Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Hugger1 on February 18, 2009, 01:18:54 AM
-
For about the last week whenever I visit one particular site the first time I get one or two popups saying that Trojan horses have been found. It suggests I move them to the chest. But when I go to the chest the files aren't there. What's happening? Are these false positives? What should I do?
-
Based on the lack of information, I haven't the slightest idea.
What is the URL ?
Modify the link so it isn't active by changing the http to hXXp.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
What is your OS and browser ?
-
The only URL that the problem appears at is http://www.aprilwine.ca/smf/index.php
I don't understand "Modify the link so it isn't active by changing the http to hXXp."
Here is the log viewer for the last few days:
28/01/2009 6:52:27 PM SYSTEM 1756 Sign of "JS:FakeAV-F [trj]" has been found in "http://scan1.bestantispywareonlinescan.com/promo/1/freescan.php?nu=880685" file.
07/02/2009 10:38:09 AM SYSTEM 1720 Sign of "JS:FakeAV-D [trj]" has been found in "http://antimalwareliveproscanner.com/promo/6/en/freescan.php?id=880685" file.
10/02/2009 9:13:25 PM SYSTEM 1780 Sign of "JS:FakeAV-D [trj]" has been found in "http://premiumantiviruscheck.com/promo/6/en/freescan.php?id=77068506" file.
13/02/2009 6:39:05 PM SYSTEM 1760 Sign of "JS:FakeAV-G [trj]" has been found in "http://antimalwaresuperscanner.com/promo/1/img/flist.js" file.
13/02/2009 6:39:09 PM SYSTEM 1760 Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\WJ9ZEYZG\flist[1].js" file.
16/02/2009 1:26:36 PM SYSTEM 1740 Sign of "JS:FakeAV-G [trj]" has been found in "http://onlineantivirusproscan.com/promo/1/img/flist.js" file.
16/02/2009 1:26:43 PM SYSTEM 1740 Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\3Z7MMFK6\flist[1].js" file.
17/02/2009 6:37:16 PM SYSTEM 1724 Sign of "JS:FakeAV-G [trj]" has been found in "http://onlineantimalwarescan.com/promo/1/img/flist.js" file.
17/02/2009 6:37:20 PM SYSTEM 1724 Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\1YQ8XLUH\flist[1].js" file.
OS is Windows XP Pro SP3, browser is IE7.0.5730.13
I've run my anti virus, AdAware, Advanced System Care, Crap Cleaner, Super AntiSpyware and Spyware Blaster and nothing is found.
-
Seems that the files weren't saved on your computer and, if any was, it was a temporary one, deleted.
Maybe run a full scan now and be sure you're clean.
-
@ Hugger1
The why is that it avoids accidental exposure by the curious or careless: that link, when clicked, will send you to the suspect site; changing the http at the start of the URL to hXXp turns it into a simple text string that isn't clickable. For those that can investigate it with a degree of safety, they can see what the URL is meant to be and copy and paste, etc.
Only the majority of the detections were blocked before they got on your system but the .js (javascript) files ended up in your browser temporary internet files. It is possible that these were also removed by avast, but to be sure you should clear the temporary internet files from the settings in IE7.
I have checked the hXXp://www.aprilwine.ca/smf/index.php link (aprilwine's message board/forum) and get no alert by avast and having checked the page source code I don't see anything obvious that might trigger an alert. It is entirely possible that they became aware of the problem and cleaned up the site.
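The hXXp convention explained in this thread, applied to Warning-log lines in the format quoted earlier, as an added example that is not part of the original posts. The sample log lines, the `.example` hostnames and the function names are constructed for illustration.

```python
import re

# Warning-log entry shape quoted in the thread:
#   <date> <time> SYSTEM <id> Sign of "<detection>" has been found in "<location>" file.
ENTRY_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<loc>[^"]+)" file\.')
HTTP_RE = re.compile(r'^http(s?)(?=://)', re.IGNORECASE)
HXXP_RE = re.compile(r'^hxxp(s?)(?=://)', re.IGNORECASE)

def defang(url):
    """http:// -> hXXp:// so forum software will not turn it into a clickable link."""
    return HTTP_RE.sub(r'hXXp\1', url)

def refang(text):
    """Reverse of defang(), for an analyst who pastes the URL into an isolated tool."""
    return HXXP_RE.sub(r'http\1', text)

def parse_log(lines):
    """Return one dict per detection; URL locations get a defanged, postable form."""
    entries = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:
            continue  # not a detection entry
        loc = m.group("loc")
        is_url = bool(HTTP_RE.match(loc))
        entries.append({
            "signature": m.group("sig"),
            "kind": "url" if is_url else "file",  # "file" = local path, e.g. browser cache
            "shareable": defang(loc) if is_url else loc,
        })
    return entries

# Constructed sample lines in the same format; hostnames and paths are placeholders.
SAMPLE_LOG = r'''
13/02/2009 6:39:05 PM SYSTEM 1760 Sign of "JS:FakeAV-G [trj]" has been found in "http://scanner.example/promo/1/img/flist.js" file.
13/02/2009 6:39:09 PM SYSTEM 1760 Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\flist[1].js" file.
16/02/2009 1:26:36 PM SYSTEM 1740 Sign of "JS:FakeAV-D [trj]" has been found in "https://check.example/promo/6/en/freescan.php?id=1" file.
'''

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG.splitlines()):
        print(f'{e["signature"]:<20} {e["kind"]:<5} {e["shareable"]}')
```

Entries of kind `file` are the cached copies under Temporary Internet Files; they are local paths, so they are passed through unchanged.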
-
I did a full scan last night and it came back clean.
-
Ok, I understand now about why. But what link should I change and when?
I clear the temporary internet files from the settings in IE7 every time I shut down the PC.
I sent the site administrator an e-mail last night about this. I noticed the site was down this morning. I guess we'll see what is what when I try to go on the site this evening. Will post back if I have any further situations.
-
The when is any time you post a URL which might contain malware.
The what: any links to suspect sites, which is effectively all those in your second post.
e.g.
"hXXp://scan1.bestantispywareonlinescan.com/promo/1/freescan.php?nu=880685"
"hXXp://antimalwaresuperscanner.com/promo/1/img/flist.js"