Malware Detected at Notebook Review forums?

Viruses and worms
1

Hi. Whenever I try to access the forums at notebookreview.com, Avast blocks my access and reports that there is a HTML:Script-inf infection. Can anyone else replicate this, and answer if it’s a false positive or not?
Thanks.

2

Detetion seems alright!
some sort of script tag leading to suspicious website jscriptss.com/gate.php?a=364 is detected

not sure on the redirected site…

jscriptss.com/gate.php?a=364 benign
[nothing detected] jscriptss.com/gate.php?a=364
status: (referer=http:/twitter.com/trends/)saved 311 bytes ff8c79fb0eb1230786a8a607b988f4cba4729f70
info: [decodingLevel=0] found JavaScript
error: undefined function location[_0x3bb1[4]]
error: undefined variable _0x3bb1
file: ff8c79fb0eb1230786a8a607b988f4cba4729f70: 311 bytes

U can report a FP here www.avast.com/contacts

3

Reported to virus analysts to check.

4

It was confirmed to be a good detection by one of the virus labs team (in another topic), Milos I believe.

5

ive sent a report to support.

heres my thread most probably posted in wrong sub forum DOH! http://forum.avast.com/index.php?topic=99863.0

DavidR
when you say it was confirmed to be a good detection do you mean harmful or not. 3 independant scans done by the forum moderators all came back clean.
can i post the links?

edit:

problem solved. just posted on nbr. if you go to the main page of nbr and scrool all the way to the bottom and change dropdown box to default v-bulletin it stops the popup.

6

Hmm. Still doesn’t answer what/why avast is detecting at the site…

7

true but at least it stops the annoying popups until support get back to me.

8

The detection is correct there is a script tag on the site leading to jscriptss.com/gate.php?a=364 which is malicious…so its correctly blocked…contact webmaster and ask him to remove script tag from his site

9

The url involved is fairly random, the file name is identical between the requests, occuring back to back.
Example /gate.php
This leaves analysts with virtually very little to base a signature on.
Common factor for all flagged sites is that all have outdated versions of the vBulletin software, e.g. 4.0.2,
templates could have been infected,

polonus