Website blocked.

Hello,

I am the owner of the site http://usmerfa.pl (sorry if you take it as advertising, but it's not - read the whole post), and as I can see, Avast! is blocking my website. I have scanned all the storage of my VPS with a few other anti-viruses just to be sure, even those for which I had to pay for a full license, and the result was one: the website is clear as a tear. The only anti-virus I know that is blocking my website is Avast! at the moment. So I would like to know if it's only dropped on a blacklist or there are really some dangerous files, and if there are, I would like to know which one exactly (Avast doesn't show me anything specific :P).

I would be grateful for help.

Cheers Patryk.

sucuri http://sitecheck.sucuri.net/results/usmerfa.pl

The website is detected by 1 blacklist engine the Mywot

http://my.jetscreenshot.com/18363/20130407-1s8z-61kb.jpg

http://my.jetscreenshot.com/18363/20130407-mvuv-54kb.jpg

https://www.virustotal.com/pt/url/48ca06f655d9bc064b9d9f0a6e1c9a36b39710c83de1b7512424b96046ce7010/analysis/1365296926/

http://quttera.com/detailed_report/usmerfa.pl

http://wepawet.iseclab.org/view.php?hash=a4cd0385cf462221239d218c0abc748d&t=1365295263&type=js

http://zulu.zscaler.com/submission/show/019cd4aa1e6ca97f8717d83ae0a72acf-1365296918

http://www.mywot.com/en/scorecard/usmerfa.pl

http://www.urlvoid.com/scan/usmerfa.pl/

http://urlquery.net/report.php?id=1864318

If you think this is wrong, you can report it here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply…

This makes me really sick, as even when my VPS was empty I had those silly blocks… so I believe they are simply false like.

even when my [b]VPS was empty[/b] I had those silly blocks
???

Yea… my face was just like that when I saw it. I hoped that's only some misunderstanding and it will pass after a few hours / days, but as we can see it's still as it was…

Yea.. my face was just like that when i saw i
that was my reaction to...what do you mean by...my VPS was empty?

Bitdefender TrafficLight also blocks the site: https://trafficlight.bitdefender.com/info?url=http://www.usmerfa.pl/
Stop this website is not safe. Because of PHP-error flagged?
But could be this code is being detected because packed and obfuscated: htxp://banid.pl/banid-widget.js
info: [decodingLevel=0] found JavaScript
suspicious Security warning in the URL: info: [script] banid.pl/banid-widget.js

But more likely an error here:
htxp://www.psychostats.usmerfa.pl/index.php
Discussed here: http://labs.sucuri.net/db/malware/php-error-fatal-error

Probably site detection is a false positive, but this scanner is more certain about what is being flagged:
http://evuln.com/tools/malware-scanner/www.usmerfa.pl/

polonus

And it is not only avast that detects this site:

Avast: JS:Iframe-AMQ [Trj]

Comodo: TrojWare.JS.Iframe.FK

Kaspersky: HEUR:Trojan.Script.Generic

VIPRE: Exploit.HTML.Iframe.dm (v)

AVG: HTML/Framer

GData: JS:Iframe-AMQ

ESET-NOD32: JS/Iframe.HH

polonus

Are you kidding me? I'm curious how your Kaspersky could find anything if mine didn't :). Anyway, as I can see now, this whole malware is affected in the signin code :smiley: Yesterday I upgraded my IPB version, so the signin code is originally from IPB, and now the question is: you wanna tell me that IPS is developing malware :D? Are you serious :D? Nahh… If Avast ain't gonna take off the blockade I will report it to IPS, and I'm not sure how it will finish :slight_smile:

However, if it's rly true with this malware, I would like to ask someone to give me some guide on how to clean it from the website.

This is being flagged as malicious: htxp://www.usmerfa.pl/public/min/index.php?ipbv=b8510b7e13675a5a1150be164f6ef30c&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/2/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.signin.js
This was reported before here: http://xwis.net/forums/index.php/topic/176435-blackhole-exploit-kit-xwisnet/
Not flagged here: http://wepawet.iseclab.org/view.php?hash=d1a661e5bb70c11cff397efea08571c7&t=1365365811&type=js
See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.usmerfa.pl%2Fpublic%2Fmin%2Findex.php%3Fipbv%3Db8510b7e13675a5a1150be164f6ef30c%26charset%3DUTF-8%26f%3Dpublic%2Fjs%2Fipb.js%2Ccache%2Flang_cache%2F2%2Fipb.lang.js%2Cpublic%2Fjs%2Fips.hovercard.js%2Cpublic%2Fjs%2Fips.quickpm.js%2Cpublic%2Fjs%2Fips.signin.js&ref_sel=Google&ua_sel=ff (I get a failure: ) and a HTTP/1.1 404 Not Found
because this was performed onto the site…and is blocked by avast! Web Shield as /…/…/ips.signin.js - URL:Mal
is a Cross-Site-Request forgery also known as a “one-click-attack” input validation attack which will deliver → includes/printable.asp?
This attack is also being performed in Bank Website Phishing!

polonus

More about these kinds of attacks here: http://www.insecure.in/input_validation.asp (link source = Insecure Lab, India)
Also read this: http://security.stackexchange.com/questions/24044/what-is-a-shrink-wrap-code-attack (link reply author = Iszi)

polonus

It is not blocked in the current VPS. The update fixes the issue (130408-2); the site is functioning normally.

Thanks Milos :slight_smile:

What upgrade do u mean? 3.4.3, 3.4.4, or the patch released after the 3.4.3 release? (Actually I have 3.4.3+patch.)

If you are referring to the post above from Jefferson Santiag…then he is talking about the avast VPS update.

So it's not helpful for me, I guess.

Our website is blocked too; it’s www.genopharma.com

You should create ur own thread and contact the administrator, as was suggested in my own case earlier. Anyway, the thread can be closed as my problem was solved. Cheers.

See results here: http://evuln.com/tools/malware-scanner/www.genopharma.com/

polonus