like in Chrome, but in the end the connection to the site is completely aborted.
Pam, your virtual assistant forum associate’s site is still hacked. Did you let the site owner know yet? Leaving it hacked like that could give virtual assistant sites a bad name.
“I truly appreciate your concern. Let’s just say that I have had a few technological challenges in recent weeks. lol This was a problem I noticed a few weeks ago. I had 2 people look at it and they both said that they could not find a virus on my site. I’m still bothered that you and other potential guests are still getting an error message. I had not contacted AVG, do you think they can resolve the issue? Any advice is appreciated.”
I’m getting ready to PM her again through the VA forum.
How does someone hack a website anyway, is it through the host? Couldn’t she just go in and delete the offending code or is it not that easy.
Pam
Edit: Call me uneducated in this area–because I am!–but how did you get the offending code from her site? Was it not blocking you at that point?
It is the script that is causing the alert on the pages… (the first thing that Alan has in the code box) The links to taybac…are not causing the alert but should still be removed.
The Home page contains this script and the links, but also the favicon (normally the little logo in the address bar) and also bullet.gif in the theme section of the site.
The owner needs to remove the scripts, links and replace the favicon, and bullet.gif with their originals.
How does someone hack a website anyway, is it through the host? Couldn't she just go in and delete the offending code or is it not that easy.
Usually through a vulnerability in the software used (e.g. outdated WordPress...)
Deleting is often not enough; you have to remove the possibility of it happening again…if it is just deleted, it can happen again. The vulnerabilities need to be closed.
@ Alan,
Can you remove the code and make it an image? I am surprised that it has caused an alert for me yet, but it is actually exactly what is causing the alert and could end up triggering the web shield…
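The cleanup described in the post above (remove the injected script and links, put back the original favicon and bullet.gif) can be verified from a saved copy of the page source and the site files. This is an added example, not code from the thread; the function names, the `.example` hosts and the sample page are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"img", "br", "hr", "meta", "link", "input"}  # tags with no end tag
HIDDEN = ("display:none", "visibility:hidden")  # inline styles treated as hidden

class PageAudit(HTMLParser):
    """Lists off-site scripts, iframes and links found in a page's source."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.findings, self.stack = own_hosts, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        # Hidden if this element, or any still-open ancestor, is styled hidden.
        hidden = any(s in style for s in HIDDEN) or bool(self.stack and self.stack[-1][1])
        url = a.get("src") or a.get("href") or ""
        host = urlparse(url).hostname
        if host is not None and host not in self.own_hosts:
            if tag == "script":
                self.findings.append(("offsite-script", url))
            elif tag in ("a", "iframe"):
                self.findings.append(("hidden-link" if hidden else "offsite-link", url))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements.
        opened = [i for i, (t, _) in enumerate(self.stack) if t == tag]
        if opened:
            del self.stack[opened[-1]:]

def audit(html, own_hosts):
    parser = PageAudit(own_hosts)
    parser.feed(html)
    return parser.findings

def changed_assets(live, known_good):
    """Names of live files whose SHA-256 is not the recorded known-good one."""
    return sorted(n for n, data in live.items()
                  if hashlib.sha256(data).hexdigest() != known_good.get(n))

# Constructed sample page; hosts are placeholders, not the site in the thread.
SAMPLE = """<body><a href="/services.html">Services</a>
<div style="display: none"><a href="http://injected.example/a">x</a></div>
<script src="http://injected.example/s.js"></script>
<a href="http://partner.example/">Partner</a></body>"""
```

Anything `audit` reports still needs a human decision: a legitimate partner link shows up as `offsite-link`, while links inside a hidden container are the ones to question first.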
Thanks, Pam. Apparently the two people who looked at it and say they “could not find a virus on my site” are technologically challenged. All they (or she) had to do was look at the source code for the home page, unless she intends to have all those hidden links to taybac there. In any event, I wouldn’t advise anyone to use that site anymore, even if it’s eventually fixed. The site has either poor principles or poor security and incompetent maintainers. IMHO.
spg SCOTT seems to have given a good explanation of what needs to be done to correct the problem.
Edit: Call me uneducated in this area--because I am!--but how did you get the offending code from her site? Was it not blocking you at that point?
I accessed the site from a sandboxed browser after stopping the Web Shield. I was able to immediately see the problem by looking at the source code for the site. View > Page Source in Firefox or View > Source in Internet Explorer.
I also scanned the sandbox with Avast. It found the offending files and moved them into the virus chest.
@Scott
Thank you for giving Pam such a good explanation of the problem and what to do about it. I see it still hasn’t been fixed. Perhaps the site is like that on purpose. Looks like most other AVs don’t catch the problematic code.
Since it doesn’t trigger the Web Shield, I’d rather leave it there as plain text so Pam or the site’s maintainers can copy it if necessary.
Although I know about a page’s source code, I couldn’t figure out how to do it with avast blocking the site.
She responded again and said someone else created the site. She seemed genuinely thankful for the info I provided and said she was going to look at it over the weekend. To be honest, she seems to be a caring person, so I’m assuming it’s just lack of knowledge regarding how much damage it could do to someone visiting the site rather than her not caring.
I don’t personally know her, just someone I “know” on the VA forum. When I had the problem when visiting her site, I wanted to try to help her out, but I was also concerned about others who might visit her site. Hopefully she’ll start taking this a little more seriously and fix it.
Thank you for your reply, Pam, and your efforts to help someone clean up her web site. It can be discouraging at times, so I especially appreciate you helping her straighten things out. Good luck!
To be honest, I am slightly surprised that it doesn’t cause an alert…if I copy it and try to save it myself, it causes an alert…normally this would cause an alert…