system
January 24, 2012, 7:16pm
1
Hello I am having an issue with avast showing up as trojan warnings on my site.
I have checked the site with countless other programs and it comes up clean.
Is there a way to get this cleared or at least checked on?
http://www.51bass.net/51bass/wp-content/uploads/2012/01/sampletrojan-example.png
website is
hxxtp://xwww.51bass.net
Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.
Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0
Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).
Check here how to clean and make a website secure.
The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.
And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.
Pondus
January 24, 2012, 7:40pm
3
system
February 4, 2012, 10:43am
4
guys, my ebookportugal.net site is having the same alert.
but:
google webmaster tools doesn’t show any malware errors;
sucuri also does not show any trojan error.
how come avast points to trojan errors?
thanx
system
February 4, 2012, 11:13am
5
These are redirector trojans…
Basically, some sites have some script that redirects to an exploit pack or some other piece of malware… As a side note, not all AV software detects such redirect attempts, but avast does… consider yourself lucky to have avast!
See a very live piece of this malware that I encountered a few months ago and avast! saved me from it… see the report below:
https://www.virustotal.com/file/d8e9b0e0a9f0ba87523358f0f58c18e3fdaa229a999e560ee036756e43fd68aa/analysis/1323619848/
system
February 4, 2012, 11:22am
6
Hi Hellvis, welcome to the forum
avast is alerting on a script that doesn’t appear to belong on line 19 of the page source.
Scott
system
February 4, 2012, 1:38pm
7
Hello,
Must I remove the script? The one on line 19 of the homepage is a feedburner script.
thanx for your help and warm welcome.
system
February 4, 2012, 2:29pm
8
I am unsure as to what exactly is going on in the script.
There is a reference to a blocked site within it, so that suggests that it may be malicious.
I think someone from the avast team would be more helpful here…
Hi Hellvis and spg SCOTT,
Not all that is being flagged by sucuri is detected through the webshield as JS:Redirector-NL [Trj]
Site is being given safe here: http://urlquery.net/report.php?id=19148
But malware still out there: -http://jsunpack.jeek.org/?report=ce56a42dcc28b3d1b501863ceb847b42b84bb66f (visit when security savvy, with ample script protection and in a VM) - Read for description of this malware: http://wordpress.org/support/topic/kaspersky-going-haywire-please-help (blog post author = dematrixshow)
But avast webshield flags: -http://www.51bass.net/51bass/wp-content/themes/rt_refraction_wp/js/rokutils.inputs.js that is being blogged
and -http://www.51bass.net/51bass/wp-content/themes/rt_refraction_wp/js/roknewsflash-packed.js
See likewise finds reported here for another infected site: https://badwarebusters.org/main/itemview/20203
found up by jenifer from soswebscan.com .
The following link is not flagged by the avast shield: -http://jsunpack.jeek.org/?report=83f55ce6d76069a551537a6127ae0b72c452431f
And again this one is flagged by the webshield: -http://www.51bass.net/51bass/wp-content/plugins/gigpress/scripts/gigpress.js?ver=3.3.1
And this again is not being flagged by avast webshield: -http://jsunpack.jeek.org/?report=4261a3dc4a3844b0fa0281f2ac9f20e7b85500f1
Nor this link -http://www.51bass.net/51bass/wp-content/plugins/nextgen-gallery/js/ngg.js?ver=2.1
Update and patch your hacked Wordpress installation, it has been hacked and malcode injected,
One redirect is for -http://91.196.216.64/ see: http://urlquery.net/report.php?id=19149
polonus
polonus
February 4, 2012, 3:06pm
10
Hi spg SCOTT,
Another example of that particular code you gave, re: http://pastebin.com/60rmh9L8
Pastebin holds a lot of dubious code, so go there with care!
It is open-X Iframe malware. For what site it is pointing to, see: http://google.com.au/safebrowsing/diagnostic?site=analyze.int.tf/ with 6 trojans, 2 exploits, 1 scripting exploit reported,
polonus
system
February 4, 2012, 3:17pm
11
Yes, this code appears to create an iframe that points to the site (analyze…) in question.
polonus
February 4, 2012, 5:39pm
12
Hi spg SCOTT,
I launched that code found at pastebin at jsunpack and instantly avast webshield blocked it as JS.Redirector-NT[Trj], so proof of this being identical malcode. Yet another one found at pastebin redirects to gone dot cn dot com, see: http://google.com/safebrowsing/diagnostic?site=gone.cn.mn/ , a site with 9 trojans, 7 exploits, 4 scripting exploits. See for this one:
-http://jsunpack.jeek.org/dec/go?report=ce34c6c964c8012761336e9299df81bbad0c2b3a
(Visit jsunpack links only when security savvy, with ample script protection and in a VM)
The scan with bad iFrame detektor found this:
No zeroiframes detected!
Check took 0.65 seconds
(Level: 0) Url checked:
-http://www.51bass.net
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (meta refresh)
content=0;-http://51bass.net/51bass/index.php
-http://www.51bass.net/51bass//IFrame_11[e3] - *
Blank page / could not connect … because of redirection to -http://51bass.net/51bass
No ad codes identified and the DrWeb URL scan there did not detect:
-http://51bass.net/51bass redirects to -http://51bass.net/51bass/
-http://51bass.net/51bass/ redirects to -http://www.51bass.net/51bass/
see the url scan: http://urlquery.net/report.php?id=19179
polonus
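The scan output above reports zero-size iframes and meta refreshes, and an earlier reply points to a script on a specific line of the page source. The following is an added example, not part of any forum post and not the scanner used in this thread: a small Python audit that a site owner could run over saved page source to list the same kinds of findings with line numbers. The sample page, the host names (`site.example`, `cdn.other.example`, `redirect.invalid`) and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page (not taken from the thread); all hosts are placeholders.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0;http://site.example/blog/index.php">
<script src="http://site.example/wp-content/themes/t/js/utils.js"></script>
<script src="http://cdn.other.example/feed.js"></script>
</head><body>
<iframe src="http://redirect.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://site.example/map.html" style="visibility:hidden"></iframe>
<iframe src="http://site.example/video.html" width="640" height="360"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PageAudit(HTMLParser):
    """Collect (line, kind, detail) findings for one HTML document."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def _external(self, url):
        # Exact host comparison: "www." variants of the site count as external.
        host = urlparse(url).hostname
        return host is not None and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]  # 1-based line of the tag in the source
        if tag == "iframe":
            zero = any(a.get(k, "").strip() in ("0", "0px") for k in ("width", "height"))
            if zero or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append((line, "hidden-iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append((line, "meta-refresh", a.get("content", "")))
        elif tag == "script" and self._external(a.get("src", "")):
            self.findings.append((line, "external-script", a["src"]))

def audit(html, site_host):
    parser = PageAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

A finding is only a pointer to a line worth reading: a feed or analytics script is legitimately external, and iframes written at run time by obfuscated JavaScript do not appear in static markup at all.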
system
February 5, 2012, 11:10am
13
Hello guys, I’ve just removed the plugin. The script line was removed, as far as I know…
I went to ebookportugal.net and had no alert. Could you please check if you don’t get the alert message also?
Regards 8)
system
February 6, 2012, 7:11pm
14
Hello
I’m still having the same problem. It points to that error, even though I’ve deleted the plugin.
How can i solve this?