Infection html:script-inf

https://gyazo.com/a4c2293dea94c87273d013cc150be00e

Many users are getting this error

Seems infected, see here https://sitecheck.sucuri.net/results/pattaya-addicts.com

Unmaskparasites http://www.UnmaskParasites.com/security-report/?page=pattaya-addicts.com

fritz,

Break the link so people cannot click on it.
We do not want people to visit (potential) malicious websites.

I am not able to visit it - it seems to be only for registered users…

What I need here is the exact file that is triggering the detections. We will take advantage that all files that are tested are temporarily stored in c:\Windows\Temp_avast_, until Avast decides what to do with them. We need to set up Avast to “Ask” when it encounters something, so we have time to extract the detected file from the location above.

Follow these steps to retrieve the file:

  1. Set Avast to “ask”. Avast → Settings → Active protection → Webshield - Customize → Actions → Virus → Ask (please witness my excellent image-editing skills in the pic below)

http://i.imgur.com/ftrQObd.png

  2. Go to the page that triggers the warning and let Avast pop up. Do not close the popup!
  3. Go to c:\Windows\Temp_avast_. Select the file that is the most recent. This is the file that is triggering the warning, and that we actually need. When you scan this file with Avast, the same detection name should appear.
  4. Attach the file to your post here.

I see some attack code here: -http://www.domxssscanner.com/scan?url=https%3A%2F%2Fgyazo.com%2Fa4c2293dea94c87273d013cc150be00e (drop the - to go there, but use caution!)
http://toolbar.netcraft.com/site_report?url=https://assets.gyazo.com (where it is landing).
probably spamming…
What is

<!--  (111l ,1111 111 11 11 11+ 11 1 111111111 111111- 11 11 11 111 11 >11 ;11 11 11111111 11?1| 11 |1 11 <1~ 11 /11 11i 11 11 11 11~ |1 11 111 ;11 11 11 11 11 11 11 -11111111/ 11 11 11 111111111 11111111-  --> 

For the url at hand: https://sitecheck.sucuri.net/results/pattaya-addicts.com
This should be blocked: -http://adsdelivered.net/www/delivery/ajs.php?zoneid=2&cb=31363623821&charset=UTF-8&loc=http%3A//pattaya-addicts.com/

polonus

Uhm… The gyazo.com is an image hosting website with a printscreen of the Avast popup :)

The problem seems to be with something on the Pattaya webboard.

My wrong, I scanned that one. But see: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fajaxsearch.partners.agoda.com
javascript check: Suspicious

is an included script - Is this the script flagged?

polonus

Nope, we do not block exchangerateusd.com.

Well, let us wait for more info on that then from members there that can log on and could forward that particular info.
At least I see the site has “assumed” outdated server software: HTTP Server: nginx 1.3.1 (Outdated)
Because this could also mean that the old server version stayed there and the server software came fully patched despite that. There are servers that work that way.

pol