HTML:Scam-P [Phish]

[Salenai 0]

Hi, I regularly scan my pc and dont visit dangerous sites, so not sure how I got this,budt avast found HTML:Scam-P [Phish], on file or website or dont know what it is called game4853.firdayfun78.live .

For scanning I use Roguekiller, Avast, malwarebytes, Malwarebytes mbar (anti rootkit) and Eset Online Scanner. I prefer Eset online scanner over normal Eset antivirus because it does superb job at detecting viruses.

But for some reason it does not detect this virus, it keeps showing up only on avast and nowhere else.

And it keeps showing up even after deleting it after scan with Avast. Sometimes it shows up and sometimes it doesnt, but only on avast.

Sooo, I have not really logged in anywhere since previous scan (not this one), except for Steam (only on program and not on browser). Do I need to change my Steam password or not? Or doest this "virus" affect only webbrowser? I use mozilla. Thanks.

This is what avast finds.

 

[Marcos 5,070]

The domain firdayfun78.live is not resolved any more. It used to be resolved to 2 IP addresses both of which were blocked by ESET, ie. clicking a phishing link leading to this domain would have been blocked by web access protection.

[itman 1,659]

You also posted this issue over at bleepingcomputer.com malware help section. If anything materializes from that analysis, post back on the finding.

[Salenai 0]

5 hours ago, Marcos said:

The domain firdayfun78.live is not resolved any more. It used to be resolved to 2 IP addresses both of which were blocked by ESET, ie. clicking a phishing link leading to this domain would have been blocked by web access protection.

Avast is antivirus I use normally but I usr also eset online scanner since I had best results with finding viruses with it.

Do you think I got infected somehow or were my logs clean? Why does avast still sometimes finds this "virus"?

Am I still infected or dealing with false positive?

Yeah, I will let you know

 

edit: What I meant to say at beginning is, Avast despite saying that it blocked threat has not really blocked it apparently since it keeps showing up during scanning. It does not always show however. Not sure what triggers this virus to show up.

 

is there any chance that this was all false positive from avasts side?

Edited October 31, 2019 by Salenai

[Salenai 0]

So, on Bleepingcomputer they helped me, but..

https://www.bleepingcomputer.com/forums/t/707078/avast-found-htmlscam-p-phish/page-2#entry4897881

Virus/file came back for some reason and I keep seeing it again.

What should I do? 

I produced new farbar logs right after virus was found. I am attaching them to this post. I did not put it in chest or delete it (which doesnt work anyway).

Can you look at these logs please? Avast doesnt show me file location or file name, just name of infection.

And Eset Online scanner doesnt even find it, nothing finds it, not roguekiller,malwarebytes,malwarebytes anti rootkit, only Avast.

FRST.txt Addition.txt

Edited November 6, 2019 by Salenai

[Marcos 5,070]

You should turn to Avast's support since you are using that AV. I can only assume that it's the link which is detected in an html file on a disk in browser's cache or somewhere, they should know better. As I wrote, the said AV probably reacts to a dead link; we do not check all links in html files but protect users when such url is actually accessed.

[itman 1,659]

1 hour ago, Marcos said:

As I wrote, the said AV probably reacts to a dead link; we do not check all links in html files but protect users when such url is actually accessed.

This was also the verdict rendered by the support person assigned to this issue at bleepingcomputer.com.

I also agree this is an issue for Avast support personnel and this thread should be closed.

[Salenai 0]

Yes, problem was that I am also unable to report this to avast since there is no file,so they cant analyse this.

Yesterday I atleast tried reporting that website, not sure what will they say back.

And what can they really do, whitelist it,or blacklist or, or not sure.

Still,point is that avast keeps reporting it despite me not visiting that website.

Cache was I suppose cleared when I reinstalled mozilla few days ago, so this should not have appeared at all. And yet it did.

[itman 1,659]

8 hours ago, Salenai said:

Yes, problem was that I am also unable to report this to avast since there is no file,so they cant analyse this.

Yesterday I atleast tried reporting that website, not sure what will they say back.

And what can they really do, whitelist it,or blacklist or, or not sure.

Still,point is that avast keeps reporting it despite me not visiting that website.

Cache was I suppose cleared when I reinstalled mozilla few days ago, so this should not have appeared at all. And yet it did.

My experience with FireFox has been that the only way to ensure its cache is always cleared is to run in permanent private mode. This will ensure the cache is always cleared at browser shutdown. I would also take a close look at whatever extensions you have installed. I suspect whatever Avast is detecting is being repopulated in the cache from one of those extensions.

Just dump Avast and install Eset and your issue will be resolved. As previously noted, Eset will only examine the link in the cache when it is actually accessed.