Another case of JS:ScriptIP-inf [TrJ], most likely false positive, need help

[REDACTED]

Hello, I came here in order to try to figure out why Avast reports my site as having the above mentioned virus.

I have a forum and one member who obviously uses Avast reported to me that the site is being blocked (please see attachment).

However, Sucury doesn't complain - https://sitecheck.sucuri.net/results/forum.italkmoney.com - and if you click on "Blacklist STatus" tab you'll see all clear marks.

So, could some of you who use Avast doublecheck the result, and if it is indeed positive, could someone from Avast look into this?

Best regards!

Ah yes, the site in question is http://forum.italkmoney.com

[Pondus]

Hello, I came here in order to try to figure out why Avast reports my site as having the above mentioned virus.

avast say trojan, not virus > JS:ScriptIP-inf [TrJ] = Trojan

It means there is a java script containing a blacklisted URL or loading something from a blacklisted URL

[REDACTED]

Well, thanks for correction, but I still need clarification of the report...

[Pondus]

If you think it is wrong, you may report / contact avast lab > https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

[Eddy]

If you mean the Sucuri report, contact Sucuri.

Blacklisted :
https://www.virustotal.com/en/url/2c3dc9334f8fc33ce1a292f1f18932c49f79d7131cf933edcbaff9a197c8a521/analysis/1482254183/
https://www.virustotal.com/en/ip-address/198.144.120.185/information/
http://urlquery.net/report.php?id=1482254228299

Vulnerable library used :
http://retire.insecurity.today/#!/scan/439a32347a44303b8923adcca8f47723df7f3da0b3cb58820bf94367de2335d6

10 trackers blocked by Ghostery
After 5 minutes already 124(!) adds blocked by ABP

JavaScript found that links to a blocked site > http://tcr.tynt.com

Insecure headers :
https://securityheaders.io/?q=forum.italkmoney.com&followRedirects=on

[REDACTED]

There's nothing to complaint about Sucuri report, so I'll contact Avast on the above mentioned link.

[HonzaZ]

Avast is blocking the connection because it tries to execute JS code which contains a blocked URL (mycashbot[.]com).

[Pondus]

mycashbot[.]com
https://virustotal.com/nb/url/afa3ac9f5379aae2401a787a306445ecdc978a3689f0009806c164730d6e9727/analysis/1482424944/

[REDACTED]

First of all thanks for all the information provided.

So, if I understood everything correctly, the reason for Avast to react was Tynt script?

If so, I've removed it, and looks like the whole Tynt site was moved to 33Across, with new script for the same purpose and a lot of other things. Anyway, at the moment the script is gone, and it should not alert Avast any longer.

Could someone confirm it?

[Pondus]

seems it is still there
https://virustotal.com/en/file/f95661e9b7a5f00d9059d274b0ad8d54310fdd51d0ae2a47071f8c89a72e5cb9/analysis/1482428019/

[Eddy]

It for sure is still there.
On the main page already two links to mycashbot

[REDACTED]

What do you mean exactly by "On the main page already two links to mycashbot"?

OK, disregard, I got it.

[Pondus]

see screenshot

[REDACTED]

Yep, I've got it in the meantime. And amended myself.

The "funny" part is that Mycashbot is not blocked by either Eset, Firefox phishing protection or Sucuri, it is clean and indexed by Google and yet it "raises flag" on Avast. Better yet, there is NO online scanner available at Avast (that I know of) where one like me could check if a site is flagged for one reason or another by Avast, before including link to it (or more precisely to a banner on its site) into your site. So it pretty much sucks, IMHO.

Anyway, all the links to Mycashbot are now gone. What's the verdict this time?

[Pondus]

 

https://virustotal.com/en/file/efc4d62f7d016a120deb04bb245aa7ac89ce6976c78b569010dc855d226e26aa/analysis/1482430064/