VBS:Malware-gen

Hi foto,

The live-magazine dot eu link is also flagged by finjan as having malicious code,

polonus

I am also getting a VBS:Malware-gen message when visiting what I believe to be a safe company website.

hXXp://www.thelawrencegroup.com/

Filename hXXp://www.thelawrencegroup.com/AC_RunActiveContent.js
VBS:Malware-gen
Virus/Worm
090109-0, 01/09/2009

Please let me know if this is a false positive.

There is a big chunk of obfuscated document write (javascript) at the bottom of the script.

I have no idea what that is intended to do or why it would be obfuscated in that way or even if it is meant to be there. Since javascript is meant to be a plain language scripting language, when obfuscated in this way I get suspicious at what they have to hide.

So it may well be a legit detection but you could submit it (as a possible false positive) for further analysis.

I’m getting this same warning for hXXp://ssbresins.com/. It has the same line of compressed/weird JS as some of these other pages. Just thought I’d chime in.

Well if it is your site or one you regularly visit it has probably been hacked.

Considering its location just before the closing Body and HTML tags it certainly looks like code injection into the page.

Please modify your post, changing the http to hXXp so the link isn’t active, avoiding accidental exposure, e.g. hXXp://ssbresins.com/.
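The replies above treat an obfuscated document.write sitting just before the closing body and html tags as a sign of injection. As an added example (not code from this thread), here is one way a site owner could check a saved copy of a page for that pattern; the encoding markers, the 500-character tail window, the 0.4 threshold and the sample pages are all assumptions made for illustration.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.I)
# Assumed obfuscation markers: %XX escapes, \xXX escapes, decimal char-code lists.
ENCODED_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\b\d{2,3}\s*,", re.I)


def encoded_ratio(body):
    """Fraction of a script body that consists of encoded-character tokens."""
    if not body:
        return 0.0
    return sum(len(m.group(0)) for m in ENCODED_RE.finditer(body)) / len(body)


def suspicious_trailing_scripts(html, tail_chars=500, min_ratio=0.4):
    """Flag inline scripts near or after </body> that document.write encoded data.

    Returns a list of (offset, ratio) tuples, one per flagged script.
    """
    close = BODY_CLOSE_RE.search(html)
    tail_start = (close.start() if close else len(html)) - tail_chars
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if m.start() < tail_start or "document.write" not in body:
            continue
        ratio = encoded_ratio(body)
        if ratio >= min_ratio:
            findings.append((m.start(), round(ratio, 2)))
    return findings


# Constructed sample: a harmless paragraph, percent-encoded, stands in for the payload.
ENCODED = "".join("%%%02X" % b for b in b"<p>constructed sample, not real malware</p>")
CLEAN_PAGE = (
    "<html><head><script>var menu = [10, 20];</script></head><body>"
    + "<p>constructed page text</p>" * 40
    + '<script>document.write("<p>footer</p>");</script></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script>document.write(unescape("%s"));</script></body>' % ENCODED
)

if __name__ == "__main__":
    for offset, ratio in suspicious_trailing_scripts(INJECTED_PAGE):
        print("suspicious script at offset %d, encoded ratio %.2f" % (offset, ratio))
```

A hit is only a prompt to compare the file against a known-good copy from before the change; plain-text trailing scripts such as the footer in the clean sample are not flagged.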

Getting Malware-gen for hXXp://icamaxi.se, any idea if it’s a FP?

Thanks

Not a false.

As kubecj said not a false positive, a big chunk of javascript (which I have edited to make it easier to see in the image) trying to look like an advert script, but it has an obfuscated link at the end of it. There should be no legitimate reason to do that, e.g. what are they trying to hide.

So it looks like the site has been hacked.

Please modify your post, changing the http to hXXp to break the link and avoid accidental exposure (as in the quoted text above).

I plugged in my digital camera and the virus notification came up and said I had VBS:Malware-gen, so I put it in the virus chest and scanned it and it said it was in this file AutoRun.inf. I just had to completely wipe, format and reinstall Vista the other day due to not having an antivirus and the first thing I did when I got it running was download avast. I know for sure there’s nothing up with my laptop…

If anyone could help me please do!

This is somewhat different to what is covered here, hacked web sites and is for a different malware name.

  • Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.
  • Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

I clicked on www.thtndc.org
avast 4.8 database 090806-1 08/06 also popped up and warned me of VBS:Obfuscated-gen [trj]
This site was a good one and meant no harm.
Can someone check it please to see if there is any more trojan or malware?

Please also check www.phiatruoc.net as it is a site administered by the same team of the above.

Well it tries to install a chat-room-client without asking the user and at best is downright rude and at worst possibly malicious.

It is also creating an applet and an object where it appears to be hiding (obfuscating) what the purpose is and I don’t like what it tries to do directly in the C:\ drive.

avast isn’t alone in thinking there is something wrong with this, http://www.virustotal.com/analisis/d430171aface541b88b199daef5962168ec1686e0ab2d8cb95ea9f85dfecea59-1249663618

--post removed-- wrong section

Hello

Please can you start a new topic as your problem is unrelated to the original poster’s and will cause some confusion.

Also, please can you modify your post (and change your next one) to break the link (i.e. change http to hXXp)

Thanks,

-Scott-


Sorry bout that. Will do.

When you do, I didn’t find anything, so some more info is required.

I have just visited the home page hXXp://www.greenbeanery.ca/bean/home.php with firefox 3.5.2 and I had no alert, so if you can be more specific on the URL where the alert lies - Please ‘modify’ your post change the URL from http to hXXp or www to wXw (as in my example), to break the link and avoid accidental exposure to suspect sites, thanks.

Since I’m on dial-up and the site is media rich, it takes forever to load, so I can’t go browsing in the hope of finding it.

Hello,

Yesterday, just when closing the computer (Windows XP SP2), Avast (virus base updated) showed the alert VBS-malware-gen in logonui.exe and blocked the computer. Today, after the restart I checked logonui.exe with Avast - same problem. Avast proposes to cure it, I accept, then it proposes to replace the file with a sane copy, I accept it, and the alert re-appears again and again.

I have no idea where the virus came from. To check by an alternative means, I launched CureIt! which ran also in Win32, and it didn’t find anything suspicious. Could it be an Avast error or should I really worry?

Thank you for help!

Hello,
send us (virus@avast.com) the file to analyze and put “False positive” in the subject. But “VBS-malware-gen” in an .exe looks suspicious at first look (VBS is Visual Basic Script – a text file, not binary).

Thank you
Milos

Plz help me also, I am having a problem with the file D:/autorun.inf and it’s showing on the screen again and again that the file is infected with vbs:malware-gen. Plz some1 help how to remove this :-\

Thank You

Read this http://forum.avast.com/index.php?topic=53253.0