Infection: HTML:Iframe-inf

Hi

This morning I went to access http://www.kat.ph/releases/ and Avast reported :

Infection Details

URL: http://www.kat.ph/releases/

Process: file://C:\Program Files\Mozilla Firefox.…

Infection: HTML:Iframe-inf

Warn your friends to avoid this website

It is only URLs on the KAT site that Avast reacts to.

I have since checked this URL with Virus Total which gives the site a clean bill of health.

Is it possible that this is a false positive or do I have an infection in my computer ?

Thunder Bird.

Sounds like the Web Shield blocked something…so no, you don’t have an infection, it would be blocked, it just mentions your firefox process because that is what you were browsing with at the time.

Virus Total url scanner doesn’t give a “scan” like the Web Shield, it just runs the url by some reputation analyzers, so you can’t use it to approximate if it’s an FP or not like you could using VT’s file scanner for a local detection.

Can some other forum members try to access http://www.kat.ph/releases/ ?

Does Avast give you the same warning report as I received ?

Thunder Bird.

OK looks like no one is prepared to test it.

I have carried out a boot time scan and Avast found nothing.

Went to Firefox and fired up http://www.kat.ph/releases/

Avast still reports that Script Shield has blocked a threat.

Infection Details

URL: http://www.kat.ph/new/

Process: file://C:\Program Files\Mozilla Firefox.…

Infection: HTML:Iframe-inf

So it would appear that I still have a problem.

Thunder Bird.

Hello,
this site contained malicious script but it is fixed now.
Regards,
Jan

Whilst this now appears to have been resolved (cleaned up in the site as Sirmer mentioned), when posting links to suspect sites don’t make them active (as in the example in the quoted text):
e.g. - ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Hi everybody,

I’m one of the Kickasstorrents team members and I’ve just registered here hoping you’ll help me to solve this issue with malware detected on our site kat.ph.

Since today our members have started reporting some kind of malware on the site; every one of them was using Avast. I just checked the malware section for kat.ph in Google Webmaster Tools - everything is OK there. Seems like it’s an Avast-only detection.

Can somebody please explain to me where the malware is living on our site (if there is any)? I believe our site is clear ’cause nobody detects us except Avast. In case it’s really clear - what is the right way to remove that scary alert for our visitors?

Thanks in advance,
Chris

Unfortunately for me this problem has not disappeared.

Avast keeps putting http://wXw.kat.ph/releases/ in the Avast Virus Chest

Or any other page on that site.

Then when I scan the file after it is put in the virus chest I get an OK ?

If I ask for properties I get

Original file name http://wXw.kat.ph/releases/

Size of file 2398

Category Infected File

Virus description HTML:Iframe-inf

Can be restored ? No (Yet a scan in the chest of that file comes up OK ?)

I have carried out a full CClean prior to the above

I have run Malwarebytes which gave me a complete clean bill of health (No infected files)

I have compared notes with another Avast user and his Avast does not report anything untoward on the Kickass site.

Obviously there is something hiding in my computer somewhere that is keeping this thing alive.

I do have one file in my virus chest which I believe may hold the key to this problem.

P.S. DavidR I followed your advice and ‘modified’ my post and changed the URL from www to wXw as you suggested to break the link and avoid accidental exposure but obviously this does not work.

By the way DavidR I am not fully conversant with the term “Übertechnical” what does it actually mean ?

I did a Google on “Übertechnical” and came up with http://www.fuelfixer.co.uk/wrong-fuelpetrol-in-diesel-faqs/technical/

Thunder Bird.

Well Übertechnical is just a forum ranking/term chosen by the forum Administrators. Basically it equates to very, very, very, frequent poster.

Your modification of the link doesn’t work because you have http in the URL, if you have that in it then you have to apply it to the http, hXXp (as in my example in the quoted text). If you are posting a URL with just the www part (no http element) then you apply it to that, wXw. So you have to break the first element of the URL or the link will be active, although it would fail as there wouldn’t be a wXw in the real URL.

I still don’t get an alert on hXXp://wxw.kat.ph/releases/ link, so I don’t know if this is an issue with something in firefox as your original process is concatenated, Process: file://C:\Program Files\Mozilla Firefox.… (the .… bit at the end). Though I suspect it would be firefox.exe, but it would be nice to confirm.

If it were some malware on your system rather than the site then I would expect it to be happening on all/many locations and not just restricted to this one URL.

Start with clearing your browser cache in firefox (the Clear Recent History option).
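
The link-breaking rule described in the post above, as an added example that is not part of the original thread. The function names and the model of which text a forum auto-links (`http://`, `https://`, or a bare `www.` starting a token) are assumptions made for illustration.

```python
import re

# Assumed model of a forum auto-linker: it links text starting with
# http:// or https://, or a bare www. that begins a token.
_LIVE = re.compile(
    r"\bhttps?://[^\s<>\"']+|(?<![\w/.])www\.[^\s<>\"']+",
    re.IGNORECASE,
)

# Constructed sample post text using the URLs quoted in this thread.
SAMPLE = "Alert on http://www.kat.ph/releases/ and also www.kat.ph/new/ today"


def live_links(text):
    """Return the URLs in text that would still be rendered as clickable."""
    return [m.group(0) for m in _LIVE.finditer(text)]


def defang(text):
    """Break the first element of each URL: http -> hXXp, bare www -> wXw."""
    def _break(match):
        url = match.group(0)
        if url[:4].lower() == "http":
            # A scheme is present, so the scheme is the element to break.
            return "hXXp" + url[4:]
        # No scheme: the leading www label is the first element.
        return "wXw" + url[3:]
    return _LIVE.sub(_break, text)


if __name__ == "__main__":
    # Breaking only the www part leaves the scheme intact, so it stays live.
    print(live_links("http://wXw.kat.ph/releases/"))
    safe = defang(SAMPLE)
    print(safe)
    print(live_links(safe))
```

Running `live_links` on a draft before posting shows which URLs still need breaking.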

DavidR

Though I suspect it would be firefox.exe, but it would be nice to confirm.

You are correct it is indeed firefox.exe

If it were some malware on your system rather than the site then I would expect it to be happening on all/many locations and not just restricted to this one URL.

No it is only happening on the one site.

Start with clearing your browser cache in firefox (the Clear Recent History option).

That was one of the first things that I tried.

Update: After I selected three files from my virus chest to submit to the virus lab I noticed Avast had stopped responding.

I had to shut my computer down and reboot to get Avast up and running again.

First time I have ever had Avast stop from responding.

Thanks for your help DavidR.

Thunder Bird.

You’re welcome.

Weird that it is only happening on that one site, good in a way as it is unlikely to be on your system.

Guess again DavidR.

It was on my system (as I suspected) and I have found the way to get rid of it.

It is now gone and my problem is solved.

There was an infection in my computer causing Avast to report false positives.

Which was something I had suspected at the beginning of this thread…

Thunder Bird.

OK, I’ve just tried visiting Kat, and I’m getting avast malware annoying pop up thingees every time I open a page.

I’m using IE9. I’m in New Zealand if that makes any difference!

any help to turn this annoying bleep bleep off would be really helpful

regards
Me.

Go the Mighty All Blacks ( otta be a rugby fan to understand that)

Ahhh…Finally we are getting somewhere…

I now have got an alert on this site. (after trying for a while, FireFox wouldn’t play, but IE does)

I am not sure exactly which file this is from, but it appears to be javascript that detects the browser and sets a cookie. (not completely sure)

At the end of this file, is an iframe. That is what is causing the alert.

Now that file has to be identified. I didn’t get a normal alert, on this file, so I am not sure. It was an odd detection and location. (unp999.tmp in an avast folder - by FSS - though a little OT here)

After a bit of work and quite a few hours I have narrowed this problem down to one URL.

hxxp://www.kat.ph/the-mentalist-s04e02-hdtv-xvid-tla-t5876455.html#comments_tab

Got it right this time David R

If some of the forum experts would like to investigate this particular URL and report back with their findings it may help solve this problem.

Thunder Bird.

Well I’m able to visit that link with firefox and no alerts.

http://sitecheck.sucuri.net/scanner/ also finds nothing at that page, wXw.kat.ph/the-mentalist-s04e02-hdtv-xvid-tla-t5876455.html. Nor does the VirusTotal Results Page.

So I really am at a loss as to what is going on.

When I initially tested that URL after applying my fix Avast did warn me of the HTML:Iframe-inf infection in that particular URL.

Since then I have been back and retested the URL again and Avast now reports nothing.

But a scan of a copy of the same URL in the Virus Chest still shows HTML:Iframe-inf infection.

Go figure that one.

I expect that there may be some work going on behind the scenes that we are not privy to.

I know that I forwarded the suspect URLs to the virus lab at Avast and also to Kickass so maybe one of the two have come up with a fix and hence the URL is no longer being detected as a threat.

The question remains was Avast detecting false positives after detecting the initial infection ?

I believe Avast was somehow corrupted by one file that contained this HTML:Iframe-inf beasty and then Avast continued to keep reporting false positives for every page or action only on the Kickass site.

It is interesting that Malwarebytes is now detecting the same problem on the Kickass site.

Thunder Bird.

The question can’t be answered as there is no information to answer it.

Avast can’t corrupt the file as it isn’t working with the live file, but a copy of it in its c:\windows\temp_avast_ folder. The files after having been scanned in this folder are cleared, so even if there was a corrupt file it isn’t on the site and again why only this site.

This is why I still stick with my original supposition that this isn’t on your system as you think it is and you supposedly fixed it (but didn’t say what you fixed ?).

Hi DavidR,

Well the link is flagged as suspicious 2/6 here: http://urlquery.net/report.php?id=4705
But while I am away from my system at the moment I cannot investigate further,
certainly there is something, as it could be an outward link like: http://www.urlvoid.com/scan/ad.adperium.com (suspicious)
Scanning the narrowed down link gave:
[javascript variable] URL=ads dot ad4game dot com/wXw/delivery/al.php?zoneid=18915&cb=
info: [script] -kastatic.com/js/all-49c553.js
info: [img] -i2.kastatic.com/tv/18967.jpg
info: [img] -www.kat.ph/torrentwidget/e8650d18f2d76b93c7a9bf5b1f92d59c7d9a290e.png
info: [img] -i2.kastatic.com/userpics/828c21ef170951f1c345d989436ba6cf.gif
info: [img] -kastatic.com/images/torrentDownloaded.gif
info: [img] -i2.kastatic.com/userpics/fef51f7e0e856f49028a6423c6b62b22.gif
info: [img] wXw.kat.ph/content/images/commentlogo.jpg
info: [img] -kastatic.com/images/side.png
info: [decodingLevel=0] found JavaScript
error: undefined variable s

polonus