My site has been blocked by Avast for the past 2 days. I haven’t made any changes and can’t figure out what is causing this. Every other scanner out there has cleared me but Avast.
Can any of the admins please take a look and help me out with this?
Here is the link to my site
http://www.siasat.pk/forum/showthread.php?223107-Trojan-in-Siasat-pk-I-can-not-open-any-thread
If someone can point out the issue, it will be great.
Of interest, I have just tried to open the link given and I too am blocked by my Avast program; it tells me there is a Trojan there or similar; I got a huge notice telling me to not go there???
Is this a blog/forum site?
This is a vbulletin forum
Exactly. There is no change in the code and I started getting this all of a sudden two days ago.
I am having a bad 3G connection at the moment so I am not able to get these online scanners to run.
Try scanning hxxp://wxw.sisat.pk at these online scanners.
The detection may be a result of something someone has posted there…
It sometimes happens here also if someone posts malicious code in the forum.
Thank you for taking the time to respond
Both of them have cleared me
http://zulu.zscaler.com/submission/show/21830c1aab2b87c96b8a90f8627439ad-1386668283
and the other one
https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-frc3/1499509_249274681898384_1704221649_n.png
Report it to avast lab… in your case I suggest using the first option posted below.
You may add a link to this topic in case they reply here.
You can upload files and report issues to avast here : http://www.avast.com/contact-form.php (select subject according to Your case)
You can use mail
send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected
or you can send files from avast chest
how to use the chest. http://www.avast.com/faq.php?article=AVKB21
I did report to Avast 2 days ago through the forum link you provided but they haven’t responded yet, that is the reason I’m here.
What files do I need to send them?
How long do they usually take to respond?
Since this is a website… no file to upload.
Response time can be anything from 1 hour to … they forgot you… depends on lab workload I guess.
You have to wait and see.
Is it possible your vbulletin site got exploited? I’ve seen it happen before. I don’t think that’s uncommon either.
The main link is not infested: http://www.siasat.pk/forum/showthread.php?223209-Siasat-pk-infected-JS-Autolike-E-Trj&goto=newpost
This script is not flagged either: http://www.siasat.pk/forum/clientscript/yui/connection/connection-min.js?v=422
There is a homeurl/bburl variable mixup in stock templates -=> http://jsunpack.jeek.org/?report=d3dd2808884e0ee4779220a9a221b28e7cd18a61
The virus found is a hijacker trojan virus that connects to unsafe ad websites and connects out to IRC.
Suspicious: wXw.siasat.pk/forum/clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=422 benign
[nothing detected] (script) wXw.siasat.pk/forum/clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=422
status: (referer=wXw.siasat.pk/forum/showthread.php?223107-Trojan-in-Siasat-pk-I-can-not-open-any-thread)saved 61619 bytes 315e9836288696569c93aa0a908d285b3f15d6a2
info: [decodingLevel=0] found JavaScript
suspicious:
And I see this in a file viewer outside html →
Content after the </html> tag should be considered suspicious.
400:<!-- END TEMPLATE: STANDARD_ERROR -->
polonus
Thank you for looking into this.
I have made some changes as you asked for. Can you please check if all is ok now?
How long does it usually take for avast to remove the flag after the issue is fixed?
As soon as you remove the code avast sees as malicious... detection will be gone.
Hello, if you see a warning about Autolike-E infection, it means there is malicious javascript on the web page, which follows your mouse with a facebook iframe. It’s also known as Clickjack.
I have changed every single file to default on my server so it is the original Vbulletin code but I’m still getting this error. If it was the Vbulletin error then the issue would be on all of their forums.
The code in this file
wXw.siasat.pk/forum/clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=422 benign
is exactly as any other forum out there, so why is it only pointing finger at me?
It has been 4 days since my users aren’t able to access the forum. I have emailed 3 times to avast but still no response from them. Kindly help
Hi farrus786, the problem is not in the javascript file.
In the main page right after tag is the function “mouseFollower(e)”. It is a relic from a facebook autolike script.
Remove this script and you will not see any more warnings.
Hi farrus786,
What Tondah points out, you can see in the attached image,
polonus
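
Added example, not part of any post in this thread: a Node.js check a site owner could run over a saved copy of a page to look for the two things pointed out above, content after the closing `</html>` tag and a leftover `mouseFollower` handler paired with a Facebook iframe. The sample pages, the finding names and the choice to ignore HTML comments in the trailing content are assumptions of this example.

```javascript
// Constructed sample (not taken from the site): trailing markup after </html>.
// The handler body is left out on purpose; only its shape matters to the scan.
const SAMPLE_PAGE = `<html><body><p>Forum index</p></body></html>
<!-- END TEMPLATE: STANDARD_ERROR -->
<iframe id="f" src="https://www.facebook.com/constructed-sample" style="opacity:0"></iframe>
<script>
function mouseFollower(e) { /* body omitted in this sample */ }
document.onmousemove = mouseFollower;
</script>`;

// Constructed clean page: only a template comment follows </html>.
const CLEAN_PAGE = `<html><body><p>Forum index</p></body></html>
<!-- END TEMPLATE: STANDARD_ERROR -->
`;

// Text after the last </html>, with HTML comments and whitespace removed
// (assumption of this example: a bare template comment is not reported).
function trailingContent(html) {
  const last = [...html.matchAll(/<\/html\s*>/gi)].pop();
  if (!last) return '';
  const tail = html.slice(last.index + last[0].length);
  return tail.replace(/<!--[\s\S]*?-->/g, '').trim();
}

// Returns a list of finding names (hypothetical labels) for manual review.
function scanPage(html) {
  const findings = [];
  const tail = trailingContent(html);
  if (tail) findings.push('content-after-html-close');
  if (/<script\b/i.test(tail)) findings.push('script-after-html-close');
  if (/function\s+mouseFollower\s*\(/.test(html)) {
    findings.push('mouseFollower-function');
  }
  // A mousemove hook plus a Facebook iframe is the pattern described above.
  const hooksMouse =
    /onmousemove\s*=|addEventListener\s*\(\s*['"]mousemove['"]/i.test(html);
  const fbFrame = [...html.matchAll(/<iframe\b[^>]*>/gi)].some((tag) =>
    /src\s*=\s*["'][^"']*facebook\.com/i.test(tag[0]));
  if (hooksMouse && fbFrame) findings.push('mousemove-with-facebook-iframe');
  return findings;
}

console.log(scanPage(SAMPLE_PAGE));
console.log(scanPage(CLEAN_PAGE));
```

Run it against the HTML the server actually returns to a browser (for example a saved "view source" copy), since the trailing block may come from a template or plugin and not from the stock files on disk. The findings are leads for manual review, not a verdict.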