Author Topic: Google search virus?  (Read 10629 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Google search virus?
« Reply #15 on: April 21, 2009, 03:08:18 AM »
Yes, nothing obvious there, cookies are really an issue.

So I'm not sure what else to suggest, other than monitor it as previously mentioned and if it happens again try to gather as much information as possible.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

knowlengr

  • Guest
Re: Google search virus?
« Reply #16 on: April 21, 2009, 04:58:58 AM »
Occurrences are fairly regular:

4/20/2009 9:33:50 AM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 
4/20/2009 9:33:54 AM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.gif" file. 
4/20/2009 8:18:42 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 
4/20/2009 8:18:43 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 
4/20/2009 8:18:47 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.gif" file. 
4/20/2009 8:18:59 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.gif" file. 
4/20/2009 9:02:04 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.ico" file. 
4/20/2009 9:02:08 PM   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in "httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.gif" file. 

What's in the IE8 browser session is Yahoo Mail, a Microsoft site, the forum page and a Sharepoint page.  Understand that the traffic may be originating elsewhere.



Offline DavidR

Re: Google search virus?
« Reply #17 on: April 21, 2009, 03:31:42 PM »
Yes, but 'exactly' what are you doing before you receive the alert? I can't replicate it.

I have visited the site, clicked on the ijoomla-magazine link from the home page, and found no overviewfavicon.gif or overviewfavicon.ico. I have checked the page source code and there is no reference to either of those files, so I will need more detailed information as I simply can't find this. A direct search for overviewfavicon.gif or overviewfavicon.ico results in a 404 error, not found.

knowlengr

  • Guest
Re: Google search virus?
« Reply #18 on: April 21, 2009, 04:01:27 PM »
I understand your frustration. Same here.

* I have never intentionally or knowingly visited that ijoomla site in recent memory; of course it's possible that malware created a redirect to the site. I visit too many sites a month to guess which one might have done so. My last known/remembered visits to developer Joomla sites were in 2007; many sites use it under the covers, of course.
* The 9A-ish log entries occurred during a time when I was not even on the computer - this is a home computer and I was already at work. IE8 was open at a couple of sites I use regularly, e.g., Toodledo and Google, and a usual complement of other non-browser tasks, some of which require web access, were running. I have looked at the logs for some of these apps and see nothing unusual.
* It's not uncommon to see the message after I've left the machine "idle" for a while, but I also see it when I'm using the machine.
* There's no obvious connection between what I'm doing on the machine and the appearance of the message, though it's tempting to conclude it's a JS-related signature associated with something Google or Yahoo email perform, since both are actively using Ajax in the pages I visit regularly

In sum, I can't reproduce it, either, but it's become regular.  Given the possibility of undetected malware, I'm telling the Avast shield to abort the transfer. 

Is there any way to capture more information about the port 80 event?  Are we sure it's port 80? 

Thanks
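
Added example, not part of any post in this thread: a Python sketch that parses the Web Shield log format quoted in reply #16 and collapses the entries into bursts, so each burst's start time can be compared with what was open or running at that moment. The 2-minute gap and the field names are assumptions; the thread does not say what the `1460` column means.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log entries rebuilt from reply #16 (httpx:// is the defanged scheme as posted).
_ROW = ('{}   SYSTEM   1460   Sign of "JS:ScriptSH-inf [trj]" has been found in '
        '"httpx://www.ijoomla.com/ijoomla-magazine/ijoomla-magazine/overviewfavicon.{}" file.')
SAMPLE_LOG = "\n".join(_ROW.format(ts, ext) for ts, ext in [
    ("4/20/2009 9:33:50 AM", "ico"), ("4/20/2009 9:33:54 AM", "gif"),
    ("4/20/2009 8:18:42 PM", "ico"), ("4/20/2009 8:18:43 PM", "ico"),
    ("4/20/2009 8:18:47 PM", "gif"), ("4/20/2009 8:18:59 PM", "gif"),
    ("4/20/2009 9:02:04 PM", "ico"), ("4/20/2009 9:02:08 PM", "gif"),
])

# Field names are assumptions; the thread does not say what the number column means.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<user>\S+)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<url>[^"]+)" file\.')

def parse(text):
    """Return detections sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append({"time": when, "sig": m["sig"], "url": m["url"]})
    return sorted(events, key=lambda e: e["time"])

def bursts(events, gap=timedelta(minutes=2)):
    """Group detections separated by no more than `gap` (assumed threshold)."""
    groups = []
    for ev in events:
        if groups and ev["time"] - groups[-1][-1]["time"] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def summarize(text):
    """One tuple per burst: (start, alert count, span in seconds, files seen)."""
    rows = []
    for g in bursts(parse(text)):
        span = (g[-1]["time"] - g[0]["time"]).total_seconds()
        files = Counter(ev["url"].rsplit("/", 1)[-1] for ev in g)
        rows.append((g[0]["time"], len(g), span, dict(files)))
    return rows

if __name__ == "__main__":
    for start, count, span, files in summarize(SAMPLE_LOG):
        print(f"{start:%Y-%m-%d %H:%M:%S}  alerts={count}  span={span:.0f}s  {files}")
```

On the posted entries the eight alerts collapse into three bursts, each containing both the .ico and .gif requests within seconds of each other.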

Offline DavidR

Re: Google search virus?
« Reply #19 on: April 21, 2009, 04:32:12 PM »
If you don't visit that site then you could also block it in your firewall.

Or possibly in the web shield, URL blocking section, add wwwXX.ijoomla.com/*/overviewfavicon.ico and wwwXX.ijoomla.com/*/overviewfavicon.gif. Remove the XX from the URL; the * is a wildcard so you don't have to enter the full URL. Care has to be taken when using wildcards; the above would only block the two icons but not the rest of the site, should you ever need to venture there.

The baffling thing is that there is nothing found in the various scans that is possibly responsible for this. Which is why I was trying to get more information, as it could be that this isn't on your system but in a site that you are visiting regularly (given the frequency of the alerts).