Infected by the JS/TrojanDownloader virus

Discussion in 'ESET NOD32 Antivirus' started by vitalyx, Jun 13, 2008.

Thread Status:
Not open for further replies.
  1. vitalyx

    vitalyx Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    2
    Hello,

    I have the latest version of NOD32 with the latest updates installed, but yesterday I got infected by the JS/TrojanDownloader virus, which NOD32 doesn't see. I had to download a separate tool (SmitfraudFix), which removed the virus in safe mode, but since NOD32 doesn't provide protection from it, I got infected again a few hours later :(
    The virus pastes the "<script language="javascript" SRC="~Link removed.~:53/ads.js"></script>" line before the <html> tag or in the <head> section of a site's page. It looks like it doesn't affect all sites, however; in my case, it's only my site. My site's localhost files are intact (so there's no chance I uploaded infected files), as well as the server ones (so the virus isn't there either), so it resides somewhere in my computer and intercepts and modifies the data before I see it in the browser... It's a pity NOD32 lets this virus do its dirty job... Looking forward to a fix!
     
    Last edited by a moderator: Jun 13, 2008
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I'd rather say that you visit compromised websites that have been hacked either due to a vulnerability or a weak admin password. JavaScript is easy to obfuscate; one with average knowledge of Java can create new code and obfuscate it to avoid detection. If you suspect that your computer has contracted a threat not detected by NOD32, send a log from ESET SysInspector to samples[at]eset.com with this thread's URL in the subject.
     
  3. vitalyx

    vitalyx Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    2
    Thanks a lot for your reply. I sent a log to the mentioned email.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It looks like a man-in-the-middle attack, so-called ARP poisoning. I'd suggest installing ESS, as the firewall should prevent such attacks.
     