Avast WEBforum

Other => Viruses and worms => Topic started by: nilsA on March 23, 2009, 01:11:36 PM

Title: JS:Cruzer-B [Trj] in homepage?
Post by: nilsA on March 23, 2009, 01:11:36 PM
On my personal home page (www.nilsandreas.info) I get a warning for "JS:Cruzer-B [trj]" from Avast, and then I cannot access my home page. I don't exactly know when this started - one or three months ago, possibly?

I have made no changes to my home page in that period of time, so I don't understand what this is?

From the log I have copied this:

01.06.2008 21:30:29 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
01.06.2008 21:30:32 SYSTEM 1812 An error has occured while attempting to update. Please check the logs. 
05.06.2008 13:12:22 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
05.06.2008 13:12:25 SYSTEM 1812 An error has occured while attempting to update. Please check the logs. 
03.09.2008 14:43:41 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001. 
13.09.2008 10:16:11 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001. 
29.11.2008 10:57:29 SYSTEM 1848 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
01.12.2008 12:17:29 ˜ 1844 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142. 
29.01.2009 00:21:54 SYSTEM 1840 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142. 
27.02.2009 18:22:49 SYSTEM 1848 Sign of "JS:Cruzer-B [Trj]" has been found in "http://www.nilsandreas.info/" file. 

Anyone able to tell me what to do?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: jsejtko on March 23, 2009, 01:25:46 PM
Hello,

Your website was hacked! There is an injected piece of JavaScript at the end of the HTML code - after the closing </html> tag and many tabs. You will find it by searching for the string ".charAt(" without quotes.

Please check for possibly vulnerable software on your server, change your password (to a stronger one) and check your own code for possible bugs.

Here is VT report: http://www.virustotal.com/cs/analisis/4700e0a3444feab9f370aa5a997069dd
Title: Re: JS:Cruzer-C [Trj] in homepage?
Post by: erivera on May 24, 2009, 01:35:02 AM
I had the same alert, but JS:Cruzer-C [trj] instead of JS:Cruzer-B [trj], on one of my pages (yv5huj.org (http://yv5huj.org)).
I saw some strange code after the closing </html> as you said, so I just replaced the public index.html file with the original one from my backup files and now everything is OK.

Thanks a lot for your support.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: ivanhugo on May 24, 2009, 02:09:41 AM
I do not know if it is, but ...
In line with my thoughts, as the BitDefender antivirus says, it is a Trojan.Downloader; avast also says the file is called http://www.nilsandreas.info/, not index.html, so the server may have a virus.
In BitDefender it is a Trojan.Downloader!
But in avast! I saw what was written: JS, and JS might be a script.
So this site puts out a file that is a Trojan.Downloader.
I am from Portugal and had to use Google Translate, so my text may not be very good.  :P
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: polonus on May 24, 2009, 03:24:57 PM
Hi nilsA,

Make your links in the forum posting non-clickable for the curious of nature, like htxp:// or wXw.
Check: No zeroiframes detected!
Check took 0.41 seconds

(Level: 0) Url checked:
htxp://www.nilsandreas.info/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (frame source)
htxp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/sscr.html
Blank page / could not connect
No ad codes identified

The Trojan uses obfuscated JavaScript to download other malware onto the user's computer.
It is part of a "drive-by exploit chain" which uses known security flaws to infect computers which are not updated.

polonus
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 24, 2009, 10:28:35 PM
Here is VT report: http://www.virustotal.com/cs/analisis/4700e0a3444feab9f370aa5a997069dd
Let's recognize - again - that avast is a step ahead in the detection of this kind of infection. GData uses the avast engine and virus databases.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: ivanhugo on May 25, 2009, 08:58:43 PM
If you use BitDefender and save the page, we see that the virus is not on the page; it is in the transmission of the page (I guess), so the server may have a virus.
I cannot find anything of the virus in the source code.
Here is the source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--This file created 23:15  06.02.2006 by Claris Home Page version 2.0--><HTML><HEAD><TITLE>Sscr_fra_ImageReady</TITLE>
<META content="MSHTML 6.00.6000.16825" name=GENERATOR><X-SAS-WINDOW RIGHT="764"
LEFT="14" BOTTOM="601" TOP="46">
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
<BODY bgColor=#82241c>
<P><!-- ImageReady Slices (Sscr_fra_ImageReady.psd) --><MAP
name=Sscr_fra_ImageReady_Map><AREA shape=RECT alt=Tsongkhapa
  coords=511,109,608,289
  href="http://www.nilsandreas.info/Buddhisme/Tsongkhapa.htm"><AREA shape=CIRCLE
  alt=erstad@nilsandreas.info coords=571,446,31
  href="mailto:erstad@nilsandreas.info"><AREA shape=RECT alt=""
  coords=18,423,127,443 href="http://www.nilsandreas.info/teknisk"><AREA
  shape=RECT alt="Pictures from movies where I was an extra"
  coords=511,321,608,407
  href="http://www.nilsandreas.info/statist/index.htm"><AREA shape=RECT
  alt="Sikkim - New Delhi - Goa" coords=378,317,489,402
  href="http://www.nilsandreas.info/gammel/index2.html"><AREA shape=RECT
  alt="Some of my cameras" coords=252,316,366,401
  href="http://www.nilsandreas.info/kamera"><AREA shape=RECT alt="Where I live"
  coords=138,315,237,406 href="http://www.nilsandreas.info/drammen"><AREA
  shape=RECT alt="My cars" coords=21,311,116,402
  href="http://www.nilsandreas.info/bil"><AREA shape=RECT
  alt="Buddhist texts and links" coords=400,167,536,195
  href="http://www.nilsandreas.info/Buddhisme/THE_STORY.doc"><AREA shape=RECT
  alt="Sceptical links and texts" coords=247,109,347,137
  href="http://www.nilsandreas.info/skepsis"><AREA shape=RECT target=NEW
  alt="Some texts and photos - noen tekster og bilder" coords=22,19,587,67
  href="http://www.nilsandreas.info/hjemmeside/homepage.htm"></MAP><IMG height=480
src="http://www.nilsandreas.info/Sscr.gif" width=640 align=bottom
useMap=#Sscr_fra_ImageReady_Map
border=0><!-- End ImageReady Slices --></P></BODY></HTML>
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: jsejtko on May 25, 2009, 10:30:16 PM
Guys, the initial post is more than 2 months old - nils' webpage is clean now.
I think erivera has been hit with a new variant of JS:Cruzer that is spreading widely right now.


Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: ivanhugo on May 25, 2009, 10:40:29 PM
It's not clean!
It contains Trojan.Downloader.JS.SMALL (BitDefender found it!)
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: polonus on May 25, 2009, 10:50:31 PM
Hi ivanhugo,

This could be suspicious: (Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified

polonus

Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: jsejtko on May 25, 2009, 10:57:26 PM
Ouch, sorry for that. I didn't look there, I just thought that two months after it would be cleaned :( my mistake

Avast still detects JS:Cruzer-B and I have to go to sleep to get more power for tomorrow's fight with malware :)

Again, sorry for my mistake.

Regards
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: SekhemAkassha on May 30, 2009, 03:18:31 PM
I have the same problem on my own site  :-[ It is a JS:Cruzer-C.
My computer has been scanned with Avast and Spybot Search & Destroy, and it is clean.
This weekend the host will move the site (with the others) to another server.

I followed the instructions over here, but I can't find the trojan horse.

This is the link to my site (be careful) www.oude egypte.nl 

What can I do!
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 03:31:00 PM
This is the link to my site (be careful) www . oudeegypte . nl
Do NOT leave the link live. Break it.

Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 03:35:19 PM
I did not find anything obvious in the code.
I could open the site in Firefox with NoScript. Maybe some script is infected? ???
Are you running the latest avast version?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 03:39:29 PM
If you scroll down a few empty pages, you'll see the encrypted script.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: !Donovan on May 30, 2009, 03:42:56 PM
I clicked all the forum categories in Internet Explorer 7 and didn't get any warning. What exact place are you talking about? (Starts clicking more links)
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: !Donovan on May 30, 2009, 03:46:35 PM
Scratch that, I found a problem. When you exit the "Lezingen in Nederland en België" area, it alerts that the site has malware and has to be aborted.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: SekhemAkassha on May 30, 2009, 03:54:59 PM
@Tech:
Yes, I have the latest version of Avast.

I don't know if the site is hacked.

Last weekend (May 23) there was a power cut in the datacentre and on Sunday (May 24) the server (where my site is hosted) crashed and totally died. The hoster has put all the sites on another server, but the files for the FTP, the emails and DirectAdmin were corrupt and the hoster made all new ones for us.
This weekend the hoster will move all the sites to a new server.

I have mailed the hoster about this.

Thank you for help.

@Igor:
empty pages ?? Which empty pages?? I don't understand this. Sorry  :-[

@Donovansrb10:
It's everywhere on the forums, not only where you found it. It is also there when I post a reply there. :(
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 04:02:16 PM
I downloaded the mentioned webpage. It looks "clean" (I mean the source code) - but if you notice that there are a lot of empty lines there and scroll to the real end, there's an appended malicious script there.
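A small scanner for the symptom jsejtko and igor describe (a long run of tabs or blank lines after the closing </html> tag, followed by appended JavaScript that uses ".charAt("). This is an added example written for this thread, not code from the forum, from avast, or from any of the posters; the marker list, the file names and the two sample pages are constructed for the demo, and the "infected" sample contains only a harmless stand-in script so the check can be exercised offline.

```python
"""Scan HTML files for script appended after the closing </html> tag.

Added example, not code from the forum thread or from avast. It checks for
the two symptoms described in the thread: a long run of whitespace after
</html> and JavaScript (typically using ".charAt(") appended after it.
File names and the sample pages below are constructed for the demo.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

# Strings that legitimate trailing content rarely contains (assumed list).
SUSPICIOUS_MARKERS = (".charAt(", "<script", "eval(", "unescape(", "fromCharCode(")


@dataclass
class Finding:
    trailing_bytes: int              # length of everything after </html>
    whitespace_run: int              # whitespace directly after </html>
    markers: Tuple[str, ...]         # suspicious markers present in the tail


def inspect_html(html: str) -> Optional[Finding]:
    """Return a Finding if anything other than whitespace follows </html>."""
    # Match case-insensitively: the Claris page in the thread uses </HTML>.
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return None  # no closing tag; nothing to compare against
    tail = html[idx + len("</html>"):]
    content = tail.lstrip()
    if not content:
        return None  # only trailing newlines/tabs: normal
    lowered = content.lower()
    markers = tuple(m for m in SUSPICIOUS_MARKERS if m.lower() in lowered)
    return Finding(len(tail), len(tail) - len(content), markers)


def scan_directory(root: Path) -> Dict[str, Finding]:
    """Inspect every .html/.htm file under root; return findings by relative path."""
    findings: Dict[str, Finding] = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in (".html", ".htm"):
            continue
        finding = inspect_html(path.read_text(encoding="latin-1"))
        if finding is not None:
            findings[str(path.relative_to(root))] = finding
    return findings


# Constructed sample pages. The "infected" one mimics the thread's description:
# the closing tag, then many tabs and blank lines, then a harmless stand-in
# script that merely calls charAt (no real payload).
CLEAN_PAGE = "<html><body><p>Hello</p></body></html>\n"
INJECTED_PAGE = (
    "<HTML><BODY><p>Hello</p></BODY></HTML>"
    + "\t" * 50 + "\n" * 20
    + '<script>var s="abc";document.title=s.charAt(0);</script>'
)


def demo() -> Dict[str, Finding]:
    """Write the samples to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "about.html").write_text(CLEAN_PAGE, encoding="latin-1")
        (root / "index.html").write_text(INJECTED_PAGE, encoding="latin-1")
        return scan_directory(root)


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name}: {f.trailing_bytes} bytes after </html>, "
              f"{f.whitespace_run} whitespace chars, markers={f.markers}")
```

Run it against a copy of the site's document root rather than the live server; a file that reports a large whitespace run followed by a script marker is the one to diff against a known-good backup, which is exactly how erivera resolved the same infection above.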
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 04:04:39 PM
If you scroll down a few empty pages, you'll see the encrypted script.

???
I can't see them with http://www.selfseo.com/html_source_view.php after
</body>
</html>
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 04:08:05 PM
I can... when I scroll 15 pages "down".
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 04:08:45 PM
I can... when I scroll 15 pages "down".
How do you do that?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 04:09:33 PM
Click into the control and press PageDown 15 times? ;)
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 04:39:22 PM
Click into the control
Control ???
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 04:40:54 PM
The box where selfseo shows you the page source.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: SekhemAkassha on May 30, 2009, 05:04:56 PM
I have tried the "15 pages down" like you said (in the box where selfseo shows the page source) but I can't see that script.  :-[
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 05:14:31 PM
The box where selfseo shows you the page source.

Tested, from the beginning, 15 pages after that... I see nothing... can you post a screenshot?
Tried going to the end, click page down 15 times... of course, the cursor stays there where it is in the 'bottom' of the page code.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: SekhemAkassha on May 30, 2009, 05:19:45 PM
I have looked in my DirectAdmin, and the index.php is clean.
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: igor on May 30, 2009, 05:24:01 PM
Erm, I guess there's a confusion here - I was referring to the original post URL (nilsandreas), not to the follow-up.
You see, it's better to create a new thread for a new problem.

Anyway, I don't get any detection on the other one (oudeegypte)... somebody else does?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: Lisandro on May 30, 2009, 05:34:29 PM
Erm, I guess there's a confusion here - I was referring to the original post URL (nilsandreas), not to the follow-up.
You see, it's better to create a new thread for a new problem.
I see... it's easy, it's there.

Anyway, I don't get any detection on the other one (oudeegypte)... somebody else does?
No, I don't get anything... it's a forum, seems ok for avast... aren't the links at the bottom?
Title: Re: JS:Cruzer-B [Trj] in homepage?
Post by: SekhemAkassha on May 30, 2009, 06:19:27 PM
I'm sorry, I will make my own topic about this problem.
The reason I posted in this topic is because it is a similar problem.