JS:agent-JX[trj]

xxx.wigetmedia.com/tags/tankaner.com.js is that a fale alarm?

Attach down is a copy of the code avast give alarm on

upload it to virustotal.com and post the result here then we can say if its a real or false threat.

only detected by avast 5
http://www.virustotal.com/file-scan/report.html?id=d8abf3b5eb142a82a3f5301031700ffa7d4cffe761ef9e7bc62d5b10a99c73b6-1305734413

and the decoded file at jsunpack looks suspicious…

I always get suspicious at these double file extensions like .com.js even before any analysis.

As Pondus said jsunpack decode of this file looks suspect there is a lot of obfuscated script, whilst there may be a legitimate reason for this, I’m always suspicious about what they have to hide.

Seems like much of this revolves (excuse the pun) around an advert rotator.

Well SoSWebscan gives it clean: The site URL -http://www.wigetmedia.com/tags/tankaner.com.js has been successfully scanned. And No Malware or badwares found. Hosted at Leaseweb in the Netherlands the site has a bad WOT rep, e.g. four reds: http://www.mywot.com/en/scorecard/wigetmedia.com = Very Poor!
It is the link there to -http://wmedia.rotator.hadj7.adjuggler.net/servlet/ajrotator/75527/0/vh that seems suspicious…
Random JS Toolkit malware, and for connection points, see: http://www.malware-control.com/statics-pages/606153094a37ddd34acd5c20cfcde1b4.php

polonus

Norman analysis

attached as GIF.pic since it contain some code

I am the developer of that popup-code and I can assure you that it is not malicious in any way other than that it opens a new browser window.
It must be a false positive caused by the javascript obfuscation, if you open the javascript file mentioned in the first post you can now see how it looks without any obfuscation.

Hello,

it was a false positive and it is fixed in the current VPS.

Best regards

Alena Varkockova