SAS Forum infected/under attack ?????

I tried to go to SAS forum after Avast! detected in my IE 8 Favorite SAS forum link as INI:shortcut-inf[trj]

WOW what a surprise 1 Web Shield detection and 13 Network Shield detections. Too many to attach screenshots of alerts so here is the Avast! report:

Web Shield:
02/11/2012 20:47:56 -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

Network Shield:
02/11/2012 20:47:56 -http://forums.superantispyware.com/ [L] URL:Mal (0)
02/11/2012 20:47:56 -http://forums.superantispyware.com/public/style_images/master/advanced_search.png [L] URL:Mal (0)
02/11/2012 20:47:56 -http://forums.superantispyware.com/images/forum-top.png [L] URL:Mal (0)
02/11/2012 20:47:56 -http://forums.superantispyware.com/public/style_images/master/icon_quicknav.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/branding_bg.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/profile/default_large.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/f_icon.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/maintitle.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/uploads/profile/photo-thumb-20915.jpg [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/uploads/av-10620.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/cat_minimize.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/top.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/public/style_images/master/feed.png [L] URL:Mal (0)

Afterward my start page did not want to start up. I had Internet but when IE 8 and FF 16.0.2 were applied I got “Page not found”. I ran MBAM and did not find anything so I tried again and this time my browsers started with my start page.

I did run all the programs requested. Besides AdwCleaner which found some old IE 7 app to edit DHTML, the rest I believe are clean. However I will appreciate if any of you gents would take a look at them just in case.

I think Avast! just saved my skin. Thanks avast! ;D

Here are my 2 OTL logs.

You are not alone!! Even I am having URL MAL on SAS forum ;D

Me too, my scan moved c:users/favourites/superantispyware.com.indexpage.url to the virus chest. Name of file infected said was INI shortcut-inf[trj]. What’s going on? Also my scan hangs at 58% for ages and then all of a sudden whizzes up to 99%, it hasn’t done that before?

It sounds like the forum of SAS might have been hijacked.

http://forum.avast.com/index.php?topic=47096.0

Pretty useless link that, no mention of the SAS forum being hijacked - and it’s a 2009 topic!!

Here, in avast! Free/Pro/Suite: http://forum.avast.com/index.php?topic=108477.0

I would suggest a search of the Wilders forums as that is where these things normally get discussed when it isn’t possible to discuss them on the SAS forum if your AV is blocking it.

However, this is a bit strange in that it is only an issue at the forums. sub-domain as it is possible to visit hXXp://www.superantispyware.com/ without an alert.

The multiple alerts aren’t so much of an issue as essentially it is only the one alert on the forum.superantispyware.com sub-domain, so each connection to an image in that sub-domain would also trigger an alert.

My main interest is the very first alert you listed.

Web Shield: 02/11/2012 20:47:56 -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

As that page appears to be loading a compressed script file - the |>{gzip} bit at the end as the HTML:Script-inf is a script injection alert.

The problem is once you get sufficient avast users getting a web shield alert on a site, that (through the avast! community) will eventually lead to the inclusion in the network shield’s malicious sites list. So this particular alert needs investigation as I suspect once that is resolved the network shield alerts would also be resolved.
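The triage described in the post above, as an added example that is not part of the thread: it parses report lines in the format quoted here, collapses the Network Shield hits into one block per host, and keeps the Web Shield content detection as the item to investigate. The function names `parse` and `triage` are hypothetical, the sample is a subset of the report lines quoted in this thread, and reading `|>` as the separator between the URL and the unpacked layer follows the post's interpretation.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: a subset of the Avast! report lines quoted in this thread.
REPORT = """\
Web Shield:
02/11/2012 20:47:56 -http://forums.superantispyware.com/|>{gzip} [L] HTML:Script-inf (0)

Network Shield:
02/11/2012 20:47:56 -http://forums.superantispyware.com/ [L] URL:Mal (0)
02/11/2012 20:47:56 -http://forums.superantispyware.com/images/forum-top.png [L] URL:Mal (0)
02/11/2012 20:47:57 -http://forums.superantispyware.com/uploads/av-10620.png [L] URL:Mal (0)
"""

# timestamp, "-" + object, "[L]", detection name, "(n)"
ENTRY = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+-(\S+)\s+\[L\]\s+(\S+)\s+\(\d+\)$")

def parse(report):
    """Yield (shield, url, layer, detection) for each report entry."""
    shield = None
    for line in report.splitlines():
        line = line.strip()
        if line.endswith(":"):
            shield = line[:-1]      # section heading, e.g. "Web Shield"
            continue
        m = ENTRY.match(line)
        if m:
            # Assumption: "|>" separates the URL from the unpacked layer.
            url, _, layer = m.group(2).partition("|>")
            yield shield, url, layer, m.group(3)

def triage(report):
    """Collapse per-host URL blocks; keep content detections per URL."""
    host_blocks = Counter()
    content_hits = []
    for shield, url, layer, detection in parse(report):
        if shield == "Network Shield":
            host_blocks[(urlsplit(url).hostname, detection)] += 1
        else:
            content_hits.append((url, layer, detection))
    return dict(host_blocks), content_hits

if __name__ == "__main__":
    blocks, hits = triage(REPORT)
    for (host, det), n in blocks.items():
        print(f"{host}: {det} x{n} (one host-level block)")
    for url, layer, det in hits:
        print(f"investigate: {det} at {url} layer={layer or '-'}")
```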

I agree with you DavidR that detection is the main concern.

Since Piriform forum was also detected as infected in an earlier topic yesterday I am taking no risks. I am pretty sure my logs are clean but I am waiting for Essexboy to take a look at my OTL logs.

Thank you.

Looks clean young sir… Any problems ?

Thanks Essexboy.

No, no problems right now. Thanks again, and thanks for the young sir ;D too.

Run OTL and hit the cleanup button to remove the tools you have used ;D

Yes sir. I was waiting for your “all good specialist clean up his tools after everything is done” speech. ;D

Do you want the whole 9 yards ;D ;D ;D

;D ;D ;D

Hey, I just posted that to show that sites that many people go to are usually targeted by malware, so it seems like that is what has happened here with the SAS forum.

No verdict yet on SAS Forum?

Virus Total: Clean
https://www.virustotal.com/url/4238010aaab306544f8898b07ec9bca1791618ab1df44680bd648fd000cb8179/analysis/1351975608/

Sucuri SiteCheck: Nothing
http://sitecheck.sucuri.net/results/forums.superantispyware.com

URL Void: Clean. Even by Avast!
http://vscan.urlvoid.com/analysis/acbc0ee311e406d589b6b22f90365898/aW5kZXg=/

URL Risk Analyzer: 18/100
http://zulu.zscaler.com/submission/show/d7e6e41806ebafae8266187ec55828b6-1351976099

urlQuery: Find some JavaScript
http://urlquery.net/report.php?id=82630

While there’s no new AVAST database — it’s still at 121104-0, which blocked the SAS forum when I tested it this morning —
I’m showing that I received a streaming update at 2:17 PM (USA - Eastern Standard Time)… and now, I CAN access the SAS forums.

But in an ironic twist, Webroot SecureAnywhere is now blocking the SAS forum: http://www.wilderssecurity.com/showthread.php?t=335315

No blocking for me on any of the tabs or main forum site. 8)

Yeap… I already restored my SAS link to my “Favorites” and entered SAS forum. NO alerts. ;D