Author Topic: How to cure website from SNH-gen [Trj] - or is there really an infection?  (Read 13327 times)

0 Members and 1 Guest are viewing this topic.

Offline Fanky2

  • Newbie
  • *
  • Posts: 2
Hi,
While accessing website I coded I get Avast notice it blocked  SNH-gen [Trj].
I'm hopelessly looking into the scripts for any signs of malicious code,
Unfortunatelly, the notice doesn't appear on every reload, only on some, so I cannot disable parts of code and see results.
Any string to search the code for? Or other advice?
Thank you very much!

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Sure.

Need url to look at it.  Also attach screenshot of block.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline Fanky2

  • Newbie
  • *
  • Posts: 2
Thanks, I've already solved the issue. It was no virus at all, but a code to hide e-mail address from bots. Avast apparently searches for occurence of eval() functions and decides that there's a trojan if it finds it.
This was the script causing the error. For anyone with the same trouble, search your files for "eval".

Code: [Select]
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")36,\\\"610\\\\400\\\\010\\\\330\\\\320\\\\610\\\\N100\\" +
"\\120\\\\ADI700\\\\IUC\\\\\\\\VBI@Pplk}[{owdww:r`eu771\\\\0/P)V4mkrlp# ]m12" +
"0\\\\630\\\\R230\\\\010\\\\430\\\\100\\\\500\\\\720\\\\630\\\\520\\\\300\\\\"+
"530\\\\300\\\\600\\\\610\\\\.410\\\\230\\\\400\\\\130\\\\010\\\\n\\\\I700\\" +
"\\720\\\\020\\\\600\\\\220\\\\[710\\\\+24=6x500\\\\e13'<s3mrg !)?#;?i2+!.7\\"+
"\"\\\\/[\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721" +
"=%y{)++i;l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")"         ;
while(x=eval(x));
//-->
//]]>

Offline eve18

  • Newbie
  • *
  • Posts: 3
Hi -

I am having the same problem, there are multiple pages on my website which use this type of script. So now, if I understand correctly, anyone who visits my site is likely to have their virus scanner flag my pages?

Is there a way to change the javascript so this does not happen? Or will anti-virus companies update their scanners to account for it?

Noob here, hoping for a reply that is not in Martian.

Thanks so much.
Eve

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Report it to avast lab

see my post here on how to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



Offline Epsilon50

  • Epsilon
  • Newbie
  • *
  • Posts: 1
Hi Fanky2,

I've exactly the same issue and it started suddenly yesterday. I'm using Enkoder app to hide my e-mail: the script looks just the same.
The Avast alert is damaging my site.
How did you solve it? Did you just used a different e-mail hiding solution or have you found a workaround?

Thank you!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Hi Fanky2,

I've exactly the same issue and it started suddenly yesterday. I'm using Enkoder app to hide my e-mail: the script looks just the same.
The Avast alert is damaging my site.
How did you solve it? Did you just used a different e-mail hiding solution or have you found a workaround?

Thank you!
Report it to avast lab



Offline eve18

  • Newbie
  • *
  • Posts: 3
Hi - quick update.

I reported to Avast yesterday and also to AVG, which gave me the initial alert.

I was not able to report to McAfee or to Norton, but did a site check on Norton which reports my site as safe, so ideally this should not take long to work its way through the major vendors anyway.

I used Enkoder also on my site - contacted the developer who has moved on but at least he knows.

Cheers
Eve


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Quote
I reported to Avast yesterday and also to AVG, which gave me the initial alert.
Avast and AVG become one  >>  https://blog.avast.com/avast-and-avg-become-one



Offline eve18

  • Newbie
  • *
  • Posts: 3
Hah no wonder the reporting forms looked the same. Since I use AVG I was able to contact support directly. They are no longer alerting on my site. Hopefully the same situation with Avast then.