Topic: Trojans sent to chest, but not there.

Hugger1

  • Guest
Trojans sent to chest, but not there.
« on: February 18, 2009, 01:18:54 AM »
For about the last week whenever I visit one particular site the first time I get one or two popups saying that Trojan horses have been found.  It suggests I move them to the chest.  But when I go to the chest the files aren't there.  What's happening?  Are these false positives?  What should I do?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Trojans sent to chest, but not there.
« Reply #1 on: February 18, 2009, 02:36:53 AM »
Based on the lack of information, I haven't the slightest idea.

What is the URL ?
Modify the link so it isn't active by changing the http to hXXp.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

What is your OS and browser ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Hugger1

  • Guest
Re: Trojans sent to chest, but not there.
« Reply #2 on: February 18, 2009, 04:00:19 AM »
The only URL that the problem appears at is http://www.aprilwine.ca/smf/index.php
I don't understand "Modify the link so it isn't active by changing the http to hXXp."

Here is the log viewer for the last few days:
28/01/2009 6:52:27 PM   SYSTEM   1756   Sign of "JS:FakeAV-F [trj]" has been found in "http://scan1.bestantispywareonlinescan.com/promo/1/freescan.php?nu=880685" file. 
07/02/2009 10:38:09 AM   SYSTEM   1720   Sign of "JS:FakeAV-D [trj]" has been found in "http://antimalwareliveproscanner.com/promo/6/en/freescan.php?id=880685" file. 
10/02/2009 9:13:25 PM   SYSTEM   1780   Sign of "JS:FakeAV-D [trj]" has been found in "http://premiumantiviruscheck.com/promo/6/en/freescan.php?id=77068506" file. 
13/02/2009 6:39:05 PM   SYSTEM   1760   Sign of "JS:FakeAV-G [trj]" has been found in "http://antimalwaresuperscanner.com/promo/1/img/flist.js" file. 
13/02/2009 6:39:09 PM   SYSTEM   1760   Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\WJ9ZEYZG\flist[1].js" file. 
16/02/2009 1:26:36 PM   SYSTEM   1740   Sign of "JS:FakeAV-G [trj]" has been found in "http://onlineantivirusproscan.com/promo/1/img/flist.js" file. 
16/02/2009 1:26:43 PM   SYSTEM   1740   Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\3Z7MMFK6\flist[1].js" file. 
17/02/2009 6:37:16 PM   SYSTEM   1724   Sign of "JS:FakeAV-G [trj]" has been found in "http://onlineantimalwarescan.com/promo/1/img/flist.js" file. 
17/02/2009 6:37:20 PM   SYSTEM   1724   Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\IBM-NetVista\Local Settings\Temporary Internet Files\Content.IE5\1YQ8XLUH\flist[1].js" file. 

OS is Windows XP Pro SP3, browser is IE7.0.5730.13

I've run my anti virus, AdAware, Advanced System Care, Crap Cleaner, SUPERAntiSpyware and Spyware Blaster and nothing is found.
« Last Edit: February 18, 2009, 04:21:25 AM by Hugger1 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Trojans sent to chest, but not there.
« Reply #3 on: February 18, 2009, 02:11:18 PM »
Seems that the files weren't saved in your computer and, if any, it was a temporary one, deleted.
Maybe run a full scan now and be sure you're clean.
The best things in life are free.

Offline DavidR

Re: Trojans sent to chest, but not there.
« Reply #4 on: February 18, 2009, 04:02:44 PM »
@ Hugger1

The why is it avoids accidental exposure by the curious or careless, that link when clicked will send you to the suspect site, changing the http at the start of the url to hXXp turns it into a simple text string and isn't clickable. For those that can investigate it with a degree of safety they can see what the url is meant to be and copy and paste, etc.

Only the majority of the detections were blocked before they got on your system but the .js (javascript) files ended up in your browser temporary internet files. It is possible that these were also removed by avast, but to be sure you should clear the temporary internet files from the settings in IE7.

I have checked the hXXp://www.aprilwine.ca/smf/index.php link (aprilwine's message board/forum) and get no alert by avast and having checked the page source code I don't see anything obvious that might trigger an alert. It is entirely possible that they became aware of the problem and cleaned up the site.

Hugger1

  • Guest
Re: Trojans sent to chest, but not there.
« Reply #5 on: February 18, 2009, 06:41:31 PM »
I did a full scan last night and it came back clean.

Hugger1

  • Guest
Re: Trojans sent to chest, but not there.
« Reply #6 on: February 18, 2009, 06:46:09 PM »
Ok, I understand now about why.  But what link should I change and when?

I clear the temporary internet files from the settings in IE7 every time I shut down the PC.

I sent the site administrator an e-mail last night about this.  I noticed the site was down this morning.  I guess we'll see what is what when I try to go on the site this evening.  Will post back if I have any further situations.


Offline DavidR

Re: Trojans sent to chest, but not there.
« Reply #7 on: February 18, 2009, 08:08:24 PM »
The when is any time you post a URL which might contain malware.
The what, any Links to suspect sites, which is effectively all those in your second post.

e.g.
"hXXp://scan1.bestantispywareonlinescan.com/promo/1/freescan.php?nu=880685"
"hXXp://antimalwaresuperscanner.com/promo/1/img/flist.js"
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
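
Added example, not part of the thread and not avast! code: a small parser for detection lines in the layout of the log excerpt posted above. It rewrites URL locations to the hXXp form requested in the thread and ties each Temporary Internet Files hit to the web detection it is a cached copy of. The sample lines are constructed (reserved .example domains), and the field names and the 30-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample in the layout of the log excerpt posted in the thread
# (reserved .example domains, made-up user and cache folder names).
SAMPLE_LOG = r'''
13/02/2009 6:39:05 PM   SYSTEM   1760   Sign of "JS:FakeAV-G [trj]" has been found in "http://scanner-one.example/promo/1/img/flist.js" file.
13/02/2009 6:39:09 PM   SYSTEM   1760   Sign of "JS:FakeAV-G [trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\flist[1].js" file.
16/02/2009 1:26:36 PM   SYSTEM   1740   Sign of "JS:FakeAV-D [trj]" has been found in "http://scanner-two.example/promo/6/en/freescan.php?id=1" file.
'''

LINE_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\S+\s+\d+\s+'
    r'Sign of "([^"]+)" has been found in "([^"]+)" file\.')

def defang(url):
    """http -> hXXp, as asked for in the thread, so the URL is not clickable."""
    return re.sub(r'^http', 'hXXp', url, flags=re.IGNORECASE)

def leaf_name(location, is_url):
    """File name of a URL or Windows path; IE's cache suffix '[1]' is dropped."""
    path = urlsplit(location).path if is_url else location.replace('\\', '/')
    return re.sub(r'\[\d+\](?=\.[^.]*$)', '', path.rsplit('/', 1)[-1]).lower()

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blanks and anything that is not a detection line
        when = datetime.strptime(m.group(1), '%d/%m/%Y %I:%M:%S %p')
        loc = m.group(3)
        is_url = loc.lower().startswith(('http://', 'https://'))
        events.append({'when': when, 'sig': m.group(2), 'is_url': is_url,
                       'loc': defang(loc) if is_url else loc,
                       'leaf': leaf_name(loc, is_url), 'origin': None})
    return events

def link_cache_copies(events, window=timedelta(seconds=30)):
    """Tie each local hit to the web hit it is the browser-cache copy of."""
    for ev in events:
        if ev['is_url']:
            continue
        for web in events:
            if (web['is_url'] and web['sig'] == ev['sig'] and web['leaf'] == ev['leaf']
                    and timedelta(0) <= ev['when'] - web['when'] <= window):
                ev['origin'] = web['loc']
    return events
```

A local-file hit whose `origin` stays `None` has no matching web detection in the log and deserves a closer look than a cached copy does.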