JS:ScriptSH-inf [Trj] Trojan Horse found...

[KleyMEN]

Uh... When I was wandering in the forums, suddenly Avast! started to alarm saying that a trojan horse was found. It says me to abort connection and even if I abort the connection it says that it has found a trojan horse over and over until I close the website... Any explanation to this weird occurence?


Here are details:

File Name: http://forums.3drealms.com/vb/external.php?type=RSS2\{gzip}
Malware Name: JS:ScriptSH-inf [Trj]
Malware Type: Trojan Horse
VPS version: 090305-0, 05/03/2009

[Joe Siegler]

Somehow I doubt that, or everyone would be reporting it. Does it continue to happen, or was it a one time fluke?

[KleyMEN]

Quote:

Originally Posted by Joe Siegler

Somehow I doubt that, or everyone would be reporting it. Does it continue to happen, or was it a one time fluke?

It's persistent. Everytime I come to the forums, it pops and says a trojan horse was found. (And it started today to behave like that.)

Here, an image to show you what kind of a warning i'm getting:

[Phait]

Sounds like a false-positive. I use Avast and have never gotten this.

[KleyMEN]

Quote:

Originally Posted by Phait

Sounds like a false-positive. I use Avast and have never gotten this.

It's possible, I doubt that there's any malicious software lying behing the forums or something.

[IwantMORE]

Try looking here...

http://forum.avast.com/index.php?topic=41676.0

[KleyMEN]

Quote:

Originally Posted by IwantMORE

Try looking here...

http://forum.avast.com/index.php?topic=41676.0

Thanks, i'll post here if I'll come up with any solutions.

Damn viruses

[Dave-ros]

I've started getting this exact error today, so unless we've both got the same virus, it's probably something to do with Avast!'s latest update causing a false positive

Edit: the message appears four times on each forum page... is this a subtle way to stop me going to the Post Thread?

Edit 2: this didn't happen last night, and started happening today when I started my computer and immediately went to this site. 'Tis most strange, but hopefully a false positive

[Shielder]

I'd like to point out that the exact same thing has just happened to me as well, and I'm also using Avast.

[KleyMEN]

Quote:

Originally Posted by Dave-ros

I've started getting this exact error today, so unless we've both got the same virus, it's probably something to do with Avast!'s latest update causing a false positive

Edit: the message appears four times on each forum page... is this a subtle way to stop me going to the Post Thread?

Edit 2: this didn't happen last night, and started happening today when I started my computer and immediately went to this site. 'Tis most strange, but hopefully a false positive

Damn this is weird...

Now I have to write on the forums while that nuke sign is whirling on the corner of my screen...

[Dave-ros]

Judging from the source code for the site, it's the RSS script that's triggering Avast!, so hopefully it's just a false positive, and someone hasn't hax0red the site after its move!

---------- Post added at 06:55 PM ---------- Previous post was at 06:15 PM ----------

More useful (?!) information: this only happens in Firefox (and yes, it happened before I updated it to 3.0.7 or whatever) -- doesn't happen in IE7, on which I am writing this. In Firefox it happens throughout the forums.3drealms.com website, even if I'm logged out...

[Shielder]

Just to throw a spanner into the works, it happens to me regardless of the browser i'm using, whether it be IE7, Firefox, Opera, etc...

I've even gone as far as trying to access other vBulletin based forums to see if its something to do with that, but no.

[Joe Siegler]

I use avast at home, and haven't seen this at all.

[KleyMEN]

Quote:

Originally Posted by Dave-ros

More useful (?!) information: this only happens in Firefox (and yes, it happened before I updated it to 3.0.7 or whatever) -- doesn't happen in IE7, on which I am writing this. In Firefox it happens throughout the forums.3drealms.com website, even if I'm logged out...

Yes, IE8 for me works well but as soon as open 3DR Forums website on Firefox, I get that warning insistantly saying that a trojan horse was found...

Joe, are you using FF or IE as a browser?

[Joe Siegler]

Firefox.

I do have IE, Opera, & Chrome on this system, but generally just for testing. The lion's share of my browsing is Firefox.

[KleyMEN]

I've just tried disabling all the add-ons and plugins I had installed on Firefox and enabled them one by one to see if it has something to do with the add-ons. Apparently, turning off the add-on named "Cool Iris" solved the problem for me. Annoying pop-ups are no more!

[Dave-ros]

Confirmed -- disabling Cool Iris stops the trojan alert from appearing! Damn, and I already submitted a "false positive" report to Avast!... should we tell the makers of Cool Iris that they're causing problems?

[KleyMEN]

Quote:

Originally Posted by Dave-ros

Confirmed -- disabling Cool Iris stops the trojan alert from appearing! Damn, and I already submitted a "false positive" report to Avast!... should we tell the makers of Cool Iris that they're causing problems?

I think there's a conflict between Avast! and Cool Iris when we open these forums. But why did it start today? I don't remember Avast! updating itself...

[Dave-ros]

Avast! updates itself every time I turn my computer on -- indeed, it defaults to updating every couple of hours! I've fired off an e-mail to the Cooliris people as well, though God knows what they'll make of it...

Shielder, do you have Cooliris installed on your other browsers (as I note it's not just a Firefox thing)?

[KleyMEN]

Quote:

Originally Posted by Dave-ros

Avast! updates itself every time I turn my computer on -- indeed, it defaults to updating every couple of hours!

