Website blocked when logging in.

Hi, happy new year everybody.

Approx. 1 month ago I joined a small racing club and logging in has been fine.

But since the 1st of January Avast blocks the site as soon as I click on log in, picture attached.

Not sure if it's a FP or not??? http://imageshack.us/photo/my-images/268/wwwavastcom20121118639.png/

I have no alerts when I try to go there. But, I am not logging in just looking at the front page.

Are you still getting alerts?

Yes, every time.

Click on log in with the username and password unchanged and it happens every time.

???

Is your Avast updated?

VirusTotal
http://www.virustotal.com/file-scan/report.html?id=9b1dfffc3cb81cffbfa39a324b6b7b51ae04ae3f3e7b4c15d63b98e2f2a33c70-1325542298

Jotti
http://www.virustotal.com/file-scan/report.html?id=9b1dfffc3cb81cffbfa39a324b6b7b51ae04ae3f3e7b4c15d63b98e2f2a33c70-1325542298

urlQuery says - suspicious
http://urlquery.net/report.php?id=14286

Thanks for the quick reply.

Yes, both engine and virus definitions up to date.

Browsing the forum all is OK, no warning.

But clicking login with any username or password the warning in the picture happens and the site is blocked.

Could you try clicking on the login to see what happens?

:slight_smile:

Could you try clicking on the login to see what happens?
hmmmm....it seems there is a redirect...it is sending me here

-http://paseroper.in/?fp=rHwLIQr3CNfvINWjhIvXZo5MtVw5M6r%2BHOzvzsf14SismmmCUwqj7xO8zoDQf5YTLcrsKqlNRsqarR0A8d1ROg%3D%3D&prvtof=IB7kKmYNBnAxHeY3w0wU11P9812xF2FKuuMH0YIlNrQEMr4DWbNjxNBtCuAZlq%2BCuSLWxsRetx7jlcR0%2FdxvkA%3D%3D&poru=ls1R7HQPeWOMsMFiDJPx9JuXG%2FtEkUBIEqdbOa5K2jVOT5iSNaKd2TOw1X0t0Hz5t%2FHO2Jupej7fZI%2BRO%2FvUvQ%3D%3D&cifr=1&default=

and that URL is infected, says Sucuri… see attached screenshot

sucuri malware info: http://sucuri.net/malware/malware-entry-mwiframehd202

So conclusion… avast web shield was correct again :wink:

Because of the domdex dot com redirect via a 0-0-0-iFrame it can lead to a ZBOT/Zeus infection, see: -http://jsunpack.jeek.org/?report=f27d0696b35eb7a6d9d349deac67fbce391b85cb
Only visit jsunpack if enough security savvy, with ample script protection and inside a VM.

polonus
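
A defender-side check for the kind of hidden iframe described in the post above, as an added example that is not part of the thread or of any tool named in it. It assumes "0-0-0" means zero width, height and frame border; the page URL, host names and HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attribute value that means zero size: "0", "0px", "0%".
ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", re.I)
# Inline CSS that hides the frame or collapses it to zero size.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:(?:width|height)\s*:\s*0+(?:px|%)?"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)\s*(?:;|$)", re.I)

# Constructed sample page; every host name here is a placeholder.
PAGE_URL = "http://club.example.com/forum/login"
SAMPLE_HTML = """<html><body>
<form action="/login.php" method="post"><input name="user"></form>
<iframe src="/banner.html" width="0" height="0"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://redirector.example.net/?fp=abc" width="0" height="0" frameborder="0"></iframe>
<iframe src="//tracker.example.net/t" style="display:none"></iframe>
</body></html>"""

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible AND load from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = [f"{d}=0" for d in ("width", "height") if ZERO.match(a.get(d, ""))]
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and // URLs
        host = urlparse(src).hostname
        if reasons and host and host != self.page_host:
            self.findings.append({"src": src, "host": host, "reasons": reasons})

def find_hidden_iframes(html, page_url):
    finder = HiddenIframeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, PAGE_URL):
        print(f["host"], f["reasons"], f["src"])
```

This only inspects static markup; an iframe written into the page by script at load time will not appear in the saved HTML and needs a rendered-DOM or sandbox report to catch.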

Thanks for your help, most grateful.

Used Avast for many years and it's been superb :slight_smile:

I have contacted the website owner with the problem and awaiting a response.

Thanks again.

:slight_smile:

Because of the domdex dot com redirect....
yepp and this is listed in the wepawet report

http://wepawet.iseclab.org/view.php?hash=2520eac33fbc656100a7afdf8f242cd3&t=1325548227&type=js

Thanks Pondus for again putting me on the right track to delve a little further.
Well, the imminent danger could be somewhat less because a lot of the bot malware from domdex dot com is now dead or closed, but has never been flagged by any AV according to mx viruswatch VT scan links.

Anyway, the vulnerability is still there and could lead to re-infection, this also because the IP state of domdex dot com is up, meaning there might be new versions of ZBOT/Zeus being launched/on their way from there. See: http://urlquery.net/queued.php?id=14301
See the 2nd JS write there to http://www.webutation.net/go/review/t5.trackalyzer.com (very bad WOT web rep)

Good we have taken a close look at the script there. You could also inform the website owner there of this link.

polonus

Just contacted the web site with a direct link to this page, some good information here.

Thanks again to everybody.

Avast rocks ;D