Hi, I’m trying to access a forum called Ultimate Metal, and I can’t access the main forum hxxp://wxw.ultimatemetal.com/forum or my private messages, but some subforums seem to work properly, such as hxxp://wxw.ultimatemetal.com/forum/progpower-usa-120/. When I try to access the main directory or my PM, I get a malware HTML:Script-inf warning. Can anyone help?
hey and welcome to the forum. according the virustotal is should be clean
but if avast is flagging as malware it could be something in the code avast does not like.
might need some more investment.
Hello,
as similar threads on this forum: script tag, which leads to “phpinclude-bin.com/gate.php” is injected there.
Milos
SO what exactly does that mean? Did someone hack the site and inject malicious code into it?
@ mikaelrask
Using the VT URL scan is pretty useless, most of the scanners on there are poor at detection on web based malware.
You only have to see when people say the web shield is wrong and no other VT scanners detect anything, yet when manually analysed or using other scanners it confirms the web shield detection. The web and network shield generally have a very high accuracy rate.
The forum has an outdated forum software, which could be being exploited.
Avast is alerting on a compressed script file that is the {gzip} bit at the end of the detection URL (see image1 & 2 extract of loaded file).
It has a link to a domain phpinclude-bin.com (probably an injected script tag) image3, which I believe may be what avast considers a malicious site, confirmed see avast alert image4.
So it certainly needs further investigation as to why this file is being loaded and is it legit.
So how does this get rectified? Should I contact Avast for support?
The problem is the website itself, therefore, its more reasonable to contact the webmaster of ultimatemetal.
See attached.
Hi !Donovan,
Application website software at this site is outdated: Application: vBulletin 3.6.8 - http://www.vbulletin.com/ upgrade required
The malcode is at line 5856
For what it decodes to, see attached image,
polonus
As !Donovan mentions it is a problem on the website and nothing that avast support could do to rectify a problem on a website.
Hi DavidR,
The hoster has to remedy that, and the outdated website software has to be upgraded also, else a re-infection is likely,
polonus
Yes, though it depends on whom is responsible for installing the forum software. But the removal of the suspect script tag pointing to phpinclude-bin.com could be manually removed. Though if the old software is being exploited it could be back.
ok thanks for the explanation there DavidR 
I don’t even know how to post to this Forum - I’m 65 and NOT techie! I have been getting this popup only for the last week HTML:Script-inf – and on the bizjournals.com sites – I’ve been reading those journals online for 7 years with no problem. Anyone know what is going on?
Ideally it is best to create your own ‘new topic’ so as not to confuse this one.
- Please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum (click the New topic button at the top of the page see image) and we will try and help you there.
Sites can get hacked and this is the most common cause of this.