Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ColdWinterWind on November 21, 2011, 06:21:49 AM

Title: [SOLVED] Need help with Web Shield scan...Is/is not valid warning?
Post by: ColdWinterWind on November 21, 2011, 06:21:49 AM
My version of Avast!  Definitions 111120-1, v 6.0.1289 keeps showing that this site

hxtp://s243213379.e-shop.info/

has an iFrame trojan dropper.  Online scans of the site are mixed.  Can anyone give me a definitive answer:  is this site safe?

Thank you in advance.

ColdWinterWind
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Hellion on November 21, 2011, 09:31:34 AM
Hi coldwinterwind,

I'm just a forum member!

I ran some tests for you.

http://www.virustotal.com/ - Clean
http://sitecheck.sucuri.net/scanner/ - Infected
http://www.urlvoid.com/ - Clean

These are some of the tools used here on the Avast forum.

And I see what you mean by Mixed results...

Also, the correct message board for viruses and FPs is http://forum.avast.com/index.php?board=4.0 (but since you already posted, there is no need to open another thread).
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: DavidR on November 21, 2011, 01:05:30 PM
Well, avast isn't alone in finding this live_tinc.js file (see image) as the best suspect; that javascript file, buried in a sub-folder of templatemedia, has a number of iframe creations in it. I personally don't know exactly what they subsequently do, but many scanners don't like it.

These are the VirusTotal Results (http://www.virustotal.com/file-scan/report.html?id=5845430c31a0421da7ff6a51e925f6200685f29dbbea0a0c0a244384a0b69718-1321876066) on the temporary copy of live_tinc.js that avast scanned and I uploaded for scanning (17 detections of 42 scanners).
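Added example (not part of the thread or of any poster's analysis): a small static check of the kind a site owner could run over a script such as live_tinc.js to see where iframes are created and whether they are sized or styled to be invisible. The patterns, the triage labels and both sample snippets are constructed for illustration; the actual contents of live_tinc.js are not shown on this page.

```javascript
// Static triage of a script for dynamically created iframes.
// Patterns and labels are assumptions for illustration, not any vendor's signature.
const CREATORS = [
  { kind: "createElement", re: /createElement\(\s*['"]iframe['"]\s*\)/i },
  { kind: "document.write", re: /document\.write(ln)?\([^)]*<iframe/i },
  { kind: "innerHTML", re: /innerHTML\s*\+?=\s*[^;]*<iframe/i },
];
// Sizing or styling that hides the frame from the visitor (0/1 px, display:none, ...).
const HIDDEN = new RegExp(
  "\\b(width|height)\\b\\s*[=:]\\s*\\\\?[\"']?[01](px)?\\b" +
  "|display\\s*[:=]\\s*[\"']?none|visibility\\s*[:=]\\s*[\"']?hidden", "i");

// Return one finding per iframe creation; `span` is how many lines after the
// creation are searched for hiding attributes (set on later lines in DOM code).
function findIframeInjections(source, span = 4) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  lines.forEach((text, i) => {
    for (const { kind, re } of CREATORS) {
      if (!re.test(text)) continue;
      const context = lines.slice(i, i + span).join("\n");
      findings.push({ line: i + 1, kind, hidden: HIDDEN.test(context) });
    }
  });
  return findings;
}

// "suspicious": an invisible frame; "review": a visible frame (ads, widgets).
function triage(source) {
  const found = findIframeInjections(source);
  if (found.some((f) => f.hidden)) return "suspicious";
  return found.length ? "review" : "clean";
}

// Constructed sample: visible ad slot built through the DOM.
const AD_SLOT = [
  "var f = document.createElement('iframe');",
  "f.src = 'https://ads.example.invalid/slot';",
  "f.width = 300; f.height = 250;",
  "document.getElementById('ad').appendChild(f);",
].join("\n");
// Constructed sample: 1x1 frame written straight into the page.
const HIDDEN_FRAME =
  "document.write('<iframe src=\"https://x.example.invalid/\" width=\"1\" height=\"1\"></iframe>');";

console.log(triage(AD_SLOT), triage(HIDDEN_FRAME));
```

A "review" result still needs a person to check where the frame's `src` points; a heuristic like this explains why scanners disagree on the same file.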
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Asyn on November 21, 2011, 01:14:39 PM
Quote
...is this site safe?

No.
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: DavidR on November 21, 2011, 01:19:52 PM
See specific image extract of sucuri scan on the full path to the live_tinc.js file.
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Asyn on November 21, 2011, 01:31:51 PM
Quote
See specific image extract of sucuri scan on the full path to the live_tinc.js file.

Details: http://sucuri.net/malware/malware-entry-mwiframehd203
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Pondus on November 21, 2011, 02:35:24 PM
Norman lab confirms infected website

Quote
s243213379.e-shop.info.htm - Processed - HTML/Agent.QO
live_tinc.js - Processed - JS/Iframe.JT


UrlQuery - Detected Blackhole exploit kit v1.1 HTTP GET request
http://urlquery.net/report.php?id=9189
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: DavidR on November 21, 2011, 03:35:29 PM
I think we can reasonably say that the avast detection was good.
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Asyn on November 21, 2011, 03:37:56 PM
Quote
I think we can reasonably say that the avast detection was good.

Absolutely. :)
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: ColdWinterWind on November 21, 2011, 06:53:08 PM
Quote
I think we can reasonably say that the avast detection was good.
Absolutely. :)

I thank you all for your able (and fast!) replies.  I've been wanting to order something thru this eShop for a while, but keep running into this problem.  And the owner, while 'Net savvy, is not a programmer, and has said a couple of times that the site is okay now.

So I really needed an external reality check to find out if I had a mis-configured browser cache, or something.  This eShop is hosted with a provider that I also use; and I need to be thoroughly convinced that there's no/little chance of cross-contamination before I take MY eShop live.

Again, thank you all so much.  I apologize for posting this in the wrong forum.
Title: Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: Asyn on November 21, 2011, 06:59:20 PM
Quote
I thank you all for your able (and fast!) replies.

You're welcome..!
Title: [SOLVED] Re: Need help with Web Shield scan...Is/is not valid warning?
Post by: ColdWinterWind on November 23, 2011, 09:29:16 AM

Quote
hxtp://s243213379.e-shop.info/
has an iFrame trojan dropper.
ColdWinterWind

Turns out the offending jscript was part of the host's domain-parking, google ads mix.  Only had the POTENTIAL to cause harm. Avast's behaviour shield did its job - err on the side of caution.  Still needs to be fixed (it IS an eShop<g>) but at least we know it's not spewing badness.

But now I wonder why Norton doesn't flag the file.  Oy, will the questions never end?

Thanks again everyone.  Your corroboration/validation of my iffy findings prompted me to keep digging.

ColdWinterWind
Title: Re: [SOLVED] Need help with Web Shield scan...Is/is not valid warning?
Post by: DavidR on November 23, 2011, 01:45:48 PM
You're welcome.