Infection or false positive?

This follows on from a previous post under someone else’s topic (http://forum.avast.com/index.php?topic=52756.0) - I thought it is probably better in its own topic now.

Report
When accessing webpage hXXp://www.care2.com/send/catseasonal1.html (tt changed to XX) on two occasions I have had the HTML:Iframe-inf warning. In both cases, the originating URL stated by Avast was hXXp://d1.openx.org/afr.php?zoneid=90058&cb=56475843

On the second occasion Avast also indicated an Opera cache file was infected (I have moved this to the chest as advised and will delete later).

Yesterday I followed advice from Avast and informed Yahoo they were hosting an infection, only for this to be subsequently identified as a false positive! Rather than potentially misinforming Care2 about hosting an infected advertiser, please could someone confirm whether the above is a real infection, and what the best solution is in terms of advising Care2 if it is (would Avast make the contact)?

Thanks.

Avast 5 and IE8

No warning on the first URL but i get one on the second

28.12.2009 18:15:00 hxxp://d1.openx.org/afr.php?zoneid=90058&cb=56475843 [L] HTML:Iframe-inf (0)

hpHost info
http://hosts-file.net/default.asp?s=http%3A%2F%2Fd1.openx.org%2Fafr.php%3Fzoneid%3D90058%26cb%3D56475843

WOT
http://www.mywot.com/en/scorecard/www.care2.com

Following on from Pondus’ post…

Same with 4.8…

The second one, in light of the fact that there is little code in the page anyway, the highlighted iframe in the pic is what is causing the alert…

OK so I’ve attempted to understand a little more about hosts and internet addressing protocol since it seems I need to! Apologies in advance if I use any technical terms wrongly.

If I understand correctly:

  1. The listing of a host address at HPhosts indicates that pages hosted at that address contain malicious content

  2. As care2.com, wXw.care2.com and domains of openx.org have recently been listed they should be considered untrustworthy and connection is likely to result in attempted infection

however…
If I have read and understood correctly, recently (yesterday) yieldmanager was listed in HPhosts and consequently included in Avast’s own list, but then after users contacted this forum Avast decided the host was not malicious and de-marked it as a bad host (by update to the virus database).

so ultimately…
Should end users like myself consider a threat from openx.org as genuine?
and…
If a website is listed at HPhosts, do they contact owners of the bad hosts, will someone from this forum do this, or is it most appropriate for the end user (e.g. me!) to contact the owner?

Thanks for your help with newbies!

This is alerted by Unmask Parasites for openx.com. This page seems to be:
1 hidden external link found.

 ^IFrame^ hidden link - hXtp://d.demo-enterprise.openx.com/afr.php?zoneid=1&cb=.....INSERT_RANDOM_NUMBER_HERE..... ^^changed by me... Pol

Malicious software includes 4 exploit(s), 3 scripting exploit(s), 1 trojan(s).

This site was hosted on 4 network(s) including AS14618 (AMAZON), AS36408 (PANTHER), AS3257 (TISCALI).

It seems that openx.org has functioned as a re-direct for infecting 49 site(s), e.g. f******hard.net/, computerthing.co.cc/, downloadmusicas.net84.net/

Cleansing considerations for webmasters in case of hidden iFrame injections: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/

polonus
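A defender-side check in the spirit of the hidden-iframe cleanup link above, added here as an example and not code from the original thread or any of its posters. It scans a constructed HTML page (the sample markup and the example.invalid hostnames are made up, not care2.com's real page) for iframes that are both hidden and off-site, which is the pattern that the HTML:Iframe-inf alerts in this thread point at; a webmaster could run it over their own templates before and after cleanup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS tricks commonly used to keep an injected frame out of sight
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I
)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_hidden_external_iframes(html, page_host):
    """Return (src, reason) pairs for iframes that are hidden and point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        # Frames on the page's own domain are out of scope for this check
        if not host or host == page_host or host.endswith("." + page_host):
            continue
        reasons = []
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if reasons:
            findings.append((src, ",".join(reasons)))
    return findings


# Constructed sample page: one legitimate frame, two hidden off-site ones
SAMPLE = """<html><body><p>Send an e-card</p>
<iframe src="http://www.care2.com/ecard/view" width="600" height="400"></iframe>
<iframe src="http://ads.example.invalid/afr.php?zoneid=1" width="0" height="0"></iframe>
<iframe src="http://tracker.example.invalid/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_external_iframes(SAMPLE, "www.care2.com"):
        print(f"hidden external iframe: {src} ({why})")
```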

Don't know whether I am right here or not:

Have a false alarm since Saturday on an XP System:

File causing the false alarm: hasplms.exe

How long does it take until one receives a reaction on the usual
false positive message?

Is there any way to switch off this false alarm (badly need that function)
without switching off Avast ?

+++

What makes you think it is a false positive ?
What is its location ?

Have you confirmed it ?
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Whilst this file name is associated with this, HASP License Manager (hasplms), http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=hasplms.exe, there are also cases of it being associated with a worm.

If it is indeed a false positive only detected by avast, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

@ Garrog

1. The listing of a host address at HPhosts indicates that pages hosted at that address contain malicious content
Or add tracking sites as well
2. As care2.com, wXw.care2.com and domains of openx.org have recently been listed they should be considered untrustworthy and connection is likely to result in attempted infection
That's true.

@YoKenny

Thanks for confirming the above. I am however still seeking advice to my question of who will feedback to the owners of the sites directly/indirectly hosting malicious content.

Individually I understand I should not visit the above sites at this moment, however I would suggest it is reasonable to assume that public sites such as Care2 would not willfully host a virus and would like to be given the opportunity to stop the malicious host infecting their users through their site, and review their security.

It would therefore seem sensible for someone to let the site owners know so they can do something about it - so to repeat my question, who normally takes on this responsibility - is it HPhosts, is the fact somehow elevated through this forum to a person who would contact owners, or is it usually left to the end user to notify the site owners ad hoc? Is it not in everyone’s interest to ensure the information is fed back to where the problem originates?

Thanks.

If it is reported, it is usually done by the person who reports it here…if at all.

I am not sure about hp-hosts, as that is down to the owner of it and his system…

Thanks spg SCOTT.

Surprised by that answer, I am, however if that is how it is I will go and report to Care2 now…

@ Garrog

This blog is interesting by hpHosts author who is in your neck of the woods:
http://hphosts.blogspot.com

I stopped in here today for the same reason, Garrog. I’ve used Care2 for years to send e-greetings, and consider it a trusted site, but I’m also having Avast pop up the warning against HTML:Iframe-inf and aborting the connection. It happened when trying to view two different e-cards.

My Avast log also points to openx.org as the source.

I have notified Care2 and included a copy of the pertinent lines of my log, in the hopes that it will help them to eradicate the problem.

@GayzeN
Did you get any response to your message to Care2 as I have got no human response? (I have had an auto-acknowledgement and some cryptic messages from their mail server, however).