"Malicious URL Blocked" randomly pops up when I click on reputable links

I ran an avast! scan and a malwarebytes scan; both came back clean.
Here is the message:
http://i.imgur.com/dLSmi.png

When I click on a google search link that I regularly visit (yahoo/youtube/etc.), this message will randomly pop up. But after clicking the same link again, it opens with no problem. If there is anything else I can provide someone who might be able to direct me, I will get it as soon as possible.

Sometimes even good sites wind up with bad script on them.

Are you using NoScript? If not you might want to consider installing it and see what happens

http://www.hoopsworld.com/Story.asp?story_id=19895

Ive read that noscript will just mask the problem and not make it go away :confused:

Anyway, is there a way to find out if that IP is fishy? I guess it’d have to be, right?

Why don’t you just go read the reviews and find out what it does and if people who use it like it.

Its the third most popular Firefox addon and gets over 400,000 downloads a week with a total to date of over 85 million downloads. I find it hard to believe that there are any Firefox users that don’t use NoScript, seriously :slight_smile:

https://addons.mozilla.org/en-US/firefox/addon/noscript/

It blocks the bad stuff which is also what Avast does. Neither of them eat it for lunch :slight_smile:

Well I downloaded it and am using it. Thanks for the tip. But man this is a bit annoying to use. :stuck_out_tongue:

Anyway, are you saying that if the error quits popping up, it’s ok to just leave my system as-is and eventually one of the virus definitions will catch it? I would HATE to wipe my drive clean, but I would hate it even more if I lost all my personal info.

@ Jringo7,

Can you please change your initial link from http to hXXP so no one can accidentally click on it in case it is malicious?

In the meantime, you can submit the url to an online scanner:

The time it takes for the online scanners depends on web traffic to the site, so be patient.

Please post your results back here if it is clean or not (cut and paste).

NoScript (for FF) or NotScripts (for Chrome) is a very useful tool at eliminating scripting, which is often used for malware, and you can easily configure it. Many of us use it.

Thank you for the advice. Anubis had a long queue, but SOSWebScan says: Your site URL hXXp://64.111.211.155/c.php?re=1&r=eNo9UcuOozAA-yAkJg9CyKEH6EBb has been successfully scanned.And No Malware or badwares found.

I also tried it with a “l” after the “yAk” in the address, because I can’t tell from the imgur screenshot. Oh, and that is a screenshot of my error message, not a link to the possible malware.

Yeah, it (NoScript) gets easier and is flexible, you can manage how much security you want it to handle.

But I certainly remember the feeling, like you are trying to run with your shoelaces tied together. :wink:

I usually tell people to give it a week or so of good browsing time, and if it hasn’t grown on you by then, just call it a day and move on. Despite its being a gold-standard for browser security, its just not for everybody.

If you hover your mouse over your link, someone can click on it. Please edit your post.

If you do not want to wait for Anubis, which is very comprehensive, then upload to Virus Total (VT). But you need to use several scanners, not just one.

Thank you Gargame.

And Safesurf, the initial link was to an imgur.com upload that I made of the avast message popup. It is a screenshot that I uploaded personally, to imgur.com. It is totally safe (unless I am totally confused and I don’t know what you’re referring to).

Also- Anubis said there would be a ~7 hour wait. But on Ipillion.com, there are several complaints about the IP that is at the beginning of the URL in the avast message. Here is the link to the ipillion website, with user-shared complaints for the IP that was in my Avast message - http://www.ipillion.com/ip/64.111.211.155

I was only a little worried until I read those complaints and they sound just like mine. :frowning:

URL Void:
Report 2010-07-27 03:46:25 (GMT 1)
Website ipillion.com
Domain Hash 1bf8c96b697679620ead8430ddc8b5ba
IP Address 209.62.45.43 [SCAN]
IP Hostname ev1s-209-62-45-43.theplanet.com
IP Country US (United States)
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service…
Detections 0 / 17 (0 %)
Status CLEAN

Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: MyWOT CLEAN
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN

When using Anubis, you need to put in the code requested at the end of the page and the average wait time is 7 minutes. Here is the one I did:

With Anubis, you need to put in the code requested on the bottom of the page to get expedited so it doesn’t take so long. I did this in minutes:

IP - hXXp://www.ipillion.com/ip/64.111.211.155:

You can try that and VT as another resource as I gave you ones above.

ummm… I’d wager that you know more about this stuff than I do, but didn’t you just scan the ipillion website? I posted the IP from the avast warning into ipillion to see what the reviews showed. Here’s where I think we aren’t understanding each other: The only link that I think is malicious is the one from (inside) my screenshot that I posted in my first message, where it says “object: …”. Imgur.com and ipillion.com are just two websites that I used and posted the links to my image/results. But thank you very much for scanning that site–it’s not something I would have thought to do, although my WOT said it was clean.

At this point in the night, I’m so tired that I’m not sure if I’m confused or I’m just not being clear. Either way, I’m going to get a few hours of sleep. Thank you for what you’ve helped with thus far and if you have any more advice, I would appreciate it tremendously.

I do not click on unknown and possibly suspicious images…especially since you have not changed it yet from http to hXXP.

You need to give us a url or scan it yourself with the links I gave you. I’m sorry, but we cannot get malware or afford the forum to get infected.

This is Renos or Alureon ‘call home’ URL. It’s not malicious per se, but it’s a sign there’s something rotten on the computer. Regarding urlvoid and similar - yes, it’s normal that many of these ignore such c&c urls.

So is there anything I can do to locate any potential malware and delete it? Is there any more info I can get in order to help you help me? I’ve run several scans and found nothing lately.

Yep, if you have a possible rootkit, then read this guide by the local cleaning expert to get the ball rolling, he can most likely get it cleaned up for you.>>http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

I got a notice this morning on both of my desktops that a Malicious Website was blocked

It appears that it was a Firefox Addon “CutyFox URL Shortner”. It generated the same message on both of my computers when I attempted to paste a shortened URL. So I removed that Addon and replaced it with the “TinyURL Generator” Addon.

Everything seems to working fine now. :slight_smile: :slight_smile:

Nesivos, glad to hear it. I wish I could figure out how to get rid of mine.

Gargame,
I ran OTS by OldTimer, and the scan completed but the log on notepad didn’t pop up. :confused:
I will run it again and update if I actually get a log this time.
And I ran the Malwarebytes scan again and got this:
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6642

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/25/2011 12:31:13 PM
mbam-log-2011-05-25 (12-31-13).txt

Scan type: Quick scan
Objects scanned: 160190
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Should I try to post in essexboy’s thread to direct him here?

Edit: OTS actually did create a txt file in the directory, but it’s several, several pages. If I should post this, please let me know.

No, don’t post in that thread. …technically, this is in the wrong section also, but its a little late to worry about that, if it needs to be moved, it will be. :wink: Next time, though, see “additional options” when you are making a post and post the logs as attachments. I’ll take care of informing Essexboy for you.

The OTS log will be in the same place as you saved the OTS main file

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png