You said my commercial website is infected???

I’ve spent a lot of time and money trying to create a safe place my customers can spend money on the internet. I am PCI compliant!
I open a link to my commercial business website and I get a popup saying that Avast! has saved me from a Malware called: http://a20.hotstatsanalytics.info/i/zz

http://www.avast.com/en-us/lp-security-information-fp?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-default2&p_vir=“URL:Mal”&p_prc=“C:\Program%20Files\Internet%20Explorer\iexplore.exe”&p_obj=“http://a20.hotstatsanalytics.info/i/zz”&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-default2&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=295&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1426

I searched my code in its entirety. This file is NOT on my homepage. The Avast! warning has not appeared again, but if you are telling my customers that they are not safe on my site, I will go broke real fast.

Tell me why Avast! reported my site as unsafe: hxtp://www.charm-lite.com

Mark Young; CEO Charm-Lite Inc.

I have just been there - it looks like a redirect is being attempted

Some of the web gurus will be along in a bit

Meanwhile I will check out what I can

avast! is stopping the link to that page - meaning your browser tried to connect to that URL.
So, even if the particular URL is not in the main page code, something must be resolving or redirecting to that - otherwise your browser wouldn’t contact that site.

I don’t get an alert on the site’s home page.

You have cross site scripting on the home page to hotstatsanalytics.info though, and it is something in that which avast is alerting on, not your site; see image of sites accessed by your home page. Though for the life of me I can’t see it, though there are a number of obfuscated script tags on the page.

I use the RequestPolicy add-on for Firefox and that blocks cross site scripting unless I explicitly allow it, and I hadn’t allowed hotstatsanalytics.info, and that is no doubt why I didn’t get an alert.

However, I have selectively granted permission to each of the sites and finally tried to allow hotstatsanalytics.info temporarily to generate the alert, but for whatever reason RequestPolicy isn’t recognising/allowing the permission.

So currently on Firefox with RequestPolicy I can’t replicate the alert.

Hi DavidR,

I believe you are right and I too cannot get any avast alert from opening up in Google Chrome, nor by scanning with the usual url scanners.
Urlquery gives a suspicious here: http://urlquery.net/report.php?id=36807
I think some suspicion on this code here: /apps-static//js/gapi/unsupported/rt=j/ver=XCdaQq5xaQ0.US.
You opened up the site in Fx, but I think if there is malcode redirection as I should follow igor’s analysis, I think it is IE specific.
Maybe the alerts could also be IE specific. And this is funny because the site comes as Comodo secured.

polonus

Are you saying I should be able to click on a link contained on the home page and Avast! will pop up again? Not for me it doesn’t.

I use: IE 8 Version 8.0.6001.18702IC
I link offsite websites with icons represented by:
Manta Membership
BBB Membership
D&B Link
Hillcroft for order fulfillments; They are handicapped but they want to work!
Security Metrics CC Safe with PCI compliance
and in the bottom right, my COMODO EV Certificate
I use a dedicated, leased server through OLM using cPanel and I’ve had it bullet proofed. I also run Zen Cart 1.3.9.h

I need to browse with what everyone else uses.
It happened again! I waited a few hours, tried to log into my home page and boom! “hxxp://a20.hotstatsanalytics.info/i/zz” Avast! is targeting my website as harmful!

Thank you for all your help. It has been fast and effective. If you have any suggestions or a diagnostic I need to run, please let me know.

Mark

Trend Micro has this site tagged as Malicious site.

When I go to: http://global.sitesafety.trendmicro.com/result.php It says: hxtp://www.charm-lite.com “The latest tests indicate that this website contains no malicious software and shows no signs of fraud.”

Understand that I use Avast! and I want all my clients to have the confidence they need to continue to use and possibly purchase licenses for their servers and all IPs related. When you cannot explain why a commercial site is a malware vendor, it can both devastate the clients as well as their confidence in Avast!

I’m not on the internet to surf, I promote and sell a product that needs to follow necessary business practices to demonstrate integrity. If I’m attacked in any way the integrity I strive for is destroyed and so is my business. Please become a solution to your constituents like it is in your best interest.

Mark Young

I simply passed along what a VirusTotal scan revealed.

I don’t speak for Avast. I use the product same as you. :)

Actually I appreciate you helping me keep the thread alive.
I tested https://www.virustotal.com/ also and it scanned with 19 scans and came up with Detection ratio: 0/19 with 19 reporting a clean site at: wxw.charm-lite.com.

You tested: hxxp://a20.hotstatsanalytics.info/i/zz It comes up with Trend Micro as a no pass. Problem is I don’t have hxxp://a20.hotstatsanalytics.info/i/zz anywhere on my site.

I understand, you are another consumer like myself willing to help out. I only assume that Avast! reads their own reports of problems with Avast! falsely accusing websites of Malware. If I fail here then I will remove Avast! from every client computer and make a public report of my own.

Mark Young

https://www.virustotal.com/url/166127e579c7a8a82774e999081478cdc27ada1660baabd59bb1588269b92ab3/analysis/

Zulu analyser
http://zulu.zscaler.com/submission/show/4e04edf3a8c10073370233177e0937aa-1333397389

http://www.surbl.org/surbl-analysis

Sorry, but it seems you don’t understand.
avast! is not accusing your site of anything - your browser tries to connect to the infected site when you open your site, and that connection to the infected site is what’s being blocked by avast!.

So, either your site is infected, or some of the linked sites sometimes redirect to the infected site (doesn’t have to be every time, could be only sometimes, also based on GeoIP or any other conditions), or your DNS server is routing you somewhere it shouldn’t - or maybe your machine itself is compromised. In any case, something is navigating your browser to the bad site.
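
One way to check the first possibility in the reply above, that the page itself pulls in a third-party host even though a text search does not find the URL (an added example, not part of the original thread): list every host a saved copy of the page references, including hosts that only appear after percent-decoding inline scripts, and report the ones outside an allowlist. The names `ResourceAudit` and `audit`, the allowlist and every host in the sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Tag attributes that make a browser fetch a remote resource on page load.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
# Calls that assemble a tag or URL at run time, hiding it from a text search.
MARKERS = re.compile(r"\b(?:eval|unescape|atob|document\.write)\(|fromCharCode")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

class ResourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        # refs: (host, where, line); markers: (marker, line)
        self.refs, self.markers, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        url = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        host = urlparse(url).hostname if url else None
        if host:  # relative URLs have no host and stay on the site itself
            self.refs.append((host, tag, self.getpos()[0]))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            line = self.getpos()[0]
            self.markers += [(m.rstrip("("), line) for m in MARKERS.findall(data)]
            # Percent-decode first so an encoded URL still yields its host.
            self.refs += [(h.lower(), "inline-script", line)
                          for h in URL_HOST.findall(unquote(data))]

def audit(html, allowed):
    """Return (references to hosts outside `allowed`, inline-script markers)."""
    p = ResourceAudit()
    p.feed(html)
    p.close()
    known = lambda h: any(h == a or h.endswith("." + a) for a in allowed)
    return [r for r in p.refs if not known(r[0])], p.markers

# Constructed sample page; every host name in it is a placeholder.
SAMPLE = """<script src="/includes/jscript.js"></script>
<img src="https://seal.trust.example/badge.png">
<script>document.write(unescape('%3Cscript src%3D%22http%3A%2F%2Fstats%2Eexample%2Eorg%2Ft.js%22%3E%3C%2Fscript%3E'))</script>"""

if __name__ == "__main__":
    print(audit(SAMPLE, {"shop.example", "trust.example"}))
```

Since the reply notes the redirect may happen only sometimes, run the check on copies of the page saved from several requests as well as on the files on the server. It inspects static HTML only, so a host assembled by other script logic will show up as a marker rather than as a host.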