HTML:Iframe-inf infected virus "in Chest"...Can I delete?

Early this morning, I was on a search page and simply right-clicking links from that page to place in new tabs…then I would later go to the tabs, open them and decide if I wanted to bookmark those sites or not.
At one point, with one of the links I chose to place in a new tab, Avast alert sounded off and said an infected virus had been detected and asked if I wanted to abort it…I did. Then Avast showed a 2-part message with bottom part asking if I wanted to get rid of it (delete it?), and the upper half message was recommending I place it in the Chest; I wanted to delete it, but I followed the upper half message request recommendation of placing it in the Chest instead. Oops, I then had so many tabs in the tab bar that I wasn’t sure which one had been infected, so I placed more of the search page links in the tab bar again, and that same tab alerted Avast again. So now I have 2 infected files in the chest, BUT they are exactly the same.
I didn’t notice if the URL had been switched to show “x’s” or not…I had not even opened up the tab which said I had the infected virus from! So, my question is since I never even clicked on that tab which had the website infected virus in it, are you saying I got infected just by placing the URL link in a tab which I never opened? Evidently, that’s what happened.

Infected File Name: F6D02B20d01 (I now have 2 of the same ones)
Virus Name: HTML:Iframe-inf
Size of File: 53697
URL: wXw.alternativemedicinesblog.org (I took this from the search page because I had never actually opened the tab to see any information about it.)

Of note is that I had a problem sometime ago (on March 29, 2009) with an Iframe, but I had actually visited that site.
I’d love to just delete this…but I won’t until I hear from you, so could someone please be so kind as to recommend advice to me, please?

EDITING AS PER INSTRUCTIONS: I have changed the “wWw” in URL to “wXw”.

Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

The site appears to have been hacked and is still infected, there is a 1x1 pixel iframe embedded into a paragraph text, purporting to be webstats, which is a very suspicious way to do it (certainly to me). There are more of the same peppered throughout the home page, one embedded within another HTML tag and this, aside from being highly suspicious, is I believe a standards no-no to place an iframe within another tag.

One purporting to be traffic stats goes to a Chinese domain. So all in all one or all of these may be what avast is alerting on.

avast isn’t alone in detecting things on that page, see http://www.virustotal.com/analisis/79bdd797704c86f85e6c9688110b055a59ffe6ad0be4b674617b0369badeb408-1263333800, whilst this isn’t a high number of detections 7/41, there aren’t many AVs that are actually looking for this type of thing much less detect it.

I would say given the file name and this location deletion from the chest shouldn’t be an issue. However, there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Hi Shalimar, welcome to the forum :slight_smile:

You can see the links that this site contains here, with an excellent tool to check websites: http://www.UnmaskParasites.com/security-report/?page=www.alternativemedicinesblog.org

You will also see on that page that there are two iframe links to two different IPs, both of which appear to have hosted malware. (If you click on the red ‘suspicious’ tag next to the IPs you will see Google Safe Browsing diagnostic information.) (The 74… IP appears twice.)
Both of these iframes are what is causing the avast! alert on the page.

It could be legitimate (although with that amount of ringtone links…) as there are some relevant links there, and could have been hacked.

Aborting the connection should prevent the malware from entering your pc as the webshield has blocked it before it has begun to download.

-Scott-

David, I can’t compete…this time I was checking every now and then if another person had posted…just as I am finished, you post ;D I’ll cut mine down a bit, still relevant somewhat.

The tab with the link you wanted to click, wXw.alternativemedicinesblog.org, is suspicious: 27 hidden links and references to 2 suspicious domains were found, e.g.:

61.155.8.157 suspicious :arrow_upper_right: - displaying 1 of 1

Thanks to all who are assisting me…U R t-e-r-r-i-f-i-c! …and I LOVE Avast!

QUESTION: In times past, I think I’ve simply been allowed to hit the “abort” option and that was the end of it, so after I hit “abort” this time, I had been surprised to be shown more alternatives. I would have rather chosen the “get rid of virus” option instead of the “recommend moving to Chest” option, but if I had chosen the “get rid of virus” option instead, would this have been a foolish thing to have done? Would Avast not have been able to fully get rid of it without it infecting my PC?

ADDENDUM to last post…

I just tried pasting that wxw URL and in the process, I discovered the website called “Unmask Parasites”…I just never realized it existed.
QUESTION: By chance, have you seen this website before and would you recommend that site?

OOPS!!! I’m sorry, “spg Scott”…I read your post much too quickly (OBVIOUSLY) because you referred to the site above that I was questioning in your posting where you said: “You can see the links that this site contains here, with an excellent tool to check websites: http://www.UnmaskParasites.com/security-report/?page=www.alternativemedicinesblog.org”…Please forgive me for being in such a rush as to not see what was before my eyes! :o ;D :-[ :wink:

You should simply get the webshield detection preventing the download of the malicious content. I am not too sure why there was also the other detection in what I think is a temp file?

If you look at my post above, you will see that I not only use it but recommend it. It has very accurately shown the content of the website.

http://www.UnmaskParasites.com/security-report/?page=www.alternativemedicinesblog.org

Pol, don’t you think you should break the links? ;D

Scott…thank you! I’m sorry I didn’t get my error posted before you actually “noticed” my question and responded before me! :wink: :-[

@ Shalimar
It normally does drop the connection for that infected item, there are exceptions like:

Your browser ?
Some don’t just drop the connection but try to conclude the process.

If this was a download rather than simply browsing ?
As again some download managers just continue (in much the same way they would if your connection was lost).

Then you could find that the Standard Shield also alerts (belt and braces ;D) and it is here that you get other options and Move to Chest (and investigate) is by far the best option.

@DavidR
For what it’s worth, I’ve never run into a download problem with Avast.
In addition, my browser is Firefox…currently 3.5.6 because when I had 3.5.7 for 2 days, the 3.5.7 just hung at closing Firefox and my CPU usage was at 100% after only a minute or so while waiting for FF to stop running; therefore I went back to 3.5.6.
I also (along with Avast!) am currently using Superantispyware, Malwarebytes’ AntiMalware, Spyware Blaster, and WinPatrol…including NoScript, Adblock Plus, Better Privacy, & Ghostery.

Here is something you won’t like to hear, though: I am not using a “firewall”! I just never have known which firewall to use even though I’ve searched several times, and I know I’m supposed to use one. Of course, it would have to be a “free” one! :wink:

P.S. I am always amazed at just what a fantastic application Avast! really is…absolutely marvelous!

Generally you won’t run into a download problem with avast, but there is a likelihood that you might bump into an infected file/application that you try to download and avast’s web shield would alert.

The additional comments after the questions were there for examples only.

Strange, firefox is normally well behaved when avast aborts the connection, that is what happens, the good thing is if that doesn’t happen you have another level of protection/fall back in the form of the standard shield.

At the very least you should be using the windows one and ideally one that provides outbound protection (depends on your OS ? if it has outbound protection otherwise a third party firewall).

Many forum users are using these:

  • PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
  • Online Armor is for the most part fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
  • Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use the add remove programs to remove the AV element if already installed), of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used (Defense+), so it could be daunting for those not too familiar with firewalls or their systems.
  • Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/

@DavidR…thanks so much for your advice, and I will definitely be getting a firewall soon (there’s really no excuse for not having one!).

Btw, I have an older computer and am using Windows 2000 Pro; Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.6).

QUESTION: This may really sound awfully “s-i-l-l-y”, but do search engines have any effect on how Avast! behaves? If not, then OK…but if for some weird reason, they “could”…then I wish to say I was using the search engine by Ixquick/Startpage, and the url I always use is “https://www.startpage.com” for private searching. :slight_smile:

QUESTION: This is “off-topic” for my HTML:Iframe-inf but it is related to your referencing the “Unmask Parasites” website to see if websites are “suspicious”, and also to my last comment about using “startpage.com” as my main search engine. I hope this will be ok to place this question here! :slight_smile:

I placed the bookmarklet for “Unmask Parasites” website on my bookmarks toolbar and wanted to test it out, but not realizing that clicking on the bookmarklet would automatically review the page I was on (instead of opening in a new tab), I saw the red-colored “Suspicious” word and looked to see what website it was showing…and it was showing my home tab page: “wXw.startpage.com/do/metasearch.pl”
Of note is that “www.startpage.com” IS PERFECTLY FINE…BUT when it actually performs the searches, the URL always lengthens to “wXw.startpage.com/do/metasearch.pl”, and this is what was showing as “suspicious”.

This is what “Unmask Parasites” shows:
This page seems to be
Startpage Metasearch
wXw.startpage.com/do/metasearch.pl
1 suspicious inline script found.
Google: not currently listed as suspicious*(details)
Suspicious Inline Scripts…Long Suspicious Script: function getelem (i) { if (typeof document.getElementById == “undefined”) { return document.all[i];…

In this case I just presented with my “Startpage” search engine, Google has not found anything suspicious in the last 90 days, but things, of course, can change in the meantime…
and, of note, is that recently my search engine has sometimes been taking an extra long time to connect (perhaps that has something to do with the “suspicious” script?).
SO…my questions are:
Where do I go for further advice when “suspicious” shows up on the website I enter?
In this particular case, do I stop using this main search engine of mine?
Should I contact “Startpage.com” about this?

(Again, I’m sorry, but I didn’t know where else to ask this question. :()

EDIT: Addendum…the “startpage” search engine is also called “Ixquick” and you can use either one of those website URLs. I just now checked with “Unmask Parasites” and “Ixquick” is “clean”, so for now, I guess I can switch to using “www.ixquick.com” until further notice.

HTTPS secure encrypted pages aren’t monitored by the web shield as that is the whole purpose of secure encrypted traffic, to keep prying eyes out and this includes AVs.

Search engines are no different to standard web browsing (when in http protocol), they’re just displaying the results of the search on a web page like many other sites.

I got the message “HTML:Iframe-inf” when I tried to sign on to “www.ecumenicalsc.org”. In researching this, I came across a posting from Avast! that says to post it in the forum for help and to see if it is really infected. This is a client’s web site, so I do need to get on, and they are closed for the day…
I appreciate any help…

Thanks,
Becky

  1. This is the extent of my knowledge…
  2. Please don’t “yell” at me if I posted this in the wrong forum, I did try my best to find the appropriate one.

Thanks again…

@ FRABECO
Not yelling, honest ;D
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

First your link redirects from the above URL to, see quote:

IP: 64.38.36.3... Name: server.besearched.com

So I don’t know if that is intentional.

It is this redirected page that sets the alarm bells off, so if that site is legit, it looks like it has been hacked. There is a 1x1 pixel iFrame tag after the closing HTML tag, a standards no-no and suspicious; it tries to connect to telenes.biz, and a whois fails to find information, which is to me suspicious.

NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME.

avast isn’t the only one to see something suspect at the redirected site, http://www.virustotal.com/analisis/09da6ef191cc2be08ddafd4f5b356e601f3538f47db2ad77323ea09c871420ce-1263411009
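
The markup traits described in the replies above (a 1x1 pixel iframe inside paragraph text, and one placed after the closing HTML tag) can be checked mechanically when reviewing a site you maintain. The following Python audit is an added example, not code from any poster, avast! or Unmask Parasites; the sample page, the host names and the reason labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = {"0", "1", "0px", "1px"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collect iframes that look concealed rather than authored."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.after_html_close = False
        self.findings = []  # (src, [reasons])
    def handle_endtag(self, tag):
        self.after_html_close |= tag == "html"

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if a.get("width", "").lower() in TINY and a.get("height", "").lower() in TINY:
            reasons.append("tiny-frame")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if self.after_html_close:
            reasons.append("after-</html>")
        host = urlparse(a.get("src", "")).hostname or ""
        if host and host != self.page_host:
            reasons.append("external-host")
        # An external frame alone is normal (video embeds); report only concealed/misplaced ones.
        if set(reasons) - {"external-host"}:
            self.findings.append((a.get("src", ""), reasons))

def audit(html, page_host):
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not the markup of any site named in the thread).
SAMPLE = """<html><body>
<p>Herbal tea <iframe src="http://stats.example.net/c.php" width="1" height="1"></iframe> notes.</p>
<iframe src="http://video.example.org/embed/42" width="560" height="315"></iframe>
</body></html>
<iframe src="http://cdn.example.com/x" width=1 height=1 style="visibility: hidden"></iframe>"""
if __name__ == "__main__":
    print(*audit(SAMPLE, "blog.example"), sep="\n")
```

The normally sized video embed is not reported; the two concealed frames are, each with the reasons that matched.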