HTML:Iframe-inf on site I visit. Is it false positive?

I belong to a reputable site and get much training on that site. About a week ago I started getting this message: Malware blocked a harmful webpage or file!
Object http://vipsetupservice.com/membersarea/plugins/content/cdaccesstext/css/cdaccesstext.css
Infection: HTML:Iframe-inf[

Action:Connection Aborted

This happened in all 3 of my browsers despite doing a hard refresh (Ctrl + F-5) on entering the site.

The techs at the site cannot find any problem. Could this be a false positive? :-\

I really need to use the site and they don’t need a hassle. If you go to the site without going to the members area, there is no warning. Please help!
jj

It looks like the file cdaccesstext.css, and possibly others on the site, have been hacked. This appears to be a good detection.

Also see http://www.virustotal.com/file-scan/report.html?id=0df802d2c0ddac762645b510324d77261335a89ec463cecb617c99d63ebe71bb-1299795702

Note the iframe inserted into the bottom of the file after the closing HTML tag, a standards no-no and highly suspect. The domain named in the iframe is considered an attack site.

See images, click to expand.

Sucuri scanner says infected… see screenshot
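The check described in the reply above (an iframe placed after the closing HTML tag, usually sized or styled so the visitor never sees it) can be automated when auditing a site's files. This is an added example, not code from the thread or from any scanner mentioned in it; the `audit` function, the `IframeAudit` class and the `example.invalid` URLs in the sample are made up for illustration.

```python
import re
from html.parser import HTMLParser

# Style fragments that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collects every <iframe> together with the reasons it looks injected."""

    def __init__(self):
        super().__init__()
        self.html_closed = False   # set once </html> has been seen
        self.findings = []         # (line number, src, [reasons])

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if self.html_closed:
            reasons.append("after </html>")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if any(a.get(d, "").strip().rstrip("px") in ("0", "1")
               for d in ("width", "height")):
            reasons.append("zero or 1px size")
        self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit(markup):
    """Return one finding per iframe; an empty reason list means no indicator."""
    parser = IframeAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: a legitimate embed in the body, then a frame appended
# after the end of the document (placeholder domains, not from the thread).
SAMPLE = """<html><body>
<h1>Members area</h1>
<iframe src="https://video.example.invalid/intro" width="560" height="315"></iframe>
</body></html>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for line, src, reasons in audit(SAMPLE):
        print(line, src, reasons or ["no indicator"])
```

The same function can be run over non-HTML files such as a stylesheet, where any iframe it reports is out of place.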

Can anyone confirm that the domain in the iframe tag is dead? It doesn’t seem to resolve.

Probably you are right for the link you gave: htxp://jsunpack.jeek.org/dec/go?report=25f91afc304045dac1d23ed274f9d40d1dd826cf

<h1>Page does not exist</h1> 

But this malware is still there, and found in: htxp://vipsetupservice.com/legal/earnings.htm

Hidden Iframes. Details: http://sucuri.net/malware/entry/MW:IFRAME:HD202
for similar malware re: http://forum.avast.com/index.php?topic=72920.0

and

Known javascript malware. Details: http://sucuri.net/malware/malware-entry-mwjs488
Read on this malware here: http://malware.im/versatile-cc-attacks/ so-called “co.cc domain malware injection”

Also see: http://www.google.com/safebrowsing/diagnostic?site=vipsetupservice.com

So page definitely infected,

polonus

That really doesn’t matter as a) the site has still been hacked and b) there is nothing to say that it won’t resolve later.

I tried to check it as you can see and Firefox safe browsing intercepted it anyway as an attack site, so no way to check further and there is no way I would check things like this out using IE.

I never said the URL the topic starter mentioned wasn’t infected. I was just interested in analyzing the URL inside the iframe tags, but I got an error accessing it, which is why I asked if anyone else was able to resolve it. Obviously, it’s down. Whether or not it will be up again, that’s unknown.

By the way, there’s no Firefox Safe Browsing, there’s only Google Safe Browsing. :wink:

It is incorporated in Firefox under the block attack sites; whether that is the correct term I haven’t the slightest idea, or concern what it is called, only what it does.

NORMAN analysis

vipsetupservice.com.htm : Processed - HTML/Agent.JB