Avast WEBforum
Topic started by: ColdWinterWind on November 21, 2011, 06:21:49 AM
-
My version of Avast! Definitions 111120-1, v 6.0.1289 keeps showing that this site
hxtp://s243213379.e-shop.info/
has an iFrame trojan dropper. Online scans of the site are mixed. Can anyone give me a definitive answer: is this site safe?
Thank you in advance.
ColdWinterWind
-
Hi coldwinterwind,
I'm just a forum member!
I ran some tests for you.
http://www.virustotal.com/ - Clean
http://sitecheck.sucuri.net/scanner/ - Infected
http://www.urlvoid.com/ - Clean
These are some of the tools used here on the Avast forum.
And I see what you mean by Mixed results...
Also, the correct message board for viruses and FPs is - http://forum.avast.com/index.php?board=4.0 (but since you already posted, there is no need to open another thread.)
-
Well, avast isn't alone in finding this live_tinc.js file (see image) as best suspect. That javascript file, buried in a sub-folder of templatemedia, has a number of iframe creations in it. I personally don't know exactly what they subsequently do, but many scanners don't like it.
These are the VirusTotal Results (http://www.virustotal.com/file-scan/report.html?id=5845430c31a0421da7ff6a51e925f6200685f29dbbea0a0c0a244384a0b69718-1321876066) on the temporary copy of live_tinc.js that avast scanned and I uploaded for scanning (17 detections of 42 scanners).
-
...is this site safe?
No.
-
See specific image extract of sucuri scan on the full path to the live_tinc.js file.
-
See specific image extract of sucuri scan on the full path to the live_tinc.js file.
Details: http://sucuri.net/malware/malware-entry-mwiframehd203
-
Norman lab confirms infected website
s243213379.e-shop.info.htm - Processed - HTML/Agent.QO
live_tinc.js - Processed - JS/Iframe.JT
UrlQuery - Detected Blackhole exploit kit v1.1 HTTP GET request
http://urlquery.net/report.php?id=9189
-
I think we can reasonably say that the avast detection was good.
-
I think we can reasonably say that the avast detection was good.
Absolutely. :)
-
I think we can reasonably say that the avast detection was good.
Absolutely. :)
I thank you all for your able (and fast!) replies. I've been wanting to order something thru this eShop for a while, but keep running into this problem. And the owner, while 'Net savvy, is not a programmer, and has said a couple of times that the site is okay now.
So I really needed an external reality check to find out if I had a mis-configured browser cache, or something. This eShop is hosted with a provider that I also use; and I need to be thoroughly convinced that there's no/little chance of cross-contamination before I take MY eShop live.
Again, thank you all so much. I apologize for posting this in the wrong forum.
-
I thank you all for your able (and fast!) replies.
You're welcome..!
-
hxtp://s243213379.e-shop.info/
has an iFrame trojan dropper.
ColdWinterWind
Turns out the offending jscript was part of the host's domain-parking, google ads mix. Only had the POTENTIAL to cause harm. Avast's behaviour shield did its job - err on the side of caution. Still needs to be fixed (it IS an eShop<g>) but at least we know it's not spewing badness.
But now I wonder why Norton doesn't flag the file. Oy, will the questions never end?
Thanks again everyone. Your corroboration/validation of my iffy findings prompted me to keep digging.
ColdWinterWind
-
You're welcome.