Author Topic: Website shows infected with JS:HideMe-B [Trj]  (Read 64051 times)


Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #30 on: September 17, 2013, 10:40:59 AM »
Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.
Hello,
search for "hideme" in the html source code.

Milos

I'm running a Joomla site and I didn't find it.
Hello,
see http://forum.avast.com/index.php?topic=131579.msg972447#msg972447
Do you have the same variant (JS:HideMe-B [Trj]), or is there a different letter instead of "B"?

Milos
Mine shows an I. I just tried using the link that Polonus said and it still blocked me. I just scanned on virus total and it was a clean scan. Here are the results. https://www.virustotal.com/en/url/3f373af653aed2c145a1736d0044660a90d054fabbc0e7f037fce3b38dc69f24/analysis/1379392651/ Could it be possible that this is a false positive?
Hello,
Avast complains about using certain extensions (such as "sharethis"), which use bad practice (hidden links). Either disable them, or delete the code that hides the links (function dnnViewState() { var a=0,m,v,t,z,x=new Array('9091968376'............)

More info can be found here: http://forum.joomla.org/viewtopic.php?t=795946

Milos
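The search described in the reply above, as an added example that is not part of the original posts: a small Python scanner that walks a local copy of the webroot and reports every line containing the "hideme" string or a `dnnViewState()` function definition. The file extensions, the `scan_webroot` and `demo` names and the sample files are assumptions constructed for illustration; other variants of the detection may use different strings.

```python
import os
import re
import tempfile

# Markers taken from the thread: the "hideme" string and the dnnViewState() function name.
MARKERS = {
    "hideme": re.compile(rb"hideme", re.IGNORECASE),
    "dnnViewState": re.compile(rb"function\s+dnnViewState\s*\("),
}
# Assumption: file types worth checking on a Joomla/WordPress webroot.
EXTENSIONS = (".php", ".js", ".html", ".htm", ".tpl")


def scan_webroot(root):
    """Return sorted (relative path, line number, marker name) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for lineno, line in enumerate(lines, 1):
                for marker, pattern in MARKERS.items():
                    if pattern.search(line):
                        hits.append((os.path.relpath(path, root), lineno, marker))
    return sorted(hits)


def demo():
    """Build a constructed two-file webroot and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates"))
        with open(os.path.join(root, "templates", "index.php"), "w") as fh:
            fh.write("<html>\n<div id=\"hideMe\">links</div>\n"
                     "<script>function dnnViewState() { /* constructed */ }</script>\n")
        with open(os.path.join(root, "clean.js"), "w") as fh:
            fh.write("console.log('nothing to see');\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, lineno, marker in demo():
        print(f"{rel}:{lineno}: {marker}")
```

Run it against a downloaded copy of the site (for example `scan_webroot("/path/to/site-backup")`) so the files can be inspected without loading the live pages in a browser.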

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #31 on: September 17, 2013, 10:52:46 AM »
For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ShadowLady

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #32 on: October 07, 2013, 08:14:18 PM »
I know this thread is a little older, but I am getting several warnings from JS:HideMe-J [Trj] with Avast for my personal website, as well.

Here is the link to my website... www.talkintheshadows.com

Can someone please help me?

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5633
  • Spartan Warrior
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #34 on: October 07, 2013, 10:49:18 PM »
Additional code hiccup:
talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999 benign
[nothing detected] (script) talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999
     status: (referer=talkintheshadows dot com/)saved 5790 bytes d07d89ae1939ebae6820c391d192493eabf1ca05
     info: [img] talkintheshadows dot com/wp-content/plugins/wp-monalisa/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function jQuery
     suspicious:

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #35 on: October 07, 2013, 11:20:06 PM »
As earlier up in the thread, this site has not been cleansed yet. For this infection the avast! Shield detection is valid and avast detection is unique in this sense.
The scanner of choice to detect these infections is Sucuri's for htxp://www.dfgwear.com/ -> http://sitecheck.sucuri.net/results/www.dfgwear.com/
(checked a few minutes ago) other scanners alas miss this: http://urlquery.net/queued.php?id=45317449 as they haven't got the right instrumentation to detect this form of SEO Spam insertion. The vulnerable website software to blame (because the version was not being updated in time) is Joomla:
Web application details:
Application: Joomla! - Open Source Content Management - http://www.joomla.org

Web application version:
Joomla Version: 2.5.9
Joomla Version 2.5.x - 3.0.x for: htxp://www.dfgwear.com//media/system/js/caption.js

polonus

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #36 on: October 15, 2013, 03:46:36 AM »
I know this thread is a little older, but I am getting several warnings from JS:HideMe-J [Trj] with Avast for my personal website, as well.

Here is the link to my website... www.talkintheshadows.com

Can someone please help me?


url was unblocked
was fixed in VPS update 131014-0.

mpinky

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #37 on: November 27, 2013, 01:44:30 AM »
Pls, I'm managing www.kapaniaris-hotel.gr (Joomla version 1.5.25) and it has the same problem. Trying to access it and the pop up warning is coming up for JS:HideME-J[Trj].
I wasn't able to find any of suspicious "hide" code at my files. I have understood that it is my homepage that it is infected, since when I put directly in my browser some other page of the website, there is no problem at all.  Also, I tried through http://aw-snap.info/file-viewer, but the pop up message comes up again before managing to have a report...
Pls, if somebody can help me, I would really appreciate it.
Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #39 on: November 27, 2013, 02:31:59 AM »
Pls, I'm managing www.kapaniaris-hotel.gr (Joomla version 1.5.25) and it has the same problem. Trying to access it and the pop up warning is coming up for JS:HideME-J[Trj].
I wasn't able to find any of suspicious "hide" code at my files. I have understood that it is my homepage that it is infected, since when I put directly in my browser some other page of the website, there is no problem at all.  Also, I tried through http://aw-snap.info/file-viewer, but the pop up message comes up again before managing to have a report...
Pls, if somebody can help me, I would really appreciate it.
Thanks

hello




There is a line such as that must be removed
reset or modify the code




mpinky

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #40 on: November 28, 2013, 08:38:54 AM »
Pondus and Santiag, thanks for your fast reply. I tried to find the part of the code in my files, but even through cpanel, avast didn't allow me to open or to download the "infected" file so as to edit it. (For a little bit of time, I had also a problem to enter at avast.forum because the pop up warning window appeared again!). So, searching for another solution, I went to the backend and unpublished from my website the AustonSlideshow component....and now everything is OK! No warnings! But in any case....I believe that in general this issue remains a problematic situation that has to be resolved...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #41 on: November 28, 2013, 12:34:56 PM »
sucuri now say clean.... but still outdated joomla.   http://sitecheck.sucuri.net/scanner/


Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5633
  • Spartan Warrior
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #42 on: November 28, 2013, 11:00:22 PM »
sucuri now say clean.... but still outdated joomla.   http://sitecheck.sucuri.net/scanner/
That's gotta be fixed soon, or else you'll soon be back with a similar issue and problem.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #43 on: November 28, 2013, 11:15:02 PM »
Hi mchain,

You are so right with that remark, just read through this when we have outdated Joomla in mind, just an example: http://www.spamfighter.com/News-18099-Hijacked-WordPress-Joomla-Websites-Install-Scareware-SANS-ISC.htm

Also think of the recent grand scale outbreaks of SEO Spam campaigns.

polonus