Avast blocking infection on aa.com (American Airlines)

Avast is saying that it has blocked an infection when accessing the American Airlines site (aa.com).

The infection is VBS:Obfuscated-gen [Trj]

Is this real?

– Larry

post a screenshot of avast popup warning

@Pondus I think his system is infected with .vbs scripts. Website (aa.com) is fine :) Pls go to https://forum.avast.com/index.php?topic=53253.0
https://www.virustotal.com/en/url/d13b1a85b4784492079fbac9145d5c950cd8c7bfa8bf3864f5bf2d48406ad7d5/analysis/1445240607/

That is why we need the screenshot, so we can see all info given by Avast.

Here are images of the Avast PopUp and the More Details info. These were captured when I got the PopUp while trying to log in. Previously I got the same PopUp just by going to the main aa.com site.
Thanks,
Larry

I posted the screenshot…

I am not able to reproduce the detection myself, so I need you (or whoever gets the detection) to help me.

What I need here is the exact file that is triggering the detections. We will take advantage of the fact that all files that are tested are temporarily stored in c:\Windows\Temp_avast_, until Avast decides what to do with them. We need to set up Avast to “Ask” when it encounters something, so we have time to extract the detected file from the location above.

Follow these steps to retrieve the file:

  1. Set Avast to “ask”. Avast → Settings → Active protection → Webshield - Customize → Actions → Virus → Ask (please witness my excellent image-editing skills in the pic below)

http://i.imgur.com/ftrQObd.png

  2. Go to the page that triggers the warning and let Avast pop up. Do not close the popup!
  3. Go to c:\Windows\Temp_avast_. Select the file that is the most recent. This is the file that is triggering the warning, and that we actually need. When you scan this file with Avast, the same detection name should appear.
  4. Attach the file to your post here (only if you are sure it doesn’t contain any sensitive data) OR you can zip the file with a password and attach the zipped file here and send me the password via PM.

If Avast somehow deleted your file and you have to trigger the detection again, either restart the shields or your PC.
Thank you all for your help!
Honza

Hi HonzaZ,

Couldn’t it be the website is clean when there is no iFrame link to an infection of sorts triggering the generic detection mentioned and that the detection is on the server the victim uses to get access to that site? There was a similar issue way back in 2008 with Avast alerting the same generic detection. Then and there it was on a college webserver.

Damian

This could be the case, which is why I am not saying it is a false positive :-). Usually, though, the bigger the website (and aa.com sure is big), the lower the chance that there is an infection. But to decide, I need the file. I still have some ways to test it (different computer, …), so I will keep you guys updated.

I’m the OP. I did what HonzaZ described but discovered that I can’t get access to the avast folder. I even tried changing the access settings but I couldn’t change them either. Windows, or something, is very protective of that folder. Yes, I am the administrator. However, I use a search program called Search Everything and it allowed me to open that folder. Hmmmmm…

So then I went to aa.com but could not get avast to complain about anything, even after rebooting my system. I guess whatever was going on at aa.com is not going on any more.

Unless it happens again for me, or someone else, I guess I will just wait and see.

Thanks for all your support!
–Larry

Hm, I have had the same reports from others. I cannot confirm if this was an issue on aa.com side, or on Avast side, but I sure am glad it is ok now :wink: