[SOLVED] Need help with Web Shield scan...Is/is not valid warning?

My version of Avast! Definitions 111120-1, v 6.0.1289 keeps showing that this site

hxtp://s243213379.e-shop.info/

has an iFrame trojan dropper. Online scans of the site are mixed. Can anyone give me a definitive answer: is this site safe?

Thank you in advance.

ColdWinterWind

Hi coldwinterwind,

I’m just a forum member!

I ran some tests for you.

http://www.virustotal.com/ - Clean
http://sitecheck.sucuri.net/scanner/ - Infected
http://www.urlvoid.com/ - Clean

These are some of the tools used here on the Avast forum.

And I see what you mean by Mixed results…

Also, the correct message board for Viruses and FPs is - http://forum.avast.com/index.php?board=4.0 (but since you already posted, there is no need to open another thread.)

Well, avast isn’t alone in finding this live_tinc.js file (see image) as the best suspect; that JavaScript file, buried in a sub-folder of templatemedia, has a number of iframe creations in it. I personally don’t know exactly what they subsequently do, but many scanners don’t like it.

These are the VirusTotal Results on the temporary copy of live_tinc.js that avast scanned and I uploaded for scanning (17 detections of 42 scanners).

No.

See specific image extract of sucuri scan on the full path to the live_tinc.js file.

Details: http://sucuri.net/malware/malware-entry-mwiframehd203

Norman lab confirms infected website

s243213379.e-shop.info.htm - Processed - HTML/Agent.QO
live_tinc.js - Processed - JS/Iframe.JT

UrlQuery - Detected Blackhole exploit kit v1.1 HTTP GET request
http://urlquery.net/report.php?id=9189

I think we can reasonably say that the avast detection was good.

Absolutely. 🙂

I thank you all for your able (and fast!) replies. I’ve been wanting to order something thru this eShop for a while, but keep running into this problem. And the owner, while 'Net savvy, is not a programmer, and has said a couple of times that the site is okay now.

So I really needed an external reality check to find out if I had a mis-configured browser cache, or something. This eShop is hosted with a provider that I also use; and I need to be thoroughly convinced that there’s no/little chance of cross-contamination before I take MY eShop live.

Again, thank you all so much. I apologize for posting this in the wrong forum.

You’re welcome…!

Turns out the offending jscript was part of the host’s domain-parking, Google ads mix. Only had the POTENTIAL to cause harm. Avast’s behaviour shield did its job - err on the side of caution. Still needs to be fixed (it IS an eShop) but at least we know it’s not spewing badness.

But now I wonder why Norton doesn’t flag the file. Oy, will the questions never end?

Thanks again everyone. Your corroboration/validation of my iffy findings prompted me to keep digging.

ColdWinterWind

You’re welcome.