Hey,

I frequent a site (wwx.orca-cola.com/forum - I’ve changed one of the w’s to an x so as not to have it be a link) and have done for ages, but over the past couple of days Avast has started bringing up alerts that various parts of the site have the JS:Redirector-CV trojan on it, when this is not the case.

I’ve updated my virus definitions and program to the most recent ones, and it continues to happen. It’s not even a regular thing, I can be surfing that forum for an entire day and have no problems, and then it’ll start bringing up alerts to entire pages, smilie images, anything at all, but after I refresh the page there are no alerts at all.

The report I have on this PC is this:

*
* Shield stopped: 12 November 2010 21:03:05
* Run-time was 6 hour(s), 21 minute(s), 19 second(s)
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, November 12, 2010 10:56:20 PM
*

13/11/2010 23:28:50	http://www.orca-cola.com/forum/ [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:31:04	?P?X://www.orca-cola.com/forum/images/medals/report.png [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:31:04	http://www.orca-cola.com/forum/styles/OrcaCola/imageset/en/icon_contact_www.png [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:31:04	http://www.orca-cola.com/forum/styles/OrcaCola/imageset/en/icon_contact_www.png [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:31:04	http://www.orca-cola.com/forum/styles/OrcaCola/imageset/en/icon_contact_yahoo.png [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/misc/heart.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/misc/star.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/smile/question.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/misc/thinking.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/smile/alert.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/images/icons/smile/redface.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:21	http://www.orca-cola.com/forum/styles/OrcaCola/template/editor.js [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/pushBack.png [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_eek.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_e_confused.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_cool.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_redface.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_evil.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_e_ugeek.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:39:22	http://www.orca-cola.com/forum/images/smilies/icon_e_geek.gif [L] JS:Redirector-CV [Trj] (0)
13/11/2010 23:52:37	http://www.orca-cola.com/forum/skaven/ [L] JS:Redirector-CV [Trj] (0)
14/11/2010 00:42:29	http://www.orca-cola.com/forum/ [L] JS:Redirector-CV [Trj] (0)

Thanks for any help you can give me!

There is a javascript file that looks like it has been hacked. That script attempts to load a number of sites cracks, keygens, adult material, etc. etc. and that is my guess that is what avast is alerting on as I imagine any number of these sites could well be malicious.

See image, there are only two lines in this file and the second goes on and on and on, I have broken it up so you can see some of it. Si I would imagine that some of the other detections are the same or very similar, especially when it is in an image file.

How would you go about fixing that hack?

If you aren’t the site webmaster, then the only thing you can do is report it to them.

Same problem here, but no hack: http://forum.avast.com/index.php?topic=65971.0

The server hosts have checked the server, and couldn’t find any problems at all. However, I’ve not been getting alerts for the trojan today. Could you check if it’s still popping up for you DavidR?

Tested with IE8 / Chrome / Opera and i get no avast! warning…

Well I don’t get the alert in my last post now, so they must have found something as the ca_scripts.js file no longer holds that script I posted. But appears to be a legit javascript file now. So to me ot looks like that file at the least was hacked, see image extract of current ca_scripts.js file.