Help with VBS:Malware-gen

From today, whenever I open my site http://dailytipsndtricks.blogspot.com, Avast is showing my site as an infected one, but I scanned my site online with many malware testers and the result was “No Malware or infections were found on your site”. But Avast is showing a MALWARE BLOCKED message at the bottom of my browser whenever I open my site and its pages. What should I do? :frowning:

Can you post a screenshot of the avast warning?

What online tests have you run?

Two compressed script files are being loaded when visiting your site

hXXp://dailytipsndtricks.blogspot.co.uk/|>{gzip} [L] VBS:Malware-gen (0)
hXXp://dailytipsndtricks.blogspot.co.uk/YOUR-FAVICON-URL|>{gzip} [L] VBS:Malware-gen (0)

Whilst on virus total there is essentially only avast detecting this, that isn’t an indication that it is wrong as we have seen this before and avast has had a high degree of accuracy on these detections in the past.

https://www.virustotal.com/file/b8565cd4f8afc15192dfa01def2a6e60a72f61882b9cb68db2bac57791b6799c/analysis/1347725090/
https://www.virustotal.com/file/891c4531a8898bc62ae06a499338b66b421aa8b68061a86546efe0abb5cf3b56/analysis/1347725172/

Hi friend! Is there any way to stop those compressed files from running and opening my site?

Well, I don’t know if they are intended to run when your site loads and, if they are meant to load/legit, is the detection good. But to me anything like this is suspect at the very least. Do you have a section/folder in your blog related to ‘YOUR-FAVICON-URL’? That doesn’t seem like something you would be blogging about, and the actual favicon.ico file is frequently hacked and used for malicious purposes, as every page that loads would be trying to load the favicon.ico and malicious scripts could be loaded or run from it.

I don’t know how much control you have over your website on blogspot.co.uk, but I would ask them about this.

I am having the exact same problem on my website, www.ramblingbeachcat.com. I have run it through multiple scans and they have all come up clean, yet I am getting the same avast warning that you are.

Here is a screen shot of the two warnings

http://i.imgur.com/63o2J.jpg

http://i.imgur.com/0n71q.jpg

Have the same problem on a Blogger hosted site. Same warning re YOUR-FAVICON-URL|{gzip} comes up, and also a warning comes up when I am in the Blogger dashboard attempting to access the HTML. I find it strange that it would trigger being in Blogger. Is there any way to fix whatever is wrong? Please help. The warning gives no indication of how to fix anything; it only asks me to upgrade my product.

I have also run my site through VirusTotal and Google’s webmaster tools and no malware is detected. It is just Avast at this point.

Can anyone help?

Thank you very much

Here is a screenshot of the Avast warning while in the Blogger dashboard. The other warning regarding the YOUR-FAVICON-URL|{gzip} looks the same as Rambling Beach Cat’s.

http://3.bp.blogspot.com/-xh7K9dmjhxY/UFTgN2jyw-I/AAAAAAAAA9I/QdIWR1a8yHk/s1600/malwareinblogger.jpg

Just tried in my template and it happened there for me, too. Not sure if I should be comforted or scared by that :o

Isn’t that strange??

Hi RamblingBeachCat, tptp & arun100,

First, we need to change your favicon icon to a valid png/ico file.
We will use the following vector: http://www.iconarchive.com/download/i45457/creativenerds/clean-noise-social/blogger.ico
The following is licensed under the Creative Commons Attribution 3.0, commercial usage allowed, by Creative Nerds.

1. Log in to your Blogger account
2. Go to Design > Edit HTML
3. Be sure to check the “Expand widget templates” box

Search (CTRL + F) for YOUR-FAVICON-URL

If found:
Select all of the contents between <link {whatever} /> where {whatever} is anything
NOTE: This should be on one line

If not found:
Search for b:skin
Go to the line above it (b:skin)

Paste the following:

<link href="http://www.iconarchive.com/download/i45457/creativenerds/clean-noise-social/blogger.ico" rel="icon" type="image/x-icon"/>

Then, clear your cache by following the instructions here.

Next, 5 minutes later, attempt to visit your site.
If you are still greeted with alert(s), please provide screenshots of the alerts.
IMPORTANT: Not waiting could result in changes to your site not taking effect.

Finally, report results in your next post.

~!Donovan
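Added example (not part of the post above and not Blogger's own tooling): a Python check that lists the icon `<link>` tags in a saved copy of a template and shows the URL a browser would request for each one. An unreplaced YOUR-FAVICON-URL is resolved against the blog address, which gives the second URL form seen in the avast log earlier in the thread. The sample template and the example.blogspot.com base address are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PLACEHOLDER = "YOUR-FAVICON-URL"          # string the post above tells you to search for
IMAGE_EXTS = (".ico", ".png", ".gif", ".svg")

# Constructed sample template (not taken from any of the blogs in this thread).
SAMPLE_TEMPLATE = """<html>
<head>
<title>Example blog</title>
<link href="YOUR-FAVICON-URL" rel="shortcut icon" type="image/x-icon"/>
<link href="http://www.iconarchive.com/download/i45457/creativenerds/clean-noise-social/blogger.ico" rel="icon" type="image/x-icon"/>
<link href="/feeds/posts/default" rel="alternate" type="application/atom+xml"/>
</head>
</html>"""


class IconLinkAudit(HTMLParser):
    """Record every <link> whose rel contains "icon", with the URL a browser would fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag != "link" or "icon" not in attr.get("rel", "").lower().split():
            return
        href = attr.get("href", "").strip()
        resolved = urljoin(self.base_url, href)  # same resolution the browser performs
        problems = []
        if PLACEHOLDER in href.upper():
            problems.append("placeholder was never replaced")
        if not urlparse(resolved).path.lower().endswith(IMAGE_EXTS):
            problems.append("does not point at an image file")
        if not urlparse(href).netloc:
            problems.append("relative href, fetched from the blog's own host")
        self.findings.append({"line": self.getpos()[0], "href": href,
                              "resolved": resolved, "problems": problems})


def audit_template(template_html, base_url):
    """Return one finding per icon link; an empty 'problems' list means it looks fine."""
    parser = IconLinkAudit(base_url)
    parser.feed(template_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE, "http://example.blogspot.com/"):
        print(f["line"], f["resolved"], f["problems"] or "ok")
```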

Thank you for the response.

Only with these instructions is that my favicon is actually uploaded on a widget on my blog layout. When I search for it in my actual blog template with widgets expanded, it doesn’t show up.

Have replaced the code as directed, assuming that we can replace the blogger.ico with our custom ico? Waiting for cache to clear so if I need to use the blogger.ico please let me know.

Thanks, and thanks for your prompt help, too.

Yes, if you have your own .ico file you can replace href="http://www.iconarchive.com/download/i45457/creativenerds/clean-noise-social/blogger.ico" with your icon’s location.

Malware warning still coming up, only now it doesn’t say anything about ‘YOUR-FAVICON-URL’, it just says |{gzip}. And I am still getting the same malware warning when I go into Blogger dashboard.

Same thing here

http://i.imgur.com/4Aigu.jpg

Here is the warning I get from going to my blog’s template design page.

http://i.imgur.com/5HPaZ.jpg

Ok…

After many experiments with the html file, I narrowed it down to some javascript code that was causing the alert.

Reference:
https://www.virustotal.com/file/120ed07fbfd649b4e494c944b3d0ff65ffdb5c3485b0a76e0fed1a7c9a273f26/analysis/1347743182/
https://www.virustotal.com/file/c882aaaf9d11f8a1fed2cc8b72291bb2c25e4456fb1498fc0c28b3d0fcff17d0/analysis/1347743508/
https://www.virustotal.com/file/85992882c2fc4bf81839d8f0f28f9171097f7509bd1ca55b89c75886473ae9f7/analysis/1347743714/
https://www.virustotal.com/file/27e2e0386057f482dd7cf05b76eb6581d9fa899652b034a17fae53b28f85c136/analysis/1347743891/
https://www.virustotal.com/file/3e8380f0633bd8be9123371b887996fc2e4fe7edc12d39bdb3890bdf5dba2e21/analysis/1347744044/
https://www.virustotal.com/file/f2bf06713ded4449f6f0e753baae0f209ea80d4bfcea7c1b870af9e3b2353e2b/analysis/1347744200/
https://www.virustotal.com/file/dec23910f0a096b5ed59b639fd86bdd55402db971b84b91e5e48283a4f70d81d/analysis/1347744345/
https://www.virustotal.com/file/ec585836826b058a38450d764765cb24e0a8f3eb8a0b74f0af89c99e1980bd11/analysis/1347744363/
https://www.virustotal.com/file/ec8ef08c714ac83778989702b81e69d608d91f1c84c6063cc50d6ad8c2805bd3/analysis/1347744565/

Which means that this code was causing the alert: http://pastebin.com/XNBAxLgU
Note that the code requires jquery before it is treated as malicious

Which A: Looks legit and B: detected as VBS and C: nobody else detects. So I assume it’s a false positive.

Sorry for the inconvenience,
~!Donovan