AVAST TECHNICAL SUPPORT RESOLVED ISSUE
AVAST WEB SHIELD FALSE POSITIVE AT URL http://ocampoelectronics.8m.com
SUSPICIOUS JAVASCRIPT WAS JUST HARMLESS URL TRACKING CODE
Friday, February 18, 2011 1:58 AM
Hello,
It should be fixed.
Please let me know if the problem persists.
Miroslav Jenšík
AVAST Software a.s.
Notice for UK, Canada, US and Australian users:
You can also get free phone support from our partner iYogi phone number (USA) 877-314-5079, UK customers call 808-101-9216
Ticket Details
Ticket ID: PVG-519167
Department: Virus
Priority: High
Status: On Hold
Freeservers.com confirms VBS:Malware-gen web shield alert is a false positive, this code is not malware:
The code that Avast software has detected as malware is not malware, it is tracking code that has been added by freeservers to track its sites.
Please be assured that this will not cause any harm.
If you have any further questions, feel free to reply to this message and either I or another support agent will assist you.
Thanks,
Julianne Neve
Freeservers Escalation Team
Symantec Enterprise Edition reports no threat found at URL hxtp://ocampoelectronics.8m.com/. Freeservers uses JavaScript to embed its advertising links to free-hosted sites, that’s why Sucuri detects threat outside HTML. AVAST web shield is detecting a threat in JavaScript but it is a false positive. There is no threat. AVAST needs to update its definitions to resolve this false positive. A similar problem using AVAST web shield occurred at URL yahoo.com. See http://www.techrepublic.com/forum/discussions/102-267134
There is no such thing as a known good URL as things change so rapidly and hacking sites is the most frequent means of infection.
However, I get no alert on this page with firefox 3.6.13 and 110212-1 virus definitions and the site appears to be incomplete (like a place holder page), it just appears to have a freeserver log on, an enquiry page and selling AVG. So I have to wonder if this isn’t link promotion.
Please never assume yourself that the site is not infected and it’s a false positive by avast just because you know the site or you have been using it for a long time. Please wait at least until you have got an update from avast.
Please make sure that you enable the webshield again. It’s gonna hurt your computer if the website is really infected.
Currently it is affiliate site for Amazon products.
It means the site owner gets a little payment each time someone purchases a product through that site. Better to buy directly at Amazon, i.m.o.
The parent domain is a web hosting site with both free and premium categories; if it is free hosting then ads will be on the site. Due to the suspicious behaviour of the unescape and decode functions and the possibility of redirecting to a malicious advertisement, currently adding detection; will monitor this and update according to their actions.
detection added for - ocampoelectronics.8m.com.htm : Processed - JS/Agent.JP
I’ve been reading a lot of blogs. It looks like VBS:Malware-gen is reported by many Avast users giving a false positive. I have informed the web hosting service provider which is owned by United Online to examine this issue to determine if there is any infection. I am fairly certain that there is no malicious Visual Basic Script and Avast Web Shield is reporting a false positive because I tested the URL on my Windows 7 PC. (1) I ran a full AVAST system scan after viewing the website and Avast reported no infection found, and (2) I ran a full Malwarebytes system scan which reported no malicious code found. United Online does embed advertising on some of its members’ hosted web pages but this does not appear to be related to the VBS:Malware-gen false positive.
You can’t use that as any sort of confirmation as the VBS:Malware-gen is a generic signature designed to catch new versions of a particular type of malware. So what was being alerted on could be entirely different in each case.
There are if you browse the viruses and worms forum, many such cases of users reporting false positives, but by the end of the topic most are found to be good detections.
MBAM won’t find anything as it isn’t even looking for that sort of thing anyway, plus you are scanning your computer and the avast alert effectively blocks anything getting on to the system.
Whilst generic signatures are a fine balance between not catching new variants or detecting something that is good, avast in the past has been very accurate. So each case really has to be investigated on its own merits.
In this case there certainly is something strange going on with this number of obfuscated scripts outside of the closing HTML tag, a standards no-no.
So whilst this is ongoing:
Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
You can use the new - Contact avast http://www.avast.com/contact-form.php?loadStyles form to report what you consider a false positive on a web site for further analysis.
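The two signals raised in the replies above (scripts placed after the closing HTML tag, and unescape/decode calls) can be checked statically on a saved copy of a page. This is an added example, not part of the original thread or any vendor's detection logic; the sample page, the `tracker.example` host and the list of flagged calls are assumptions, and a finding is a reason to investigate, not a verdict.

```python
import re
from html.parser import HTMLParser

# Decode/execute primitives often chained in obfuscated inline scripts.
SUSPECT_CALLS = re.compile(r"\b(unescape|eval|fromCharCode|document\.write)\s*\(")

class ScriptAudit(HTMLParser):
    """Records every <script> and whether it appears after </html>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.html_closed = False
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append({"after_html": self.html_closed,
                                 "src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1]["body"] += data

def audit(page):
    """Return one finding per script that is misplaced or uses suspect calls."""
    parser = ScriptAudit()
    parser.feed(page)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts):
        calls = sorted(set(SUSPECT_CALLS.findall(script["body"])))
        if script["after_html"] or calls:
            findings.append({"index": index, "calls": calls,
                             "after_html": script["after_html"], "src": script["src"]})
    return findings

# Constructed sample page (not the page from this thread).
SAMPLE = """<html><head><script>var n = 1 + 1;</script></head>
<body><p>Shop</p></body></html>
<script>document.write(unescape("%3Cb%3Ead%3C/b%3E"));</script>
<script src="http://tracker.example/t.js"></script>
"""
```

Calling `audit(SAMPLE)` reports the two trailing scripts and skips the ordinary one in the head.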
So why better to buy direct? There’s nothing wrong with hosting Amazon’s products–that’s why Amazon.com has set up the Amazon Affiliate Network. The customer pays the exact same price at the Affiliate website, and there’s never any extra fees, and the customer makes his purchase directly through Amazon.com’s https portal, so you just don’t want to see this guy make a little money for selling Amazon stuff? That’s not a good reason. Just picking on him because he’s an Amazon Affiliate member.
Learn to read.
Did I say there is something wrong with hosting products from a company? No.
Did I say I don’t want that person to make a little money? No.
Did I pick on that person? No.
I only said it is an affiliate site and in my opinion it is better to buy directly from a store than through this affiliate. That is all I said.
The reason for this is simple. Multiple tests/checks say the site is at least suspicious. Why use a suspicious site instead of using a trusted one?
I read quite well, thank you. Your cautionary statement is well taken but even the biggest newbie knows better than to circumvent Avast web shield and expose their system to a potential malware infection (unless they are using a test system or running VM). It is highly unlikely that anyone who is relying on Avast web shield protection who then encounters an alert blocking a potentially infected site is going to (1) disregard it, (2) turn off web shield, or (3) add an exclusion, without first checking that the potential threat is confirmed benign. Even the most popular websites are susceptible to infection because they rely on third party providers for advertising which makes them susceptible to unsafe script. In any event, Avast technical support has confirmed nothing detected. Symantec and McAfee also report nothing detected.
Tuesday, February 15, 2011 7:20 AM
Hello,
avast! does not detect this site now. Please update your program + database and check it again to confirm.
If the problem persists, please send us the screen shot with avast! message.
Miroslav Jenšík
AVAST Software a.s.
Well based on the information in the alert, this is what is going on:
One of your Firefox extensions is trying to connect to download.primawega.com and avast believes that URL to be malicious, e.g. it is on its malicious sites list.
Actions:
Check your firefox extensions, are they all ones that you have installed and why would they be trying to make a connection to that site. Any recently installed add-ons or ones that you aren’t familiar with, disable them one at a time and see if you can find which add-in is responsible.
Find that i8_vW_8_b.dll file in the path given and upload it for analysis:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.
Alternative scan:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later. - 2. SUPERantispyware (SAS). On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Here’s the problem. It may be a false positive so we need not worry about being infected, but what if you are the author of the site as I am. I have 2 websites at Tripod.com. I used to have them both over at Freeservers but moved to Tripod a few years ago for this very reason, the trojan warning from Avast! at Freeservers. But today I got that warning at Tripod too. I’ve had these websites up at Tripod for years with no problem. I even got a green check from McAfee Site Advisor. But today, I not only got the vbs:malware-gen alert at my Tripod webpages but am being blocked from going to the websites at all which also means that anyone with Avast is also being blocked from going to my 2 websites.