Author Topic: Trojan Horse, or "false positive"?  (Read 14958 times)


wisteria

  • Guest
Trojan Horse, or "false positive"?
« on: April 11, 2010, 04:29:16 PM »
Hello there,

I've been trying to enter a furniture website here in the UK, but I keep receiving a message from Avast telling me there is a Trojan horse file attached to the shopping cart, thus I always have to abort the connection.   

Website address: wXw.riversidefurniture.co.uk

I've telephoned the company and they admit that someone had hacked into their computer recently. However, they think their computer is now clean and that my anti-virus software is over-reacting.  They use Norton to protect their computer, which says it all.  I've recently uninstalled Norton and switched to Avast Professional due to a number of issues experienced with Norton. 

Anyway, whenever I try to enter the furniture site, Avast continues to warn of a Trojan horse.

I've now contacted technical support at Avast and await their response, as I'm wondering if this is a 'false positive'?   

If anyone here is brave enough to visit the aforementioned site, I'd be interested to know if Avast sends you the same Trojan horse warning.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Trojan Horse, or "false positive"?
« Reply #1 on: April 11, 2010, 05:19:29 PM »
yes I checked that page - its css - its www home page

- looks messy to me - but no malware as far as I can see - wait for second opinion

I will check shopping cart
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.


Offline krypton

  • Poster
  • *
  • Posts: 429
Re: Trojan Horse, or "false positive"?
« Reply #3 on: April 11, 2010, 05:32:06 PM »
yes i also got virus alert while opening http://riversidefurniture.co.uk/shoppingcart/

trojan horse virus


LAPTOP: LENOVO G50, 4 GB RAM, 500 GB HARD DISK, AVAST PREMIUM SECURITY 2020, WINDOWS 8.1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Trojan Horse, or "false positive"?
« Reply #4 on: April 11, 2010, 05:40:43 PM »
The whole point of asking the original poster to modify the link is to avoid accidental exposure to an infected site.

Please 'modify' your post, change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rdmaloyjr

  • Guest
Re: Trojan Horse, or "false positive"?
« Reply #5 on: April 11, 2010, 05:53:33 PM »
Quote
yes i also got virus alert while opening http://riversidefurniture.co.uk/shoppingcart/

trojan horse virus

No virus (or trojan) alert while opening hxxp://riversidefurniture.co.uk/shoppingcart/.

I guess Opera is blocking the malware before avast! 5 can detect it. :) 8)

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Trojan Horse, or "false positive"?
« Reply #6 on: April 11, 2010, 05:57:06 PM »
problem most likely very messy html

script outside main body of page - that is, google tracker script (see screenshot)

they need to talk to or change their webmaster (pardon my impudence)

- in fact page is worse than this, I've edited it for easier reading - there was a ton of blank space amongst this lot (very untidy)

okay I edited again with Picture Manager so I think you have to download screenshot now
- sorry I loaded Office 2003 today - I'll see what I can do with Faststone as page is good example of incorrect html
« Last Edit: April 11, 2010, 06:18:47 PM by mkis »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Trojan Horse, or "false positive"?
« Reply #7 on: April 11, 2010, 06:06:00 PM »
The index page of the shopping cart has been hacked and is still not clean.

See image 1, this script is hanging around isolated from other code on the page, so it is hidden from casual checks.

See image 2, where it shows the intent to run a javascript file on googie-anaiytics.net, note the i where the l would be in the legit google-analytics url. So it is trying to appear legit, see http://www.google.com/support/forum/p/Google+Analytics/thread?tid=3d83e46dc03910ad&hl=en

This script is in two places in that page, the second about 50 blank lines below the closing HTML tag (and once again way out to the right of the screen to try and hide), a standards no-no and highly suspect.

The company needs to get cleaning again.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Trojan Horse, or "false positive"?
« Reply #8 on: April 11, 2010, 06:15:52 PM »
Thanks David - I guess just waiting to be hacked again anytime now - I'll edit my post
« Last Edit: April 11, 2010, 06:20:08 PM by mkis »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Trojan Horse, or "false positive"?
« Reply #9 on: April 11, 2010, 06:23:49 PM »
No problem, they fooled the people supposed to be the web master/designer who reportedly said it was clean also ;D

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Trojan Horse, or "false positive"?
« Reply #10 on: April 11, 2010, 06:25:52 PM »
David, is that script still active like that, or have they just made a mess of cleaning it up?
oh yes I see the analysis - interesting
« Last Edit: April 11, 2010, 07:10:45 PM by mkis »

wisteria

  • Guest
Re: Trojan Horse, or "false positive"?
« Reply #11 on: April 11, 2010, 06:48:32 PM »
Thanks everyone for confirming that the site is still infected.  It's a great pity as I need to buy some particular pieces of furniture for my own business (their prices are lower than average), but the owner doesn't want to hear that he needs a professional to come in and tidy up his computer and website.  Ah well, if he can't be persuaded, I will have to shop elsewhere.

What baffles me is how on earth he's getting any customers at all with that dire Trojan horse warning - or is Avast the only anti-virus software picking up the problem on the furniture site?  When my son uninstalled Norton from my computer and installed Avast (because the computer was running at a snail's pace), he discovered a number of viruses had slipped by Norton.     
 

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Trojan Horse, or "false positive"?
« Reply #12 on: April 11, 2010, 06:57:33 PM »
Quote
When my son uninstalled Norton from my computer and installed Avast (because the computer was running at a snail's pace), he discovered a number of viruses had slipped by Norton.
No security program has 100% detection.
Here you can see one that slipped past avast and Norton  http://forum.avast.com/index.php?topic=58394.0
But avast is very good at detecting infected websites


Recommended to use with avast www.malwarebytes.org

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34057
  • malware fighter
Re: Trojan Horse, or "false positive"?
« Reply #13 on: April 11, 2010, 07:54:06 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: Trojan Horse, or "false positive"?
« Reply #14 on: April 11, 2010, 07:55:55 PM »
Quote
David, is that script still active like that, or have they just made a mess of cleaning it up?
oh yes I see the analysis - interesting

Yes it is still active as the script tag is intact and would run, attempting to run a javascript file on googie-anaiytics.net, which avast also has on its malicious sites list, image1.