malicious website not trapped by Avast

Hi,

my wife was searching for ‘rag doll pattern’ with Google. The first image that shows up in the small images section took her to a page that was apparently hijacked and infected. Luckily she said something along the lines of ‘huh, what’s this’ so I was able to kill Firefox before anything bad happened (it tried to download an executable to her PC).

The URL is http://brownscountrykitchen.com/ /so-felt-doll-pattern/ (I added the spaces between .com and /so-felt to prevent anyone from clicking it and getting into trouble).

The page is harmless with NoScript (which I use but my wife does not) and clearly shows a Russian connection.

I’m not sure how to tell Avast to add this site to their blacklist or how to tell Google to remove this one from their search results. Oddly, when you search just for images ‘rag doll pattern’ the malicious page does not show up.

My wife’s computer runs Avast and it did not prevent the attack. It would probably have detected that the downloaded application was malware but it would have been better if it had detected the bad content. Not sure if that’s possible.

Thanks,

Sander

The page appears normal to me. There is no apparent link to anything originating from Russia. The only NoScript info is to the page itself.

What symptoms did your wife’s computer exhibit at the point she thought something was wrong?

Hi,

did you reconstruct the URL to include the /so-felt-doll-pattern/ part?

It popped up a message box saying ‘are you sure you want to leave this page’ and when the dialog was dismissed it attempted to download a suspicious-looking .exe. The background was a screenshot meant to look like Windows settings related to security.

This is the URL I went to, with the "tt"s changed to X’s. (A usual convention to sanitize a link.)

hxxp://brownscountrykitchen.com/so-felt-doll-pattern/

Hmm, looks like the page was restored. How did that happen so quickly? Quite a coincidence I’d say. It is fine now, near as I can tell. Still leaving the JavaScript disabled though.

When I loaded the page right before posting it was empty except for a small box top left. Ctrl-U showed that there was JavaScript to lock the user on the page and a form that posted to a .ru.

Thanks for responding.

Beats me. Maybe an alert webmaster.
Maybe the Google result was a spoof.
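
An added example, not part of the thread or written by any poster: a static check of a saved page's source for the two traits reported from Ctrl-U above, script that traps the user on the page and a form that posts to another host. The sample HTML, `site.example` and `collector.invalid` are constructed, and treating the leave-page prompt as a `beforeunload` handler is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the "are you sure you want to leave this page" prompt came from
# a beforeunload handler, the usual way a page raises that dialog.
UNLOAD_RE = re.compile(
    r"\bonbeforeunload\b|addEventListener\(\s*['\"]beforeunload['\"]", re.I)
PAGE_URL = "http://site.example/so-felt-doll-pattern/"  # constructed host
SAMPLE = """<html><body>
<script>window.onbeforeunload = function () { return "stay"; };</script>
<form method="post" action="http://collector.invalid/in.php"><input name="q"></form>
<form action="/search"><input name="s"></form>
</body></html>"""  # constructed page, not the one from the thread

class PageTriage(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_script = tag == "script"
        if "onbeforeunload" in attrs:  # inline handler, e.g. on <body>
            self.findings.append(("leave-page-trap", f"<{tag} onbeforeunload>"))
        if tag == "form":  # resolve relative actions before comparing hosts
            target = urljoin(self.page_url, attrs.get("action") or "")
            host = urlparse(target).hostname or ""
            if host and host != self.page_host:
                self.findings.append(("off-site-form", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and UNLOAD_RE.search(data):
            self.findings.append(("leave-page-trap", "script sets beforeunload handler"))

def triage(html, page_url):
    parser = PageTriage(page_url)  # parses markup only, never executes it
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(triage(SAMPLE, PAGE_URL))
```

Neither trait is malicious on its own, since many legitimate pages use both; the pairing on an otherwise empty page is what makes the source worth a closer look.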