Malicious URL Blocked

I go to a site called yesfans.com. For the last couple of days I’ve been getting malware notices on every page in every thread.
I told the site admin, and he’s doing nothing. Two other people there are getting the same notices. I’m not sure what’s happening.

I found some links online to check sites for malware using different antivirus programs and the site is clean according to all of them except avast.

These are the alerts I’ve been getting.

Any help would be appreciated.

Where the i should be in googlesyndication there is an l.

See: https://www.virustotal.com/url/c28d4311b6f58b5e1f6b5c96e3d36490f453bcfe13fb28fe8d3df66abbc18e5b/analysis/1329059938/

Avast is alerting at the coding on line 1290.

Wow I didn’t notice that!

I’m sorry, silly question I know, but what do I do about it.

I told the site admin, and he's doing nothing.

Maybe you can refer him to this post, as the admin wouldn’t want to lose followers that use avast.

Thank you so much.

I’ll do that.

No Problem. :wink:

The site owner hasn’t responded yet, but I just have a question.

How does he fix this? Do the people responsible in developing the site change this?

Well, the main method to fix this would be either
A) Replace “L” with “I” or
B) Remove the script completely

Yes.

Thanks.

Sorry, I know absolutely nothing about this so I really appreciate your time and patience. :slight_smile:

No problem. I like helping people. :slight_smile:

Now all we have to do is wait for a response from the site admin and see if he’ll fix it. :wink:

This is what the site owner said,

I will see if I can figure out the problem but most of the google ad code is not found on YESFANS.COM, the ads are fed to the site. Not sure where to look for this issue. I will have to ask on Vbulletin.com and see if they know or if others have posted about it. For now can't you just tell your program throwing the error to ALLOW, WHITE LIST Yesfans.com to bypass this?? I am getting no emails on this from folks, just you few here.

Then…

I went and looked for the AD TEMPLATES on the site. They all are correct. None of them have the misspelled word that would take you to another site!?!?!?!? All of the ones here are spelled correctly. The issue is not on this site at this point. I will look for more answers but so far the code that is reported here as bad is spelled right on the site code for the google ads.

Still getting the malware notices at the site and now a few other members are as well. The owner has no idea what to do.

He said the coding on the line in the image I posted that’s misspelled is not that way in his coding on the site.

I’m so confused I don’t even know what question to ask. :-\

Cynderella28.

I am no expert, but you can show him this topic for guidance. It is a typical redirection by pagead2.googlesyndlcation.com/pagead/show_ads.js:

http://community.websense.com/blogs/securitylabs/archive/2012/01/23/search-for-google-chrome-leads-to-compromised-chrome-plugin-forum.aspx

Good luck.

Thank you.
I posted the link in the forum for him to check out.

He said he’s seen that link and based on what it shows here none of his google ads code has that L instead of the I.

The site owner said he turned off the google ads 16 hours ago.

I’m still getting the malware notices.

He says this is why he thinks it is not a site issue or coming from the Google ads.
They have been turned off since last night, and there are no ads being fed to the site.

What about the alert in the second image I posted above that has this…

Infection Details
URL: hXtp://www.yesfans.com/showthread.php?71…
Process: file://C:\Program Files\Internet Explore…
Infection: html:Script-inf

What does infection html:Script-inf mean?

Norman lab says infected

yesfans.com.htm : Processed - HTML/Script.R

Hmmm I just ran this and nothing came up this time. But yes something’s wrong because I’m still getting the alerts.

https://www.virustotal.com/url/cb3830ba277425de7a6e11a9ea409249b9524f638c6ce787076987bbe4a9424a/analysis/

avast still detects

forum.php
http://virusscan.jotti.org/en/scanresult/8fccf1ded4c4e62e7fa77ec9d98866e7fa897e5b

www.yesfans.com.htm
http://virusscan.jotti.org/en/scanresult/23d460e13077141b45dc7b1255892386bd0a3e60

If they need help cleaning you can send them here http://sucuri.net/signup

Hi cynderella28,

First, remove the active link in your previous post stating the script infection. You can do this by replacing http:// with hXtp://

A malicious tag was found.
See attachment #1 for more details.

Scripts are still there.

His font must make "L"s look like "I"s. Tell him to search for “pagead2.googlesyndlcation.com” in his site.

Remove all infections that contain a link to “pagead2.googlesyndlcation.com”.

Edit: You can also compare the ads with the site mentioned here: http://forum.avast.com/index.php?topic=93271.msg742784
See 2nd attachment for more details.
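
The search suggested above can be done without relying on how a font draws "l" and "I". The following is an added example, not code from anyone in this thread: it extracts every script host from a page and flags any that is a near miss of the expected ad host, marking the differing character. The expected-host list, the function names and the sample page are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the only third-party script host this site means to load from.
EXPECTED_HOSTS = {"pagead2.googlesyndication.com"}
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike_scripts(html, expected=EXPECTED_HOSTS, max_distance=2):
    """Return (line_no, host, expected_host, marker) for near-miss script hosts."""
    findings = []
    for line_no, line in enumerate(html.splitlines(), 1):
        for url in SCRIPT_SRC.findall(line):
            if not re.match(r"(?:https?:)?//", url, re.I):
                continue  # relative URL: served from the site itself
            host = (urlparse(url).hostname or "").lower()
            for good in sorted(expected):
                if 0 < edit_distance(host, good) <= max_distance:
                    # '^' marks each position that differs from the expected
                    # host, so the result does not depend on how a font
                    # draws 'l' and 'I' (aligned for substitutions only).
                    marker = "".join(
                        " " if i < len(good) and c == good[i] else "^"
                        for i, c in enumerate(host))
                    findings.append((line_no, host, good, marker))
    return findings

# Constructed sample of a served page, not taken from the site in the thread.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="clientscript/site.js"></script>
</head><body>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script src="http://pagead2.googlesyndlcation.com/pagead/show_ads.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line_no, host, good, marker in find_lookalike_scripts(SAMPLE_PAGE):
        print(f"line {line_no}:\n  found    {host}\n           {marker}\n  expected {good}")
```

Running it over the HTML a browser actually receives, as well as over the stored templates, shows whether the lookalike host is in the templates or is being added somewhere else before the page is served.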