URL Warning

Can someone help me out? I go to this site: http://www.wetcanvas.com. It’s a place for artists. Yesterday I started getting a warning whenever I go to the site and every time a page is changed or refreshed.

Can someone try to go to this site and see if they are getting any URL warnings? This has never happened with this site until yesterday.

Thanks for the help

See: https://www.virustotal.com/file/072654790b3f466be6d24b31a9defc55ae928d4a7aa6f03016e104939eb3cff0/analysis/1340458810/
And: http://urlquery.net/report.php?id=74227
And: http://urlvoid.com/scan/wetcanvas.com/
And: http://www.mywot.com/en/scorecard/wetcanvas.com/comment-6030533

You can report a possible false positive here: http://www.avast.com/contact-form.php

Thanks man… I really appreciate the help. All the links say that WetCanvas is clean. So I posted a possible false positive.
You’ve been a big help.

No alert with latest version of avast and virus definitions 120623-0, see image. This was using Firefox 13.0.1.

Ensure you have the latest virus definitions.

Hey David. Thanks for the information, but I wish I wasn’t getting this error every time a page loads or refreshes.
I’m using the same version of Firefox that you are and my virus definition number is one greater than you have.
Mine ends in “-1” instead of “-0”.

I don’t know what to do, but it’s driving me crazy. I’m tempted to just turn the thing off, but that scares me, lol

Whilst my having the very latest release version of Firefox shouldn’t have that impact, it is always advisable to keep your browser/s up to date as updates could include security fixes, closing a vulnerability and avoiding exploitation.

What we need is more information, given !Donovan’s and my findings, if you can attach an image of (just) the avast alert window.

What happens if you use a different browser?

If this is happening in a private area, etc. that we can’t access then we wouldn’t encounter it.

Hi DavidR,

There is AdConductor code on that site, see attached.
Notice the use of SCR'+'IPT and /SCR'+'IPT.
This is done to prevent the parser from interpreting the tags as executable code
rather than as a string to be written and may save code headaches down the road,
because of parsing differences (Win, Mac), just being cautious.

For web rep, see: http://www.mywot.com/en/scorecard/ads.addesktop.com
ads.addesktop dot com is listed in OpenDNS’s Block Tool http://forums.opendns.com
This could have been flagged,

polonus
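The SCR'+'IPT splitting described in the post above, seen from both sides: why an unsplit closing tag inside document.write cuts the inline script short, and how a content scanner can fold the concatenation back before matching on tag names. This is an added example, not code from the site or from any poster; the ad snippet, the ads.example host and all function names are constructed for illustration.

```javascript
// Constructed samples (not taken from the site): the same ad loader written
// with and without the split tag name. "ads.example" is a placeholder host.
const splitPage =
  "<script>document.write('<SCR'+'IPT src=\"//ads.example/a.js\"></SCR'+'IPT>');</script>";
const unsplitPage =
  "<script>document.write('<SCRIPT src=\"//ads.example/a.js\"></SCRIPT>');</script>";

// An HTML parser ends an inline script at the first "</script" it meets,
// even when that text sits inside a JavaScript string literal.
function inlineScriptBody(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const rest = html.slice(open.index + open[0].length);
  const close = rest.search(/<\/script/i);
  return close === -1 ? rest : rest.slice(0, close);
}

// Fold 'a'+'b' into 'ab' (same quote type only) until nothing changes, so a
// content scanner sees the tag name the browser will eventually write.
// Regex-based heuristic for illustration, not a full JavaScript parser.
function foldConcats(js) {
  const pair = /(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\])*)\1/g;
  let prev;
  do {
    prev = js;
    js = js.replace(pair, "$1$2$3$1");
  } while (js !== prev);
  return js;
}

// Return the document.write calls that emit a script tag once folded.
function writesScriptTag(js) {
  const calls = foldConcats(js).match(/document\.write(?:ln)?\s*\([\s\S]*?\)\s*;/g) || [];
  return calls.filter((c) => /<\/?script\b/i.test(c));
}

const body = inlineScriptBody(splitPage);
console.log(inlineScriptBody(unsplitPage)); // script body cut off mid-string
console.log(/<\/?script\b/i.test(body), writesScriptTag(body).length);
```

The unsplit page yields a truncated script body, while the split page survives intact and only matches a tag-name signature after folding.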

That is one reason why I asked for the screenshot to try and see what the alert is on.

Since I also have AdBlockPlus, that may be blocking the ad site and possibly the alert (though the malware name given to the alert doesn’t support that). I allowed the site (and even addesktop.com) in NoScript (and requestpolicy), but the web shield doesn’t have to have the script run to have it scan the page content. If it runs then the script shield should also scan the script.

I believe that the web shield would see the scr'+'ipt as it should and if so it wouldn’t just be alerting on one user’s system. Are you getting an alert when you visit the site?

Hi DavidR,

I just went over the code and gave you what I observed there, and going to the site I do not get an avast alert in Google Chrome.
Well the best I can assume also considering what I saw from the script that the alert was browser specific,

polonus

But the OP was using Firefox 13.0.0, essentially the same as mine 13.0.1.

I received this alert when I clicked the Cafe Guerbois link on the above referenced page in Firefox 13.0.1 (script blockers disabled).

Did you have to log on to access that part of the site?

Thanks David. Right now I’m not getting an error because whenever I try to go some place other than the main page, I get the error “The connection was reset… Try again”. But I do have one of the original errors saved to an image file. Here’s what I have.

I just tried something for the heck of it… I shut down all of Avast shields and I no longer get the error saying: “The connection was reset… try again”. It goes right to the page that I want and of course no errors. Any thoughts?

I’m thinking of uninstalling Avast then re-installing.

After more investigating…

See: http://urlquery.net/report.php?id=74606

GET /gate.php HTTP/1.1
GET /banner.php HTTP/1.1
Host: wXw.ultrapinger-http.com
Referer: wXw.wetcanvas.com/forums/channels.php?s=channel_id=1

Domain is new, and same IP as phpinclude-bin, etc…, thus, suspicious.
http://urlvoid.com/scan/ultrapinger-http.com/

GET /room.php?w=1124156264&sh=ff15f05c1e114baca95c34a681c92aa3 HTTP/1.1
Host: wXw.ultrapinger-http.com
Referer: wXw.ultrapinger-http.com/banner.php

Called by an obfuscated create element iframe. See attachment for deobfuscated results.

The process attempting to visit the blocked site was winlogon.exe. winlogon.exe should not be accessing the net. This is a symptom of infection. Please follow the instructions here: http://forum.avast.com/index.php?topic=53253.0, make a new topic, and attach generated logs.
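The request chain from the urlquery report quoted earlier in the thread (forum page, then banner.php, then room.php), rebuilt from the Host and Referer headers so that each hop off the first-party site is listed in order. This is an added example, not part of any post or of the urlquery report; the function names and the choice of "wetcanvas.com" as the first-party label are assumptions made here, and the request lines are the ones posted above, hosts left defanged as "wXw.".

```javascript
// Request heads as quoted in the thread (hosts defanged as posted).
const capture = [
  "GET /gate.php HTTP/1.1",
  "GET /banner.php HTTP/1.1",
  "Host: wXw.ultrapinger-http.com",
  "Referer: wXw.wetcanvas.com/forums/channels.php?s=channel_id=1",
  "",
  "GET /room.php?w=1124156264&sh=ff15f05c1e114baca95c34a681c92aa3 HTTP/1.1",
  "Host: wXw.ultrapinger-http.com",
  "Referer: wXw.ultrapinger-http.com/banner.php",
].join("\n");

// Drop a leading "www."/"wXw." label. Simplification: a production tool
// would derive the registrable domain from the Public Suffix List.
const site = (h) => h.toLowerCase().replace(/^w[wx]w\./, "");

// One record per request line; request lines in a block share its headers.
function parseRequests(text) {
  const out = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split("\n").map((l) => l.trim());
    const header = (name) => {
      const l = lines.find((x) => x.toLowerCase().startsWith(name + ":"));
      return l ? l.slice(name.length + 1).trim() : "";
    };
    const host = header("host");
    const referer = header("referer").replace(/^https?:\/\//i, "");
    for (const l of lines) {
      const m = /^(GET|POST)\s+(\S+)\s+HTTP\/\d\.\d$/.exec(l);
      if (m) out.push({ url: host + m[2], host, referer, refHost: referer.split("/")[0] });
    }
  }
  return out;
}

// Follow Referer links outward from first-party pages; list each off-site hop.
function offSiteChain(requests, firstParty) {
  const chain = [], seen = new Set();
  let frontier = new Set(requests.filter((r) => site(r.refHost) === firstParty).map((r) => r.referer));
  while (frontier.size) {
    const next = new Set();
    for (const r of requests) {
      if (!frontier.has(r.referer) || seen.has(r.url)) continue;
      seen.add(r.url);
      if (site(r.host) !== firstParty) chain.push(`${r.referer} -> ${r.url}`);
      next.add(r.url);
    }
    frontier = next;
  }
  return chain;
}
console.log(offSiteChain(parseRequests(capture), "wetcanvas.com").join("\n"));
```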

Thanks Donovan. I appreciate your help and taking the time to look at this. I am going to re-install Avast just in case it makes a difference. Will let you know how it goes.

Hi !Donovan,

ultrapinger-http.com was a newly registered Domain Name on DNSMADEEAS dot COM, one of 69 registered domain names on May 23, 2012.

At wxw.ultrapinger-http.com/banner.php there is a big chunk of obfuscated code
(also known as banner.php or room.php) which is backdoor malcode.

See: http://www.urlquery.net/?category=Anti%20Depress*nts so fitting in with the Canadian Phrmcy Scam campaign

Same issue as was being flagged here on our forums recently, see: http://forum.avast.com/index.php?topic=99727.0

polonus

FWIW, no.

I am getting the same warning and it’s very annoying. It is ONLY happening with the website www.wetcanvas.com. I made an exclusion of this site on Avast and at least the site comes up now.

This is what the warning said:

URL: http://www.wetcanvas.com/forums/showthre
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: HTML:Script-inf

Seems that anyone running Avast is affected with this problem. Please do something? Thanks!