HTML:Iframe-inf

Greetings -
Got the malware blocked message while trying to access the site hxxp://moviemaker.com. Tried to contact the webmaster, but unfortunately I can’t get to the website at all! Ideas? Suggestions?

This page seems to be
7 suspicious inline scripts found.
22 hidden external links found.
http://www.UnmaskParasites.com/security-report/?page=moviemaker.com

VirusTotal - html scan
http://www.virustotal.com/file-scan/report.html?id=bad7e680a9a9705bb7804bb3d61816605ad40fb890feb203908acac72e4b6907-1294515776

NoVirusThanks - 2/16
http://vscan.novirusthanks.org/analysis/b6bc15353171b438a4c66569215ae131/aW5kZXg=/

Hi gimmeshelter, welcome to the forum :slight_smile:

avast! seems to be alerting on an iframe on the site which appears to be there about 7 times.

This iframe appears at the end of a very long one line script.

Scott
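
The pattern described above (an off-site iframe written out at the end of a very long one-line inline script) can be checked for in a saved copy of a page. This is an added example, not part of any post in this thread; the placeholder hosts, the 1000-character threshold and the names `IframeAudit` and `scan` are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LONG_LINE = 1000  # assumed threshold for a "very long one line script"
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

class IframeAudit(HTMLParser):
    """Collect off-site iframes in markup and inside inline <script> bodies."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.script, self.findings = page_host, None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.script = []                      # start buffering an inline script
        elif tag == "iframe":
            self._record(attrs.get("src") or "", "markup", 0)

    def handle_data(self, data):
        if self.script is not None:
            self.script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.script is not None:
            body, self.script = "".join(self.script), None
            longest = max((len(l) for l in body.splitlines()), default=0)
            for m in IFRAME_SRC.finditer(body):   # iframe written out by script text
                self._record(m.group(1), "inline-script", longest)

    def _record(self, src, where, longest):
        host = urlparse(src).hostname
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            self.findings.append({"host": host, "where": where,
                                  "long_one_liner": longest >= LONG_LINE})

def scan(html, page_host):
    audit = IframeAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample: placeholder hosts, not content taken from the reported site.
SAMPLE = ("<html><body><script>var ok = 1;</script>"
          '<iframe src="http://www.site.example/player"></iframe>'
          "<script>" + "var a=0;" * 200 +
          "document.write('<iframe src=\"http://injected.example/path\" "
          "width=1 height=1></iframe>');</script></body></html>")

if __name__ == "__main__":
    for finding in scan(SAMPLE, "site.example"):
        print(finding)
```

Same-site frames are ignored; a finding with `long_one_liner` set is the combination worth reviewing first when cleaning up a page.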

I think that it’s FP. Because VirusTotal shows only 3 objects found by Avast engine.

The site in the iframe:
http://www.google.com/safebrowsing/diagnostic?site=fragisdown.com/in.cgi%3F13

Whether it is a false positive or not I don’t know…

I have no doubt that this site has been hacked, as the site that the iframe tries to connect to as Scott mentions has been the subject of previous malware and browser exploits. Firefox safe browsing alerts on this site if you try to connect, image1 as does avast image2.

So the target site of the iframe still contains malware.

Thanks David :slight_smile:

One thing, snagit? ???

For some reason avast doesn’t like it when snagging the image of the firefox alert, why I don’t know, it didn’t use to do that with earlier avast versions.

Snagit 9.1, 1Click, Active Window ;D an absolute doddle.

I haven’t been tempted with the upgrade to version 10, I think $24.95 (I think is too much for an update). There is still so much that I don’t use in 9.1 I could probably have stuck with snagit 6 which I think I started off with.

The VBA32 engine on VirusTotal is still running the 2011.01.06 update, but on NoVirusThanks it has 08/01/2011, so there will be one extra detection when updated.

On Virscan it shows a suspicious detection with the old signature
http://virscan.org/report/ef7245e9b6867d71ae43f8f0783d98b7.html

So using the capture active window feature causes an alert? :smiley:
I have to try that with evernote…

Thinking back I don’t think it will have been the active window (I just used that to capture the avast alert), the alert came after doing a region scan of the firefox alert.

I don’t know what is going on with the web shield alerts since 5.1, but I no longer see any unp99999.tmp file in the avast5 folder that I would usually use for analysis.

I don’t use that method myself, but the avast5 folder never shows the tmp files, even if an alert is open now…wonder what changed? (though I suppose this is for another thread…)

Yes, perhaps that would be best.

favicon.ico ???
This is the most infected image ever!
This is not FP. That image is dangerous!

NORMAN analysis says infected and will add detection

moviemaker.com.htm : Processed - HTML/IFrame.HJ

Pondus, the link is active, would you deactivate it? :wink:

obs… 8)

It isn’t the image that is dangerous it is the hacked or replaced favicon.ico.

This is the little image that almost every site has that gets loaded into the browser address bar (image on the left of the address) when the page loads. It is because of this action that it is a target of hackers, etc. to try and load malware.

So it isn’t the image that is dangerous but the actions of the hackers, etc.