JS:Kryptik-B [Trj]

Hello.

I use Avast 6 on my new PC (yesterday was the first use). I installed Avast 6. I wanted to update all my drivers and I went to XXX.pilotespc.com for my DVD recorder. But Avast showed an alert message which said: Avast has blocked … . It was a Trojan.

The complete URL is hXXp://www.pilotespc.com/cstrack.js.

The threat is classified as HIGH and the threat is called JS:Kryptik-B [Trj].

Is it a false positive ?

If it’s a virus, are you sure that my PC is clean and safe ?

If it's a virus, are you sure that my PC is clean and safe ?

Avast’s WebShield has blocked the threat even before it entered your PC. Your PC is safe.

Is it a false positive ?

Generally avast is precise in catching such scripts on websites. But, we may have to wait for someone to chime in if it's a false positive.

But if you think it's a false positive, you can report it here: http://www.avast.com/contact-form.php?loadStyles by selecting the appropriate subject and also putting a link to this topic in the message part.

only if u want to check ur pc

download malwarebytes from here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

do an update and perform full scan and remove what it finds.

try norton power eraser download link:
http://us.norton.com/support/DIY/index.jsp

also try this:

Download AVPTool from http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/ to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront-1.jpg

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

now remove whatever it finds.

I don’t see any reason for a scan with all the scanners out there since it is a webscript that has been detected and blocked.

Thank you. I’m delighted.

I check up with antivir and malwarebytes. No anomaly. I check with active scan today.

I wait for a reply from a member who has the same problem to know if it is a false positive.

Thank you again and sorry for my English (I’m French :) )

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks. Just a matter of course…

This looks like it may be a genuine detection, the js file has a script in it which uses an array to generate an image. At least that is what results from analysis from Malzilla.

avast isn’t the only one either:
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

by the way, your English is fine :)

It’s Ok, I changed the link.

So for you it’s an image which is loading and avast blocked it for security ?

I don’t know the term Genuine. What is it ? And “JS” is for Javascript ?

And thank you for your help and for my English :)

Hello,

spg SCOTT can you help me again please, to know if I have understood. Because I’m not sure of my translation.

Hello solidsnake44

You can ask your question in the French section of the international Avast forum

http://forum.avast.com/index.php?board=23.0

Otherwise you can try another driver site

http://www.touslesdrivers.com/index.php?v_page=30&v_forum=0

Apologies, I missed this topic.

As far as I can tell, that javascript file doesn’t seem to exist anymore. I get a 404 (not found) error on it. Do you still get alerts?

Thanks, but there is still an active one though ;)

So for you it's an image which is loading and avast blocked it for security ?
Well, not quite. It is an image link, but it seems to point to an actual page...
I don't know the term Genuine. What is it ?
In this case, by genuine detection, I meant correct. So the detection is correct. Genuine, generally means real/authentic :)
And "JS" is for Javascript ?
Yes.
And thank you for your help and for my english :)
No Problem, welcome to the forum :)

Scott

Hi solidsnake44,

spg SCOTT did a thorough script analysis there. I have to add that the site also has vulnerabilities because the Web applications used are not fully up to date and are exploitable.
Wordpress version: Wordpress
Wordpress version from source: 3.0.1
Wordpress Version > 2.9 for: -http://www.pilotespc.com/wp-includes/js/wp-ajax-response.js
Wordpress Version == 3.0.x for: -http://www.pilotespc.com/wp-includes/js/autosave.js
Wordpress directory: -http://www.pilotespc.com/wp-content
Wordpress theme: -http://www.pilotespc.com/wp-content/themes/universum/
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/universum/index.php *
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/default/index.php *

* vulnerable

This must have created the road in for the malcode. Well for the script links “cufon-yui.js” is exploitable as well and could also lead to malcode in the form of trojan backdoors.

polonus

Thank you all for your help.

Hello Jeepava. Thanks for the advice. I thought that this site, http://forum.avast.com/fr/index.php, was the French Avast forum.

Thanks for the drivers. I know the site, but I could not find the driver for the DVD drive, so I went to look elsewhere, but unfortunately the site was apparently infected.

Hello and thank you spg SCOTT. I tried again and I have the same message from Avast, which blocks the site, but the page loads.

Sorry I forgot the other link. I changed it.

OK, but it’s strange that only Avast finds the Trj and no paid security products like Nod32, Kaspersky, Bitdefender…
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

Gdata, I think, has the same database as Avast.

Hello polonus. Thank you for the explanation.

Hello solidsnake44

There are two forums

The French forum of Avast international
http://forum.avast.com/index.php?board=23.0

The forum created by a French-speaking Quebecer
http://forum.avast.com/fr/index.php

DVD drive driver
Can you post:
the make and model of the computer
the make and model of the DVD drive

I will do a search

OK, thank you for the information.

I found the driver, but alas only after having “visited” the infected site. Thank you for your offer in any case, it is very kind.

For information, it is a SAMSUNG Sh-S223C.

Here is what I found

SAMSUNG Sh-S223C

It is not a driver but firmware

WORLD WIDE
http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp

PRODUCT MODEL OEM
DVD-Writer Half Height SH-S223C SB
Code FirmWare Ver.
Firmware Version SB07 Date 06 07 2011

http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp?FunctionValue=view&no=733&SearchWord=&SearchMode=&PageNumber=1&product_code=&os_no=

Download
http://www.samsungodd.com/korLib/popup/Download.asp?path=FWDownload&fname=SH-S223C_SB07.exe

It may be useful in case of an update

Thank you very much.

What do you think of the fact that the paid antivirus products do not detect the problem according to VirusTotal?