Author Topic: [SOLVED] Need help with Web Shield scan...Is/is not valid warning?  (Read 5022 times)

0 Members and 1 Guest are viewing this topic.

Offline ColdWinterWind

  • Newbie
  • *
  • Posts: 3
My version of Avast!  Definitions 111120-1, v 6.0.1289 keeps showing that this site

hxtp://s243213379.e-shop.info/

has an iFrame trojan dropper.  Online scans of the site are mixed.  Can anyone give me a definitive answer:  is this site safe?

Thank you in advance.

ColdWinterWind
« Last Edit: November 23, 2011, 09:30:34 AM by ColdWinterWind »

Offline Hellion

  • Full Member
  • ***
  • Posts: 138
  • Success is commemorated; Failure merely remembered
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #1 on: November 21, 2011, 09:31:34 AM »
Hi coldwinterwind,

I'm just a forum member!

I ran some tests for you.

http://www.virustotal.com/ - Clean
http://sitecheck.sucuri.net/scanner/ - Infected
http://www.urlvoid.com/ - Clean

These are some of the tools used here on the Avast forum.

And I see what you mean by Mixed results...

Also the correct message board for Viruses and FP's is - http://forum.avast.com/index.php?board=4.0 (but since you already posted there's is no need to open another thread.)
« Last Edit: November 21, 2011, 09:34:24 AM by Hellion »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #2 on: November 21, 2011, 01:05:30 PM »
Well avast isn't alone in finding this live_tinc.js file (see image) as best suspect that javascript file buried in a sub-folder of templatemedia has a number of iframe creations in it. I personally don't know exactly what they subsequently do, but many scanners don't like it.

These are the VirusTotal Results on the temporary copy of live_tinc.js that avast scanned and I uploaded for scanning (17 detections of 42 scanners).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72920
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.681] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #4 on: November 21, 2011, 01:19:52 PM »
See specific image extract of sucuri scan on the full path to the live_tinc.js file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72920
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #5 on: November 21, 2011, 01:31:51 PM »
See specific image extract of sucuri scan on the full path to the live_tinc.js file.

Details: http://sucuri.net/malware/malware-entry-mwiframehd203
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.681] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37132
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #6 on: November 21, 2011, 02:35:24 PM »
Norman lab confirm infected website

Quote
s243213379.e-shop.info.htm - Processed - HTML/Agent.QO
live_tinc.js - Processed - JS/Iframe.JT


UrlQuery - Detected Blackhole exploit kit v1.1 HTTP GET request
http://urlquery.net/report.php?id=9189
« Last Edit: November 21, 2011, 02:48:00 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #7 on: November 21, 2011, 03:35:29 PM »
I think we can reasonably say that the avast detection was good.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72920
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #8 on: November 21, 2011, 03:37:56 PM »
I think we can reasonably say that the avast detection was good.

Absolutely. :)
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.681] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline ColdWinterWind

  • Newbie
  • *
  • Posts: 3
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #9 on: November 21, 2011, 06:53:08 PM »
I think we can reasonably say that the avast detection was good.

Absolutely. :)

I thank you all for your able (and fast!) replies.  I've been wanting to order something thru this eShop for a while, but keep running into this problem.  And the owner, while 'Net savvy, is not a programmer, and has said a couple of times that the site is okay now.

So I really needed an external reality check to find out if I had a mis-configured browser cache, or something.  This eShop is hosted with a provider that I also use; and I need to be thoroughly convinced that there's no/little chance of cross-contamination before I take MY eShop live.

Again, thank you all so much.  I apologize for posting this in the wrong forum.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72920
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #10 on: November 21, 2011, 06:59:20 PM »
I thank you all for your able (and fast!) replies.

You're welcome..!
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.681] - EEK - Firefox ESR 91.3 [NS/uBO/PB] - TB 91.3.2
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline ColdWinterWind

  • Newbie
  • *
  • Posts: 3
[SOLVED] Re: Need help with Web Shield scan...Is/is not valid warning?
« Reply #11 on: November 23, 2011, 09:29:16 AM »

hxtp://s243213379.e-shop.info/

has an iFrame trojan dropper.  

ColdWinterWind

Turns out the offending jscript was part of the hosts domain-parking, google ads mix.  Only had the POTENTIAL to cause harm. Avast's behaviour shield did it's job - err on the side of caution.  Still needs to be fixed (it IS an eShop<g>) but at least we know it's not spewing badness.

But now I wonder why Norton doesn't flag the file.  Oy, will the questions never end?

Thanks again everyone.  Your corroboration/validation of my iffy findings prompted me to keep digging.

ColdWinterWind

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85965
  • No support PMs thanks
Re: [SOLVED] Need help with Web Shield scan...Is/is not valid warning?
« Reply #12 on: November 23, 2011, 01:45:48 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security