Full Version: Exploit ~ HTML:Agent-L
astrangemix
just found this on three different sites

Sign of "HTML:Agent-L [Expl]" has been found in "http:\\popunder.adsrevenue.net/popup.php?

two of the sites worldwide-cash & cashclicks I couldn't find it in the source code of either the sites or the sites within their ptp frames but Avast picked it up


on the 3rd site, pecomail's promo page, I did find adsrevenue.net in the source code
ccofer
QUOTE (astrangemix @ Jul 15 2008, 08:25 PM) *
just found this on three different sites

Sign of "HTML:Agent-L [Expl]" has been found in "http:\\popunder.adsrevenue.net/popup.php?

two of the sites worldwide-cash & cashclicks I couldn't find it in the source code of either the sites or the sites within their ptp frames but Avast picked it up


on the 3rd site, pecomail's promo page, I did find adsrevenue.net in the source code



I got hit with this one many times just now while doing my surfing. I had several tabs open on Firefox, so it was hard to tell which page it was coming from; luckily Avast did catch it. But it got so bad with the warnings that I finally had to stop surfing.
astrangemix
just had a member report they ran across it on PayingCash.net's ptp. I checked and it is showing in the source code of payingcash's ptp page
astrangemix
easy-ptr.com ptp page has it as well
ccofer
QUOTE (astrangemix @ Jul 15 2008, 08:25 PM) *
just found this on three different sites

Sign of "HTML:Agent-L [Expl]" has been found in "http:\\popunder.adsrevenue.net/popup.php?

two of the sites worldwide-cash & cashclicks I couldn't find it in the source code of either the sites or the sites within their ptp frames but Avast picked it up


on the 3rd site, pecomail's promo page, I did find adsrevenue.net in the source code



Yes, I was surfing on beachpartysurf just now and received the virus alert, worldwide-cash was the page on the screen at the time.
strolly
This was reported to PO's back in April this year, the majority have not added it back but why the others have decided to add it back is a bit annoying for avast users.
If avast users right click the little blue ball down the corner - avast log viewer - warning and scroll down it lists the last viruses stopped. It should show usernames in there by the page that was stopped.
I have the usernames in mine for
valeptr
berrevoets
priestes
sylvega

The rest show as axilluk in mine.

I do not believe that this is a false positive and here is a thread showing what this thing does to people's PC's
http://forum.bitdefender.com/lofiversion/index.php/t890.html

It is also listed as bad sites here along with axill
http://www.bluetack.co.uk/forums/lofiversi.../t2493-400.html

ccofer
QUOTE (astrangemix @ Jul 16 2008, 05:45 AM) *
just had a member report they ran across it on PayingCash.net's ptp. I checked and it is showing in the source code of payingcash's ptp page



I have only surfed one site at a time for most of today so I could be sure what site the virus alert was triggered by. The site I got the alert from the most often was payingcash and also a couple of times from valeptr.
strolly
I have just gone through and checked again this morning and clicked 20 worldwide-cash urls and was alerted twice to this. I believe this may be coming from an axill banner rotating but with avast aborting the connection it is hard to tell. The only other option I have is to turn off my anti virus and look that way.
It is still on valeptr and the PO is looking into it, it is still on precious poms and polarbear clicks but maybe the PO has not received the abuse report I sent yesterday.
I found these on paid to read site as I don't have any of these on my traffic exchange
It is on clickand win and showing referral id as gno64 even though he does not own the site anymore
It is on payingcash, pecomail and easyptr.
ccofer
I've found this on a couple of world-widecash and on every payingcash ptp page I clicked yesterday. I have notified the WM of the sites I was clicking on at the time. We will see what they do. I just joined payingcash, but if it turns out that he keeps sending out pages with virus then I may have to rethink if I really want to be a member.
strolly
It is not alerting on polarbearclicks or preciouspoms today
Priestes
QUOTE
This was reported to PO's back in April this year, the majority have not added it back but why the others have decided to add it back is a bit annoying for avast users.
If avast users right click the little blue ball down the corner - avast log viewer - warning and scroll down it lists the last viruses stopped. It should show usernames in there by the page that was stopped.
I have the usernames in mine for
valeptr
berrevoets
priestes
sylvega

The rest show as axilluk in mine.

I do not believe that this is a false positive and here is a thread showing what this thing does to people's PC's
http://forum.bitdefender.com/lofiversion/index.php/t890.html

It is also listed as bad sites here along with axill
http://www.bluetack.co.uk/forums/lofiversi.../t2493-400.html


Is there some reason you didn't bother to contact me in regards to an issue or send in an abuse report? Also I do not use that username anywhere anymore so not sure where you got that username as it is only here it is used. Unless there is a page in the rotator creating the problem there is no popups or other on the page so not sure where the problem is coming from since no one else has said a word about a problem but one member about a site in the rotator doing autosearches which was taken care of.
RBNLOVESPOH
Priestes is back.

I am the member who reported it to Priestes about the site doing autosearches. I use the full version of Kaspersky Internet Security (paid version) and have not run across this on any of the above mentioned sites. I always do a scan after clicking sites to see and they have all come up clean as a whistle.
strolly
QUOTE (Priestes @ Jul 18 2008, 04:09 PM) *
Is there some reason you didn't bother to contact me in regards to an issue or send in an abuse report? Also I do not use that username anywhere anymore so not sure where you got that username as it is only here it is used. Unless there is a page in the rotator creating the problem there is no popups or other on the page so not sure where the problem is coming from since no one else has said a word about a problem but one member about a site in the rotator doing autosearches which was taken care of.

I can't send in an abuse report because avast aborts the connection. What was it you said over WIW or in one of your admin messages cannot remember which - it is not your job to babysit these PO's and send abuse reports to them to clean up the crap.
All the sites that I have on my traffic exchange I have sent abuse reports to, that is my priority, the ones that I either do not allow or have removed my site from their approved list are not my priority. I report them when I have time if I can get the page not to be aborted by avast. I am interested in keeping my traffic exchange clean for my members.
If you read this post here astrangemix also says that it was on pecomail promo page in the source code
http://getpaidforum.com/forums/index.php?s...t&p=4979789
if you are accusing me of lying then maybe you should ask her for more information or as to the reason why she did not report it to you.

Here is a screenshot of my avast warning log
http://img.photobucket.com/albums/v512/fix...ruswarnings.jpg
sieger
2008-07-15 18:43:32 SYSTEM 1400 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.adsrevenue.nxt/popup.php?1216140210313&id=chris34&pop=enter&t=5&subid=63364&blk=1&fc=-1\unp125790098" file.
2008-07-15 20:00:16 SYSTEM 1400 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.adsrevenue.nxt/popup.php?1216144815416&id=chris34&pop=enter&t=5&subid=63364&blk=1&fc=-1\unp76015896" file.
2008-07-16 10:13:49 SYSTEM 1428 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.adsrevenue.nxt/popup.php?1216196027992&id=chris34&pop=enter&t=5&subid=63364&blk=1&fc=-1\unp177087268" file.
2008-07-16 11:35:45 SYSTEM 1428 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.adsrevenue.nxt/popup.php?1216200944175&id=chris34&pop=enter&t=5&subid=63364&blk=1&fc=-1\unp47253398" file.
2008-07-16 12:49:40 SYSTEM 1428 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.adsrevenue.nxt/popup.php?1216205378962&id=chris34&pop=enter&t=5&subid=63364&blk=1&fc=-1\unp118062760" file.
exploit coming from site www.paypopup.com

Edited to make links un-clickable
astrangemix
QUOTE (Priestes @ Jul 18 2008, 10:09 AM) *
...... I do not use that username anywhere anymore so not sure where you got that username as it is only here it is used. Unless there is a page in the rotator creating the problem there is no popups or other on the page so not sure where the problem is coming from since no one else has said a word about a problem but one member about a site in the rotator doing autosearches which was taken care of.


the code was definitely there.

<script language="JavaScript1.1">
if (typeof(paypopupScriptStart) == 'undefined') {var paypopupScriptStart = false;}
if (!paypopupScriptStart) {
document.write('<scr'+'ipt src="http:\\popunder.adsrevenue.net/popup.php?'+(new Date()).getTime()+'&id=priestes&pop=enter&t=5&subid=31880&blk=1&fc=0"></scr'+'ipt>');
paypopupScriptStart = true;
}
</script>

and my avast log also showed the id;

7/15/2008 20:08:25 SYSTEM 1212 Sign of "HTML:Agent-L [Expl]" has been found in "http:\\popunder.adsrevenue.net/popup.php?1216170504439&id=priestes&pop=enter&t=5&subid=31880&blk=1&fc=0\unp259475509" file.

ETA: I think, at least with this instance of HTML:Agent-L, it is a false positive. I clicked about 40 ptp ads, focusing mainly on worldwide & payingcash since it was always there, with my anti-virus turned off and I caught nothing.
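
Added example (not part of any post in this thread): a small Python parser for Avast warning-log lines in the two layouts posted above, grouping alerts by the `id` and `subid` in the flagged URL so each alert can be tied to the publisher account whose page loaded the script. The host `popunder.ads.example`, the ids `member-a`/`member-b` and the subids are constructed sample values, and treating the trailing `\unpNNN` as a scanner-added marker is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample lines in the two layouts posted in this thread
# (ISO date with hxxp:// defanging, and US date with the "http:\\" form).
SAMPLE_LOG = r'''
2008-07-15 18:43:32 SYSTEM 1400 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.ads.example/popup.php?1216140210313&id=member-a&pop=enter&t=5&subid=11111&blk=1&fc=-1\unp125790098" file.
7/15/2008 20:08:25 SYSTEM 1212 Sign of "HTML:Agent-L [Expl]" has been found in "http:\\popunder.ads.example/popup.php?1216170504439&id=member-b&pop=enter&t=5&subid=22222&blk=1&fc=0\unp259475509" file.
2008-07-16 10:13:49 SYSTEM 1428 Sign of "HTML:Agent-L [Expl]" has been found in "hxxp://popunder.ads.example/popup.php?1216196027992&id=member-a&pop=enter&t=5&subid=11111&blk=1&fc=-1\unp177087268" file.
2008-07-16 10:14:02 SYSTEM 1428 Some unrelated warning line.
'''

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ \d+ Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<url>[^"]+)" file\.$')
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M:%S")

def parse_ts(text):
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = re.sub(r'\\unp\d+$', '', m['url'])  # assumed scanner-added, not part of the request
    scheme_host, _, query = url.partition('?')
    host = re.sub(r'^h(tt|xx)p:(//|\\\\)', '', scheme_host).split('/')[0]
    params = parse_qs(query)  # the leading bare timestamp has no '=' and is dropped
    return {"time": parse_ts(m['ts']), "signature": m['sig'], "host": host,
            "id": params.get("id", ["?"])[0], "subid": params.get("subid", ["?"])[0]}

def alerts_by_id(log_text):
    grouped = defaultdict(list)  # (host, id, subid) -> list of alert times
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            grouped[(hit["host"], hit["id"], hit["subid"])].append(hit["time"])
    return dict(grouped)

if __name__ == "__main__":
    for key, times in alerts_by_id(SAMPLE_LOG).items():
        print(key, len(times), "alerts, first", min(times))
```

Running it over an exported warning log gives one row per publisher id with the alert count and first-seen time, which is the detail an abuse report to a site owner needs.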
1off4
I don't click on worldwide & payingcash these days, because avast always has caught bad things from the 2 sites.

I suggest: Stay away from them until they are clean again.