Trojan Horse detected on most web pages

First off, your posting timeout is TOO SHORT! I lost my entire post.

So here is the short version…

I have two desktops protected by Avast 4.8.1296, VPS 081226-0. One is WinXP Home SP2, the other is WinXP Pro SP3. I usually use Firefox (version 3.0.5) but checked and I have the same issue on IE 6.0.

Nearly all web sites I go to cause an alert for a trojan horse, malware name: JS:Packed-I [trj]

A few don’t, such as www.google.com and bensbargains.net. But most do, including pricegrabber.com, avast.com, wunderground.com, msn.com, etc.

I have run a full Avast scan on one system, and the other system is 30% complete at this time.

Next steps?

I am posting this from a laptop protected with a different brand of anti-virus.

Your Internet Explorer needs to be updated, even if you’re not using it.

I am seeing the same issue when visiting many websites such as weatherunderground.com.
This started last night and it looks like avast was updated yesterday.
I am running 4.8 Home Edition and the VPS file is 081226-0 that was updated on 12/26/08.

I ran Windows Update and IE and all other Windows software is fully updated.

Is there a way to back out what Avast updated yesterday?

Thanks for your help.
Ron

It appears the trojan is coming from the banner ad.

Interesting. Is there an infection of the banner ad server, or a false positive, or is it perhaps some insidious attempt to track users by the banner ad company?

The VPS file released today seems to have cleaned up the problem. Just a false positive I guess.

I was wrong, it is not fixed, although there are slightly fewer sites that cause virus warnings.

I see someone has started another thread with the same issue.

Can you give some examples of the sites that are detected? Edit the URL so they aren’t active, e.g. change the http to hXXp (hXXp://www.avast.com); that will avoid accidental exposure for other forum members.

Are they all the same malware name, e.g. JS:Packed- ?

When JavaScript is in some way obfuscated it isn’t normal practice, as JavaScript is a plain language script where even without programming experience you can get an idea what it is doing. So to try and obfuscate, pack, encrypt or otherwise change that normal use is strange.
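An added illustration, not part of the original thread and not Avast's detection logic: a small heuristic that flags packed or obfuscated JavaScript. It shows why a generic "packed script" rule can also fire on a harmless packed banner-ad script. The indicator names, thresholds and sample scripts are assumptions constructed for this example.

```javascript
// Added example: heuristic indicators of packed/obfuscated JavaScript.
// The rules and names are assumptions for illustration, not Avast's signature.
function packedIndicators(src) {
  const hits = [];
  // Bootstrap emitted by Dean Edwards' packer: eval(function(p,a,c,k,e,d){...
  if (/eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,/.test(src)) {
    hits.push("packer-bootstrap");
  }
  // A string is decoded and immediately executed or written into the page.
  if (/(eval|document\.write)\s*\(\s*(unescape|atob|String\.fromCharCode)\s*\(/.test(src)) {
    hits.push("decode-then-execute");
  }
  // More than 30% of the script consists of %XX, \xXX or \uXXXX escapes.
  const escapes = src.match(/%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || [];
  const escapedLen = escapes.reduce((n, e) => n + e.length, 0);
  if (src.length > 0 && escapedLen / src.length > 0.3) hits.push("escape-heavy");
  // Packed word dictionary: 'a|b|c|d|e|f'.split('|')
  if (/'[^']*(\|[^'|]*){5,}'\s*\.split\(\s*'\|'\s*\)/.test(src)) {
    hits.push("split-dictionary");
  }
  return hits;
}

function looksPacked(src) {
  return packedIndicators(src).length > 0;
}

// Constructed samples (not taken from any real ad server).
const PLAIN = "function showBanner(id){var el=document.getElementById(id);el.style.display='block';}";
const PACKED_AD = "eval(function(p,a,c,k,e,d){/* unpack loop omitted */return p}" +
  "('0 1(2){3 4=5.6(2)}',7,7," +
  "'function|show|id|var|el|document|getElementById'.split('|'),0,{}))";
const ESCAPED_AD = 'document.write(unescape("%3Cimg%20src%3D%22ad.gif%22%3E"))';

for (const [name, src] of [["plain", PLAIN], ["packed ad", PACKED_AD], ["escaped ad", ESCAPED_AD]]) {
  console.log(name, looksPacked(src), packedIndicators(src));
}
```

Both constructed ad samples are benign once unpacked, yet both are flagged: the heuristic sees only the packing, not what the script does after decoding.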

FYI,
This issue has been resolved for me with the update of the VPS file yesterday, 12/27/08.
I have visited all of the web sites I was seeing the issue and I am no longer getting a warning.
Thanks!
Ron

I’ve updated IE, but it and Firefox are still getting warnings.

I’m updating the VPS file daily.

It is always a trojan horse: JS:Packed-I [trj]

I get no warnings at yahoo.com, mozilla.org,

At wunderground.com, Avast detects:
hxxp://ad.doubleclick.net/imp;v1;f;209142946;0-0;0;29658431;300|250;29035617|29053496|1;;cs=u%3fhttp://ad.doubleclick.net/dot.gif?0.5655646313217795

At msn.com:
hxxp://ad.doubleclick.net/ad/N3340.MSN/B3326292.2;sz=1x1;kw=2_k3230_igfam_cd_msn;ord=734686898725

OK, starting to see a pattern in the banner ads, but then I go to:

At wikipedia.org:
hxxp://en.wikipedia.org/wiki/Main_Page

Ok, now this is really odd. On this computer, I just installed adblock plus for Firefox with no problem. On my other computer, when I tried to do the same, I got the malware warning at (hand copied):
hxxp://releases.mozilla.org/pub/mozilla.org/addons/1865/adblock_plus-1.0-fx+sm+tb.xpi

A friend suggested that I uninstall then reinstall avast, as he’s seen some weird things with avast that this fixes. But why would that happen to two computers simultaneously with (nearly) the same problem?

I fear I’ve got some undiscovered virus that is spreading via my home network that has this odd side effect of triggering false positives.

Well doubleclick.net is commonly used to gather information to serve adverts so it is possible that is what is being detected. I don’t know if that is the case as I have doubleclick.net blocked from cookies, etc.

I have just visited the wiki page link that you gave using Firefox and no alerts, so I have no idea what is being detected for you. What malware name?

hxxp://releases.mozilla.org/pub/mozilla.org/addons/1865/adblock_plus-1.0-fx+sm+tb.xpi
Whilst I use Adblock Plus in Firefox, I downloaded this manually (so as not to try to install it again); avast didn’t alert, so I’m not sure what is going on in your system.

  • In Adblock Plus you could block doubleclick.net; this may stop the alerts on it at other sites.

Whilst I don’t believe a virus/trojan/adware, etc. would be so selective on what sites it delivered or tried to get an ad or payload, etc. you could run these, they are worth keeping afterwards.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.