VBS:Malware-gen

After a recent update, whenever I navigate to a multitude of websites I keep getting a ‘VBS:Malware-gen’ alert. I tested on my own host and it flags files that, scanned individually, do not return any warning, but viewed through a browser give an alert? I even get the alert when I tested accessing a non-existent directory and an empty directory???

This never occurred until very recently.

Does anyone have a fix for this or at the very least have an explanation?

Thank you,

Would you be kind enough to list one or more of the websites that you are browsing to?

Some sites just have some weird scripts running, or have odd frames coded in them. It’s also possible that the website has been hacked.

It’s hard to tell though without the actual website.

I bet that avast detection is correct… a lot of sites are being hacked with encrypted and malicious scripts…

Yes, sql injections and other types of hacking have been popping up all over the place.

Make sure that your web server is up to date (if it’s yours) and php, mysql, sql, etc. are all up to date as well.

I noticed in one specific case that it generates the error if the html calls for images that aren’t on the server. Why would that be flagged as a virus?!

one url is http://www.cardaconsultants.com/avocatsconseil/index.html

and why would it flag a virus when I enter a url of a directory that does not exist?

That website has something in the html:

It’s redirecting to regintheclub.info or something like that.

I noticed that you need a username and a password to get access to the site, so I can’t really tell if there is an image missing, but I really don’t think that’s the problem. The above code is the problem.

Looks like it was hacked to me.

where did you extract that code from? How?

Upon visiting that site, of course Avast immediately told me there was a source of Adware / Malware. I closed it (not clicking “abort connection”) twice. The third time that I did it, and hit cancel when it asked me for a username and password, it obviously didn’t let me into the page, and gave me a page could not be displayed error, yet the URL was still in the address bar. So, I right-clicked the page, and clicked “view source.” That gave me the actual web page’s code. In that code, it had that script.

Even when I cancel I never get such code?

How can I resolve this matter? Is this up to my host or is this my problem? Any guidance is tremendously appreciated!!!

Thank you in advance,

QB

To me, it looks like it’s putting that code in a bunch of different places. In fact, the error page that I get to is a generic 404 error, I believe.

Is your host running a Windows box?

You should have them check their IIS server’s error pages, specifically 404 errors. It looks like the malicious code is on that error page.

It shouldn’t be on your computer (unless your computer IS the server that hosts the site).

You are the absolute best!

I deleted my error pages and all is good. Now I need to create new ones; minor problem.

I can’t thank you enough!!!

QB

Glad that I could help ;D

Make sure that computer gets updated, and keep complex passwords on all your accounts. Something or someone got ya, and I wouldn’t want to give them another chance!

Very sneaky hiding the malware on a 404 page.

Having the same problem with the below website:

http://www.webtoniq.com

IT at their location insists the problem is with my antivirus software.

Any way to find out if this is for real or a false alarm?

Ask them to check out the weird script after .

Thanks for the info, FW Frank… will pass it along to their IT department.

Well their IT guys don’t appear to be up to much as there is a huge block of obfuscated script outside the closing HTML tag.

See image. I have broken the single line down so it doesn’t take up as much room, but I guess this wasn’t seen, or they haven’t a clue what they are looking for, or they didn’t bother looking.

The W3C standards would say code outside the closing HTML tag doesn’t comply with standards, so it doesn’t show conformance to standards, but the obfuscation of the script, even if legit, is strange; you would have to ask what they are trying to hide.
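As an added illustration (not code from this thread or from Avast), the check below looks at a saved copy of a server response and its HTTP status and flags the two symptoms described earlier in the thread: script injected into an error (404) page, and a script block placed after the closing HTML tag. The sample responses and the obfuscation heuristic are constructed for the example.

```python
import re

# Full <script>...</script> blocks, any case, spanning lines.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# Heuristic (assumption, not a rule from the thread): a 150+ character run
# with no whitespace inside a script block is typical of packed/encoded payloads.
BLOB_RE = re.compile(r"\S{150,}")

def content_after_html(body):
    """Return any non-whitespace markup that appears after </html>, or ''."""
    m = HTML_CLOSE_RE.search(body)
    return body[m.end():].strip() if m else ""

def looks_obfuscated(script_block):
    """Cheap indicators of an encoded script: long blobs or decode helpers."""
    return (bool(BLOB_RE.search(script_block))
            or "unescape(" in script_block
            or "fromCharCode" in script_block)

def audit_response(status, body):
    """Return a list of findings for one HTTP response (status code + HTML)."""
    findings = []
    if SCRIPT_RE.search(content_after_html(body)):
        findings.append("script after closing </html> tag")
    scripts = SCRIPT_RE.findall(body)
    if status >= 400 and scripts:
        findings.append(f"script on HTTP {status} error page")
    if any(looks_obfuscated(s) for s in scripts):
        findings.append("obfuscated script block")
    return findings

# Constructed sample responses (not real captures from the sites in the thread).
CLEAN_PAGE = (200, "<html><body><p>hello</p><script>var a=1;</script></body></html>\n")
INJECTED_TAIL = (200, "<html><body>ok</body></html>\n"
                      "<script>document.write(unescape('%3Ciframe%20src%3D...'))</script>")
BAD_404 = (404, "<html><body><h1>Not Found</h1><script>" + "x" * 200 + "</script></body></html>")

if __name__ == "__main__":
    for status, body in (CLEAN_PAGE, INJECTED_TAIL, BAD_404):
        print(status, audit_response(status, body) or ["no findings"])
```

Run it against responses fetched with the site's own error pages (e.g. a deliberately missing path) as well as normal pages, since the thread's injection lived only on the 404 page.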

Darn it DavidR, beat me to it again. Quit doin’ that!

Edit - never mind, I came by way later than you did. Didn’t see the second page… whoops ;D

Well FWF beat me to it whilst I was getting the image :stuck_out_tongue: