Icefilms dot info

It seems icefilms dot info has a Trojan or some kind of virus loading. Now I can’t visit the site. Before I had Adblocker so it prevented ad viruses. How do I get back visiting the site again?

Thanks

How do I get back visiting the site again?
When the website owner has cleaned it ...
It seems icefilms dot info has a Trojan or some kind of virus loading.
How do you know; is it avast alerting? .... what does avast say?

Avast alerts are different:

http://forum.icefilms.info/viewtopic.php?f=161&t=108980

Latest warning:

http://imgur.com/MTUgB82

HTML:Script-inf detected by avast

At a quick look it seems to be a false positive
https://blog.avast.com/tag/false-positive/

They do have some problems though:
http://multirbl.valli.org/lookup/104.28.3.119.html
http://zulu.zscaler.com/submission/show/48d6fbc586e44f282e52ffd443e85b48-1449050438

There is code that goes to xpc dot googleusercontent proxy I do not trust: http://toolbar.netcraft.com/site_report?url=http://xpc.googleusercontent.com
For that code consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Foauth.googleusercontent.com%2Fgadgets%2Fjs%2Fcore%3Arpc%3Ashindig.random%3Ashindig.sha1.js%3Fc%3D2 has some strange iFrame code, it is Shindig, the OpenSocial container: http://shindig.apache.org/
it has front-end SPOF with

polonus

only avast
https://www.virustotal.com/nb/file/48d2b7e9b215aee8d241ce2aad414bb8dbcd83e9b6467dc62be611ee57a5168a/analysis/1449069246/

There is adsbypasser code there, landing at: -http://ads.comeadvertisewithus.com/ads/ads.js flagged by VT…

polonus

I got this from avast.
http://imgur.com/JxKFmP7

So it’s false positive or it’s a real threat?

Thanks

Why haven’t you asked avast yet?
https://blog.avast.com/tag/false-positive/

+1

While the site does not seem 100% “kasher” (fit for use) to me,
asking Avast in this case seems like a good idea.

polonus

Fair enough, I emailed them, so let’s see.

This is most likely not an FP. There are many domains that are highly suspicious on the same IP, and we block all of them. Avast complains about icefilms[.]info loading scripts from one of these domains (specifically get[.]scorepresshidden[.]info/1400/get.scorepresshidden.info).

Just in case anyone is interested, this is the active domain list 8):



Hi HonzaZ,

Thanks for confirming.

polonus
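
The check HonzaZ describes above (a page is flagged because it loads a script from a domain on a blocked IP) can be reproduced offline. The Python below is an added example, not code from Avast or from any poster in this thread; the HTML sample, the page URL and the two-label parent-domain shortcut are assumptions, while the two blocklist entries are taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Two indicators copied from the thread, kept defanged as posted.
BLOCKLIST_DEFANGED = ["data[.]scorepresshidden[.]info",
                      "data[.]awakebottlestudy[.]com"]
PAGE_URL = "http://icefilms.info/"  # assumed URL of the page being audited

def refang(indicator):
    """Turn a defanged indicator (example[.]com) back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def parent_domain(host):
    """Assumption: the last two labels form the registrable domain.
    Production code should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def flagged_scripts(html, page_url, blocklist):
    """Return (src, host) for external scripts whose parent domain is blocked."""
    blocked = {parent_domain(refang(item)) for item in blocklist}
    page_host = urlsplit(page_url).hostname
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative (//host/...) sources.
        host = urlsplit(urljoin(page_url, src)).hostname
        if host and host != page_host and parent_domain(host) in blocked:
            hits.append((src, host))
    return hits

# Constructed sample page: one local script, one script from the flagged
# host named in the thread, one unrelated third-party script.
SAMPLE_HTML = f"""<html><head>
<script src="/js/site.js"></script>
<script src="//{refang('get[.]scorepresshidden[.]info')}/1400/x.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, host in flagged_scripts(SAMPLE_HTML, PAGE_URL, BLOCKLIST_DEFANGED):
        print(f"blocked script host: {host}  (src={src})")
```

Matching on the parent domain is what lets a list entry for the `data` subdomain also catch the `get` subdomain that Avast reported.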

Hi, so if it’s not an FP, perhaps, icefilms must have fixed the issue?
I can access the site no problem now.
Not sure if I should be concerned.

Whenever you are not redirected like for instance described here: https://warosu.org/g/thread/51019832
See: http://urlquery.net/report.php?id=1449158426776
For that IP see: https://www.virustotal.com/nl/ip-address/104.28.3.119/information/
and https://www.threatcrowd.org/ip.php?ip=104.28.3.119
Certainly would like to adblock this external link: https://www.virustotal.com/nl/domain/cdn.wwwpromoter.com/information/
They like to promote to us they aren’t a scam: https://forums.digitalpoint.com/threads/wwwpromoter-com-is-scam-or-legit.2757383/ but WOT reports show differently: https://www.mywot.com/en/scorecard/wwwpromoter.com?utm_source=addon&utm_content=popup
And what about this: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-WX/detailed-analysis.aspx
https://www.mywot.com/en/scorecard/asset.pagefair.net?utm_source=addon&utm_content=contextmenu

Apart from the adult content on the website, you are exposed to unethical adware at any moment,
therefore caution should be used and adblocker and script blocker visors should stay up and enabled…

polonus