Topic: JS:Redirector blocking site. Others report clean.

grinlord

JS:Redirector blocking site. Others report clean.
« on: September 09, 2011, 03:29:40 PM »
Hi. My friend runs a company with this website:

hxxp://www.nationwidegutters.co.uk/

However, when I try to visit it, Avast blocks it claiming an infection of JS:Redirector.
I don't have any viruses on my PC, I have checked it on other PCs also running Avast, they all show the same warning. I have asked the AVG online link scanner to check it, and it is reported clean. The web host also reports it clean.

Is this a false positive?
How do I enable access or get Avast to overcome this?

Thanks,
Alex.
« Last Edit: September 10, 2011, 11:50:01 AM by grinlord »

polonus
Re: JS:Redirector blocking site. Others report clean.
« Reply #1 on: September 09, 2011, 03:38:48 PM »
The site is infected with malicious script:
Web site:   -http://www.nationwidegutters.co.uk/
status:   Site infected with malware
web trust:     Not Blacklisted
See: http://sucuri.net/malware/malware-entry-mwiframehd203
Make the link you gave non-click-through like -hhtp or htxp or wXw

also see: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1315575290&type=js
where an iFrame is re-directing to: -http://maseoi1l4f.c0m.li/i/fttpp27vecher,
a known dangerous site, see: http://www.urlvoid.com/scan/maseoi1l4f.c0m.li

Inline suspicious script found by unmasked parasites:
http://www.unmaskparasites.com/security-report/#report  = FOOTER virus-XSS worm code

polonus
« Last Edit: September 09, 2011, 03:52:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
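
Added example, not part of the thread or any poster's code: a small Python check a site owner could run over a saved copy of a page to list off-site iframes (hidden or not) and inline scripts that decode or write markup at run time, the kind of injection Reply #1 reports. The sample page and the hosts `www.example.test` and `redirect.example.invalid` are constructed placeholders, and the patterns are assumed heuristics, not Avast's or Sucuri's signatures.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics only (legitimate code can match): frame-hiding styles, run-time decode/write patterns.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
HINTS = re.compile(r"<\s*iframe|createElement\s*\(\s*['\"]iframe|unescape\s*\(|fromCharCode|eval\s*\(", re.I)
# Constructed sample page; hosts are placeholders, not values from the thread.
SAMPLE = """<script src="/js/site.js"></script>
<iframe src="http://www.example.test/map.html" width="400" height="300"></iframe>
<div id="footer">(c) Example Ltd</div>
<iframe src="http://redirect.example.invalid/i/" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cp%3Ehi%3C/p%3E'));</script>"""

class FrameAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []  # findings: (line, kind, detail)
        self._script = None  # (start line, text chunks) while inside an inline <script>

    def _offsite(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host  # relative URLs have no host

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        line, src = self.getpos()[0], a.get("src", "")
        if tag == "script" and not src:
            self._script = (line, [])
        elif tag in ("script", "iframe") and self._offsite(src):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or bool(HIDDEN.search(a.get("style", "")))
            self.findings.append((line, ("hidden-" if hidden else "") + "offsite-" + tag, src))

    def handle_data(self, data):
        if self._script:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script:
            line, chunks = self._script
            hit = HINTS.search("".join(chunks))
            if hit:
                self.findings.append((line, "inline-script-hint", hit.group(0)))
            self._script = None

def audit(html, site_host):
    parser = FrameAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit(SAMPLE, "www.example.test")` reports the 1x1 off-site frame placed after the footer and the inline `unescape(` call, and leaves the same-host map frame alone.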

Pondus
Re: JS:Redirector blocking site. Others report clean.
« Reply #2 on: September 09, 2011, 03:44:20 PM »
« Last Edit: September 12, 2011, 11:16:32 PM by Pondus »

grinlord

Re: JS:Redirector blocking site. Others report clean.
« Reply #3 on: September 10, 2011, 11:49:24 AM »
So if some other anti-virus programs don't detect this malicious script, are they just not doing their job properly?

The domain and web host have reported that there is nothing wrong with it.

What's the next step, show them the above code?

Asyn
Re: JS:Redirector blocking site. Others report clean.
« Reply #4 on: September 10, 2011, 11:56:21 AM »
> 1. So if some other anti-virus programs don't detect this malicious script, are they just not doing their job properly?
>
> 2. The domain and web host have reported that there is nothing wrong with it.
>
> 3. What's the next step, show them the above code?

1. Yep.
2. They're wrong.
3. Just link to this topic.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

grinlord

Re: JS:Redirector blocking site. Others report clean.
« Reply #5 on: September 10, 2011, 12:22:43 PM »
Lol. Thus confirming my allegiance with Avast.
I have forwarded the link to this page. We shall see...

Pondus
Re: JS:Redirector blocking site. Others report clean.
« Reply #6 on: September 10, 2011, 12:26:09 PM »
Information for Website Owners      http://stopbadware.org/home/webmasters
Tips for Cleaning & Securing Your Website   http://www.stopbadware.org/home/security

Protect your interwebs with Sucuri   http://sucuri.net/signup - http://sucuri.net/

grinlord

Re: JS:Redirector blocking site. Others report clean.
« Reply #7 on: September 12, 2011, 09:07:37 PM »
Unfortunately, JustHost.com seem to be refusing to investigate the problem. They have asked us to visit http://www.google.com/webmasters/tools/ for the page to be reviewed.

I don't understand how that will help. There is malicious code in the site. That's surely the web host's responsibility. Perhaps they are assuming the code is stuck in Google's cache?

stavstav

Re: JS:Redirector blocking site. Others report clean.
« Reply #8 on: September 28, 2011, 06:15:49 PM »
Hi everyone

A question regarding this js:Redirector-KE [Trj] alert -

A forum I frequently visit has been infected by this script, how will it affect my personal computer if I do log in to the forum?
I did some reading about this, and from what I gather this is mainly about placing redirect scripts in web sites. So how does it affect me, as the end user?

Just to clarify: Avast IS blocking my access to the forum, but when I access a specific thread (from a link in a notification email) I do manage to access the site. And that has happened yesterday, when I wasn't aware of the problem. Then, when I tried accessing the forum from the browser, I got the "Threat has been detected" alert, and then I ran the scan - and Avast did find infected files on my computer.

So, my question is, how were those infected files affecting me? Assuming this is only redirect scripts, what could it have done to my computer?
And, should I wait for the site owner to clean those redirects, or is it no risk for me to access it anyway?

I hope this is not a stupid question to ask ;D It's just that I'm no security expert, and the only info I have is based on what I read in the last couple of days regarding this issue.
So I would love it if someone here could clarify this a bit more for me.

Thank you  8)
Stav.

polonus
Re: JS:Redirector blocking site. Others report clean.
« Reply #9 on: September 28, 2011, 09:08:02 PM »
Hi Stav,

I would rather go to the site via a proxy, like http://www.idoproxy.com/
Your visit is secure and you can normally visit it.
See: http://urlquery.net/report.php?id=3860
Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
Level: 1) Url checked: (script source)
-http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
Blank page / could not connect *
No ad codes identified
So I think the site has been cleansed now,

polonus
« Last Edit: September 28, 2011, 09:23:05 PM by polonus »

Asyn
Re: JS:Redirector blocking site. Others report clean.
« Reply #10 on: September 28, 2011, 09:30:53 PM »
> Hi Stav,
>
> I would rather go to the site via a proxy, like http://www.idoproxy.com/
> Your visit is secure and you can normally visit it.
> See: http://urlquery.net/report.php?id=3860
> Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
> Level: 1) Url checked: (script source)
> -http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
> Blank page / could not connect *
> No ad codes identified
> So I think the site has been cleansed now,
>
> polonus

Hi D.,
I don't think he's referring to the OP's site. ;)
asyn

stavstav

Re: JS:Redirector blocking site. Others report clean.
« Reply #11 on: September 28, 2011, 10:56:50 PM »
>> Hi Stav,
>>
>> I would rather go to the site via a proxy, like http://www.idoproxy.com/
>> Your visit is secure and you can normally visit it.
>> See: http://urlquery.net/report.php?id=3860
>> Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
>> Level: 1) Url checked: (script source)
>> -http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
>> Blank page / could not connect *
>> No ad codes identified
>> So I think the site has been cleansed now,
>>
>> polonus
>
> Hi D.,
> I don't think he's referring to the OP's site. ;)
> asyn

True, I was referring to a different site (and I'm a she :)).
And the forum I'm talking about is still infected according to my Avast (but I know the site owner is working on cleaning it).
I was just wondering how will it affect me to access it anyway. Anyone knows?
What does this virus do to the user's computer?

Polonus, thank you for the proxy tip & link, didn't know I could do that. Cheers.

Asyn
Re: JS:Redirector blocking site. Others report clean.
« Reply #12 on: September 28, 2011, 11:01:27 PM »
> 1. and I'm a she :).
> 2. I was just wondering how will it affect me to access it anyway.

1. Sorry then.
2. Just don't go there until it's clean. ;)

stavstav

Re: JS:Redirector blocking site. Others report clean.
« Reply #13 on: September 28, 2011, 11:07:57 PM »
>> 1. and I'm a she :).
>> 2. I was just wondering how will it affect me to access it anyway.
>
> 1. Sorry then.
> 2. Just don't go there until it's clean. ;)

1. No problem at all :)
2. Yeah, but why? How is that redirecting script a problem for my personal computer? (Not trying to be a smartass :) just wanting to understand)

polonus
Re: JS:Redirector blocking site. Others report clean.
« Reply #14 on: September 29, 2011, 01:30:13 AM »
Hi stavstav,

Redirecting scripts can mean real trouble depending as to what silent download site you are actually being redirected to by a particular malscript. If you give us the non-clickable URL written like hxtp or -http or wXw, we can scan the site for the actual redirecting script that is there, and give you an explanation about the established risks involved. I absolutely won't go to a site flagged in that way. That is why I advised that particular proxy, because the script will then stay at that security proxy site. You can also decide to disable javascript on the proxysite and then you do not run any risk whatsoever.
That is why a lot of educated browser users have the NoScript add-on installed in Firefox or the NotScripts extension in Google Chrome (easy to toggle, great for protection), so redirecting and other javascript malware cannot get to endanger their comp via their browsing.

Malcoded (obfuscated) javascript is one of the main online browsing threats, as there are furthermore malicious iFrames (which also function through malcoded javascript), SQL attacks etc.

So now I hope you understand why you have to take notice as avast rings an alarm via one of the shields while visiting a particular infected site. The avast guys do everything to be as accurate as can be in flagging these threat-sites, believe me. And I keep an eye out every day that there isn't a single suspicious URL that does not enter that avast sinkhole (as there are others like for instance Pondus, Asyn, spg Scott, and many others here),

polonus
« Last Edit: September 29, 2011, 01:31:47 AM by polonus »