JS/ScrInject.B trojan HTML/Refresh.BC trojan

[CMS 8]

Hi Support,

 

I've tried to call your UK support number, but it's engaged.

 

This morning we're getting lots of notifications about the JS/ScrInject.B trojan HTML/Refresh.BC trojan, from staff seemingly visiting innocuous websites.

 

Could this signify some sort of outbreak, or a lot of false positives?

 

Some example links that trigger ESET:

 

hxxp://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0ahUKEwjx78nO35zLAhXDXBoKHaPbDbgQFggrMAI&url=hxxp://worksheets.theteacherscorner.net/make-your-own/word-search/&usg=AFQjCNEq5F5ptXApo_sMMEmJJLdcP7EuEw

 

hxxp://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwi-tu-B4JzLAhVHBBoKHdAHB_8QFggiMAE&url=hxxp://www.iboard.co.uk/activity/Word-Search-Maker-59&usg=AFQjCNE3Z2HE2eNnBvtEI2b7ZyXJzlJKeA

 

hxxp://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0ahUKEwjx78nO35zLAhXDXBoKHaPbDbgQFghKMAc&url=hxxp://softschools.com/language_arts/worksheets/word_search_maker/&usg=AFQjCNFi840ks7uGRgAMQxAMyS2rUwLWRA

 

hxxp://www.audiomicro.com/royalty-free-music?wlexpid=83C632B45AC548EAA93A2162D37B2B01&wlrefapp=5

 

hxxp://h30434.www3.hp.com/t5/LaserJet-Printing/page-too-complex-error-message/td-p/120310

 

Thanks

[alex.mohora 0]

After updating the ESET antivirus, it blocks every .js file from right about any webpage that my users are trying to access. An answer from the ESET team would be highly appreciated.

[Ledruz 0]

No sign in at eset forum JS/ScrInject.B trojan.

[cav 0]

Please help, same here with one of the biggest sites in Poland - gazeta.pl, allegro.pl - JS/ScrInject.B.

[CMS 8]

See this thread in the Business Products forum https://forum.eset.com/topic/7550-wrong-detection-website-infection-jsscrinjectb/

[RaDoe 0]

Hello,

 

we are getting the same Message at all of our PCs running ESET NOD32 Antivirus 8.

I think its a false positive. I checked our Systems with third Party products (and NOD32) but it didnt found anything.

It seems the Message apears randomly. Also on Websites we host internal (for example our Mail Server Mgt. Console).

 

Is it really a false positive?

 

Thank you!

[Piotrek 1]

I have the same problem. Problem appeared after update signature.ver number 13102. 

At this moment, problem occurs in polish site - onet.pl and o2.pl, when i try sign into  email account in this sites on IE.

 

In my opinion this is 100% false notification, because I have email account in this two sites 10 years hehe....

Edited February 29, 2016 by Piotrek

[Tony.Skid 0]

Same here in Italy, almost 90% of the sites being blocked, same update signature 13102.

[Hozza12163 0]

this has just started to me since this morning's update

 

it's reporting viruses in my temperature monitoring kit and my Netgear smart switch - I'm hoping someone at Eset broke the virus definitions?

[Alfasolution 0]

We have the same issue with a lot of our customers.

This seems to happen in Internet Explorer, no problem in Firefox.

Example : hxxp://i68.tinypic.com/2q8u8g8.jpg

[Member-DP 0]

We are receiving the same issue here across 80 computers - again the UK support number is engaged so it seems a widespread issue (definitely a false positive). This is causing messages to flash up on every machine and then asking to reboot.

[Kferguson 0]

This is also triggering for me this morning.

hxxp://www.eset.ie/ie/ (!)

hxxp://www.myhome.ie

[MYTH 0]

50% OF WEBSITES IS MARKED AS TROJAN BY ESET!// 

[Kaloryfer 0]

Each link opens the search engine Google is recognized as a threat Refressh.BC or JS/ScrInject.B

 

V.definition -13102

[MYTH 0]

hxxp://prntscr.com/a9cq03

[CMS 8]

Official word from ESET https://forum.eset.com/topic/7567-jsscrinjectb-and-htmlrefreshbc-false-positive/

[Piotrek 1]

Eset NOD32 also blocked :

hxxp://www.wykop.pl/ludzie/lechwalesa//2 ( official Lech Wałęsa site - polish nobelist hahaha)

hxxp://bedroomproducersblog.com

www.chomikuj.pl

hxxp://nk.pl

www.allegro.pl

hxxp://windows7.pl

hxxp://zakamarkiaudio.pl/2011/08/jak-osiagnac-glosny-master-czesc-3-z-6.html

 

and many, many more..

 

This is not a funny!

[Mohammad Wasiullah 0]

I just an update call 13103 and my problem has been solve, no notification now i can log in any website and forum, if it happened again will inform.

 

Thanks Eset for solve this issue very fastly.

 

Mohammad

[subyroo 1]

I have used NOD32 for the past 25+ years and this is the 2nd or 3rd problem in all that time that I have ever encountered (from memory), so I can live with it as they are already onto the problem.

 

Keep up the good work NOD32.

[val4o0o0 0]

I received the same thread of my online game project.

Is bug or... ?

[mirko041 0]

also for me:

JS/ScrInject.B trojan horse

 

I try to remove with other progs:

 

-AdwCleaner 5.037

-malwares antibytes

-superantispyware

 

but nothing, it is a virus or a nod false positive?

thank you.

[Kferguson 0]

Confirmed as working with 13103.

[watanukichihiro 0]

same with me, I think my computer is affected by Trojan

hxxp://prnt.sc/a9oew3

[Marcos 5,074]

same with me, I think my computer is affected by Trojan

hxxp://prnt.sc/a9oew3

 

You have posted more than 24 hours after the problem was resolved. It should not be reported on popular sites with the signature database 13103 or newer. The most current signature database version is 13107 at the moment.

[SweX 871]

same with me, I think my computer is affected by Trojan

hxxp://prnt.sc/a9oew3

What VSD are you on ?.....(If you are on 13103 -> solution is to update.)

 

If you are on 13104 or later......

 

"If the detections are triggered after update to 13103 or higher, they should be correct. If you are unsure if a particular detection is ok or not, report it to the ESET Malware Research Lab"

hxxp://support.eset.com/alert5879/

Edited March 1, 2016 by SweX