On my personal home page (www.nilsandreas.info) I get a warning for the “JS:Cruzer-B [trj]” from Avast, and then I cannot access my home page. I don’t exactly know when this started - one or three months ago, possibly?
I have made no changes to my home page in that period of time, so I don’t understand what this is?
From the log I have copied this:
01.06.2008 21:30:29 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
01.06.2008 21:30:32 SYSTEM 1812 An error has occured while attempting to update. Please check the logs.
05.06.2008 13:12:22 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
05.06.2008 13:12:25 SYSTEM 1812 An error has occured while attempting to update. Please check the logs.
03.09.2008 14:43:41 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
13.09.2008 10:16:11 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001.
29.11.2008 10:57:29 SYSTEM 1848 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
01.12.2008 12:17:29 ˜ 1844 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
29.01.2009 00:21:54 SYSTEM 1840 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
27.02.2009 18:22:49 SYSTEM 1848 Sign of "JS:Cruzer-B [Trj]" has been found in "http://www.nilsandreas.info/" file.
Your website was hacked! There is an injected piece of javascript at the end of the html code - after closing tag and many tabs. You will find it by searching for the string “.charAt(” without quotes.
Please check possible vulnerable software on your server, change your password (to a stronger one) and check your own code for possible bugs.
I had the same alert but JS:Cruzer-C [trj] instead of JS:Cruzer-B [trj] on one of my pages (yv5huj.org)
I saw a strange code after closing as you said, so I just replaced the public index.html file for the original one in my backup files and now everything is OK.
I do not know if it is, but …
In line with my thoughts, such as anti-virus bitdefender says, is a Trojan.Downloader, avast and it says the file is called http://www.nilsandreas.info/, not index.html, the server may have a virus.
In bitdefender is a Trojan.Downloader!
But in the avast! I saw what was written JS, JS might be a script.
So this site puts a file that is Trojan.Downloader
I am from Portugal and had to use the google translator, so my text can not be very good.
Make your links in the forum posting non-clickable for the curious of nature, like htxp:// or wXw
Check: No zeroiframes detected!
Check took 0.41 seconds
(Level: 0) Url checked:
htxp://www.nilsandreas.info/
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (frame source)
htxp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/sscr.html
Blank page / could not connect
No ad codes identified
The Trojan uses obfuscated Javascript to download other malware onto the users’ computer.
It is part of a “drive-by exploit chain” which uses known security flaws to infect computers which are not updated.
If you use the bitdefender and record the page, we see that the virus is not on the page, is the transmission of the page (I guess) is that the server may have virus.
I can not find anything of the virus in source code.
Here is the source-code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--This file created 23:15 06.02.2006 by Claris Home Page version 2.0--><HTML><HEAD><TITLE>Sscr_fra_ImageReady</TITLE>
<META content="MSHTML 6.00.6000.16825" name=GENERATOR><X-SAS-WINDOW RIGHT="764"
LEFT="14" BOTTOM="601" TOP="46">
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
<BODY bgColor=#82241c>
<P><!-- ImageReady Slices (Sscr_fra_ImageReady.psd) --><MAP
name=Sscr_fra_ImageReady_Map><AREA shape=RECT alt=Tsongkhapa
coords=511,109,608,289
href="http://www.nilsandreas.info/Buddhisme/Tsongkhapa.htm"><AREA shape=CIRCLE
alt=erstad@nilsandreas.info coords=571,446,31
href="mailto:erstad@nilsandreas.info"><AREA shape=RECT alt=""
coords=18,423,127,443 href="http://www.nilsandreas.info/teknisk"><AREA
shape=RECT alt="Pictures from movies where I was an extra"
coords=511,321,608,407
href="http://www.nilsandreas.info/statist/index.htm"><AREA shape=RECT
alt="Sikkim - New Delhi - Goa" coords=378,317,489,402
href="http://www.nilsandreas.info/gammel/index2.html"><AREA shape=RECT
alt="Some of my cameras" coords=252,316,366,401
href="http://www.nilsandreas.info/kamera"><AREA shape=RECT alt="Where I live"
coords=138,315,237,406 href="http://www.nilsandreas.info/drammen"><AREA
shape=RECT alt="My cars" coords=21,311,116,402
href="http://www.nilsandreas.info/bil"><AREA shape=RECT
alt="Buddhist texts and links" coords=400,167,536,195
href="http://www.nilsandreas.info/Buddhisme/THE_STORY.doc"><AREA shape=RECT
alt="Sceptical links and texts" coords=247,109,347,137
href="http://www.nilsandreas.info/skepsis"><AREA shape=RECT target=NEW
alt="Some texts and photos - noen tekster og bilder" coords=22,19,587,67
href="http://www.nilsandreas.info/hjemmeside/homepage.htm"></MAP><IMG height=480
src="http://www.nilsandreas.info/Sscr.gif" width=640 align=bottom
useMap=#Sscr_fra_ImageReady_Map
border=0><!-- End ImageReady Slices --></P></BODY></HTML>
Guys, initial post is more than 2 months old - nils webpage is clean now.
I think erivera has been hit with a new variant of JS:Cruzer that is highly spreading right now.
This could be suspicious: (Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified
I have the same problem on my own site :-[ It is a JS:Cruzer-C
My computer is scanned with Avast and Spybot Search & Destroy, and it is clean.
This weekend the host will move the site (with the others) to another server.
I am following the instructions over here, but I can’t find the trojan horse.
This is the link to my site (be careful) www.oude egypte.nl
I did not find anything obvious in the code.
I could open the site in Firefox with NoScript. Maybe some script is infected? ???
Are you running the latest avast version?
I clicked all the forum categories in Internet Explorer 7 and didn’t get any warning. What exact place are you talking about? (Starts clicking more links)
Last weekend (May 23) there was a current down in the datacentra and Sunday (May 24) the server (where my site is hosted) crashed and totally died. The hoster has put all the sites on another server, but the file for the ftp, the emails and the directadmin was corrupt and the hoster makes all new one for us.
This weekend the hoster will move all the sites to a new server.
I have mailed the hoster about this.
Thank you for help.
@Igor:
empty pages ?? Which empty pages?? I don’t understand this. Sorry :-[
@Donovansrb10:
It’s everywhere on the forums, not only there where you found it. It is also there when I post a reply there.
I downloaded the mentioned webpage. It looks “clean” (I mean the source code) - but if you notice that there are a lot of empty lines there and scroll to the real end, there’s an appended malicious script there.
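Added example (not part of any post in this thread): a small Python check a site owner could run over a saved copy of a page to catch the pattern described above, where a script is appended after the closing tag behind a long run of tabs and blank lines. It assumes the closing tag meant is `</html>`; the indicator list beyond “.charAt(” and both sample pages are constructed for illustration.

```python
import re
from dataclasses import dataclass

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# ".charAt(" is the search string named in the thread; the others are assumed generic markers.
INDICATORS = (".charAt(", "<script", "unescape(", "eval(", "<iframe")

@dataclass
class Finding:
    padding: int         # whitespace characters between </html> and the appended content
    trailing_chars: int  # length of the appended non-whitespace content
    indicators: list     # indicator strings that occur in the appended content

def find_trailing_injection(html: str):
    """Return a Finding if anything but whitespace follows the first </html>, else None."""
    match = CLOSE_HTML.search(html)
    if match is None:
        return None  # no closing tag to anchor on; inspect such a page by hand
    tail = html[match.end():]
    payload = tail.strip()
    if not payload:
        return None  # only whitespace after the closing tag: normal
    padding = len(tail) - len(tail.lstrip())
    lowered = payload.lower()
    hits = [i for i in INDICATORS if i.lower() in lowered]
    return Finding(padding, len(payload), hits)

# Constructed samples: a clean page, and the same page with a harmless stand-in
# script appended after the closing tag, hidden behind blank lines and tabs.
CLEAN = "<HTML><BODY><P>home</P></BODY></HTML>\n"
TAMPERED = (CLEAN + "\n" * 40 + "\t" * 200
            + '<script>var k="ok";var s=k.charAt(0);</script>\n')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, find_trailing_injection(page))
```

Comparing the saved page against a known-good backup (size or hash) catches the same tampering even when the appended code contains none of the listed strings.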