Author Topic: JS:Illredir-B[Trj]  (Read 5220 times)


kk6t

  • Guest
JS:Illredir-B[Trj]
« on: June 09, 2010, 05:17:06 AM »
Avast 5.0 is telling me that hxxp:runsurfcity.com is infected with this trojan horse. Using the recommendation of another thread here I checked unmaskedparasites.com and it shows the site as clean.  Google's Safe Browsing diagnostics also shows no problems.

Any ideas?

Terry

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: JS:Illredir-B[Trj]
« Reply #1 on: June 09, 2010, 06:05:28 AM »
It looks like a number of the javascript files (see example images)  have been hacked as they are pointing at a suspect site limitgap.ru, which doesn't have a good rep, see http://www.runsurfcity.com/v/vspfiles/templates/RunSurfCity/Menu_Popout_Data.js. So it looks like the .js files on the site may well have been hacked.

There is an obfuscated var script that creates a script tag for that redirection.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kk6t

  • Guest
Re: JS:Illredir-B[Trj]
« Reply #2 on: June 09, 2010, 06:29:46 PM »
I'm confused  ???  If I view those two Javascript files, "limitgap.ru" doesn't show up in them?

Offline DavidR

Re: JS:Illredir-B[Trj]
« Reply #3 on: June 09, 2010, 06:47:32 PM »
They won't show the location in clear text, as the last line of the files, starting with the var, is obfuscated. The only way I can show it in those images I posted is by having it de-obfuscated using an online tool.
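Added example, not part of the original thread or any poster's code: a static check showing why a plain-text search for the domain finds nothing in such a file while decoding the string literals of the trailing `var` line exposes the script tag. The function names, the sample file and the `example.invalid` host are constructed, and the escape encodings handled are an assumption, since the thread does not say which obfuscation was used.

```javascript
// Added example. The escape encodings handled here are an assumption; the thread
// does not say which obfuscation the injected line used.

// Decode \xNN, \uNNNN and %NN sequences as data. Nothing is ever eval'd.
function decodeLiteral(s) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, hex)
    .replace(/\\u([0-9a-fA-F]{4})/g, hex)
    .replace(/%([0-9a-fA-F]{2})/g, hex);
}

// Report `var` lines whose string literals decode to a <script> tag or a host
// name that is not visible in the raw line (so a plain-text search misses it).
function scanScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    if (!/^\s*var\s/.test(line)) return;
    const literals = line.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g) || [];
    // Join the pieces first: "a" + "b" splitting is a common way to defeat grep.
    const decoded = decodeLiteral(literals.map((l) => l.slice(1, -1)).join(''));
    const raw = line.toLowerCase();
    const hosts = [...decoded.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)]
      .map((m) => m[1].toLowerCase())
      .filter((h) => !raw.includes(h));
    const scriptTag = /<script\b/i.test(decoded) && !/<script\b/i.test(line);
    if (scriptTag || hosts.length) findings.push({ line: i + 1, hosts, scriptTag });
  });
  return findings;
}

// Constructed sample: a menu script with one appended line. The tag is encoded
// here at run time; example.invalid is a placeholder, not the domain in the thread.
const hiddenTag = '<script src="http://redirect.example.invalid/x.js"></script>';
const encoded = Array.from(hiddenTag, (c) =>
  '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE = [
  'function openMenu(id) { return document.getElementById(id); }',
  'var menuDelay = 300;',
  'var siteUrl = "http://shop.example.invalid/";',
  'var a1 = "' + encoded.slice(0, 60) + '" + "' + encoded.slice(60) + '";',
].join('\n');

console.log(scanScript(SAMPLE));
```

Only line 4 of the sample is reported; the ordinary `siteUrl` line is ignored because its host is already visible in clear text.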

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: JS:Illredir-B[Trj]
« Reply #4 on: June 09, 2010, 08:46:07 PM »
Hi kk6t,
    

Hi DavidR, it is a good custom to make links non-clickable, like hxtp or wXw...
Good detection, because it is not generally detected, as Unmasked Parasites and Norton Safe Web give the site as clean,
and also here at http://www.urlvoid.com/

I get a failure here: htxp://jsunpack.jeek.org/dec/go?report=d5e185768c75a4daed5b439fa7848b6d838b93a2
Here we can see what happened: Check took 13.25 seconds
But this is what I get there, see attached picture..

(Level: 0) Url checked:
htxp://www.runsurfcity.com/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.runsurfcity.com//a/j/milonic/milonic_src.js
Zeroiframes detected on this site: 0
No ad codes identified  See picture added

(Level: 1) Url checked: (script source)
hxtp://www.runsurfcity.com//v/vspfiles/templates/runsurfcity/menu_popout_styles.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.runsurfcity.com//v/vspfiles/templates/runsurfcity/menu_popout_data.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.runsurfcity.com//a/j/javascripts.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.runsurfcity.com//v/unified.js.asp
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
htxp://www.runsurfcity.com//v///:
Blank page / could not connect
No ad codes identified
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.

(Level: 1) Url checked: (script source)
htxp://www.runsurfcity.com//v/vspfiles/assets/flash/flashgallery/ac_runactivecontent.js
Zeroiframes detected on this site: 0
No ad codes identified - limitgap*ru is detected and blocked: http://malc0de.com/images/8080_domains.txt

polonus
« Last Edit: June 09, 2010, 09:32:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kk6t

  • Guest
Re: JS:Illredir-B[Trj]
« Reply #5 on: June 10, 2010, 12:21:48 AM »
Thanks guys!   ;)  You've really shown me some useful tools.  I've emailed the site to let them know about the problem.

Thanks again for all your help!

Terry

Offline DavidR

Re: JS:Illredir-B[Trj]
« Reply #6 on: June 10, 2010, 02:05:01 AM »
No problem, glad I could help.

A belated welcome to the forums.

pierre fredette

  • Guest
How do i restart avast?
« Reply #7 on: June 10, 2010, 02:08:08 AM »
My program is de-activated and I want to know how to reactivate it. It says I am not protected... Thank you

Offline DavidR

Re: JS:Illredir-B[Trj]
« Reply #8 on: June 10, 2010, 02:13:05 AM »
Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help. 
- Go to this link, http://forum.avast.com/index.php, scroll down to the avast! Free/Pro/Suite forum and click it, click the New Topic button at the top of the list and post there.