Keep getting web-infection blocked notifications

Starting today, I’ve gotten 3 notifications about web-infections being blocked.
What’s going on? I’m not even visiting fishy websites.

Welcome to the forum.
Remember that today's good site can be tomorrow's infected site.
You can always report the website to Avast if you think the detection is incorrect.
If you'd like someone to look into the problem further, you can post the link that's detected here,
but do not make it a clickable link: change http to hxxp or www to wxx when you post the link.

It happened on 3 websites in one day, and it usually never happens.

If you can also attach a screen of the avast alert window, it will give more of an idea of what the detection is.

If it has happened today and you haven’t rebooted or had a different avast popup, then you can right click the avast tray icon and select ‘Show last popup message’.

http://www.newgrounds.com/dump/draw/b3624cdb1a3ff1953e3b6c57d2772815

It looks like some advertising banner ad is going to a site considered malicious (URL:Mal) by avast. This usually means that the site is on some block list. Presumably you were at another site that displays ads.

Is this basebanner.com reflected in the other alerts that you have had?

This could be a form of ads poisoning, which is becoming more frequent.

I use the firefox adblockplus add-on, so generally I don’t see these ads and subsequently avast alerts if an ad site is compromised.

Yeah, site had ads.
One was dailymotion, the other was a wikia.

It is difficult to say if this is a random case of ads-poisoning or if there happens to be something in your browser trying to connect to malicious/hacked sites.

This will probably need the skills of one of the malware removal specialists, I will try to get one to take a look at this and they will advise on what the next stage is.

Will do a Malwarebytes scan tomorrow. Will keep you guys updated.

It could be ad poisoning, but if you are still having problems I could take a look for you.

FWIW, I did some checking and I found something to do with amazon.com
here http://dnscheck.pingdom.com/?domain=basebanner.com&timestamp=1418676578&view=1

Found this about basebanner.com/ in a quick check
https://www.virustotal.com/en/url/b2fbe7a26aa6ad23442961c3e335cfdee2590a5723bc6efe0a729029c0b4dd5d/analysis/1418677194/
http://multirbl.valli.org/lookup/basebanner.com.html
http://zulu.zscaler.com/submission/show/f7d13fd78ab12affc9c43382e24c5baf-1418676556
Redirects found here http://www.ragepank.com/redirect-check/
Blacklisted here http://sitecheck.sucuri.net/results/basebanner.com

Site is unsafe and has privacy issues…as Para-Noid has already clearly established.
Some additional info to get that picture somewhat more complete: where the real issue lies is a "http - https redirect".
basebanner com is trying to redirect to basebanner dot com/blank.html
Flagged by Bitdefender TrafficLight as malicious.
Google Safebrowsing does not flag now: http://www.google.com/safebrowsing/diagnostic?site=basebanner.com
Did not follow redirect to http://158.85.47.164-static.reverse.softlayer.com/blank.html
The plain HTTP request was sent to HTTPS port SSL teracreative dot com -
Had a history of trojans: http://google.cn/safebrowsing/diagnostic?site=teracreative.com/
The specified URL does a non search engine friendly redirect to another page (24 pages do a 302 (temp) redirect).
Nameserver issues: http://www.dnsinspect.com/basebanner.com/1418694696
The https site has privacy issues: http://www.uploady.com/#!/download/xhL_JQbJSQT/VyjzWt~mABywNd9w
Net_err_cert_common_name_invalid - only correct autocomplete settings - Form element of type 'url', child of '_f'

polonus

I know Amazon is known for leaving cookies so they can target ads, but I delete my cookies daily.
Will do a Malwarebytes scan in a bit.

Hi tom.vanhee,

What can be said about the IP and site is that it is known as a PHISH: https://www.virustotal.com/nl/url/b2fbe7a26aa6ad23442961c3e335cfdee2590a5723bc6efe0a729029c0b4dd5d/analysis/
This scan is also rather conclusive: Domain Name: 158.85.47.164-static.reverse.softlayer.com
URL Tested: htxps://158.85.47.164-static.reverse.softlayer.com
Number of items downloaded on page: 1

SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:

ERROR: certificate common name ‘*.teracreative.com’ doesn’t match requested host name ‘158.85.47.164-static.reverse.softlayer.com’.
Certificate valid through: May 22 19:54:42 2017 GMT
Certificate Issuer: GoDaddy.com, Inc.
SSL Protocols Supported: SSLv3 TLSv1 TLSv1.1 TLSv1.2
Server supports SSLv3, may be vulnerable to POODLE attack. It is suggested to disable the SSLv3 protocol.
Server certificate
Total number of items: 1
Number of insecure items: 1
Insecure URL: htxp://158.85.47.164-static.reverse.softlayer.com/blank.html

Damian
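The two findings in the scan output above (a certificate whose common name does not cover the requested host, and a server still offering SSLv3) can be reproduced offline. The following is an added Python example, not code from the thread or from any of the scanners quoted in it; the function names are mine, and the sample input is constructed from the values quoted in the post (`*.teracreative.com`, the softlayer reverse-DNS host, the expiry date and the protocol list).

```python
"""Offline check of a certificate name against a requested host, plus the
expiry and protocol findings a scanner would report.  Sample values are
constructed from the scan output quoted in the thread."""
from datetime import datetime, timezone
import ipaddress

# Versions a defender should flag as still offered (SSLv3 is the POODLE case)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name (CN or dNSName SAN)
    against the host the client asked for.  A wildcard is honoured only when
    it is the whole left-most label and it matches exactly one label, so
    '*.example.com' covers 'www.example.com' but not 'example.com' or
    'a.b.example.com'.  IP-literal hosts never match a DNS name."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # an IP literal needs an iPAddress SAN, not a DNS name
    except ValueError:
        pass
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # wildcard only as the entire left-most label, with at least two fixed
    # labels after it (no '*.com'), and the label counts must agree
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def assess_server(requested_host, cert_names, not_after, protocols, now):
    """Return findings in the style of the scan output: name mismatch,
    expiry, and deprecated protocol versions still offered."""
    findings = []
    if not any(hostname_matches(n, requested_host) for n in cert_names):
        findings.append(
            f"certificate names {cert_names} don't match requested host name "
            f"'{requested_host}'")
    if not_after <= now:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    weak = sorted(DEPRECATED_PROTOCOLS & set(protocols))
    if weak:
        findings.append(
            f"server still offers deprecated protocols: {', '.join(weak)}")
    return findings


def parse_openssl_date(text):
    """Parse the 'May 22 19:54:42 2017 GMT' date format used in the scan."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=timezone.utc)


# Constructed sample: the values quoted in the thread's scan output
SAMPLE = {
    "requested_host": "158.85.47.164-static.reverse.softlayer.com",
    "cert_names": ["*.teracreative.com"],
    "not_after": parse_openssl_date("May 22 19:54:42 2017 GMT"),
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
}
# Assumed scan time, roughly when the thread was posted (December 2014)
SCAN_TIME = datetime(2014, 12, 15, tzinfo=timezone.utc)


def sample_findings(now=SCAN_TIME):
    """Findings for the constructed sample at the given point in time."""
    return assess_server(now=now, **SAMPLE)


if __name__ == "__main__":
    for line in sample_findings():
        print("ERROR:", line)
```

Run as-is it reports the same two problems the scanner did: the wildcard `*.teracreative.com` has three labels and cannot cover a seven-label reverse-DNS host, and SSLv3/TLSv1/TLSv1.1 are still on offer. Evaluated at a date after May 2017 it adds the expiry finding, which is the check a browser performs in addition to the name match.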

Personally I would take essexboy up on his offer (if you are still having problems) to run some analysis tools to see what is what.

MalwareBytes may not be enough for a detailed analysis. After you have attached that log, check out this topic “Logs to assist in cleaning malware” https://forum.avast.com/index.php?topic=53253.0 and run the next tool Farbar Recovery Scan Tool (FRST) and attach the log in this topic. Then wait for essexboy to check out the logs and give further instructions.

Do as DavidR suggests, his recommendation is a sound one.

polonus

Did a Malwarebytes scan and problem seems to be gone.

Are you sure?
I strongly urge you to let essexboy have a look.

Follow these instructions https://forum.avast.com/index.php?topic=53253.0
And post the results in this thread.

Used same sites, got nothing.
I really don’t want to download new programs on this old computer.

Don't worry, essexboy cleans up after himself.
But if you happen to have a time delay backdoor trojan and it gets loose on your machine... well, you know.

Better safe than sorry.