Avast detects infection, false positive?

Wammer

Avast had detected a virus threat in Opera. I have received this warning message even after rebooting

Infection Details

URL: http://www.imageszoom.info/landing2. php
Process: C:%5CProgram Files%5COpera%5COpera.exe
Infection: HTML:Iframe-inf

I have run the url through a url checker. All the checking sites said it was OK apart from 3 which said it was a threat.

As I have a lot of tabs open in Opera, can someone tell me how to identify which tab is at fault? All the tabs are the ones I've had open for months, nothing new.

waddler_8

No, it's not a false positive. If you can't say which site is to blame, close all tabs.

waddler_8

One of the redirections took me through a known RBN IP - 94.102.50.73 - ECATEL-AS AS29073. Ecatel currently top the Top 10 Bad Hosts list, 2013 - Q1

Interestingly (or not), at the end of the redirections, I saw this:



http://www.java.com/en/download/faq/expire_date.xml

Wammer

Thanks for that. I'm not 100% sure what it means, but guess that it's not good from what I did see.

I have the latest Java installed v7U25, but have it disabled in all browsers apart from Firefox.

I use all the tabs I have open in Opera so it's difficult to close them all.

I'm probably way off the mark, but I have been looking at info on Amsterdam and see that that site is hosted in the Netherlands. Is that just a coincidence?

waddler_8

Yes, it's just coincidence.

One of the sites you have open in your tabs is serving up exploit code, which one exactly would be hard to tell.

It mitigates any threat if your OS & programs are up to date.

Wammer

Yes I keep everything up to date, eg monthly Windows Updates plus any extras, Adobe Flash, Avast. However I am using Opera v12.16 rather than the latest v15 as the new version is hideous. BTW v12.16 is the predecessor to v15 even though it doesn't sound like it.

Is it possible that one of the sites I have been using on Opera for months has become infected recently?

waddler_8

Yes, possible. It could also be external content - banner ad for example.

Wammer

Yes that's what I was thinking, that it could be a banner ad, but so many sites have them that it's impossible to pinpoint.

Wammer

I've identified the site / tab that is at fault. It was the one I was on when I first got the warning pop up.

The site has actually posted that they have been advised of a dodgy ad and that "any attempts to block it have failed". That was 2 days ago.

Thanks for your help.

forgotmyname

The problem is a site will sell a space on its page and someone buys that space and then sells it to several others.

The main site may have no idea who or what is being advertised. Dodgy people rent a slot and then try to run malicious code in the advert.

Clever and annoying at the same time.

waddler_8

Wammer wrote: »

I've identified the site / tab that is at fault.

Can you PM me the url?