[Resolved] URL: Malware

2 simultaneous incidents just happened regarding “URL:MAL”.

I clicked on the following search link and Avast showed alert: URL:MAL
Reptilian/ Reptoid Information Resource | The information you need
I interviewed a few of the former employees on these … modern airport built on an alleged underground, reptilian base. … reproductive organs, tongues, etc. used for – i.e. the …
wXw dot freewebs.com/reptoids/undergroundbases.htm
…BUT…Avast showed the URL to be: “the movie downloads dot com” as the URL instead of showing the URL listed as from freewebs dot com!
:o ???

Next, I went to Unmask Parasites in order to see what it said about “the movie downloads dot com” URL…BUT…as I entered Unmask Parasites from MY SEARCH PAGE OF “Start page dot com”, Unmask Parasites instantly showed me that my start page “start page dot com” has:
23 suspicious inline scripts found. ??? :o

Next, I typed in the URL for “the movie downloads dot com” to see malware…BUT…Unmask Parasites shows that URL to be “clean”!

So I had only intended to alert you about the original search page link that Avast sounded off on (wXw dot freewebs.com/reptoids/undergroundbases.htm) but which Avast also said was coming from a different URL (the movie downloads dot com)! AND now, ALSO, even though Unmask Parasites says the URL for “the movie downloads dot com” is clean…it is telling me that my start page I use (most of the time instead of Google), called “start page dot com” has 23 suspicious inline scripts found!

I tried to make this sound intelligible, but I realize I may not have stated this too clearly! ::slight_smile:
Can someone please advise me as to whether I should stop using “start page dot com” for a while?
…and…is there malware in either of those 2 URLs that Avast had trouble with, but which Unmask Parasites did not have trouble with?

EDIT: I forgot to say that while on the Unmask Parasites website, I tested out BOTH of those URLs that Avast questioned, and both were stated to be clean.

Both were stated to be clean? Don’t worry, I think it is a false alarm.
:slight_smile:

hxxp://www.freewebs.com/reptoids/undergroundbases.htm
…this is the search link I clicked

hxxp://www.themoviedownloads.com
…this is the URL Avast showed as the URL

hxxp://www.startpage.com (my chosen search page I mostly use instead of Google)

Thank you. I saw that Unmask Parasites showed those two first URLs as “clean”, but I thought perhaps something might have been wrong since Avast sounded off…I’m glad nothing was wrong after all!

BUT…what about my start page that I use called “hxxp://www.startpage.com”?
Unmask parasites says I have 23 suspicious inline scripts on it.

Hi, you can scan the link with this website: http://www.urlvoid.com/.
Please do not visit the following website: hxxp://www.themoviedownloads.com/ (DANGEROUS)
;D

It tries to load some .gif file from themoviedownloads.com

Also! If unmaskparasites has said that themoviedownloads.com is “clean”, it doesn’t mean it is. It means that it doesn’t have “suspicious” code or something, but it could host malware, for example. If avast blocks it, there is (or there was) some reason to do so.

Ok, so hxxp://www.themoviedownloads.com URL might still have something wrong with it.

I am curious though as to how or why Avast showed the above URL instead of the one I clicked on called: hxxp://www.freewebs.com/reptoids/undergroundbases.htm
I guess somehow the link I clicked on got redirected perhaps to the movie downloads link? ??? ???

If you go back to that Google search, then just hover your mouse pointer over the headline.
What URL is then showing at the bottom of your browser?

Maybe this is more than you want to know, but…

From my start page, called hXXp://www.startpage.com, I used the following search words:
Drakenberg, Dragon Mountain, i.e. a former Reptilian base…

The 3rd search link from the bottom of that search page shows:
Reptilian/ Reptoid Information Resource | The information you need
I interviewed a few of the former employees on these … modern airport built on an alleged underground, reptilian base. … reproductive organs, tongues, etc. used for – i.e. the …
hXXp://www.freewebs.com/reptoids/undergroundbases.htm

AND…when I hover over the link, it indeed shows the link to be:
hXXp://www.freewebs.com/reptoids/undergroundbases.htm

Therefore, that has left me questioning how hXXp://www.themoviedownloads.com URL was showing in Avast’s alert.

Have you done a malware check with Malwarebytes?

Also clean your temp files.

Temp File Cleaner by OldTimer ( will clean ALL and ONLY tempfiles )
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator)
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

The link you clicked tries to load .gif file from themoviedownloads.com.

I ran Malwarebytes and everything was fine.
When I opened Firefox again and checked Unmask Parasites against my startpage.com, NOW it showed my startpage was fine, also!
However, I went ahead and downloaded the TFC and used it, too.

Next, I decided to try that startpage search page link, again, so I typed in the words:
Drakenberg, Dragon Mountain, i.e. a former Reptilian base…
and the 3rd link from the bottom of the page was the link in question:
"Reptilian/ Reptoid Information Resource | The information you need
I interviewed a few of the former employees on these … modern airport built on an alleged underground, reptilian base. … reproductive organs, tongues, etc. used for – i.e. the …
hXXp://www.freewebs.com/reptoids/undergroundbases.htm"

…Again, when I clicked on that search link, Avast sounded off…AND AGAIN showed the URL in question to be a different URL that has the “URL:malware”:
hXXp://www.themoviedownloads.com/image/banner_1n.gif

What I don’t understand is why Avast is showing malware for the URL of movie downloads - a totally different URL than I even have available to me - when I’m actually clicking on a link for the free webs.com site?

OOPS! I just discovered that the hXXp://www.freewebs.com/reptoids/undergroundbases.htm web page contains information about the “movie downloads” website…it states:
Sponsors…Movie Downloads…Click Here to Visit Movie Downloads.

So I went a step farther by copying those few lines and pasting them into my email (where I have some notes about this avast problem), and AS SOON AS I PASTED THOSE LINES INTO MY EMAIL, the Avast alerted me, again! Perhaps the Avast would have gone off no matter what I copied from that web page? But at least I discovered why Avast kept referring to “movie downloads” as the culprit even though I was trying to access a different website…it’s because “movie downloads” is IN that website! Maybe I should be saying “duh!”? ::slight_smile: ;D

Well I don’t know what is with that “false alarm”: http://www.mywot.com/en/scorecard/themoviedownloads.com
Web of Trust doesn’t like it ::slight_smile:

About startpage, I don’t know that search engine, I trust in Microsoft, and I help them by submitting dangerous results to improve Bing, it’s marked as clean by Web Of Trust and some users agree too, only one said something about McAfee gave him an alert. (On StartPage)

Freewebs? Another nice site: http://www.mywot.com/en/scorecard/freewebs.com
Light green but it has more red comments than green ;D

And the first 2 lines are partly answers for this question:
"Avast sounded off…AND AGAIN showed the URL in question to be a different URL that has the “URL:malware”:
hXXp://www.themoviedownloads.com/image/banner_1n.gif

What I don’t understand is why Avast is showing malware for the URL of movie download"
I think you get URL:MAL because avast! has this site on its blocklist - so it blocks the connection, and that’s why avast shows the URL, and not the infected item(s) ;D

About this:
“So I went a step farther by copying those few lines and pasting them into my email (where I have some notes about this avast problem), and AS SOON AS I PASTED THOSE LINES INTO MY EMAIL, the Avast alerted me, again!”

  • Well, the most used tracking method is a transparent gif image with 1x1 pixel size, and when you copied the text, you could copy an image too, avast! (as I know) won’t give you warning if you copy and paste some text. (That image could be located anywhere inside the text)
    And as I said, because this site is listed on avast!'s URL Blocklist, when you pasted the text, avast! detected that there was something in that text you copied, warned you and blocked the connection.

I hope I was understandable ;D
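
The behaviour described in the replies above (the alert names the blocklisted host of an embedded banner image rather than the page that was clicked) can be reproduced offline. This is an added example, not part of any post in the thread: the hosts, HTML and blocklist are constructed placeholders, and the suffix match is a simplified stand-in, not avast!'s actual blocklist logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser requests by itself while rendering a page.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("object", "data"), ("link", "href")}

class ResourceCollector(HTMLParser):
    """Collects every URL a page references, resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute_url, fetched_on_load)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in AUTO_FETCH:
                self.resources.append((tag, urljoin(self.page_url, value), True))
            elif (tag, name) == ("a", "href"):
                # A link is only requested if the user clicks it.
                self.resources.append((tag, urljoin(self.page_url, value), False))

def host_blocked(host, blocklist):
    """True if host is a blocklisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def audit_page(page_url, html, blocklist):
    """Return off-site references whose host is on the blocklist."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for tag, url, on_load in collector.resources:
        host = urlsplit(url).hostname
        if host and host != page_host and host_blocked(host, blocklist):
            findings.append({"tag": tag, "url": url, "fetched_on_load": on_load})
    return findings

def alerting_urls(findings):
    """URLs requested without a click: the ones a web shield alert would name."""
    return [f["url"] for f in findings if f["fetched_on_load"]]

# Constructed sample (placeholder hosts): a page carrying a "Sponsors" banner.
PAGE_URL = "http://hosting.example/sponsored-page.htm"
BLOCKLIST = {"sponsor-banner.example"}
SAMPLE_HTML = """
<html><body>
<img src="/images/header.jpg">
<script src="http://stats.example.net/counter.js"></script>
<p>Sponsors</p>
<a href="http://www.sponsor-banner.example/">
  <img src="http://www.sponsor-banner.example/image/banner.gif" width="468">
</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(PAGE_URL, SAMPLE_HTML, BLOCKLIST):
        print(finding)
```

Only the banner image is fetched on load, so its URL is the one an alert would show even though the address bar holds the hosting page's URL.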

I’m sorry, Shalimar. I checked the website again in the morning, and I found all of them are clean. I think you can turn off the Avast! real-time when you visit hxxp://www.themoviedownloads.com, but you must install AVG LinkScanner to keep your website visits safe. I hope this can help you. Thanks!

Never turn off your real-time shields. That is like telling someone to drive a car without knowing there are no brakes! Avast shields are there to protect you.

I just performed several on-line scans and for those of you who did visit the site, I have bad news :cry: – see Anubis (the 2nd and 3rd give detailed results).

http://anubis.iseclab.org/?action=result&task_id=177687135e85aa4149dff8c725a78e996 (Summary of analysis)

http://anubis.iseclab.org/?action=result&task_id=177687135e85aa4149dff8c725a78e996&format=pdf

http://anubis.iseclab.org/?action=result&task_id=177687135e85aa4149dff8c725a78e996&format=xml

http://www.virustotal.com/url-scan/report.html?id=198d22f04ae721e416dd5286dc9b7d2b-1283132837 - clean

http://www.unmaskparasites.com/security-report/ - clean

http://www.novirusthanks.org/services/scan-websites-for-iframes/ - clean for iFrames

Checking several sites was worth it.

To all of you who went on this site:

  1. Update your Avast definitions and run a Full Scan. If you have a 32-bit machine run a Boot-time scan as well.

  2. Check for malware with Malwarebytes’ Anti-Malware (MBAM).
    · Download free http://www.malwarebytes.org/ for an on-demand scanner.
    · Double Click mbam-setup.exe to install the application.
    · After install, click update so you have latest database before scanning.
    · Under Settings:
      o General: Automatically Save File After Scan Completes is checked off
      o Scanner Settings: Check all boxes
      o Updater: Download and install update if available is checked off
    · Once the program has loaded, select “Perform FULL Scan”, then click Scan.
    · The scan may take some time to finish, so please be patient.
    · When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
    · Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
    · The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    · Copy & Paste the entire report in your next reply. - to the OP or anyone infected

  3. Download CCleaner Slim version (scroll down to see the Slim version - 4th down) without the toolbar http://www.piriform.com/ccleaner/builds to clean up your machine.

  4. Download TFC by OldTimer to your desktop.
    http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
    · Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    · It will close all programs when running, so make sure you have saved all your work before you begin.
    · Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    · Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Please do not visit the site mentioned in this thread or enter the site into any email. Thank you.

Visiting that site without real-time shields? 3/16 detections on URLVoid (hpHosts, Web of Trust and TrendMicro Web Reputation)
http://www.urlvoid.com/scan/themoviedownloads.com

I was scanning under the original web site the OP posted (no need to repeat it here). The OP then got the movie site listed in the Avast scan. If you look at the results of Anubis, this site can cause many changes.

To play it on the safe side, I would have one of our malware experts review this later and add comment to this. In the meantime, I would not turn off Avast shields and follow instructions I have posted earlier. Thank you. :slight_smile:

@Sartigan

About this: "So I went a step farther by copying those few lines and pasting them into my email (where I have some notes about this avast problem), and AS SOON AS I PASTED THOSE LINES INTO MY EMAIL, the Avast alerted me, again!"
  • Well, the most used tracking method is a transparent gif image with 1x1 pixel size, and when you copied the text, you could copy an image too, avast! (as I know) won’t give you warning if you copy and paste some text. (That image could be located anywhere inside the text)
    And as I said, because this site is listed on avast!'s URL Blocklist, when you pasted the text, avast! detected that there was something in that text you copied, warned you and blocked the connection.

I hope I was understandable


Thank you for your explanation.
As I previously said, I didn’t know if Avast would have sounded off its alarm with almost anything I would have copied from within that “freewebs” website, but because I had found words related to the other website called “movie downloads” within its web page (of which Avast had been sounding off its alarm), I wanted to report back to the forum what I had found…and so I chose to go ahead and copy/paste that text into an email draft only because it was quicker for me to do that instead of taking the time to write down the information. Foolish of me? “YES”!
As stated previously, the text I had copied/pasted from within the “freewebs” web page was:
“Sponsors…Movie Downloads…Click Here to Visit Movie Downloads”
And, of course, I was surprised to hear Avast sound off after pasting those words into my email because I then had been thinking it basically had been a false alarm.

@Devil

"I'm sorry, Shalimar. I checked the website again in the morning, and I found all of them are clean. I think you can turn off the Avast! real-time when you visit hxxp://www.themoviedownloads.com, but you must install AVG LinkScanner to keep your website visits safe. I hope this can help you. Thanks!"
Of note is that I don't download movies, so I have never "visited" or even attempted to visit the website called hXXp://www.themoviedownloads.com

With that said, I guess it appears the reason Avast was sounding off its alarm when I was trying to access the website called - hXXp://www.freewebs.com/reptoids/undergroundbases.htm - was because that website actually contained information about the “movie downloads” website WITHIN its web page and was containing the image/banner_n1.gif malware.

Also, for what it’s worth, I would like to mention that I personally would prefer never to turn off my Avast when using the internet because I wouldn’t feel safe in doing so.

@SafeSurf

"I just performed several on-line scans and for those of you who did visit the site, I have bad news :cry: – see Anubis (the 2nd and 3rd give detailed results)."

“Please do not visit the site mentioned in this thread…”


(A) For me personally, I only tried going to this website link:
hXXp://www.freewebs.com/reptoids/undergroundbases.htm
…which contains malware on its web page from an image/banner by “the movie downloads” website.
So until that ever gets fixed, I realize that I should not try linking to the “freewebs” website.
(B) I have no intentions of ever going to the “movie downloads” website.
QUESTION:
Are you referring only to hXXp://www.themoviedownloads.com?
OR…are you referring to both websites; the website I tried linking to and then actually ended up visiting, also (hXXp://www.freewebs.com/reptoids/undergroundbases.htm)?

Since I didn’t know if you were also referring to the website I actually ended up visiting (the freewebs one) “after” I ran the first MBAM & TFC scans (and CCleaner), and in order to be safe, I ran both of them, again, and all is well.

I ran the online scanners for the malware detection with hXXp://www.freewebs.com/reptoids/undergroundbases.htm and got the positive hit with Anubis.

Keep MBAM as an on-demand scanner; just remember to always update prior to using it and you can do a Quick scan in the future. Many of us use it here. The cleaners come in very handy as well.

Was your Avast FULL scan clean? If you have a 32-bit machine, did you do a Boot-time scan and was that clean as well? If you have a 64-bit, let me know and I will give you another diagnostic tool to use.

Is your machine otherwise acting normally now? If not, please describe any problems. Thank you.

Hi SafeSurf!

Thanks for explaining which website you scanned because I was mistakenly under the impression you had scanned the movie downloads site instead.
QUESTION:
If the freewebs website (hXXp://www.freewebs.com/reptoids/undergroundbases.htm) would eliminate the “movie downloads” text they have within their web page, do you think their website would then be free of malware? ::slight_smile:

I do updates with MBAM, SuperAntiSpyware, & Spyware Blaster daily before going on the internet, and I had done updates, again, before running MBAM both times regarding this issue. I use the quick scan regularly, but I chose to do full scans in this case.

I also use CCleaner daily (actually more than once daily). I had never used the TFC before, so I really don’t know if that is something I should be using on an ongoing basis or not. ???

Yes, my Avast full scan was clean, and here are the results of the 2nd scan:
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org
Database version: 4505
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
8/30/2010 4:38:58 AM
mbam-log-2010-08-30 (04-38-58).txt
Scan type: Full scan (C:|D:|)
Objects scanned: 216460
Time elapsed: 24 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

My machine has been working fine so far. I have a 64-bit OS (which includes a 32-bit internet explorer), so if you wish to give me another tool to use, please advise, and thank you.