Warnings from antivirus

[RichardV]

On numerous threads I am getting Script-inf warnings from Avast. Not only in the threads below , just scattered randomly thru the forum.
Here is one of them
URLhxxp://www.e-cigarette-forum.com/forum/ask-vets-answers/621178-getting-petina-my-copper-mod.html|{gzip} InfectionHTML:Script-inf

another
URLhxxp://www.e-cigarette-forum.com/forum/ask-vets-answers/621225-anyone-here-using-smokjoy-gi2-able-keep-locked.html|{gzip} InfectionHTML:Script-inf

 

[retired1]

Do you recall which ads were showing on the page at the time? I just went through the source code for both pages and everything appears fine on both.

 

[RichardV]

No ads showing. I only see avatar pics & a CASAA sig. I wonder if something on these particular threads might be causing a false positive warning from Avast.

I am now getting a blocked infection warning on this thread. No avatar or sig showing.
http://www.e-cigarette-forum.com/fo...-here-using-smokjoy-gi2-able-keep-locked.html

Infection blocked
URL
hxxp://radioskin.com/?f_PgUx=Y0n2HZfnI4__evM9l_ce_2Lesz5rawbLaq&ygF_N=_2_6G76qU4V6Ugfm0wY5Lfaxbr3N3t&3OW=R5T

Infection
URL:Mal

 

[Norrin]

I have had it from trying to load the smilies and that has no ads, I can't load them now as I think they have been blocked and I'm too lazy to fix it.

 

[Shirtbloke]

I was having problems accessing pages yesterday which Retired1 helped me out with.
I've since come to the conclusion that it's a browser hijacker that's causing the problems for me.
I'm currently running an Avast virus scan (87% complete at the moment but painfully slow) and it's found two infections so far.
I'll report back exactly what they are when the scan finishes.

 

[retired1]

No ads showing. I only see avatar pics & a CASAA sig. I wonder if something on these particular threads might be causing a false positive warning from Avast.

I am now getting a blocked infection warning on this thread. No avatar or sig showing.
http://www.e-cigarette-forum.com/fo...-here-using-smokjoy-gi2-able-keep-locked.html

Infection blocked
URL
hxxp://radioskin.com/?f_PgUx=Y0n2HZfnI4__evM9l_ce_2Lesz5rawbLaq&ygF_N=_2_6G76qU4V6Ugfm0wY5Lfaxbr3N3t&3OW=R5T

Infection
URL:Mal

Not seeing that url anywhere on ECF.

Going to reboot into Winderz and do some checking from that side of the notebook.

 

[retired1]

I've run all three pages through my machine, no hits. Did the same with an online scanner and again, came up clean.

May want to do a deep scan on your machine to see if there's anything lurking in the background.

 

[RichardV]

In the process of doing that now.

 

[Shirtbloke]

Right, the scans finished and it sounds like we've likely got the same problem.

Avast has found two files in the Local Settings/Temporary Internet files folder.
They're flagged up as Threat:HTML:Script-inf and their severity is High.

They're interestingly named.

colin-firth-wants-kings-speech-sequel-106269[1].txt
kristen-stewart-miss-out-snow-white-sequel-103492[1].txt

I've no idea where I got these from, I usually keep away from the dodgy parts of the internet, but the filenames sound like they could have come down an ad network.


So I'm to press the delete key and hope that's the end of it.

 

[Shirtbloke]

No ads showing. I only see avatar pics & a CASAA sig. I wonder if something on these particular threads might be causing a false positive warning from Avast.

I am now getting a blocked infection warning on this thread. No avatar or sig showing.
http://www.e-cigarette-forum.com/fo...-here-using-smokjoy-gi2-able-keep-locked.html

Infection blocked
URL
hxxp://radioskin.com/?f_PgUx=Y0n2HZfnI4__evM9l_ce_2Lesz5rawbLaq&ygF_N=_2_6G76qU4V6Ugfm0wY5Lfaxbr3N3t&3OW=R5T

Infection
URL:Mal

I was getting warnings from Avast to a radioskin url too.

 

[Shirtbloke]

Just found this thread on the Avast forums.......
https://forum.avast.com/index.php?topic=99873.0
Seems it's a server side thing.

"Vulnerability there vBulletin version outdated: Upgrade required. maybe this caused HTML:Script-inf on that site,"

 

[retired1]

If that's going to be their "official response" to a false positive, I'd be searching for a new security package for my machine.

 

[Shirtbloke]

Yes it's a little bit terse isn't it?

Is it likely to be a hijack on a server side thing?

 

[retired1]

Not on our end.

 

[RichardV]

After complete scans using Avast (nothing found) & Malware Bytes ( a "PUP" found), and cookie/temporary internet file deletion I still have the same results when going to some threads here.

 

[retired1]

We've pinged the server team to double check.

 

[rolygate]

I have Avast and it doesn't report any problem.

No other members are reporting this. On the very rare occasions when we had malware on the server in the past, a flood of members reported it and the reports kept coming until the issue was fixed.

So I think this will probably turn out to be a local issue. Maybe a rootkit. Perhaps the Malwarebytes rootkit removal tool may be useful here, worth a try anyway.

 

[Shirtbloke]

I'm running malwarebytes at the moment.

I've also tried adwcleaner and hitmanpro. They found nothing.

 

[retired1]

If Malwarebytes doesn't catch anything, I've found ComboFix rarely misses what others fail to catch.

 

[Shirtbloke]

MWB found nothing. I even updated Avast and ran that again. Nothing.

I'll give Combofix a try. Thanks.