system
January 2, 2012, 4:24pm
1
Hi happy new year everybody.
Approx 1 month ago I joined a small racing club and logging in has been fine.
But since the 1st of January avast blocks the site as soon as I click on log in, picture attached.
Not sure if it's a FP or not ??? http://imageshack.us/photo/my-images/268/wwwavastcom20121118639.png/
I have no alerts when I try to go there. But, I am not logging in just looking at the front page.
Are you still getting alerts?
system
January 2, 2012, 10:13pm
3
Yes, every time.
Click on log in with the username and password unchanged and it happens every time.
???
Pondus
January 2, 2012, 10:20pm
4
system
January 2, 2012, 11:11pm
5
Thanks for the quick reply.
Yes, both engine and virus definitions up to date.
Browsing the forum all is OK, no warning.
But clicking login with any username or password the warning in the picture happens and the site is blocked.
Could you try clicking on the login to see what happens?
Pondus
January 2, 2012, 11:41pm
6
Pondus
January 2, 2012, 11:53pm
7
And that URL is infected, says Sucuri… see attached screenshot
sucuri malware info: http://sucuri.net/malware/malware-entry-mwiframehd202
So conclusion… avast web shield was correct again
Because of the domdex dot com redirect via a 0-0-0-iFrame it can lead to a ZBOT/Zeus infection, see: -http://jsunpack.jeek.org/?report=f27d0696b35eb7a6d9d349deac67fbce391b85cb
Only visit jsunpack if enough security savvy, with ample script protection and inside a VM,
polonus
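For the site owner's clean-up, an added example (not code from this thread) that flags the kind of invisible cross-site iframe described in the post above. It takes "0-0-0" to mean zero width, height and border, which is an assumption, and the hostnames and function names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hostnames are placeholders, not values from the thread.
SAMPLE_HTML = """
<html><body>
<form action="/login.php" method="post"><input name="user"></form>
<iframe src="http://tracker.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://cdn.example.net/x" style="width:1px; height:1px; visibility:hidden"></iframe>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
</body></html>
"""

def _tiny(value):
    """True when a width/height value is 0 or 1, optionally with a px unit."""
    return value is not None and re.fullmatch(r"\s*[01](px)?\s*", value) is not None

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower()
        css = dict(re.findall(r"(width|height)\s*:\s*([^;]+)", style))
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size attributes")
        if _tiny(css.get("width")) and _tiny(css.get("height")):
            reasons.append("zero-size style")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.append("hidden by style")
        host = urlparse(a.get("src", "")).hostname
        # Report only frames that are both invisible and loaded from another host.
        if reasons and host and host != self.page_host:
            self.findings.append((a["src"], reasons))

def find_hidden_iframes(html, page_host):
    """Return (src, reasons) for each invisible iframe pointing off-site."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings
```

Run it over the served HTML of the login page rather than the template files on disk, since injected markup often exists only in the rendered output.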
system
January 3, 2012, 12:02am
9
Thanks for your help, most grateful.
Used Avast for many years and it's been superb.
I have contacted the website owner with the problem and am awaiting a response.
Thanks again.
Pondus
January 3, 2012, 12:04am
10
polonus
January 3, 2012, 12:16am
11
Thanks Pondus for again putting me on the right track to delve a little further.
Well, the imminent danger could be somewhat less because a lot of the bot malware from domdex dot com is now dead or closed, but has never been flagged by any av according to mx viruswatch VT scan links.
Anyway the vulnerability is still there and could lead to re-infection, this also because the IP state of domdex dot com is up, meaning there might be new versions of ZBOT/Zeus being launched/on their way from there. See: http://urlquery.net/queued.php?id=14301
See the 2nd JS write there to http://www.webutation.net/go/review/t5.trackalyzer.com (very bad WOT web rep)
Good we have taken a close look at the script there. You could also inform the website owner there of this link,
polonus
system
January 3, 2012, 12:21am
12
Just contacted the web site with a direct link to this page, some good information here.
Thanks again to everybody.
Avast rocks ;D