Why does SacAreaHomes.com get URL:Mal?

I am a web developer. My client’s site SacAreaHomes.com gets blocked by Avast Network Shield as URL:Mal. I can’t figure out why.

It’s not on any unsafe or black lists. I virus/malware scanned it with online scanners, and downloaded all the site files and scanned them with Avast and Malwarebytes. No viruses. I can’t figure out why it’s getting blocked. Big problem.

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

Didn’t find anything on http://sitecheck.sucuri.net/results/www.sacareahomes.com/ or http://www.urlvoid.com/scan/sacareahomes.com/, though this shows there are other domains on this IP address; possibly it is a block by IP address and not the domain.

Also clean on this http://urlquery.net/report.php?id=254961, but that too shows multiple domains on that IP/server, one of which has had prior infections.

But this looks a somewhat strange JavaScript file name: /sites/default/files/js/js_a6d24340d6739dd389170a72a8f0cc63.js. I trust it is legit?

  • There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles, for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open, click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.

If you go to http://urlquery.net and scan SacAreaHomes.com you will find

xxxx://tech2bs2011.itsmyiq.com/redirecting.htm

http://urlquery.net/report.php?id=254981

If you run a scan on Sucuri of that website, it shows the website, i.e. xxxx://tech2bs2011.itsmyiq.com/, has been blacklisted.

web site: tech2bs2011.itsmyiq.com/ status: Site blacklisted, malware not identified web trust: Site blacklisted.

http://sitecheck.sucuri.net/results/tech2bs2011.itsmyiq.com/

Well done, Nesivos, good analysis. The IDS alert there is INDICATOR-OBFUSCATION Javascript obfuscation - eval.
Avast Web Shield detects this as JS:iframe-TJ[Trj].
Other sites with instances of this same JavaScript malware are still up and active here:
malware status OVERDUE and active at:
htxp://www.notteroy.kulturhus.no/index.php/program (cleansed?)
htxp://customer.ibratro.com/redirecting.htm → http://sitecheck.sucuri.net/results/customer.ibratro.com/redirecting.htm blacklisted and infected
htxp://dawsonrussellphotography.com/ → http://sitecheck.sucuri.net/results/dawsonrussellphotography.com (more instances of various malcode)
hxtp://www.bydesignseminars.com/ → http://sitecheck.sucuri.net/results/www.bydesignseminars.com/ JS-malware instances
htxp://www.formacionengestion.com/ form of blackhole: http://sitecheck.sucuri.net/results/www.formacionengestion.com/

polonus

Thanks guys. I did the steps recommended. Still waiting to see if the problem gets resolved.

I looked through and scanned with Avast the JS file /sites/default/files/js/js_a6d24340d6739dd389170a72a8f0cc63.js.
I reported the virus false positive to Avast: http://www.avast.com/contact-form.php?loadStyles
And I requested DreamHost move the hosting to a different IP address, in case another site on the shared IP caused the virus warning.
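
Added example, not part of any post in this thread: a file scan with signature-based tools came back clean here, while the URL scanners surfaced a hand-off to another host and an eval-obfuscation alert. The Python sketch below audits a downloaded copy of a site for those two things. The function names, the domains `client-site.example` and `third-party.example`, and the sample file contents are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute or protocol-relative URLs embedded in HTML or JS text.
URL_RE = re.compile(r"""(?:https?:)?//[a-z0-9.-]+\.[a-z]{2,}[^\s"'<>)]*""", re.I)
# eval() fed directly by a decoder: the shape behind "obfuscation - eval" alerts.
EVAL_RE = re.compile(
    r"\beval\s*\(\s*(?:unescape|atob|decodeURIComponent|String\.fromCharCode)\b", re.I)
# Constructs that send the visitor's browser somewhere else.
HANDOFF_RE = re.compile(
    r"<iframe\b|http-equiv=[\"']?refresh|location(?:\.href)?\s*=|location\.replace\s*\(",
    re.I)

def host_of(url):
    if url.startswith("//"):
        url = "http:" + url
    return (urlsplit(url).hostname or "").lower()

def is_own(host, own_hosts):
    return any(host == h or host.endswith("." + h) for h in own_hosts)

def audit(files, own_hosts):
    """Return sorted (path, line_no, kind, detail) findings for a {path: text} site copy."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if EVAL_RE.search(line):
                findings.append((path, no, "eval-decoder", line.strip()[:60]))
            for url in URL_RE.findall(line):
                host = host_of(url)
                if host and not is_own(host, own_hosts):
                    kind = "external-handoff" if HANDOFF_RE.search(line) else "external-ref"
                    findings.append((path, no, kind, host))
    return sorted(findings)

# Constructed sample: hypothetical domains and file contents, not taken from the thread.
SAMPLE = {
    "index.html": '<script src="/sites/default/files/js/site.js"></script>\n'
                  '<a href="http://www.client-site.example/listings">Listings</a>\n',
    "sites/default/files/js/site.js": 'var a = 1;\n'
                  'eval(unescape("%64%6f%63"));\n'
                  'window.location = "http://redirector.third-party.example/redirecting.htm";\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"client-site.example"}):
        print(*finding, sep=" | ")
```

Each external host it reports can then be checked against the same reputation scanners used in the thread; the allowlist in `own_hosts` should include any CDN or analytics hosts the site legitimately uses.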