Well usually when the program updates itself, it shouts "Virus database has been updated!" and if my memory serves me well, I don't recall hearing such a voice today, well... Nvm, at least the problem is solved

[GOK]

I get a very similar using Firefox and Avast - but only when I try to load this thread ----> http://forums.3drealms.com/vb/showth...422#post837422 in the Programming/HTML forum (titled "Anyone know what this Javascript means?").

Edit: Same message in IE.

[KleyMEN]

Quote:

Originally Posted by GOK

I get a very similar using Firefox and Avast - but only when I try to load this thread ----> http://forums.3drealms.com/vb/showth...422#post837422 in the Programming/HTML forum (titled "Anyone know what this Javascript means?").

Haha, me too. Seems like Avast! doesn't like Javascripts.

[Dave-ros]

Aha, that could be something -- does Cooliris somehow "scatter" a bit of JavaScript contained in one thread, and propagate it through the entire forum? (Do I even know what the hell I'm talking about?!) One thing's for sure, that particular thread is what's causing it (Avast! causes it to "disappear" after reporting the trojan), and somehow Cooliris is causing it to "attack" my system four times every time I look at any other thread! Why it's doing so when there's a bit of JavaScript in the text of the thread, rather than the header (where it would actually do some damage), is anyone's guess...

[Joe Siegler]

Quote:

Originally Posted by GOK

I get a very similar using Firefox and Avast - but only when I try to load this thread ----> http://forums.3drealms.com/vb/showth...422#post837422 in the Programming/HTML forum (titled "Anyone know what this Javascript means?").

Edit: Same message in IE.

OK, now I got it. Happens to me at home when I hit this URL.

I submitted a false positive report as the forum admin here. Let's see if they respond to me.

[PartyBooper]

Indeed it IS weird to see a rotating nuke symbol over 3DR's forums. If it wasn't for the really loud and annoying voice of Avast, it wouldn't even stand out.

I can confirm the CoolIris/Avast/3DR forums thing too by the way.

[Tekedon]

I have this problem too now.

Edit: Seems I fixed it by disabling a Veoh plugin in firefox.

[Shielder]

Quote:

Originally Posted by Dave-ros

Avast! updates itself every time I turn my computer on -- indeed, it defaults to updating every couple of hours! I've fired off an e-mail to the Cooliris people as well, though God knows what they'll make of it...

Shielder, do you have Cooliris installed on your other browsers (as I note it's not just a Firefox thing)?

I have to admit that I've never heard of it, but I don't think it's installed anyway although i'm checking to see whether something has been installed without my knowledge.

However, it could be something else that cooliris uses that is on my machine that could be causing it. Wild shot in the dark though.

Quote:

Originally Posted by Tekedon

I have this problem too now.

Edit: Seems I fixed it by disabling a Veoh plugin in firefox.

Funny you should mention Veoh, it's something i've had installed at one time in the past - then uninstalled again when it told me that it's content is only available in the US and not the UK.

[ProAsm]

Thanks for pointing me here Joe.

I've had the exact same problem and uninstalling Cool Iris also solved my problem.
http://www.proasm.com/images/pics/3drv.jpg
Thanks guys

[Blade Nightflame]

I have Cooliris on, but since I don't have an antivirus installed nor enabled, I don't get the problem.

[Dave-ros]

You get the virus instead

---------- Post added at 06:39 PM ---------- Previous post was at 05:03 PM ----------

Just to let you guys know, I've been e-mailing the Cooliris team about this, and they say they're looking into it -- since obviously the program is somehow causing us to get the virus warning on every page of these forums, and not just the one with the alleged malicious JavaScript in it

[Llama Gibbz]

I get a warning from avast trying opening this thread in the programming forum.

[Phait]

I just got it too Extensions I have

[KleyMEN]

Quote:

Originally Posted by Phait

I just got it too Extensions I have

Try disabling them one by one and see which one is causing the problem. Especially look for those which use Javascript in any way.

[Llama Gibbz]

Disabled all of mine and that thread still sets it off.

[Joe Siegler]

What about running Firefox in safe mode? If you still have your Firefox program group, there should be an icon for that in there.

[KleyMEN]

Quote:

Originally Posted by Joe Siegler

What about running Firefox in safe mode? If you still have your Firefox program group, there should be an icon for that in there.

Running Firefox in safe mode didn't change anything for me. Still that thread is inaccessible. There's an add-on named No Script or something like that which might help, haven't tried it yet though.

EDIT: Nope, that's not helping either.

[Dave-ros]

This has been mentioned -- that one specific thread sets off Avast!, presumably because it sees the malicious JavaScript in the body and still thinks it might be dangerous. So it's really up to Avast! to stop it being triggered... or else, it's really dangerous to spell out malicious JavaScript in a web page

It's not due to Firefox -- I get the same error trying to open that thread in IE7. The difference is, it actually opens in Firefox and the thread can be read while the error is on screen, but in IE7 it never appears at all!

[KleyMEN]

Quote:

Originally Posted by Dave-ros

I get the same error trying to open that thread in IE7. The difference is, it actually opens in Firefox and the thread can be read while the error is on screen, but in IE7 it never appears at all!

Really? I can't open that thread in FF either.

[Llama Gibbz]

For me its Avast web shield thinking there's malicious java code is there.

[unforgiven]

It's False Alarm , According to Reports Avast Blocks a few websites which used Apache Mod_Gzip or mod_deflate module , those modules allows output from server to be compressed before being sent to the client over the network. so it seems the Avast web filter can't determine the compressed data by GZIP/DEFLATE and thought it's Binary or Encrypted JavaScript file