Trojan Alert on Ajaxian website

General discussion about the NoScript extension for Firefox
Post Reply
noscript_user
Posts: 7
Joined: Tue Apr 07, 2009 12:23 pm

Trojan Alert on Ajaxian website

Post by noscript_user » Sun Apr 26, 2009 12:36 pm

Dear All,

I need your help and advice. Some days ago, when looking for information about browser memory usage, I visited the website Ajaxian. Noscript was activated and nothing was allowed for this website at all. Unfortunately, I got an antivirus alert, saying that something on that website is a JS/Exploit.gen (Trojan) which is in the browser cache and which has been moved to quarantine now. I immediately closed firefox, deleted all cache content and the vir-file in the quarantine as well, and did a complete scan of the machine. Can i now assume that my pc is clean?

Thanks a lot in advance.

Browser: Firefox 3.0.8
Add-ons: Noscript, Adblock+, Context search, personal menu
Firefox 3.0.9, Add-on: Noscript, Adblock+, Context search, personal menu
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 (.NET CLR 3.5.30729)

User avatar
therube
Ambassador
Posts: 7669
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Trojan Alert on Ajaxian website

Post by therube » Sun Apr 26, 2009 1:45 pm

I would say there is nothing to worry.

If I were to visit the page, the same would happen to me, except I would not be notified, because I have nothing that would notify me.

Your A/V scanned the web page from within your /cache/. It found "nefarious" code - which is very likely posted (rather then hosted) on the site. But that is to be expected, finding such code fragments on website dealing with security issues.

Another possibility is that the website or its host, or ads running on the website had been exploited. I'll assume that is not the case here & that it is the code fragments that your A/V was finding.

In any case, I would think it extremely difficult for you to get infected on a Mozilla browser just by something having ended up in your /cache/. If you clicked an .exe, that would be different. If there were a known "drive-by" exploit, if you were running IE ...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre

noscript_user
Posts: 7
Joined: Tue Apr 07, 2009 12:23 pm

Re: Trojan Alert on Ajaxian website

Post by noscript_user » Sun Apr 26, 2009 2:16 pm

Thanks for your reply. That was not an exe file, and I would noway click on any exe from an untrusted website. The file was named something like "7DCD5A1Dd01" which you can often find in the firefox cache directory. A search on the mcafee website for "JS/Exploit.gen" does not reveal much information. By the way
therube wrote:If I were to visit the page, the same would happen to me, except I would not be notified, because I have nothing that would notify me.

Does that mean you dont have any A/V?
Firefox 3.0.9, Add-on: Noscript, Adblock+, Context search, personal menu
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 (.NET CLR 3.5.30729)

User avatar
therube
Ambassador
Posts: 7669
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Trojan Alert on Ajaxian website

Post by therube » Sun Apr 26, 2009 2:51 pm

Correct, no A/V.
I run naked ---------------------------------------------------------------------------------------------------------------------------->

7DCD5A1Dd01 is likely the cached version of the Ajaxian web page itself.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Trojan Alert on Ajaxian website

Post by GµårÐïåñ » Sun Apr 26, 2009 11:49 pm

As therube pointed out earlier, these are usually either a drive-by exploits intended for IE users but once in the cache the heuristics of the AV will still detect and notify, or it was simply a coincidence in the heuristic filter flagging something that partially matched a signature but was actually benign. No way to really know for sure without dissecting the code on the site but ultimately I would got with therube's suggestion, stop worrying. ;)

On an added note, although I would not suggest to just ANYONE running naked without an AV, its fair to say that you don't need a huge heavy artillery, standing army of AV solutions to stay safe if you practice safe common sense practices on and around the web. In fact I only have AV on ONE machine and that's simply because we run all our exploit test cases on it and we don't want the little buggers getting away from us, that's all. :)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Trojan Alert on Ajaxian website

Post by Tom T. » Mon Apr 27, 2009 3:12 am

For the novice-to-average user, I see no harm, and considerable potential benefit, in running one of the several good AV products available free for personal home use. They generally are self-updating and require no user action unless a virus event is detected. An occasional full scan of the machine is a sensible precaution, perhaps when the product is first installed, and then every month or two. Most do not require large amounts of disk space or RAM.

Power-users who can dissect any source code for possible danger are in a different category from the majority of home users. So I have no argument with power-users "running naked", but hesitate to discourage average users from using a single AV product at no cost or inconvenience.

As for "suite" products, I like Giorgio Maone's philosophy of why NoScript concentrates on executable web content rather than including cookie management, AV, etc: "Do one thing, and do it well".

