Author Topic: JS:Illredir-AK[Trj] what is this?  (Read 9831 times)

wamishda_21

  • Guest
JS:Illredir-AK[Trj] what is this?
« on: March 30, 2010, 02:27:31 AM »
I heard you can watch movies/shows on there, and I went there to check it out, but AVAST blocked the website
stating it has "JS:Illredir-AK[Trj]". I don't get it... I've been on that website before, BEFORE I had AVAST, and nothing seemed to be wrong with it.
Anyways, there is the link to the website:

http: / /www .missedashow. net

Thanks for the help  :)
Oh, and someone please explain to me what that trojan is, and what it does, and can it harm my computer?
Thanks.  :)
« Last Edit: March 30, 2010, 02:51:17 AM by wamishda_21 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: JS:Illredir-AK[Trj] what is this?
« Reply #1 on: March 30, 2010, 02:47:21 AM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).

Check here how to clean and make a website secure.

Quote
The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.

And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.
The best things in life are free.

wamishda_21

  • Guest
Re: JS:Illredir-AK[Trj] what is this?
« Reply #2 on: March 30, 2010, 03:02:22 AM »
Thanks, I'm not going back to THAT site again lol
Anyways, Avast recently caught a trojan located in my temporary internet files called "JS:Downloader-NM".
It's currently in the Virus Vault. My computer is, at the moment, "protected"; however, I notice the performance is sometimes extremely slow and it just freezes up (and this hasn't happened before). I'll be doing some tasks, i.e. typing up something on a Word document, and I'll suddenly freeze up and I cannot do anything but manually turn off the computer, so I can resume my task. My computer seems to be getting SLOWer and slower each day, and I never download anything, I don't visit inappropriate sites etc.
Thanks. :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: JS:Illredir-AK[Trj] what is this?
« Reply #3 on: March 30, 2010, 03:12:50 AM »
Maybe a full scanning with avast and also with other security programs like MBAM, for instance.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: JS:Illredir-AK[Trj] what is this?
« Reply #4 on: March 30, 2010, 03:13:20 AM »
Yes I get a block on that site. (screenshot)

I know you have spread spaces amongst the link address so it cannot be activated as it is.

However, could you please change http to hxxp (or similar) because, on this forum, this substitution method is how we present sites that are suspected of carrying malware. The way you have deactivated the web address is still confusing, and may entice visitors to the forum to try ways to activate, unaware of dangers.

x-posted
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: JS:Illredir-AK[Trj] what is this?
« Reply #5 on: March 30, 2010, 02:40:06 PM »
@ wamishda_21
The hXXp://wXw.missedashow.net index page has been hacked; there is a huge chunk of obfuscated JavaScript all on a single line. See image, I have broken that line down to make it easier to see, and it goes on for some considerable way.

@mkis
I don't know what the purpose of the image is, as it isn't for the original URL (I know it is for an analysis tool, but you have to exclude the analysis tool's results page or it is no use as an analysis tool)?
« Last Edit: March 30, 2010, 02:48:51 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
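
An added example, not part of the thread or any poster's tooling: a triage heuristic a webmaster could run over a saved copy of a page to spot the kind of injected script described in the reply above, a large obfuscated block sitting on a single line. The thresholds, signal names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

LONG_LINE = 1000   # assumed threshold (characters on one line of script)
MIN_SIGNALS = 3    # assumed: signals required before a script is reported
ESCAPE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODER = re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(")

class InlineScripts(HTMLParser):
    """Collect the bodies of inline <script> elements (those without src)."""
    def __init__(self):
        super().__init__()
        self.bodies, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._open = True
            self.bodies.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.bodies[-1] += data

def score_script(body):
    """Return the names of the obfuscation signals present in one script body."""
    signals = []
    if max((len(line) for line in body.splitlines()), default=0) >= LONG_LINE:
        signals.append("long_line")
    if body and sum(c.isspace() for c in body) / len(body) < 0.02:
        signals.append("sparse_whitespace")
    if body and sum(len(m) for m in ESCAPE.findall(body)) / len(body) > 0.3:
        signals.append("escape_dense")
    if DECODER.search(body):
        signals.append("decoder_call")
    return signals

def flag_scripts(html):
    """Return (script index, signals) for scripts with at least MIN_SIGNALS signals."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    scored = [(i, score_script(b)) for i, b in enumerate(parser.bodies)]
    return [(i, s) for i, s in scored if len(s) >= MIN_SIGNALS]

# Constructed sample page: one ordinary script, one inert single-line blob.
BLOB = "var s=unescape('" + "%61%62%63" * 400 + "');eval(s);"
SAMPLE_PAGE = ("<html><body><script>\nfunction greet(n) {\n  document.title = 'Hi ' + n;\n}\n"
               "</script><script>" + BLOB + "</script></body></html>")

if __name__ == "__main__":
    for index, signals in flag_scripts(SAMPLE_PAGE):
        print(f"inline script #{index}: {', '.join(signals)}")
```

Legitimately minified libraries can trip the line-length and whitespace signals on their own, which is why several signals must agree before a script is reported; a hit is a prompt to compare the file against a known-good copy, not a verdict.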

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: JS:Illredir-AK[Trj] what is this?
« Reply #6 on: March 30, 2010, 03:26:50 PM »
Well no, the tool that I was using to read the source code on the website has been erased from behind the image, largely because it seems that a different detektor tool is now favored by the forum, and I do not want to push my preference on to forum members.

My tool would not return the source code to my screen (so maybe the lesser good tool), the avast image - block trojan - precluding that particular option, and so, all that I was left to work with was the image.

And so that is why it is there - as proof that the block was effected. But I can leave it out next time.  :)
It was not the analysis that I was looking for - but there you have it, that is what I got.

For this URL - http: / /www .missedashow. net  (borken ;D  so it will not activate - I will change as well)
sorry if that is not the original URL  ???  my friend  :)

btw - I have looked at the image and I can see what you mean, but Object line is not entirely correct

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: JS:Illredir-AK[Trj] what is this?
« Reply #7 on: March 30, 2010, 03:42:33 PM »
That is the problem with using a tool which will actually retrieve and display the offending script, avast is going to alert. So you can add the retrieved data page to the web shield exclusions, that allows you to use the tool to see the information (which isn't live on that page).

I don't know what you mean by "I have looked at the image and I can see what you mean, but Object line is not entirely correct"

If you are referring to the line being broken, that is to make it easier to see in the image and was mentioned in the comment about the image; it isn't meant to be a true representation, but to show what is going on.
« Last Edit: March 30, 2010, 03:44:39 PM by DavidR »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: JS:Illredir-AK[Trj] what is this?
« Reply #8 on: March 30, 2010, 03:54:33 PM »
Hmm...that is a good idea. It has happened once before. Just sentiment why I still use the detektor tool. It was relatively easy running in avast 4, but looks not to be the case in v5. For the better then, I must concede.

I'm not big on Exclusions. Maybe exclude each time I want to use the tool, as a reminder about what you say, rather than leave excluded - just in case something untoward happens to the detektor tool, which I gather is no longer being developed.

Thanks for pointer, DavidR.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: JS:Illredir-AK[Trj] what is this?
« Reply #9 on: March 30, 2010, 04:10:41 PM »
You're welcome.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: JS:Illredir-AK[Trj] what is this?
« Reply #10 on: March 30, 2010, 09:26:33 PM »
Hi wamishda_21,

Here you get presented the whole illustrious Illredir-family: http://www.whitefirdesign.com/resources/port-8080-malware.html

Just what is waiting for you on an infected site, like this one:
Threat Report

Total threats found: 18

Drive-By Downloads

Threats found: 18
Here is a sample:

polonus
« Last Edit: March 30, 2010, 09:44:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: JS:Illredir-AK[Trj] what is this?
« Reply #11 on: May 03, 2010, 09:11:45 PM »