JS:Redirector-H7 [Trj]

Personally I would simply let avast delete it, as it is a temporary file, then delete the temporary internet files in your browser and reboot.

I honestly don’t believe in doing a Rootkit Revealer scan; it isn’t a very friendly tool, just an analysis, and I don’t believe this JS:Redirector-H7 is related to any rootkit activity. I think polonus found this link, http://www.bleepingcomputer.com/forums/lofiversion/index.php/t43051.html[/t136502.html but that isn’t for the file that was found on your system.

The malware redirects (hence the name) to a malicious site that will try to infect your system; the web shield and network shield should also protect against that.

Yes, DavidR is right, but for sure a Redirector is a virus that redirects you to a malicious site. I was wondering whether I should post the response or not, lol. Well, DavidR was braver in this way. :slight_smile:

If the trojan redirects to a malicious site, how do you know if you have been infected? I ran the Avast scan twice and have found no problems so far…

Thank you :slight_smile:

Hi Arthurk,

In my second reply I have already remarked that using the Rootkit Revealer was no longer necessary, because the find was in a temporary file that you could easily delete.
Because of the avast shield you more likely than not never landed at the malicious download site or found a malicious e-mail attachment, so don’t worry.
I think everything is fine now; you could still perform a full scan with MBAM from here: http://www.malwarebytes.org/mbam-download.php
You can also check the avast logfiles to see whether a connection to a JS:Redirector-H7 [Trj] site was intercepted by your avast av-solution. It can also be found in an email attachment, in which case you’ll need to locate and delete the entire email.

polonus

If you ran the Avast! scan and it found no virus then you are OK. JS:Redirector is a script that redirects to another website which contains malware and can cause your PC to turn into a zombie. But if Avast! saw it and you moved it to the chest or deleted it, then you are safe with Avast! in this case. If you are not sure you can use Malwarebytes like polonus said. But I don’t think it is on your computer, because Avast! did help you fight it, so have fun on your computer.

And have a nice day.

Mr.Agent

If it happened to be active (not likely in this case), some other html page would have to load off-line for it to call this javascript file before it could redirect anything. If, and it is a big if, then firstly the network shield may have that malicious site on its block list, and even if not, you also have the web shield’s protection and, as a final fallback, the standard shield. So I feel that the risk is minimal, certainly in this case.

Having run another scan without a result, you should be fine.

JS:Redirector is a script that redirects to another website which contains malware and can cause your PC to turn into a zombie.

Contrary to Mr.Agent’s comment, there is no certain action that is taken, as it a) depends on the site you are sent to and b) the particular payload can change frequently. So you would never know what might be at the URL on the other end of the redirect.

Thanks to all for the help… FYI, I am using Avast 4 (free home edition)… I hope that is enough for now…

Thanks again :slight_smile:

You’re welcome.

It doesn’t hurt to have anti-spyware/malware applications to complement avast.

If you haven’t already got this software (freeware), download, install, update and periodically run them.

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway.
1a. Or Spyware Terminator Resident scanner (if you use this, don’t install the toolbar, the crawler or the anti-virus module). - I suggest trying them in order, as the order represents the better detection and clean-up. Some elements of the programs might not work if you have an older OS like Win9x or WinME; this is namely the resident protection in Spyware Terminator.

I did download MalwareBytes Anti-Malware and ran it…all seems to be fine…and that should do it for now…

Thanks again and God Bless…

arthurk

No problem.

I have seen this trojan JS:Redirector-H7 before too, and I’m sure it infected me once… well, I don’t know…

I believe I got it from hxxp://www.thisisblythe.com. I have contacted the owner of the site but she has ignored my email.

But you see, now, when I use FireFTP (an add-on for Firefox), whenever it starts up I get the message

“550 can’t change directory to /favicon.ico: No such file or directory”

which is obviously something trying to hack my website and infect MY favicon (my site doesn’t have one, hence it cannot infect it).

What’s scary is that it keeps trying. I’ve had avast do a deep scan of my computer, and I’ve just deleted all cache files as recommended earlier in this forum. The FTP add-on still does this whenever I connect…

My FTP settings are to go to /public_html, not some /favicon.ico.
Also, nothing appears in the FTP logs about this request.

What can I do?

You are right; the site is part of the Gumblar botnet.
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=221600700
http://wepawet.iseclab.org/view.php?hash=b6b22571e54b0b45fd3833431ce3fb89&t=1259091388&type=js

This can be a trick: by placing a link to a file that doesn’t exist, which would normally result in a 404 error, the attacker can make use of a custom 404 error page. This is frequently placed there for that purpose (of triggering the malware), or an existing 404 page is modified to redirect to a malicious site.

– HACKED SITES - This is commonly down to old content management software being vulnerable: PHP, Joomla, WordPress, SQL, etc. etc. See this example of a host’s response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of javascript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages, as those are popular targets too.

  2. Remove any “rogue” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to php or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
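As an added example (not part of the thread, the host’s reply, or any avast/Gumblar tooling), the script below automates steps 1 and 3 of the host’s clean-up procedure and also catches the custom-404 redirect trick DavidR describes. It walks a site root, flags index pages (including default.aspx/default.cfm) that carry the usual shapes of injected redirector code, and flags .htaccess files whose RewriteRule, Redirect or ErrorDocument 404 target points at a host other than your own. The signatures are assumed heuristics, not a published detection list, and the sample site it scans is constructed inline in a temporary directory so the example runs offline.

```python
import tempfile
from pathlib import Path
import re

# Page names the host's advice names as the usual injection targets.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx", "default.cfm"}

# Assumed heuristic signatures of injected redirect code: obfuscated eval/document.write
# payloads, long fromCharCode chains and hidden iframes. Not a definitive list.
SCRIPT_SIGNATURES = {
    "eval-unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "document-write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode-chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I),
    "hidden-iframe": re.compile(
        r"""<iframe[^>]*(?:width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)""",
        re.I),
}
# JS redirect to an absolute URL; group 1 is the target host, compared against your own hosts.
LOCATION_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*["']https?://([^"'/]+)""", re.I)

# .htaccess directives whose target is an absolute URL; group 1 is the target host.
HTACCESS_RULES = {
    "external-rewrite": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I | re.M),
    "external-redirect": re.compile(
        r"^\s*Redirect(?:Match|Permanent)?\s+(?:\d{3}\s+|permanent\s+|temp\s+)?\S+\s+https?://([^/\s]+)",
        re.I | re.M),
    # The custom-404 trick: a request for a missing file (such as /favicon.ico) is handed to another site.
    "external-404": re.compile(r"^\s*ErrorDocument\s+404\s+https?://([^/\s]+)", re.I | re.M),
}


def scan_site(root, own_hosts):
    """Walk a site root; return (relative path, finding) pairs for suspicious content."""
    root = Path(root)
    own = {h.lower() for h in own_hosts}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == ".htaccess":
            for name, rx in HTACCESS_RULES.items():
                for m in rx.finditer(text):
                    if m.group(1).lower() not in own:
                        findings.append((rel, f"{name}:{m.group(1)}"))
        elif path.name.lower() in INDEX_NAMES:
            for name, rx in SCRIPT_SIGNATURES.items():
                if rx.search(text):
                    findings.append((rel, name))
            for m in LOCATION_REDIRECT.finditer(text):
                if m.group(1).lower() not in own:
                    findings.append((rel, f"location-redirect:{m.group(1)}"))
    return findings


def build_sample_site(root):
    """Write a constructed sample site: a clean page, an injected page and two .htaccess files."""
    root = Path(root)
    (root / "blog").mkdir(parents=True)
    (root / "old").mkdir()
    (root / "index.html").write_text(
        '<html><body><h1>Welcome</h1><script src="/js/site.js"></script></body></html>\n')
    # Constructed injection appended after </html>, where injected redirectors typically land.
    (root / "blog" / "index.php").write_text(
        "<?php include 'header.php'; ?>\n<p>post</p>\n</html>\n"
        "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>\n"
        '<iframe src="http://bad.example/in.php" width=0 height=0 style="visibility:hidden"></iframe>\n')
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^old$ /new [R=301,L]\n"                     # internal target: fine
        "Redirect 301 /legacy http://www.example.com/legacy\n"  # own host: fine
        "ErrorDocument 404 http://bad.example/404.php\n"        # external 404 trick
        "RewriteRule ^(.*)$ http://bad.example/$1 [R,L]\n")     # everything sent off-site
    (root / "old" / ".htaccess").write_text("ErrorDocument 404 /404.html\n")  # local 404: fine
    return root


def run_demo():
    """Build the constructed site in a temp dir and return the sorted findings."""
    site = build_sample_site(tempfile.mkdtemp())
    return sorted(scan_site(site, {"example.com", "www.example.com"}))


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{rel}: {finding}")
```

Run it against a real site by calling `scan_site("/path/to/public_html", {"yourdomain.tld", "www.yourdomain.tld"})`; anything it reports in .htaccess should be compared against the rules you actually wrote, and a flagged index page should be diffed against a known-good backup rather than edited in place, since step 2 (rogue upload scripts) and step 4 (passwords) still have to be done by hand.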