Author Topic: False Positive for stackoverflow.com?  (Read 3220 times)


harkaimark987

  • Guest
False Positive for stackoverflow.com?
« on: May 09, 2012, 10:21:08 PM »
I googled js/redirector because I was interested in it and I found a stackoverflow.com link: hxxp://stackoverflow.com/questions/10084040/jsredirector-nl-trj-how-to-remove-this-trojan
and Avast 7 recognized it as the shown trojan... VT report:
https://www.virustotal.com/url/56b1ddbec01d821363085035b44ecf07de2593a0553cdf785c8921bf9e79e50e/analysis/1336593286/
Is this site safe or is it a false positive?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: False Positive for stackoverflow.com?
« Reply #1 on: May 09, 2012, 10:37:26 PM »
Can you attach a screenshot of the avast

The link goes to a forum where some code samples are posted, probably what avast sees?

URLVoid
http://vscan.novirusthanks.org/analysis/c833569e4a8017f76dce24894ef2a079/anNyZWRpcmVjdG9yLW5sLXRyai1ob3ctdG8tcmVt/
« Last Edit: May 09, 2012, 10:50:37 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive for stackoverflow.com?
« Reply #2 on: May 09, 2012, 10:45:58 PM »
The answer is a partial yes, and also a partial no, it is all because of and depending on the way the Webshield functions and adding to the tremendous success of it. Yes, it has saved many avast users. So always and foremost keep the avast Shields up and running under all circumstances!

Well, this is caused by the avast Web Shield being exposed to an object it identifies as JS:Redirector-NL [Trj]. As you can safely observe here in the page image taken here: http://urlquery.net/report.php?id=16850 there is so much of the malcode script exposed there (without payload naturally, because "an sich" and formally speaking that page is safe) that the avast Web Shield starts to "bark" aka alert. So in the way the code is presented for the dissection of the malscript this is no FP, in another sense it is.
Now you can understand why we here on the forums always ask users to give code in the form of an image, which is a secure & failsafe method,


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: False Positive for stackoverflow.com?
« Reply #3 on: May 10, 2012, 12:14:00 AM »
This detection is indeed correct. Naturally, you were visiting a site that most likely had malicious coding in the topic. The coding is inside of the CODE tag and thus will not execute. See attached on alerted comment.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
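
The behaviour discussed in this thread, as an added example that is not part of the original posts and not avast's code: a scanner that matches a signature anywhere in the response body alerts on script text quoted inside a CODE block, while a scanner that only inspects `<script>` elements does not. The signature, sample pages and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in signature: a harmless marker, NOT a real avast pattern.
SIGNATURE = re.compile(r"window\.location\s*=\s*EXAMPLE_MARKER")

def stream_scan(body: str) -> bool:
    """Context-blind scan: match the signature anywhere in the response text."""
    return bool(SIGNATURE.search(body))

class _ScriptCollector(HTMLParser):
    """Collects text only from inside <script> elements (executable context)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)

def context_scan(body: str) -> bool:
    """Context-aware scan: match only text a browser would run as script.
    Simplified: inline event handlers and javascript: URLs are not covered."""
    parser = _ScriptCollector()
    parser.feed(body)
    parser.close()
    return bool(SIGNATURE.search("".join(parser.script_text)))

# Constructed sample pages.
# QUOTED: a forum post showing the script as escaped text inside a CODE block.
QUOTED = ("<pre><code>&lt;script&gt;window.location = EXAMPLE_MARKER"
          "&lt;/script&gt;</code></pre>")
# LIVE: the same text inside a real <script> element.
LIVE = "<script>window.location = EXAMPLE_MARKER</script>"

if __name__ == "__main__":
    for name, page in (("quoted", QUOTED), ("live", LIVE)):
        print(name, "stream:", stream_scan(page), "context:", context_scan(page))
```
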

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive for stackoverflow.com?
« Reply #4 on: May 10, 2012, 01:17:02 AM »
Hi !Donovan,

Thanks for making the technical explanation of this visible in the code image you have provided.
This one picture can often say more than a lot of terminology does,

polonus

harkaimark987

  • Guest
Re: False Positive for stackoverflow.com?
« Reply #5 on: May 10, 2012, 04:13:53 PM »
Yes, I can attach a screenshot, and I am using the Hungarian version because I'm Hungarian.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive for stackoverflow.com?
« Reply #6 on: May 10, 2012, 05:43:00 PM »
Hi harkaimark987,

I hope you understand why avast Webshield alerted here. Had the analysts of stackoverflow represented their code in the form of an image, like our good friend !Donovan has done in this thread, the avast Webshield would never even have been triggered. Now it was triggered by code without malicious payload, but there was enough of the actual code here to make it alert. I cannot understand why analysts go to present such script representations online?

polonus