PS:TrojDnldr-16 - What is this?

Hello,

This evening I found a strange r.php file after deleting two phishing sites from my server. When I pulled it down to see what it was, avast! immediately informed me I had a Trojan. I moved it to the chest and then checked the warning log, which indicated avast! had found a sign of “JS:TrojDnldr-16[trj]” in the r.php file.

I’m guessing this is the source of the phishing sites that appeared. Does anyone know anything about this particular trojan?

Thanks in advance for any information/help.

The name would tend to indicate a JavaScript Trojan Downloader, so in that page there would be a script to download malware.

Trojan Downloaders do, as the name suggests, download more malware from the internet to infect your system (they are more usually found on your system as a file rather than as part of a web page).

If you know which file caused the infection, send it to avast for inspection.

I see no point in sending it to avast as avast detected it. The infection wasn’t on the user’s system but on his server.

David is right. The only case in which this will be useful is a false positive detection.