On copying and pasting the word into the search tab, a trojan popup appears (tested by me)
On clicking search, after the search page is shown, a trojan popup appears (tested by a Chinese user, as discussed in http://tieba.baidu.com/p/3172730216). I don’t know how they do it, but avast prevented the search when I clicked search.
??? I don’t know if there is a difference, but I pasted the search key from this search http://www.baidu.com/s?cl=3&wd=avast and then clicked search; the result stays avast and the page goes white, like when IE crashes on that page, but it does not crash. The page goes to hxxp://www.baidu.com/s?cl=3&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=baidu&ie=utf-8&bs=avast&f=3&rsv_bp=1&rsv_sug3=2&rsv_sug4=356&rsv_sug1=2&rsp=0
Which is blocked.
By looking at the wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC the search key does change, only the result does not.
edit: It is also prevented from the main page, look at the attached picture
edit2: I succeeded in bypassing the prevented-search problem, but avast blocked a different URL as a trojan
hxxp://www.baidu.com/s?wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&rsv_bp=0&tn=baidu&rsv_spt=3&ie=utf-8&rsv_sug3=2&rsv_sug4=262&rsv_sug1=1&f=3&rsp=0|{gzip}
JS:ScriptPE-inf [Trj]
This is still happening (same search key: 家居装修风格).
Plus the following search key: 加勒比海盗
hXXp://www.baidu.com/s?ie=utf-8&mod=1&isid=8be4b48900005339&pstg=2&cl=3&wd=%E5%8A%A0%E5%8B%92%E6%AF%94%E6%B5%B7%E7%9B%97&rsv_sid=undefined&csor=5&_ck=1291.0.-1.-1.-1.-1.-1&_cr1=10312|{gzip}
This is just the movie “Pirates of the Caribbean”, so I don’t know why there is a trojan horse in it.
The file “s.htm” comes with the website. Avast also gives it an alert “JS:ScriptPE-inf [trj]”. Most of the time avast alerts and then the search is prevented (no result is displayed).
Pondus
Avast is blocking the same file (s.htm) that quttera detected as suspicious, but if it really is malware, avast should have detected the trojan on all search keys instead of a few.
Only a slight change in the search key can make avast not alert. For example, avast alerts when using the search key “加勒比海盗” but not for “加勒比海盗1”.
1.
A few days ago, the problem came back for the following search key “狗hank”.
Another s.htm file was moved to the virus chest. From there I scanned all the s.htm files and saw how selectively avast blocks the search page :o
The old problem was solved. But this one is a new block. Upon checking the user comments in the avast forum on baidu, avast is actually blocking the redirection script used in the well-known Chinese search engine.
hxxp://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&ch=&tn=baidu&bar=&wd=%E7%8B%97hank&rsv_enter=0
Only the red-colored part changes for different search keys.
2.
The problem is back with another search key “哑银不干胶”.
The URL format has changed this time, but the blocked file is the same (s.htm).
hxxp://www.baidu.com/s?cl=3&wd=哑银不干胶
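For triaging reports like the ones in this thread, the blocked URLs can be normalized and their `wd` search key decoded so the requests can be compared side by side. This is an added example, not part of the original posts; the function names are hypothetical and the input list is copied from the URLs quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Blocked URLs as quoted in the posts above (defanged, one with the
# "|{gzip}" suffix from the avast alert). Nothing is fetched.
REPORTED = [
    "hxxp://www.baidu.com/s?cl=3&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=baidu&ie=utf-8&bs=avast&f=3&rsv_bp=1&rsv_sug3=2&rsv_sug4=356&rsv_sug1=2&rsp=0",
    "hXXp://www.baidu.com/s?ie=utf-8&mod=1&isid=8be4b48900005339&pstg=2&cl=3&wd=%E5%8A%A0%E5%8B%92%E6%AF%94%E6%B5%B7%E7%9B%97&rsv_sid=undefined&csor=5&_ck=1291.0.-1.-1.-1.-1.-1&_cr1=10312|{gzip}",
    "hxxp://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&ch=&tn=baidu&bar=&wd=%E7%8B%97hank&rsv_enter=0",
    "hxxp://www.baidu.com/s?cl=3&wd=哑银不干胶",
]

def normalize(reported):
    """Undo hxxp defanging and drop a trailing "|{...}" alert suffix."""
    url = re.sub(r"\|\{[^}]*\}$", "", reported.strip())
    return re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url)

def search_request(reported):
    """Return host, path, decoded search keys and the other parameter names."""
    parts = urlsplit(normalize(reported))
    query = parse_qs(parts.query, keep_blank_values=True, encoding="utf-8")
    return {
        "host": parts.hostname,
        "path": parts.path,
        "wd": query.get("wd", [""])[0],  # search key of this request
        "bs": query.get("bs", [""])[0],  # still "avast" in the first URL
        "other": sorted(k for k in query if k not in ("wd", "bs")),
    }

def endpoints(reported_urls):
    """Distinct (host, path) pairs; a single pair means only the query differs."""
    return {(r["host"], r["path"]) for r in map(search_request, reported_urls)}

if __name__ == "__main__":
    for item in REPORTED:
        req = search_request(item)
        print(req["host"] + req["path"], "wd=" + req["wd"], "bs=" + req["bs"], req["other"])
```

All four reports resolve to the same host and path, so the decoded `wd` value is the part to include when submitting a false-positive report.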