Virus in Yahoo mail? False positive?

Hi,

I’m getting a virus alert when logging in to Yahoo Mail. The malware name is HTML:Iframe-inf, and I’m using Avast Personal fully updated. There is no infection on my side, as the program blocks the connection; and as far as I can tell, there is neither an infected mail there (haven’t seen this alert, ever, and I use that account every single day) nor a new mail in the inbox which may be infected.

I hope it is a false positive, because I need to access that account. If you need more info just tell me.

I am also getting virus alerts when I log in to Yahoo Mail - they weren’t there last night, but are there now.
EDIT - It’s on Yahoo answers too. It seems to be from one of the adverts which is on the screen.

I am experiencing the same problem.

This is happening when I try to access a Yahoo email account I have had for years and use practically every day.

Same thing here on www.yahoo.no ( HTML:Iframe-inf )

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Saturday, December 26, 2009 3:34:59 AM

27.12.2009 13:23:23 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:23:33 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:24:50 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:25:56 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:27:02 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:28:17 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:37:10 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)

Hello all, welcome to the forum :)

I have taken a look at some of the pages, and I can’t seem to find any references to malware (but that could just be my inability…)

What I would suggest to do:
When an alert appears, in the bottom right of the alert, please click on ‘Report as a False Positive’ as this is the best way to alert ALWIL.

I have also emailed them this info…

-Scott-

EDIT:

Strange…no alert first time I visited…then an alert second time…

> What I would suggest to do: When an alert appears, in the bottom right of the alert, please click on 'Report as a False Positive' as this is the best way to alert ALWIL.

No such thing in Avast 5, Scott? But if you have emailed, then I guess it will be gone soon. EDIT: Yep, the function is there but doesn’t show on every detection.

> Strange...no alert first time I visited...then an alert second time...

Same here, it does not happen every time; when I am logged in there is a different detection (URL:Mal).

I don’t know about avast! 5, but I have also reported it as described above, so hopefully we will find out.

-Scott-

No, I am getting a warning in the Avast forum also; click on the pic in Mike Buxton’s post

http://forum.avast.com/index.php?topic=52586.msg446148#msg446148

No alert with avast! 4.8, what is the actual alert on? Remember hXXp ;)

Wait…it is the ad banner at the top…

27.12.2009  12:48:06  Network Shield: blocked access to malicious site ad .yieldmanager .com/imp?Z=728x90,468x60&s=692800&t=2 [ C:\Users\Scott\Portableapps\FirefoxPortable\App\firefox\firefox.exe ( 4088 ) ]

This isn’t exclusive to Yahoo, found it on gamefaqs too (wXw.gamefaqs.com, might have some ads). I wonder if someone with the Yahoo problem could check: go to the search bar, write anything, “asd” for example, and click on the “Go” button; if you don’t get it, click back and “Go” again … voilà, Avast alert, HTML:Iframe-inf.

I didn’t get it with the Mike Buxton image though.

At least I’m not the only one >:(

EDIT: Got the alert on Mike Buxton’s post; AdBlockPlus was preventing me from seeing the offending banner.

Getting the error here too…

Started this morning when I started to use my computer; at 1am last night it was not doing this. I do notice that at 6:29am this morning the virus database was updated; there was an update also on 12:26, however at 6:29 pm, and I used my computer last night and it was not doing this. I am thinking the 6:29 virus database update this morning is the culprit. Anybody else with this thinking?

I’m getting it trying to access my Yahoo groups, but one of them isn’t infected.

I can access Yahoo search engine no problem. But it affects my yahoo mail account from being accessed too.

I noticed with Yahoo some of my mail arrives displayed incorrectly. It comes as a long list of pathways the mail has traveled, in which somewhere the message is buried!

Hello,
By no means an expert here, I am also getting a virus message on my Yahoo Home page. Mine is different though. It is js:scriptip-inf[trj]. I am running my avast now and I ran it earlier and it came up with no virus. Any suggestions anyone?

Thanks,
John

Here is what shows in my network log

27.12.2009 08:15:41 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=600633&t=2 [ C:\Program Files\Internet Explorer\iexplore.exe ( 2704 ) ]
27.12.2009 08:16:53 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=600633&t=2 [ C:\Program Files\Internet Explorer\iexplore.exe ( 2792 ) ]
27.12.2009 08:17:06 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=166558&t=2 [ C:\Program Files\Internet Explorer\iexplore.exe ( 2792 ) ]
27.12.2009 08:23:24 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=600633&t=2 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 4848 ) ]
27.12.2009 08:41:03 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=600633&t=2 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 4780 ) ]
27.12.2009 08:41:17 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=500443&t=2 [ C:\Program Files\Internet Explorer\IEXPLORE.EXE ( 4780 ) ]

Here is the warning log info -------- PLEASE NOTE THE TT IN HTTP AND X IN WWW, DONE SO AS NOT CLICKABLE

12/27/2009 8:40:53 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxtp://m.wXw.yahoo.com/{gzip}” file.
12/27/2009 8:38:55 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxp://m.wXw.yahoo.com/{gzip}” file.
12/27/2009 8:27:19 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxp://m.wXw.yahoo.com/{gzip}” file.
12/27/2009 8:23:43 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxp://m.www.yahoo.com/{gzip}” file.
12/27/2009 8:15:27 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxp://m.wXw.yahoo.com/?r947=1261919727{gzip}” file.
12/27/2009 8:15:27 AM SYSTEM 1492 Sign of “JS:ScriptIP-inf [Trj]” has been found in “hxxp://m.wXw.yahoo.com/{gzip}” file.

Me too.

I am getting it when on Youtube.com

It showed as below;

http://m.wxw.yahoo.com/\{gzip}

JS:ScriptIP-inf [Trj]

It kept appearing many times, no matter I abort the connection. What should I do? Report it as false positive? I have 4.8 Avast. Thank you.

I agree that it is the last update. Began happening on two computers in my home immediately after update.

I think this is the result of a recent addition of ad.yieldmanager to the network shield block list, as it is considered malicious, and Yahoo somehow scripts it into its pages, which would cause the alert…
http://www.mywot.com/en/scorecard/ad.yieldmanager.com

This is however, my guess on the subject…

I’m getting the same message that Goldscooby is on yahoo…JS:ScriptIP-inf [Trj] …what’s up with this? I have Avast 4.8 and everything was fine last night…it started this morning…Thanks!

I don’t see an alert but then I block ad.yieldmanager.com with my HOSTS file:
http://hosts-file.net/?s=ad.yieldmanager.com&x=24&y=10
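
An added example, not part of the thread or any poster's code: a small triage script that parses the two Avast log formats posted above, counts which hosts Network Shield blocked, and flags those that do not belong to the page that raised the alert. The sample lines are copied from the logs in this thread; the function names, the two-label domain comparison and the `0.0.0.0` HOSTS entries are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample lines copied from the logs posted in this thread (two Avast formats).
SAMPLE_LOG = r"""
27.12.2009 08:15:41 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=600633&t=2 [ C:\Program Files\Internet Explorer\iexplore.exe ( 2704 ) ]
27.12.2009 08:17:06 Network Shield: blocked access to malicious site ad.yieldmanager.com/pixel?id=166558&t=2 [ C:\Program Files\Internet Explorer\iexplore.exe ( 2792 ) ]
27.12.2009  12:48:06  Network Shield: blocked access to malicious site ad .yieldmanager .com/imp?Z=728x90,468x60&s=692800&t=2 [ C:\Users\Scott\Portableapps\FirefoxPortable\App\firefox\firefox.exe ( 4088 ) ]
27.12.2009 13:23:23 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
27.12.2009 13:23:33 hxxp://no.yahoo.com/|>{gzip} [L] HTML:Iframe-inf (0)
""".strip().splitlines()

NET_RE = re.compile(r"^\S+\s+\S+\s+Network Shield: blocked access to malicious site "
                    r"(?P<site>.+?) \[ (?P<proc>.+?) \( (?P<pid>\d+) \) \]$")
WEB_RE = re.compile(r"^\S+\s+\S+\s+hxxp://(?P<host>[^/\s]+)\S*\|>\{gzip\} "
                    r"\[L\] (?P<sig>\S+) \(\d+\)$")

def base_domain(host):
    # Naive assumption: last two labels only, no public-suffix handling.
    return ".".join(host.split(".")[-2:])

def triage(lines):
    blocked, pages, procs = Counter(), Counter(), set()
    for line in lines:
        line = line.strip()
        m = NET_RE.match(line)
        if m:
            # Host is the part before the first "/"; drop spaces a poster added to defang it.
            host = m["site"].split("/", 1)[0].replace(" ", "").lower()
            blocked[host] += 1
            procs.add(m["proc"].rsplit("\\", 1)[-1].lower())
            continue
        m = WEB_RE.match(line)
        if m:
            pages[(m["host"].lower(), m["sig"])] += 1
    page_domains = {base_domain(h) for h, _ in pages}
    # Blocked hosts outside the domains of the pages that raised alerts.
    third_party = sorted(h for h in blocked if base_domain(h) not in page_domains)
    return {"blocked": blocked, "pages": pages, "processes": procs,
            "third_party": third_party}

def hosts_entries(hosts):
    # HOSTS-file lines that null-route each host (0.0.0.0 is an assumed choice).
    return [f"0.0.0.0 {h}" for h in sorted(hosts)]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["blocked"], result["pages"], result["processes"])
    print("\n".join(hosts_entries(result["third_party"])))
```
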