[SOLVED] JS:Cruzer-C on my forum!!

I have a big problem on my forum. It is a JS:Cruzer-C Trojan Horse.
My computer is scanned with Avast and Spybot Search & Destroy, and it is clean.
This weekend the host will move the site (with the others) to another server.

I followed the instructions over here, but I can’t find the trojan horse.

This is the link to my site: www. oude egypte .nl

I don’t know if the site is hacked.

Last weekend (May 23) there was a power outage in the data centre, and on Sunday (May 24) the server (where my site is hosted) crashed and totally died. The hoster has put all the sites on another server, but the file for the FTP, the emails and the DirectAdmin was corrupt and the hoster made all new ones for us.
This weekend the hoster will move all the sites to a new server.

I have mailed the hoster about this.

What can I do?

Well, like Igor and Tech, I have visited the above URL and no detections.

So what is the full path to the detection?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

Hi

I have a problem with AVAST giving a false positive on THIS: hxxp://itmedia.sk/images/itmediask.gif
You can see a picture from one of my customers who told me about this: http://members.chello.hu/jermij/vir.JPG
There’s no way this GIF could be infected, as it’s the original one which we’ve been using for years now, and it displays correctly.

Please check what gives the false positive, and let me know / fix the search pattern on your database.

Thank you.

Thanks a lot!!

This is the logfile from Avast:

Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://klanten.bwhs.nl/news/nieuws.php” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/index.php” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/index.php” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/viewonline.php” file.
Sign of “JS:Cruzer-C [Trj]” has been found in “hXXp://www.oudeegypte.nl/viewtopic.php?f=5&t=130&p=521” file

I will be back tomorrow.

Please start a New Topic of your own, as this is hijacking the original poster’s topic and will just confuse the topic, and we will try to help. - Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

I have visited all of those and I don’t get any alerts. Are you still getting alerts on these pages?

You mentioned your host will be putting all sites on another server, perhaps he has done that and things are clean. Though that wouldn’t account for the first URL klanten.bwhs.nl/news/nieuws.php unless that site too was hosted on the same original server.

Hello SekhemAkassha,

I also went to this log site and got no alerts from avast in Firefox with NoScript active.
Checked via Exploit Prevention Labs Link Scanner and DrWeb’s av link scanner, ran blacklistdoctor and unmasked.parasites scans, all green and no sign of JS:Cruzer-C.

Here is the listing from the malcode detector site: No zeroiframes detected!
Check took 2.19 seconds

(Level: 0) Url checked:
hxtp://www.oudegypte.nl
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://as.casalemedia.com/sd?s=65131&f=1
Blank page / could not connect
No ad codes identified
This could have been it, a link to a WEB OPTIMIZATOR and a 302 re-direct!
(searching for sd?s=65131&f=1 gives malware results)

Just outside the html code:

^EDITED with ^....^!--0.167895078659::1::0.00925946235657-->....
^!--0.192685127258--><!--a09-- 

At some point there must have been a redirect to a malware site,
this need not be the case now,

polonus
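
The check discussed in this thread (looking for markup sitting just outside the closing html tag of a page), as an added example that is not part of the original posts. The function names and the three sample pages are constructed for illustration.

```python
import re
from typing import List, Optional

# Matches a closing </html> tag, tolerant of case and inner whitespace.
_HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
# Constructs that have no business appearing after the document ends.
_TRAILER_PATTERNS = {
    "script": re.compile(r"<script\b", re.IGNORECASE),
    "iframe": re.compile(r"<iframe\b", re.IGNORECASE),
    "comment": re.compile(r"<!--.*?-->", re.DOTALL),
}


def trailing_content(page: str) -> Optional[str]:
    """Return the text after the last </html>, or None if the tag is missing."""
    matches = list(_HTML_CLOSE.finditer(page))
    if not matches:
        return None  # truncated or fragment output: inspect by hand
    return page[matches[-1].end():].strip()


def audit_page(page: str) -> List[str]:
    """List the kinds of markup found after the closing </html> tag."""
    tail = trailing_content(page)
    if tail is None:
        return ["no-closing-html-tag"]
    if not tail:
        return []  # nothing but whitespace after the document
    found = [name for name, rx in _TRAILER_PATTERNS.items() if rx.search(tail)]
    return found or ["other-trailing-data"]


# Constructed sample pages (not taken from the affected site).
CLEAN = "<html><body><p>Forum index</p></body></html>\n"
APPENDED = (
    "<html><body><p>Forum index</p></body></html>\n"
    '<!--marker-placeholder--><script src="//ads.example.invalid/x.js"></script>'
)
TRUNCATED = "<html><body><p>Forum index</p>"

if __name__ == "__main__":
    for label, page in [("clean", CLEAN), ("appended", APPENDED),
                        ("truncated", TRUNCATED)]:
        print(label, audit_page(page))
```

Run it over the response body as served for each flagged URL as well as over the files on disk, since the avast log reports detections on the rendered pages.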

@DavidR: I don’t get any alerts now. Maybe the site has really moved to another server.

Thank you for looking!

@Polonus:
Thank you for looking so thoroughly.
I no longer get any alerts at all, so I assume we have now moved to another server.
And yesterday I checked my pages such as index.php, viewtopic.php and a few others, and I could not find any code after the HTML tags.
I hope the problem is solved now.
Once again, thank you very much!

You’re welcome, hopefully the Host has resolved it with the move.

Hi SekhemAkassha,

Very glad for you, and now get fully to work on the content of your forum, good luck with that and stay safe online,

polonus

Casalmedia is not very popular with the WOT users.

Hi John 2009,

Yes, a site that is adware and spyware or even virus related, programs that find pop-ups launched by it in Firefox, and also questions with tracking cookies, users reported this also to McAfee SiteAdvisor, see their report, WOT gives it an all red. as.casalmedia.com redirects to:
hxtp://promotionalproductes.net/?tmp=domain_inquiry_form&keepThis=true&TB_iframe=true&height=450&width=760

polonus

@DavidR: I hope that too.

@Polonus: The content will turn out just fine; now that the scary trojan thing is gone, I can happily get back to work.

I have never heard of Casalmedia, so far as I know, and I don’t know how they can put trojans on my site. Maybe it came from the shared server where we were standing after the first server crashed.
I hope that all the problems are really over now.