From: Andy Walker on 27 Mar 2010 01:08

siljaline wrote:
>Andy Walker wrote:
>> siljaline wrote:
>>
>>>Buffalo wrote:
>>>> Thanks once again for the heads up.
>>>
>>>You are welcome.
>>>
>>>> PS: did that 'virus' from Pricegrabber ever amount to anything?
>>>
>>>See the last thread from Dave Lipman and the Virus Total findings.
>>>
>>>I did not flag the item off the Pricegrabber site. As I had mentioned in that thread,
>>>it is quite likely that it got rotated out right away as soon as they got contact WebMaster
>>>complaints of flags from the site.
>>>
>>>Silj
>>
>> Except that Dave said that he did a wget on the index.html file, which
>> means that it was not an ad, but the index page that registered the
>> infection. I'm not convinced that it is infected, though. I've seen
>> similar detections on innocuous pages that were false positives, but
>> hopefully McAfee and Avira have looked at it more closely to determine
>> the truth. They have been very quick to fix these types of false
>> positives in the past.
>
>Right, and I posted back to Dave that:
><quote>
>Noted, the agnitum .ru .fr. .co.uk index pages were triggering AV heuristics a while ago.
></quote>
>I've seen this before and I'm sure it's not the last time we'll see this on a legit site or sites
>on differing country designators. As I mentioned to Buffalo in that thread, try as I may I
>could not reproduce the flag.
>
>Cheers,
>
>Silj

Fair enough, have a great weekend!

From: David H. Lipman on 27 Mar 2010 09:45

From: "Andy Walker" <awalker(a)nspank.invalid>

| Except that Dave said that he did a wget on the index.html file, which
| means that it was not an ad, but the index page that registered the
| infection. I'm not convinced that it is infected, though. I've seen
| similar detections on innocuous pages that were false positives, but
| hopefully McAfee and Avira have looked at it more closely to determine
| the truth. They have been very quick to fix these types of false
| positives in the past.

As of yet, no responses. However, I couldn't see any malicious code nor could a couple of systems used for examining scripts such as Wepawet.

The HTML is being flagged and it strongly appears to be a FP.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: Buffalo on 27 Mar 2010 10:53

David H. Lipman wrote:
> From: "Andy Walker" <awalker(a)nspank.invalid>
>
>> Except that Dave said that he did a wget on the index.html file,
>> which means that it was not an ad, but the index page that
>> registered the infection. I'm not convinced that it is infected,
>> though. I've seen similar detections on innocuous pages that were
>> false positives, but hopefully McAfee and Avira have looked at it
>> more closely to determine the truth. They have been very quick to
>> fix these types of false positives in the past.
>
> As of yet, no responses. However, I couldn't see any malicious code
> nor could a couple of systems used for examining scripts such as
> Wepawet.
>
> The HTML is being flagged and it strongly appears to be a FP.

Thank you for checking it out.
I noticed that when I let it go for a bit (disabled Avira for a short time thinking it was a false positive) it did install some files in my temp folder that would not delete because they were in use. I had to physically disconnect from the Internet to finally delete them.
Buffalo

From: Buffalo on 27 Mar 2010 10:59

siljaline wrote:
> Andy Walker wrote:
>> siljaline wrote:
>>
>>> Buffalo wrote:
>>>> Thanks once again for the heads up.
>>>
>>> You are welcome.
>>>
>>>> PS: did that 'virus' from Pricegrabber ever amount to anything?
>>>
>>> See the last thread from Dave Lipman and the Virus Total findings.
>>>
>>> I did not flag the item off the Pricegrabber site. As I had
>>> mentioned in that thread,
>>> it is quite likely that it got rotated out right away as soon as
>>> they got contact WebMaster complaints of flags from the site.
>>>
>>> Silj
>>
>> Except that Dave said that he did a wget on the index.html file,
>> which means that it was not an ad, but the index page that
>> registered the infection. I'm not convinced that it is infected,
>> though. I've seen similar detections on innocuous pages that were
>> false positives, but hopefully McAfee and Avira have looked at it
>> more closely to determine the truth. They have been very quick to
>> fix these types of false positives in the past.
>
> Right, and I posted back to Dave that:
> <quote>
> Noted, the agnitum .ru .fr. .co.uk index pages were triggering AV
> heuristics a while ago.
> </quote>
> I've seen this before and I'm sure it's not the last time we'll see
> this on a legit site or sites
> on differing country designators. As I mentioned to Buffalo in that
> thread, try as I may I
> could not reproduce the flag.
>
> Cheers,
>
> Silj

I just tried that pricegrabber site again and clicked on the TV box on the lower right and got it again.
Buffalo
PS: I did send that file to Avira

From: Buffalo on 27 Mar 2010 11:00

Buffalo wrote:
[snip]
>
> I just tried that pricegrabber site again and clicked on the TV box
> on the lower right and got it again.
> Buffalo
> PS: I did send that file to Avira

I meant on the lower LEFT. :(