Author Topic: Have I been infected with JS:Downloader-GA?  (Read 5935 times)

Duncan9999

  • Guest
Have I been infected with JS:Downloader-GA?
« on: November 12, 2009, 10:09:05 PM »
Trying to stay calm here.

Was surfing around using FF and visited a site I have been to many times. (Digital Dreamdoor music lists) Suddenly a pop up box with an alarm comes up from Avast telling me it had detected a virus.

Note: information comes from Avast's log viewer under Warning tab:
Sign of JS:Downloader [Trj] has been found on hXXp://goodshoot1.xom (I left out the rest of it)

I was stunned. I think I vaguely read that Avast told me not to worry, that it had stopped it before it could get in and I would be ok if I clicked on abort, which I quickly did.

Now in the log viewer the event is listed as a warning. Under the resident web shield (where it was detected) it is listed as 1 infected file with http address of same website above. (goodshoot)

Am running a full system scan with Avast now. If no files come up infected here, is it safe to say I am clean?  

Note: I am running Vista 32 Home Premium with Sp2 installed with all Vista/IE security patches installed.

Thanks.


« Last Edit: November 12, 2009, 10:16:36 PM by Duncan9999 »

CharleyO

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #1 on: November 12, 2009, 10:31:35 PM »
***

You should be safe as avast aborted the connection to the malware but it will not hurt to run the scan with avast.

What the log is telling you is that there is malware at hXXp://goodshoot1.xom and the warning is so you will know this.

Anyway, let us know the results of the scan.


***

polonus

  • Avast Überevangelist
Re: Have I been infected with JS:Downloader-GA?
« Reply #2 on: November 12, 2009, 10:48:46 PM »
Hi Duncan9999 and CharleyO,

Good you had the avast webshield to disconnect before this could have landed on your machine:

General information
Location of website     Nederland/Netherlands (Europe)

Analyzed by Norton Safe Web goodshoot1.Xom because of security and safety-problems.

Report of one of threats found
Total number of threats: 1

    Drive-by downloads (redirect to a malcode infested site)
Threats found: 1
Here the full list:
Name of threat:   MSIE MS MPEG2TuneRequestControl ActiveX Instantiation
Location:    hXtp://goodshoot1.com/news.php?s=b39477f35c

Unmasked parasites reports:
What is the present status of  goodshoot1.Xom?
This site has been marked as suspicious - visiting this site can seriously damage your computer.

Part of the site has once been noticed for suspicious activities.

What happened when Google visited this site?
Last time suspicious content was found, was on 2009-11-12.
Malicious software includes 25 trojans.

This site was hosted on 1 network(s) including AS34305 (EUROACCESS).

Has this site been functioning to redirect malware and hosting malware?

Yep, this site has been hosting malcode and infected 27 domains, e.g. nissan-arabia.com/, gamemew.com/, allthearticles.com/.

How did that happen?
Under certain conditions third party attackers can add malcode to real sites, wherefore we issue a warning then.

So we can say effectively that the avast website has saved you there. It is also advisable to use the Firefox or Flock web browser with the add-on NoScript installed so that malcode scripts cannot hurt you, because they are blocked. The add-on RequestPolicy will make the browser even safer, because you can allow only the requests you need, and requests for third-party (malicious) domains etc. are blocked.

Stay safe and secure is the wish of,

polonus (malware fighter)
« Last Edit: November 12, 2009, 10:50:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Duncan9999

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #3 on: November 12, 2009, 11:46:39 PM »
Results of Avast full system scan were good, there were no infected files found.

I am relieved.  :)

Polonus, thanks for the info on NoScript. I have not heard of this before; can you tell me what it does and whether it requires a lot of configuring?

Philo

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #4 on: November 13, 2009, 04:03:19 AM »
I have come across this on a fairly regular basis. Funny, never get this when using IE, just Firefox. So long as you aborted the connection like Avast! recommended, you should be ok. Never hurts to check after the fact however. I have had these JS drive-bys show up in my Firefox cache during Avast! scans. Specifically, Firefox/cache_03. Avast! will take care of this as well if you should find them during a scan.
That being said, you should be ok.
Good luck :)
Philo

Philo

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #5 on: November 13, 2009, 04:05:06 AM »
@Polonus:

I was wondering, where do you get the info on the domains infected/last time infected etc. that you posted? Very informative. How do you get that info?
:),
Philo

Yanto.Chiang

  • Avast Evangelist
Re: Have I been infected with JS:Downloader-GA?
« Reply #6 on: November 13, 2009, 06:20:15 AM »
Hi Duncan,

NoScript is easy to use; since Polonus referred me to it, I have implemented it on my notebook. But one thing you need to know is that each time you browse, you should be concerned with whether the website you visit is safe or not. You can get it at:

https://addons.mozilla.org/en-US/firefox/search?q=NoScript&cat=all&advancedsearch=1&as=1&appid=1&lver=3.0&atype=0&pp=20&pid=5&sort=&lup=

Hi Philo,

Sure, you could use these reference sites to scan:

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fgoodshoot1.com%2Fnews.php%3Fs%3Db39477f35c&x=16&y=5

http://www.mywot.com/en/scorecard/goodshoot1.com

Have a nice time researching malware.
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Philo

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #7 on: November 13, 2009, 08:00:10 AM »
@Yanto:

Thanks very much for the links. Undoubtedly a very useful tool.
:)
Philo

YoKenny

  • Guest
Re: Have I been infected with JS:Downloader-GA?
« Reply #8 on: November 13, 2009, 10:06:20 AM »
Also read:
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

polonus

  • Avast Überevangelist
Re: Have I been infected with JS:Downloader-GA?
« Reply #9 on: November 13, 2009, 07:46:04 PM »
Hi Philo,

This is one way to check if a particular site is suspicious or not. Go to:
http://www.unmaskparasites.com/security-report/
There, enter for instance http:// this is my site to check.org and then click on check.
Then go further down on the same site, e.g.: http://www.google.com/safebrowsing/diagnostic?site=ad.nl
Another one to check with is wepawet: http://wepawet.cs.ucsb.edu/
Another one to check with is http://online.us.drweb.com/?url=1 Enter the URL and scan in real time.
Check against finjan: http://www.finjan.com/Content.aspx?id=574
Also use this: http://safeweb.norton.com/ which also has info on particular threats.

Enjoy your analysis of suspicious sites through these online URL check sites,

polonus (malware fighter)