Everyone's usage, system, and mileage may vary. Personal opinion only. Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Trojan Alert on Ajaxian website

Post by GµårÐïåñ » Mon Apr 27, 2009 4:03 am

Absolutely Tom, of course, I didn't mean to suggest otherwise. It never hurts to have any of the good ones, like AVG, avast, so on, to run. I am just saying they are not a substitute for good practices and common sense.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 AdblockPlus/1.0.2 RequestPolicy/0.5.5 NoScript/1.9.2.1

`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: Trojan Alert on Ajaxian website

Post by `nar » Tue May 05, 2009 8:07 am

safe practice is better than ANY antivirus program though. If I had a dollar for everytime I heard, "But I thought Norton was supposed to protect me!" I have an Antivirus... for scanning. All resident shields are disabled usually. I hate them killing my files and slowing don my PC. But we can't all be computer experts after all.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Trojan Alert on Ajaxian website

Post by Tom T. » Tue May 05, 2009 8:24 am

`nar wrote:safe practice is better than ANY antivirus program though. If I had a dollar for everytime I heard, "But I thought Norton was supposed to protect me!" I have an Antivirus... for scanning. All resident shields are disabled usually. I hate them killing my files and slowing don my PC. But we can't all be computer experts after all.

Speaking *only* personally, and not for the Forum or the developer, I've heard a number of complaints about Norton. The free products actually seem to be better than the paid ones (sort of like Firefox and NoScript.) I've never had any of the free ones slow down anything or affect my files. Now that you mention it, the reason I went to these products is that the Norton that came on my first puter had grown and bloated so much by the time I got my second machine, that it was doing what you said -- causing conflicts, crashes, freezes, etc. That's when I investigated the alternatives.

I'm not blasting Norton per se. I've heard similar complaints about McAfee and others. It seems that to convince you that you're getting your money's worth, they always have to "look busy" and be telling you what they're doing. A free product doesn't feel that compulsion. I'm sure that there are also many satisfied users of the paid products. Everyone's system and usage vary.

Best defense is *both* the AV that you like, *and* safe surf practices. If one fails, the other is there. Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: Trojan Alert on Ajaxian website

Post by `nar » Tue May 05, 2009 1:16 pm

Well, actually I meant that it slowed me down while I was scanning infected drives with other scanning engines, I run three of them for that. Vipre would scan in 20 minutes, AVG in 45, Norton in about an hour, but you couldn't turn it off completely. So it was always scanning in the background whenever the others were, even if it disabled it, it wouldn't ignore the trojan completely and just log it like it said it was doing. I think it is constantly trying to "fix" the file as if it were a legitimate file merely infected by a virus, not a completely bad file like a trojan. It even deleted my micro burner on my flash drive.

Most complaints about Norton refer back to 2006 when it was very bad. We looked for alternatives back then. But before we could settle on one, Norton started getting better. The 2009 version installs in just a couple minutes, does not need to reboot until after it's first update, uses about 30MB RAM on bootup, and the built in one click support takes you almost directly to a chat session where a Norton Tech can remotely fix any problems you have for free. They've even fixed me up when I installed the trial version and added 244 days!

So, I like Norton as an antivirus for regular people. And it is okay for my work computer, usually. AVG doesn't find as much. Vipre is the easiest to use, and the fastest, but also finds the least. Also, when I read reviews of AV's, Norton is consistently at or near the top of the list in detections. If I went with anything else, I'd be switching yearly, and I don't have the kind of time to re-evaluate that often.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

paolari
Posts: 1
Joined: Sun May 31, 2009 5:41 am

Re: Trojan Alert on Ajaxian website

Post by paolari » Wed Jun 03, 2009 11:56 am

How do I get rid of a trojan virus for free? I am speaking to you guys from my fathers computer, because unfortunately my computer is infested with a nasty trojan and is laggy as hell. I've tried downloading many free virus and spyware protectors such as, Spyware Doctor, but they have little to no effect. If anyone could tell me how I could delete this trojan, for free it would be a great gift to me.
_______________
affiliateelite ~ affiliateelite.com ~ adgooroo ~ adgooroo.com
Last edited by paolari on Sat Jun 06, 2009 6:07 am, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Trojan Alert on Ajaxian website

Post by Alan Baxter » Wed Jun 03, 2009 3:21 pm

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Trojan Alert on Ajaxian website

Post by GµårÐïåñ » Wed Jun 03, 2009 8:28 pm

Take Alan's advice and just to add, it would help you immensely to know what you are infected with rather than attempting general remedies because some of them know how to avoid and fly under the cleaner's radar. Many times there are specialized tools for removal and you can get them for free from just about any AV provider. But it would help to know what you got first, good luck.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11

Post Reply