I am getting a Trojan Horse - "JS:Redirector-H4 [Trj]" error on my avast!

Hello, maybe someone can help me.

I have all my sites hosted by Network Solutions. When I visit any of these sites (more than 10) I get a Trojan Horse Found warning. In particular - JS-Redirector [trj]. And it's not just my computer; EVERY computer that I have avast on, some which I have a licence, some which I have the Free version, all get the same warning. Can anyone tell me how to get rid of this? It started Friday. Thanks!

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

No, none of those things. Network Solutions is pretty failsafe. I think in one of the last updates there could have been something in there to trigger this off. Because I get it only with computers with avast. I have scanned the system for viruses and spyware and I get nothing.

No, the hacking of sites has become the fastest growing means of exploitation/infection and avast is one of the very few that is capable of detecting these hacked sites; you only need to browse this forum to see that.

Of all the reported detections in this forum that I have checked out all have proved to be good detections.

Having made the detection either by the web or network shields, they should block the malware getting on to your system.


Welcome to the forums, Havanaman. :slight_smile:

If you could supply us with the URL of at least one of your sites, we can check it for you.


Hello to all

I noticed the same incidence during the visit of the following sites:

wxw.mmberatung.ch
wxw.logex.ch
wxw.trosoft.ch

Yes, the sites are clearly infected.

Please ‘modify’ your post change the URL from www to wXw as I have done in the quoted text, to break the link and avoid accidental exposure to suspect sites, thanks.

Sorry, that's my first post in a forum ever.

No problem, it isn’t written anywhere that you should do this, but it is just good practice when reporting suspect links. Humans can see the obvious change and those who might investigate would know to replace it.

Welcome to the forums.

I try to avoid flowery phrases: tnx, to igor too for his intervention.

Hi folks,

This is most likely the malcode script:

 ^!-- 
(function(){var .Wm7=('va:72:20:61:3d:22S:63ri:70tEng.......

polonus

Here is one of the sites…

www.capwines.com

We are working on reloading the information today to see if that will work…

Unfortunately, Network Solutions has done little to help fix the problem.

Any additional thoughts?

Please ‘modify’ your post change the URL from www to wXw as I have done in the quoted text, to break the link and avoid accidental exposure to suspect sites, thanks.

However, having just visited your site I don’t get an alert, so presumably you have reloaded the pages (and/or are you still getting an alert)?

Merely uploading clean pages will get round this short term, but if you don’t close the vulnerability then it is possible that it could happen again.

  • This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
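The host's clean-up list quoted above (look at index/default pages for injected JavaScript, look for rogue files, inspect .htaccess files for redirects) can be turned into a repeatable, read-only audit that you run over a downloaded copy of the web root before and after reloading clean pages. The script below is an added example written for this thread; it is not code from the forum, the host, Network Solutions or avast. The target file names, the indicator patterns and the constructed sample site in build_sample_site() are assumptions chosen to mirror that list, and the sample values (host names, the obfuscated string) are made up.

```python
"""Read-only audit of a web root for the indicators in the host's clean-up list.

Added example, not from the thread. File names, patterns and the sample site
are assumptions; the script only reads files and reports, it changes nothing.
"""
import os
import re
import tempfile
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (path relative to web root, line number, indicator label)

# Pages the clean-up list names as favourite injection targets (index.htm/index.php
# added as an assumption, they are the usual equivalents on LAMP hosts).
TARGET_PAGES = {"index.html", "index.htm", "index.php", "default.aspx", "default.cfm"}
# Extensions worth reading as text when a full sweep (all_pages=True) is requested.
PAGE_EXTENSIONS = {".html", ".htm", ".php", ".aspx", ".cfm", ".js"}

# Indicators for injected content in pages. Each is (label, regex); these are
# detection heuristics, so treat hits as something to inspect, not as proof.
PAGE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # Self-invoking function whose first variable is a string built from
    # hex-style tokens (':72', '\x72', '%72'), the shape quoted earlier in the thread.
    ("obfuscated-script",
     re.compile(r"\(function\s*\(\)\s*\{\s*var\s+[\w$.]+\s*=\s*\(?\s*['\"]"
                r"(?:[^'\"]*?(?:\\x|%|:)[0-9a-f]{2}){5,}", re.I)),
    # eval(unescape(...)) chains commonly used to hide a redirector or iframe writer.
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    # iframes sized to zero or styled invisible.
    ("hidden-iframe",
     re.compile(r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*['\"]?0(?!\d)"
                r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
]

# .htaccess directives that send visitors elsewhere (item 3 of the list).
HTACCESS_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("htaccess-redirect", re.compile(r"^\s*Redirect(?:Match|Permanent|Temp)?\s+", re.I | re.M)),
    ("htaccess-rewrite-redirect",
     re.compile(r"^\s*RewriteRule\s+\S+\s+\S+\s+\[[^\]]*\bR\b", re.I | re.M)),
    # Referer-conditioned rewrites: a classic way to redirect only search-engine visitors.
    ("htaccess-referer-condition", re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)),
]


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(rel_path: str, text: str) -> List[Finding]:
    """Apply the page or .htaccess indicator set to one file's contents."""
    patterns = HTACCESS_PATTERNS if os.path.basename(rel_path) == ".htaccess" else PAGE_PATTERNS
    return [(rel_path, _line_of(text, m.start()), label)
            for label, rx in patterns
            for m in rx.finditer(text)]


def audit_webroot(root: str, all_pages: bool = False) -> List[Finding]:
    """Walk the web root; by default only .htaccess and the target pages are read."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            lower = fn.lower()
            wanted = lower == ".htaccess" or lower in TARGET_PAGES \
                or (all_pages and os.path.splitext(lower)[1] in PAGE_EXTENSIONS)
            if not wanted:
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


def build_sample_site() -> str:
    """Constructed sample web root: one injected index page, one hidden eval page,
    one clean default.aspx and a referer-keyed .htaccess redirect."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "shop"))
    files = {
        "index.html": (
            "<html><head><title>Sample shop</title></head>\n"
            "<body><h1>Welcome</h1>\n"
            "<script>(function(){var _w7=('va:72:20:61:3d:22S:63ri:70t');})();</script>\n"
            "<iframe src=\"http://bad.example.invalid/\" width=\"0\" height=\"0\"></iframe>\n"
            "</body></html>\n"),
        "about.html": "<html><body><script>eval(unescape('%3Cs%63ript%3E'));</script></body></html>\n",
        "shop/default.aspx": "<%@ Page Language=\"C#\" %>\n<html><body>clean page</body></html>\n",
        ".htaccess": (
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_REFERER} google [NC]\n"
            "RewriteRule ^(.*)$ http://bad.example.invalid/ [R=302,L]\n"),
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, line, label in audit_webroot(site, all_pages=True):
        print(f"{path}:{line}: {label}")
```

Run it against a local copy of the site rather than the live server, and re-run it after the clean pages are uploaded: a finding that comes back means the pages were overwritten again and the entry point (item 2 of the list, a rogue script or a stolen FTP password) is still open. The default pass reads only the named target pages and .htaccess; pass all_pages=True for a full sweep of text-like files.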

Hi Havanaman

This link is at the crux of the malicious redirect: htxp://www.capwines.com/ac_runactivecontent.js
See the bug for that code: http://www.webmasterworld.com/flash/3426384.htm

Modify your link like this: wXw to make it non-clickable…

Tips for preventing this malcode on websites:
Tips for Cleaning & Securing your Website – StopBadware.org
http://www.stopbadware.org/home/security

Check Unmask Parasites again after the 2 hour cache clears to make sure the External reference to the iFrame is no longer there. It will still say your site is suspicious because you don’t have the flag removed from Google yet.

You also still need to request a malware review through your Webmaster Tools account so that you can get the warning removed from the Google Search Results.

Hey Google, I no longer have badware – Google Webmaster Central
http://googlewebmastercentral.blogspot.com/2008/08/hey-google-i-no-longer-have-badware.html

pol