Avast WEBforum

Other => Viruses and worms => Topic started by: clsiburt on August 04, 2013, 05:36:12 PM

Title: Website shows infected with JS:HideMe-B [Trj]
Post by: clsiburt on August 04, 2013, 05:36:12 PM
I have tried to go to the website for a local concert venue and Avast has alerted me that it is infected with JS:HideMe-B [Trj].  I did some searching here and found that I should check a few sites to confirm infection.  None of those other sites show it as infected, just Avast.  Is this a false positive or are the other sites wrong?


hxxp://centennialterrace.org is the site in question.

http://sitecheck.sucuri.net/results/centennialterrace.org shows clean and not blacklisted.

http://www.UnmaskParasites.com/security-report/?page=centennialterrace.org also listed as safe.

Anyone have any thoughts here?

Thanks,
Chris
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Secondmineboy on August 04, 2013, 05:50:01 PM
Hello Chris,

I looked up some sites too and it looks safe to me.

Here you can see the results from many website check sites: http://ScanURL.net/?u=centennialterrace.org#results

For some you have to copy the URL into a box or a field and then click scan.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Secondmineboy on August 04, 2013, 05:51:44 PM
You can report a false positive over this site here: http://www.avast.com/contact-form.php

Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: clsiburt on August 04, 2013, 06:21:24 PM
Thanks!  I will try reporting it and see what happens.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on August 04, 2013, 06:59:33 PM
Various malware reported for the same IP: http://support.clean-mx.de/clean-mx/viruses.php?as=AS31815&sort=email%20asc&response=alive
Indicator of obfuscation possible for JCEMediaBox. Update to JCE 2.3.2 please, or report to twitvid.com/player/

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mike c on August 05, 2013, 08:39:32 PM
Hi,

I have experienced the same issue, same error/infection from Avast, relating to this site hxxp://www.graceniagara.ca

These two scans look clean,
http://sitecheck.sucuri.net/results/graceniagara.ca
http://www.unmaskparasites.com/security-report/?page=graceniagara.ca

I have already reported it to Avast (yesterday), I haven't heard back yet.

Thanks for any help.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Lain SE on August 05, 2013, 10:04:51 PM
PLEASE, help me...My site is CLEAN, but Avast has alerted me that it is infected with JS:HideMe-B [Trj]...

How can i fix it??

I have already reported it to Avast, but nothing yet...  :(



Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: HonzaZ on August 06, 2013, 10:03:52 AM
Hi all,

JS:HideMe-B is triggered when seeing this piece of code:

Code:
<div id='hideMe'>components inside recipe ingredients referred to as lifestyle Daily cia lis pill <a href="hxxp://sotrueradio .org/">Cia lis without prescription, canada</a> </div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>
Of course the exact ad may vary, but this is the template.

From my experience, this is most often appended right after <body> tag.

Honza Zíka
avast viruslab
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mike c on August 06, 2013, 02:32:15 PM
Thank you for that... I did find that in my site. I removed it.

How do I get access back to the site now since Avast is still blocking it? Is there some "unblock" feature, I can't find one.

Thanks
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: HonzaZ on August 06, 2013, 03:34:55 PM
When we are talking about ScriptShield, there is no database of URLs. If avast cannot see the signature, it does not raise popup message. Maybe you still have the infected version in browser cache?
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: jbates on August 06, 2013, 07:46:36 PM
When I visit my work's main page http://yumalibrary.org/public I get the same thing. I searched for the <div id='hideMe'> in the code, but can't find it. What gives?
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: HonzaZ on August 07, 2013, 09:17:19 AM
When I wget your page (yumalibrary.org/public), I can see it:

Code:
<div id='hideMe'><p>The drugs also treat..........................Buy branded vi a gr a</a> .</p></div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>

Keep in mind that this code does not have to be on the server in plain text, but if you use any server-side scripting, such as PHP, it can be inserted via some obfuscation (base64, gzinflate, rot13, ...).
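The two viruslab posts above give the injected template and note that in PHP it may sit on disk wrapped in base64, gzinflate or rot13 rather than in plain text. The following Python is an added example, not code from this thread or from avast: it matches the posted template in fetched HTML, peels those three wrappers off string literals in PHP source so the block can be found on disk, and walks a document root with both. The sample pages, the spam.example link, the file layout and the choice of .php/.html/.js extensions are constructed for the example; a variant that renames the div id or uses a wrapper not on the list is not caught, so a clean result means only that this template was not found.

```python
"""Added example, not code from the forum thread or from avast: find the
injected 'hideMe' SEO-spam block in served HTML and in obfuscated PHP."""
import base64
import codecs
import os
import re
import tempfile
import zlib

# The template the avast viruslab posted: a div full of spam links followed
# by a script that hides it. Quoting and whitespace vary between victims.
HIDEME_RE = re.compile(
    r"<div\s+id=['\"]hideMe['\"]>.*?</div>\s*<script[^>]*>.*?"
    r"getElementById\(['\"]hideMe['\"]\).*?</script>",
    re.IGNORECASE | re.DOTALL)

# A chain of the wrappers named in the post (base64, gzinflate, rot13) around
# one string literal, e.g. eval(gzinflate(base64_decode('...'))).
CHAIN_RE = re.compile(
    r"((?:(?:base64_decode|gzinflate|str_rot13)\s*\(\s*)+)['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
NAME_RE = re.compile(r"base64_decode|gzinflate|str_rot13", re.IGNORECASE)

def find_hideme(html):
    """Return every injected hideMe block found in a page's HTML."""
    return [m.group(0) for m in HIDEME_RE.finditer(html)]

def _decode(func, data):
    func = func.lower()
    if func == "base64_decode":
        return base64.b64decode(data, validate=True).decode("latin-1")
    if func == "gzinflate":
        # PHP's gzinflate() is raw DEFLATE: zlib with negative window bits.
        return zlib.decompress(data.encode("latin-1"), -15).decode("latin-1")
    return codecs.decode(data, "rot13")

def unwrap_php(source, max_rounds=8):
    """Expand decodable wrapper chains in PHP source, innermost first, until
    nothing changes; the round cap keeps a malformed payload from looping."""
    for _ in range(max_rounds):
        changed = False

        def expand(m):
            nonlocal changed
            data = m.group(2)
            try:
                for func in reversed(NAME_RE.findall(m.group(1))):
                    data = _decode(func, data)
            except (ValueError, zlib.error):
                return m.group(0)  # not a decodable literal: leave it alone
            changed = True
            return data

        source = CHAIN_RE.sub(expand, source)
        if not changed:
            break
    return source

def scan_tree(root):
    """Walk a document root; return, sorted, the files whose de-obfuscated
    contents carry the hideMe template."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".html", ".js")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    if find_hideme(unwrap_php(fh.read())):
                        hits.append(path)
    return sorted(hits)

# Constructed samples, not captured from any site named in the thread.
INJECTED = ("<div id='hideMe'><p>spam text <a href=\"http://spam.example/\">"
            "spam link</a></p></div>\n<script type='text/javascript'>\n"
            "if(document.getElementById('hideMe') != null){\n"
            "document.getElementById('hideMe').style.display = 'none';\n"
            "}\n</script>")
SAMPLE_HTML = "<html><body>" + INJECTED + "<p>real content</p></body></html>"
CLEAN_HTML = "<html><body><div id='menu'>real content</div></body></html>"

def obfuscated_sample():
    """Wrap INJECTED as eval(gzinflate(base64_decode('...'))) at runtime."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(INJECTED.encode("latin-1")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % b64

def demo_scan():
    """Write the samples into a temporary site root; return the relative
    paths (with '/' separators) that scan_tree flags."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates"))
        files = {"index.html": SAMPLE_HTML, "about.html": CLEAN_HTML,
                 "templates/index.php": obfuscated_sample()}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(body)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in scan_tree(root)]
```

demo_scan() flags index.html and templates/index.php but not about.html; run scan_tree() against a copy of the real site tree the same way. If the HTML that wget returns carries the block but no file on disk does, the injection is being produced at request time, for instance from database-stored content or by an extension (later in this thread, unpublishing a slideshow component was what removed it), so search those as well.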
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Daffy on August 17, 2013, 05:33:17 PM
Same with my works website.
Kfum-mus.dk

And now we can't enter it. Please fix this.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Secondmineboy on August 17, 2013, 06:09:29 PM
Hello Daffy,

you can report this as a false positive over this form here: http://www.avast.com/contact-form.php
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: !Donovan on August 17, 2013, 06:25:01 PM
Please follow the instructions given in previous posts.

Thanks,
~!Donovan
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Andrey,pro on August 17, 2013, 06:29:24 PM
Hello,

it is not a false positive. I found this script (JS:HideMe-B [Trj]) on this site:

Code:
<div id='hideMe'> <p>Erection failure or Casino en ligne gratuit <a href="http://cafel.fr/">En ligne casino</a>  <p>Erectile dysfunction treatment method has come a Liquid cialis <a href="http://sotrueradio.org/">Cialis with atenolol</a> </div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>
I scanned it on virustotal and here results: https://www.virustotal.com/ru/file/a8c41f5b560db3f278ea1cd63fd9f2fc940d62d35f1d9fd2c8cd76cc4d89578b/analysis/1376756619/
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Pondus on August 17, 2013, 06:37:39 PM
also detected by Sucuri.    http://sitecheck.sucuri.net/results/kfum-mus.dk

Malware entry: MW:SPAM:SEO.   http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

HideMeBetter – SPAM injection Variant
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html



Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on August 17, 2013, 09:56:36 PM
Get no alerts now on htxp://www.graceniagara.ca/

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: dalt1 on August 18, 2013, 01:03:03 AM
I have a website infected as well. I have looked through many files, but can't find the malicious code. Can someone point me in the right direction on how to find the file that contains the code. I am running a Joomla website.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: REDACTED on August 22, 2013, 04:55:25 AM
Hi
I'm getting this message too, not sure how to access code. Our site is xww.kinikikids.com - are you able to assist?

Rob
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: REDACTED on August 22, 2013, 05:28:48 AM
Thanks, found the code and removed it.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: kd5 on September 11, 2013, 11:29:29 PM
The same message keeps popping up for www.pawstown.org:

The alert links to http://www.avast.com/en-us/lp-fr-virus-alert with these details:

Infection Details
URL:   hxtp://www.pawstown.org/
Process:   C:\Program Files\Mozilla Firefox\firefox.exe
Infection:   JS:HideMe-B [Trj]

Plugged the link into OnlineLink Scan, they claim the site is safe:

http://onlinelinkscan.com/results/pawstown-org/
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on September 11, 2013, 11:40:46 PM
Well here we find something else: http://sitecheck.sucuri.net/results/www.pawstown.org/

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Pondus on September 11, 2013, 11:46:16 PM
that site contain lots of v i a g r a spam.   ;)

Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: anuoluwa1 on September 16, 2013, 10:49:09 AM
Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Milos on September 16, 2013, 10:52:18 AM
Hello,
search for "hideme" in the html source code.

Milos
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on September 16, 2013, 11:13:52 AM
In order to do as Milos suggests, use this service to go through the code: http://aw-snap.info/file-viewer/
Fileviewer is an online tool for siteowners and webmasters alike.
When there are remaining questions, report back here on the forum,

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: anuoluwa1 on September 16, 2013, 10:20:35 PM
I'm running a Joomla site and I didn't find it.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Milos on September 16, 2013, 10:25:38 PM
Hello,
see http://forum.avast.com/index.php?topic=131579.msg972447#msg972447
Do you have same variant (JS:HideMe-B [Trj] or there is different letter instead of "B")?

Milos
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: anuoluwa1 on September 17, 2013, 06:11:04 AM
Mine shows an I. I just tried using the link that Polonus said and it still blocked me. I just scanned on virus total and it was a clean scan. Here are the results. https://www.virustotal.com/en/url/3f373af653aed2c145a1736d0044660a90d054fabbc0e7f037fce3b38dc69f24/analysis/1379392651/ Could it be possible that this is a false positive?
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Milos on September 17, 2013, 10:40:59 AM
Hello,
Avast complains about the use of certain extensions (such as "sharethis") which use a bad practice (hidden links). Either disable them, or delete the code that hides the links (function dnnViewState() { var a=0,m,v,t,z,x=new Array('9091968376'............)

More info can be found here: http://forum.joomla.org/viewtopic.php?t=795946

Milos
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on September 17, 2013, 10:52:46 AM
For those of you who own websites and would like to know how to remove the trojan, it's easy: just remove the extra code. Not all files are affected.

polonus

Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: ShadowLady on October 07, 2013, 08:14:18 PM
I know this thread is a little older, but I am getting several warnings from JS:HideMe-J [Trj] with Avast for my personal website, as well.

Here is the link to my website... www.talkintheshadows.com

Can someone please help me?
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mchain on October 07, 2013, 10:28:12 PM
hi ShadowLady,

http://sitecheck.sucuri.net/results/www.talkintheshadows.com/
http://urlquery.net/report.php?id=6424328
http://zulu.zscaler.com/submission/show/9043705ff95671493f87cbe11a0d73c8-1381177406

is a start.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on October 07, 2013, 10:49:18 PM
Additional code hiccup:
talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999 benign
[nothing detected] (script) talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999
     status: (referer=talkintheshadows dot com/)saved 5790 bytes d07d89ae1939ebae6820c391d192493eabf1ca05
     info: [img] talkintheshadows dot com/wp-content/plugins/wp-monalisa/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function jQuery
     suspicious:

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on October 07, 2013, 11:20:06 PM
As earlier up in the thread, this site has not been cleansed yet. For this infection the avast! Shield detection is valid, and the avast detection is unique in this sense.
The scanner of choice to detect these infections is Sucuri's; for htxp://www.dfgwear.com/ -> http://sitecheck.sucuri.net/results/www.dfgwear.com/
(checked a few minutes ago). Other scanners alas miss this: http://urlquery.net/queued.php?id=45317449 as they haven't got the right instrumentation to detect this form of SEO spam insertion. The vulnerable website software to blame (because the version was not updated in time) is Joomla:
Web application details:
Application: Joomla! - Open Source Content Management - http://www.joomla.org

Web application version:
Joomla Version: 2.5.9
Joomla Version 2.5.x - 3.0.x for: htxp://www.dfgwear.com//media/system/js/caption.js

polonus
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: jefferson sant on October 15, 2013, 03:46:36 AM
url was unblocked
was fixed in VPS update 131014-0.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mpinky on November 27, 2013, 01:44:30 AM
Please, I'm managing www.kapaniaris-hotel.gr (Joomla version 1.5.25) and it has the same problem. Trying to access it, the pop-up warning comes up for JS:HideME-J[Trj].
I wasn't able to find any suspicious "hide" code in my files. I have understood that it is my homepage that is infected, since when I put some other page of the website directly into my browser, there is no problem at all. Also, I tried through http://aw-snap.info/file-viewer, but the pop-up message comes up again before I manage to get a report...
Please, if somebody can help me, I would really appreciate it.
Thanks
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Pondus on November 27, 2013, 01:53:12 AM
Sucuri report. http://sitecheck.sucuri.net/results/www.kapaniaris-hotel.gr

 
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: jefferson sant on November 27, 2013, 02:31:59 AM
Hello

(http://i.imgur.com/Bx3ujQX.png)


There is a line like that which must be removed;
reset or modify the code

(http://i.imgur.com/LVtIrGn.png)

Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mpinky on November 28, 2013, 08:38:54 AM
Pondus and Santiag, thanks for your fast reply. I tried to find that part of the code in my files, but even through cPanel, Avast didn't allow me to open or download the "infected" file so as to edit it. (For a little while, I also had a problem entering the Avast forum because the pop-up warning window appeared again!) So, searching for another solution, I went to the backend and unpublished the AustonSlideshow component from my website... and now everything is OK! No warnings! But in any case... I believe that in general this issue remains a problematic situation that has to be resolved...
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: Pondus on November 28, 2013, 12:34:56 PM
sucuri now say clean.... but still outdated joomla.   http://sitecheck.sucuri.net/scanner/

Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: mchain on November 28, 2013, 11:00:22 PM
That's gotta be fixed soon, or else you'll soon be back with a similar issue and problem.
Title: Re: Website shows infected with JS:HideMe-B [Trj]
Post by: polonus on November 28, 2013, 11:15:02 PM
Hi mchain,

You are so right with that remark, just read through this when we have outdated Joomla in mind, just an example: http://www.spamfighter.com/News-18099-Hijacked-WordPress-Joomla-Websites-Install-Scareware-SANS-ISC.htm

Also think of the recent grand scale outbreaks of SEO Spam campaigns.

polonus