Author Topic: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]  (Read 14720 times)

0 Members and 1 Guest are viewing this topic.

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #15 on: June 21, 2012, 08:39:42 PM »
There would be to much stuff to check, i figured I will just post the code at pastebin:
pastebin.com/iZggTndj

Just want to warn other people and the Avast team about that site. "coucht arts" (space added and .com removed)

Interestingly enough the sites comes up clean:
http://zulu.zscaler.com/submission/show/a9fc881158ff034352fcf23abfca0882-1340304027

Is this aggressive marketing??!!?
« Last Edit: June 21, 2012, 08:42:02 PM by FireDart »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #16 on: June 21, 2012, 09:06:05 PM »
Best if you remove that script from your htaccess file.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #17 on: June 21, 2012, 09:08:32 PM »
Already have.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #18 on: June 21, 2012, 11:26:59 PM »
Hi FireDart,

Hope you have solved that issue. Just on a side note. If you wanna post code here, do it in the form of an image, that will render it harmless for viewers.
Give you a random example attached,
« Last Edit: June 21, 2012, 11:28:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #19 on: June 22, 2012, 01:52:50 AM »
Well on the website side it is fixed however on my side Avast! is still throwing Threat: JS:Iframe-FG [Trj]...
Saying this is trojan:
C:\Users\<My Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile id>\tidy\tidy_last_validated.html

However at first it did not exist.... Now it exist and it's this current post! When it got alerted on another site.

Looking into it I see it gets updated when I change pages however it is a plugin I installed called HTML Validator 0.9.5.1. It's a plugin that sees if errors exist on the page and to see if they meet W3C Validator.

I have removed it, hopefully it fixes things.


==Edit==
It has solved the problem, now I wonder if it was hijacked as I have used it for ages (past 3 years and no problems) or if it was really a sleeping trojan.

The plugin in question: https://addons.mozilla.org/en-US/firefox/addon/html-validator/?src=ss
« Last Edit: June 22, 2012, 01:58:45 AM by FireDart »

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #20 on: June 22, 2012, 08:23:38 PM »
This is just getting plain weird, after removing the plugin I was all fine however it seems the error has comeback now.
Since the real time shield was preventing me from seeing the source of the warning I temporarily disabled it. It's saying it's linking to another site (link is a picture):
http://i.imgur.com/xK9BX.png

I don't have a virtual box/worthless pc of sorts to check if the site exists or not and it's not coming-up on google searches.

I have two pc's at my house and both are getting blocked. I have yet to try it on a pc out of my network so I am unable t o determine if it's on my network or on the site.

Checking on the site's side and everything seems fine.

This leads me to believe it's on my pc/network. I have ran Avast! and Malwarebytes but with no success.
I have also checked the System32\drivers\etc\host.file for any weird redirect but it's clean.
I have also tried multiple browsers thinking the new update of FireFox may have contained something but again it comes-up with the same error.

Does anyone have any suggestions?

Am sorry for keeping this thread dragging but it's driving me crazy now.


==EDIT==
I was just informed another family member of mine (who also edits the site) used their Nook (tablet) to work on the site. Is it possible something leaked in from the Nook onto the Network?
« Last Edit: June 22, 2012, 08:33:17 PM by FireDart »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #21 on: June 22, 2012, 08:36:21 PM »
Hi FireDart,

We will be taking the direct approach.

Please navigate to the directory containing the folder of your website contents.
  • Right click the folder
  • Hover over "Send To"
  • Click "Compressed (zipped) folder"

A new zip file should show. Rename the zip file to "website.zip" We will need this for the next section.

We will use a website called SendSpace to upload the zip file. The website has the following benefits:
  • You do not need to register
  • Your maximum filesize is 300MB
  • The link can be deleted once we are finished
  • If you forget the deletion link: after 30 days and no downloads the link will be removed

Click on the SendSpace link provided.
**IMPORTANT** If you are using NoScript or NotScripts, you need to allow sendspace.com in order to continue.

Click on the button that says "Browse". A new window should open.
  • Navigate to the folder containing the zip file
  • Click (once only) on the zip file
  • Click "Open"

The window should close and new content should show on the site. Click "Upload" Once the upload finishes, please do the following:
  • Copy the link inside "Download Link"
  • Reply to our topic using this link
  • Paste the SendSpace link in the reply box

THEN

Edit the SendSpace link from http:// to hXXp:// to prevent the unaware to download the zip file. Put any additional comments after the url and submit your post when finished.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #22 on: June 22, 2012, 10:25:05 PM »
The file was sadly over 300MB so I uploaded to the site:

I have stripped any files that had config info about the db's and passwords. Am happy your willing to take your time to check for me but your still someone I don't know so am still taking precautions about private info.

Thank you again.

P.S If you could tell me when you have downloaded it it would be great. Would like to remove the link.
« Last Edit: June 23, 2012, 12:43:14 AM by FireDart »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #23 on: June 23, 2012, 12:22:33 AM »
You can remove the link. thanks

« Last Edit: June 23, 2012, 01:04:56 AM by !Donovan »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #24 on: June 23, 2012, 01:28:01 AM »
Check Here:
\core\cache\mgr\smarty\default\b8e3a026080a74ae0e8470acb30fe6984417c5da.file.header.tpl.php
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #25 on: June 23, 2012, 04:30:20 AM »
I see it now.
Modx caches all it's files and that cache file linked backed to the template file that was edited.

Thank you so much !Donovan!

May I ask what program you used to find the file?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #26 on: June 23, 2012, 02:24:33 PM »
Also some bad stuff here:
* \manager\templates\default\header.tpl


This leads me to believe it's on my pc/network. I have ran Avast! and Malwarebytes but with no success.
I have also checked the System32\drivers\etc\host.file for any weird redirect but it's clean.
I have also tried multiple browsers thinking the new update of FireFox may have contained something but again it comes-up with the same error.

Does anyone have any suggestions?

Am sorry for keeping this thread dragging but it's driving me crazy now.


==EDIT==
I was just informed another family member of mine (who also edits the site) used their Nook (tablet) to work on the site. Is it possible something leaked in from the Nook onto the Network?

If you are unsure and want to be sure that this is not caused by an infection on your computer, then follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
And create a new topic in the viruses&worms section. One of the qualified malware removal experts will assist you.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."