Warning: This site could have harmed your computer (Download Avast)

I was logged onto the T-Mobile website about to pay my bill and a popup came up saying “Warning: This site could have harmed your computer” with the Avast logo and a place to download Avast, which I already have running on my computer. I was immediately suspicious but it wouldn’t let me close the box. I had to leave the website. I don’t think this was from Avast, was it?

I ran Malwarebytes and it found a ton of stuff that I deleted, but when I went back to the T-Mobile site it did the same thing. So I have two questions. Is this actually an Avast warning, and how do I get rid of this? I looked online and it seemed like maybe I have a “rogue virus.”

Any help would be appreciated.

Thanks!

Can you please attach Malwarebytes? Also give a BROKEN link to the “T-Mobile” Site you were trying to use.

I see the same error message when accessing our web site at https://wXw.nabezky.sk/. I checked the blacklist on http://mxtoolbox.com and the site is not listed there. Avast does not offer any clues as to what could be the problem.

By the way, we have another web site running on the same server - kuchyna.zajezka.sk - that Avast is not blocking. Not sure how to troubleshoot this issue - can anybody help?

Also, poster @Michael is asking “Can you please attach Malwarebytes” but I am not sure what it means. Malwarebytes seems to be some kind of virus protection app and attaching an app to a comment on this forum does not make sense to me.

For help start your own topic, helping multiple users in the same topic is chaos … and the topic is almost a year old

Also, poster @Michael is asking "Can you please attach Malwarebytes" but I am not sure what it means. Malwarebytes seems to be some kind of virus protection app and attaching an app to a comment on this forum does not make sense to me.
He means the scan log ..... as the topic starter said it found and removed a ton of stuff

hxxps://wxw.nabezky.sk/ IP history https://www.virustotal.com/en/ip-address/37.205.11.79/information/
Multiple domains on the same IP and some are blacklisted, so it seems like an IP block

Avast sure gives you a clue about how/what and if you want more information…
Just run several scans.

http://zulu.zscaler.com/submission/show/721c3fff266176e298b6c2c1f068e53d-1420302353
http://sitecheck.sucuri.net/results/www.nabezky.sk
https://www.ssllabs.com/ssltest/analyze.html?d=nabezky.sk

Thank you both for replying. There is one thing that puzzles me - that I have two web sites running on the same VPS and the same web server (Apache) and one is (nabezky.sk) and one is not (kuchyna.zajezka.sk) being blocked by Avast. So I doubt the Apache version has anything to do with the fact that Avast is blocking only one of those sites. It seems that the problem could be in the (DNS) zone file, but the sites you mention in your replies do not indicate problems there (or I do not understand the reports).

@Pondus, I tried to recreate the steps you might have taken when investigating my report. I went to the virustotal site and entered the reported URL. The report came clean:
https://www.virustotal.com/en/url/0d90532a955cbb3b8ca0173eca0dd61bdb465955510a4791259e63bb0b1da4bc/analysis/1420967480/
You - however - provided a URL for a report page originating in some “IP history”. I do not know what that means, because on the virustotal report page I do not see a link to IP history.

Regardless, I read the IP report and think that the only potential red flag for the IP number is the record in the “Latest detected files that communicate with this IP address” section. It mentions an event that occurred on 2014-07-21 02:15:01 (almost 6 months ago) where during testing of some file our server was contacted by the tested file. I have 2 questions:

  1. Given that the test was performed 6 months ago, is it possible to re-run the IP test or get more info about what domain/URL the tested file was targeting during that testing event on 2014-07-21 02:15:01? I would like to remove it as I am the sys admin of that server.
  2. How did you run the IP test? Because when I run a test using the IP instead of the nabezky.sk URL, I get a clean report:
    https://www.virustotal.com/en/url/7ae7f759e4bfb0edf0c80f9ff2a26ebd2a63b3081e1637961b09173d860c003b/analysis/1420968424/

Thank you for your help.

VT doesn’t say it is clean, it says it is not found in the blacklists they check.
VT does not scan sites.

If you want to run scanners/get information,
I have many links to online tools on my website ( http://www.ache.nl )

7 days later and you still have not updated Apache. :(

Hi Eddy,

All minor issues, the main reason for avast blocking was missed, it is the afraid dot org nameserver issue!
This was the latest malware that was launched from that IP: https://www.virustotal.com/nl/file/b9dfd85e6a79ce541895a2b36b974a36c0f7ed49a4557310ee9739f31b0beedb/analysis/
This seems the bad apple in the basket: https://www.virustotal.com/nl/url/5ca5c747cacefa6426c3a7a96aa44d364ca2ffa058c412258570c301ab5237c6/analysis/1420989675/
See: http://urlquery.net/queued.php?id=161584303
There were also Spamhaus blacklisted domains on IP.
The outdated server runs at the hoster, all with outdated and vulnerable Apache/2.2.22.
There are actually 46 bad apples in the hosting basket: http://sitevet.com/db/asn/AS24971
Found this online :o → https://github.com/sk-vpohybe/stopa-monitor/blob/master/src/stopa_monitor_config.rb.example

These are all minor issues. Again Eddy we should not have missed this detection: http://www.dnsinspect.com/nabezky.sk/1420990355

Avast blocked the site because it was hosted via afraid dot org and all such sites are blocked by default.
Steer away from afraid dot org and avast may unblock the site as soon as with a next update!

polonus (volunteer website security analyst and website error-hunter)

@Pondus, I tried to recreate the steps you might have taken when investigating my report. I went to the virustotal site and entered the reported URL. The report came clean: https://www.virustotal.com/en/url/0d90532a955cbb3b8ca0173eca0dd61bdb465955510a4791259e63bb0b1da4bc/analysis/1420967480/ You - however - provided a URL for a report page originating in some "IP history". I do not know what that means, because on the virustotal report page I do not see a link to IP history.

click your VT report link > click the additional information tab > there you will see IP address … now copy it

go back to www.virustotal.com > click search option > paste in the IP and click search button …result IP history

Anyway, the reason for blacklisting is using afraid.org, everything from afraid is blocked. Why is explained many times if you search the forum
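
The two replies above attribute the block to the domain's DNS being hosted at afraid.org rather than to the shared web server. As an added example (not written by any poster in this thread), the script below checks `dig +noall +answer NS` style output for delegations to that provider; the sample domains, records and the suffix list are constructed assumptions.

```python
# Added example: flag domains whose NS delegation points at a blocked
# dynamic-DNS provider. Sample input is constructed, not real lookup data.

BLOCKED_NS_SUFFIXES = ("afraid.org",)  # provider named in this thread

# Constructed `dig +noall +answer NS <domain>` output; all domains are placeholders.
SAMPLE_DIG_OUTPUT = """\
blocked-site.example.   3600 IN NS ns1.afraid.org.
blocked-site.example.   3600 IN NS NS2.AFRAID.ORG.
clean-site.example.     3600 IN NS ns1.registrar-dns.example.
clean-site.example.     3600 IN NS ns2.registrar-dns.example.
lookalike.example.      3600 IN NS ns1.notafraid.org.
mixed.example.          3600 IN NS ns1.registrar-dns.example.
mixed.example.          3600 IN NS ns3.afraid.org.
; comment lines and blanks are skipped
"""

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def under_suffix(host, suffix):
    """Match on label boundaries so notafraid.org does not match afraid.org."""
    return host == suffix or host.endswith("." + suffix)

def parse_ns_records(text):
    """Return {domain: [nameserver, ...]} from dig answer-section lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, rclass, rtype, target = fields
        if rclass.upper() != "IN" or rtype.upper() != "NS":
            continue
        records.setdefault(normalize(owner), []).append(normalize(target))
    return records

def flag_blocked_delegations(text, suffixes=BLOCKED_NS_SUFFIXES):
    """Return {domain: [matching nameservers]} for domains using a blocked provider."""
    flagged = {}
    for domain, servers in parse_ns_records(text).items():
        hits = sorted(ns for ns in servers
                      if any(under_suffix(ns, s) for s in suffixes))
        if hits:
            flagged[domain] = hits  # one matching server is enough to flag
    return flagged

if __name__ == "__main__":
    for domain, hits in flag_blocked_delegations(SAMPLE_DIG_OUTPUT).items():
        print(f"{domain}: delegated to {', '.join(hits)}")
```

After moving a zone to another provider, rerunning the same check against fresh `dig` output confirms that no NS record under the blocked suffix remains.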

Hi polonus. Thank you for the tip about afraid.org. In the past couple of days I migrated my domains hosted there to different providers. The problem still does not seem to be completely resolved though, at least when accessing the nabezky.sk site from IE. Firefox allows me to get to the https://www.nabezky.sk/ if typed as shown, but if I type “nabezky.sk”, the Avast warning pop-up is shown. The server then redirects to https://www.nabezky.sk/ (there is a directive for this in the .htaccess file on the server) and I can browse the site without problems.

Also, in Firefox the Avast icon is gray and claims that nabezky.sk is “unknown site”. Should I wait longer for Avast to recognize the DNS server changes or is there something else I should do?

Hi javorie,

Mail avast team at virus@avast.com with a link to this thread and tell them that you steered away from afraid dot org,

polonus