system
1
Hello - I own a site (wxw.southernairboat.com) that Avast has started blocking within the past week and am looking for some help to figure out just what it is that Avast doesn’t like. Avast was initially blocking the entire site, but within the last couple of days appears to be blocking our phpbb3 forum only.
Here’s some details:
- I access the site with several other computers and antivirus programs with no problem.
- I have manually searched site files, with my limited knowledge, looking for recent changes.
- Sucuri.net constantly monitors the site and I have scanned it with every online site scanner I have found, with clean results every time.
- I have installed Avast on one of my computers and have been reporting the site as a "false positive" regularly for about a week.
Here’s some scan results:
hxxp://sitecheck.sucuri.net/results/southernairboat.com
hxxp://www.urlvoid.com/scan/southernairboat.com/
hxxps://www.virustotal.com/en/url/a83c4a7fa671abb0f22b749a4db4bd69adc254c3e197ef4d673c21c4bd91746d/analysis/1376489254/
Any help would be greatly appreciated.
URLQuery: hxxp://urlquery.net/report.php?id=4553768
Zulu: hxxp://zulu.zscaler.com/submission/show/08d9e7f010dcc65fe4b70326fa4c7e96-1376492959
Quttera: hxxp://www.quttera.com/detailed_report/southernairboat.com
Quttera reports a potentially suspicious file on the site.
I will notify Polonus about this; he is a website analyst.
I am already getting an alert when I open this topic, and your screenshot is not working…
This is being blocked: hxxp://www.southernairboat.com/phpBB3/download/file.php?id=10884
DavidR
3
To both posters:
Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Even more so as the links cause avast to alert on its own support forum.
Edited, DavidR. I forgot that, because I copied it from the Avast Security Center.
Polonus is notified.
DavidR
5
There is still something there that is causing avast to alert, and I believe it may well be the analysis links: if avast looks further at the links on the site, it would then hit the suspect URL responsible for what looks like a drive-by download.
Every time I open this topic I get the alert.
So all links including analysis ones need to be modified.
Done. No alert when I open it.
But when I go to answer, same alert as before.
DavidR
7
Yes, because you weren’t the only one needing to modify the links.
I get it on opening and not when I post a reply, as the block has been made initially; don't know why it would be like that.
Yes, me too now, and your 5 green boxes over your picture aren't working.
And now no alert, and they are functioning…
Now again an alert, and the edit pictures aren't working…
Weird…
Polonus, open the link above with Quttera and go to the scanned files analysis tab; under potentially suspicious files you can see what is flagged.
Hi Steven Winderlich,
I have seen that in the Quttera scan results and launched it in jsunpack, and there I did not see anything alarming:
http://jsunpack.jeek.org/?report=d41df40646718a2d976d31588ecc68c9fbfac7df
Uses an iframe shim to mask system controls for IE 5.5 and higher up.
Whenever malware is involved with this overLIB/mini.js, well, it could be BKDR_CIDOX.CH that is involved →
http://about-threats.trendmicro.com/malware.aspx?language=au&name=BKDR_CIDOX.CH
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
polonus
So he has to remove this. 8)
DavidR
16
Yes, that is likely to filter through/escalate from a web shield alert to the network shield, adding this to the malicious sites list as more and more people get the alerts.
system
18
The file “/calendar/overLIB/overlib_mini.js” does not appear to have been modified since Jan. 2011. I have also compared it to a fresh copy downloaded from the overlib site and found no changes. Also, the main calendar page on our site uses it with no alerts from Avast: hxxp://wxw.southernairboat.com/calendar.php
Would this be possible if “overlib_mini.js” was the file that Avast does not like?
Thanks
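The comparison described in the post above (the deployed overlib_mini.js against a fresh copy from the overLIB site) done systematically, as an added example that is not part of the thread and not code from the site or from Avast: hash both copies and, when they differ, list the lines that were added or removed and flag those that look like an injected loader. The JavaScript samples and the marker list are constructed for the example, and `compare_tree` assumes the deployed and pristine directory trees are laid out identically.

```python
"""Compare deployed site files against pristine upstream copies.

Added example, not from the forum thread. Reproduces the check the poster
did by hand on overlib_mini.js: hash both copies, diff them on mismatch,
and point at added lines that look like injected loaders.
"""
import difflib
import hashlib
from pathlib import Path

# Constructed stand-in for a pristine upstream JS file (not real overLIB).
PRISTINE_JS = b"""/* overlib stand-in (constructed sample) */
function ol_show(){return true;}
function ol_hide(){return false;}
"""

# Constructed stand-in for a tampered deployment: one line appended that
# writes a hidden iframe, the typical shape of an injected drive-by loader.
TAMPERED_JS = PRISTINE_JS + (
    b"document.write('<iframe src=\"http://example.invalid/x\" "
    b"width=0 height=0></iframe>');\n"
)

# Substrings that are common in injected loaders; assumed list, tune per site.
SUSPICIOUS_MARKERS = ("<iframe", "document.write", "eval(", "unescape(")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_files(deployed: bytes, pristine: bytes, name: str = "file.js") -> dict:
    """Return both digests, whether they match, and added/removed lines."""
    result = {
        "deployed_sha256": sha256_hex(deployed),
        "pristine_sha256": sha256_hex(pristine),
        "match": deployed == pristine,
        "added": [],
        "removed": [],
    }
    if result["match"]:
        return result
    # Decode leniently: an injected payload may not be valid UTF-8.
    deployed_lines = deployed.decode("utf-8", errors="replace").splitlines()
    pristine_lines = pristine.decode("utf-8", errors="replace").splitlines()
    diff = difflib.unified_diff(
        pristine_lines, deployed_lines,
        fromfile="pristine/" + name, tofile="deployed/" + name, lineterm="",
    )
    for line in diff:
        if line.startswith("+") and not line.startswith("+++"):
            result["added"].append(line[1:])
        elif line.startswith("-") and not line.startswith("---"):
            result["removed"].append(line[1:])
    return result


def flag_suspicious(lines) -> list:
    """Keep only lines containing a marker from SUSPICIOUS_MARKERS."""
    return [l for l in lines if any(m in l.lower() for m in SUSPICIOUS_MARKERS)]


def compare_tree(deployed_dir: str, pristine_dir: str) -> dict:
    """Compare every file under pristine_dir with its twin under deployed_dir.

    Returns {relative_path: compare_files(...)} for files that differ or are
    missing from the deployment; identical files are omitted.
    """
    pristine_root, deployed_root = Path(pristine_dir), Path(deployed_dir)
    findings = {}
    for src in pristine_root.rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(pristine_root)
        dst = deployed_root / rel
        if not dst.is_file():
            findings[str(rel)] = {"match": False, "missing": True}
            continue
        r = compare_files(dst.read_bytes(), src.read_bytes(), name=str(rel))
        if not r["match"]:
            findings[str(rel)] = r
    return findings


if __name__ == "__main__":
    report = compare_files(TAMPERED_JS, PRISTINE_JS, name="overlib_mini.js")
    print("match:", report["match"])
    for line in flag_suspicious(report["added"]):
        print("suspicious added line:", line)
```

A file that matches the upstream hash, as the poster found for overlib_mini.js, cannot be what a scanner objects to on its own; the interesting result is a non-empty `flag_suspicious` list, or a file that is missing or extra in the deployed tree (extra files are not reported here, since only the pristine tree is walked).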
DavidR
19
Have a look at my image in Reply #2 above: that is alerting on a file in the phpBB3/download folder, file.php, so something is triggering that download.
system
20
That particular file being blocked (…phpBB3/download/file.php?id=10884) was the image file of the Avast alert that I had just posted in my forum. My initial post here used the img tags to display it…my bad on that move.