False trojan detected in my video on ebay

[866greg]

we run an ebay setup selling machines and on some listings we provide demonstrational videos of the units for buyers to watch. We currently run Avast Home Edition 4.8.
recently recieved a message from a user on ebay informing us that one of our videos was detected as a worm when they click on the link to download and watch it.
this has happened before in our case when we sometimes launch our own videos from the ebay listing to view it except avast detects it as a trojan, not a worm. we don't know what anti-virus the concerned ebay user has installed but they seem to be sharing the same problem. in our case however this particular listing the user is speaking of is giving us no problems. We use tripod as a server to host the videos and we downloaded the file from the server to scan it only to come up clean.
the listing can be found here (the link for the video is included in the listing):
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=160355535279&ssPageName=STRK:MEUS:IT
and the file containing the video hosted on tripod here:
http://greg866.tripod.com/tert9.wmv
I'm new to posting about technical issues on these forums so work with me if i'm doin anything wrong or any more information is needed.
We want our customers to experience security when they view our listings and we don't know if this is a false positive or if someone really hacked into the tripod server that hosts our videos and planted a virus/trojan? all help is appreciated.

[malcontent]

we run an ebay setup selling machines and on some listings we provide demonstrational videos of the units for buyers to watch. We currently run Avast Home Edition 4.8.
recently recieved a message from a user on ebay informing us that one of our videos was detected as a worm when they click on the link to download and watch it.
this has happened before in our case when we sometimes launch our own videos from the ebay listing to view it except avast detects it as a trojan, not a worm. we don't know what anti-virus the concerned ebay user has installed but they seem to be sharing the same problem. in our case however this particular listing the user is speaking of is giving us no problems. We use tripod as a server to host the videos and we downloaded the file from the server to scan it only to come up clean.
the listing can be found here (the link for the video is included in the listing):
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&rd=1&item=160355535279&ssPageName=STRK:MEUS:IT
and the file containing the video hosted on tripod here:
http://greg866.tripod.com/tert9.wmv
I'm new to posting about technical issues on these forums so work with me if i'm doin anything wrong or any more information is needed.
We want our customers to experience security when they view our listings and we don't know if this is a false positive or if someone really hacked into the tripod server that hosts our videos and planted a virus/trojan? all help is appreciated.

When I click on : hxxp://greg866.tripod.com/tert9.wmv

Kaspersky warns of a trojan: Trojan-Downloader.JS.Gumblar.a

The file that Kaspersky is detecting is: hxxp://greg866.tripod.com/favicon.ico

[866greg]

this must mean that the worm is located on my tripod web server...
however i cannot find the favicon.ico file in my tripod file manager to remove it.

Edit: when clicking on the favico.ico file avast detects the same thing.

http://forums.techguy.org/malware-removal-hijackthis-logs/847843-trojan-downloader-js-gumblar.html
reading this article it seems as if kaspersky is giving a false detection of the worm and will only remove it if you buy their product.. do you have the full paid version or free version?

[malcontent]

this must mean that the worm is located on my tripod web server...
however i cannot find the favicon.ico file in my tripod file manager to remove it.

Edit: when clicking on the favico.ico file avast detects the same thing.

http://forums.techguy.org/malware-removal-hijackthis-logs/847843-trojan-downloader-js-gumblar.html
reading this article it seems as if kaspersky is giving a false detection of the worm and will only remove it if you buy their product.. do you have the full paid version or free version?

It's quite possible that Kaspersky is detecting a false positive. As far as I know, Kaspersky will remove it and anything else it detects if your using the 30 trial or have a paid license.

I'll email Kaspersky with the tripod link and ask if it's a false positive.

[DavidR]

I don't believe it is a false positive, on the hxxp://greg866.tripod.com/tert9.wmv that page has an associated favico.ico file, this the web browser tries to load the icon to the left of the browsers address bar and this file has been hacked.

So avast also alerts on the favico.ico file, image 1.

Checking the page source of that alert, there is a script tag after the closing html tag (a standards no, no and most suspect. Add to that and the content of the script tag is obfuscated javascript, making it even more suspect  (image 2, the sctirpt is on a single line, which I have broken down to make it easier to view).

Why you can't see the favico.ico file is beyond me, but perhaps it is something that tripod controls, I don't use tripod so I can't say.

[malcontent]

I emailed Kaspersky about this and they say it's not a false positive. This is what they said:

Hello,

This is not false alarm.

This page has a script, that is trying to dowload exploit from site "martuz.cn

[Yanto.Chiang]

Dear All,

When i open your forum with this subject, i got warned from avast :

avast! [YANTOCHIANG-PC]: File "http://greg866.tripod.com/favicon.ico" is infected by "JS:Redirector-H7 [Trj]" virus.
"Resident protection (Web Shield)" task used Version of current VPS file is 090901-0, 09/01/2009

Maybe in the future, please don't put the website address with www.xxxxxxxx.com just advice and to avoid if user got infected with attacks thru the posting.

Regards,
Yanto Chiang