Website shows infected with JS:HideMe-B [Trj]

[Andrey,pro]

Hello,

it is not a false positive. I found this script (JS:HideMe-B [Trj]) on this site:

Code: [Select]

<div id='hideMe'> <p>Erection failure or Casino en ligne gratuit <a href="http://cafel.fr/">En ligne casino</a>  <p>Erectile dysfunction treatment method has come a Liquid cialis <a href="http://sotrueradio.org/">Cialis with atenolol</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>
I scanned it on virustotal and here results: https://www.virustotal.com/ru/file/a8c41f5b560db3f278ea1cd63fd9f2fc940d62d35f1d9fd2c8cd76cc4d89578b/analysis/1376756619/

[Pondus]

also detected by Sucuri.    http://sitecheck.sucuri.net/results/kfum-mus.dk

Malware entry: MW:SPAM:SEO.   http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

HideMeBetter – SPAM injection Variant
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html

[polonus]

Get no alerts now on htxp://www.graceniagara.ca/

polonus

[dalt1]

I have a website infected as well. I have looked through many files, but can't find the malicious code. Can someone point me in the right direction on how to find the file that contains the code. I am running a Joomla website.

[REDACTED]

Hi
I'm getting this message too, not sure how to access code. Our site is xww.kinikikids.com - are you able to assist?

Rob

[REDACTED]

Hi
I'm getting this message too, not sure how to access code. Our site is xww.kinikikids.com - are you able to assist?

Rob

Thanks, found the code and removed it.

[kd5]

The same message keeps popping up for www.pawstown.org:

&p_prc=C:\Program%20Files\Mozilla%20Firefox\firefox.exe&p_obj=http://www.pawstown.org/&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-champion&p_elm=7&p_lex=317&p_lid=en-us&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_vep=8&p_ves=0&p_vbd=1489&p_hid=dd443ccb-8e24-4f2d-9e3d-5d894a140088]http://www.avast.com/en-us/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-default&p_vir=JS:HideMe-B%20[Trj]&p_prc=C:\Program%20Files\Mozilla%20Firefox\firefox.exe&p_obj=http://www.pawstown.org/&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-champion&p_elm=7&p_lex=317&p_lid=en-us&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_vep=8&p_ves=0&p_vbd=1489&p_hid=dd443ccb-8e24-4f2d-9e3d-5d894a140088

Infection Details
URL:   hxtp://www.pawstown.org/
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   JS:HideMe-B [Trj]

Plugged the link into OnlineLink Scan, they claim the site is safe:

http://onlinelinkscan.com/results/pawstown-org/

[polonus]

Well here we find something else: http://sitecheck.sucuri.net/results/www.pawstown.org/

polonus

[Pondus]

that site contain lots of v i a g r a spam.   

[anuoluwa1]

Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

[Milos]

Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

Hello,
search for "hideme" in the html source code.

Milos

[polonus]

In order to do as Milos suggests, use this service to go through the code: http://aw-snap.info/file-viewer/
Fileviewer is an online tool for siteowners and webmasters alike.
When there are remaining questions, report back here on the forum,

polonus

[anuoluwa1]

Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

Hello,
search for "hideme" in the html source code.

Milos

I'm running a Joomla site and I didn't find it.

[Milos]

Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

Hello,
search for "hideme" in the html source code.

Milos

I'm running a Joomla site and I didn't find it.

Hello,
see http://forum.avast.com/index.php?topic=131579.msg972447#msg972447
Do you have same variant (JS:HideMe-B [Trj] or there is different letter instead of "B")?

Milos

[anuoluwa1]

Hi my site shows the same thing. I just searched and I didn't find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

Hello,
search for "hideme" in the html source code.

Milos

I'm running a Joomla site and I didn't find it.

Hello,
see http://forum.avast.com/index.php?topic=131579.msg972447#msg972447
Do you have same variant (JS:HideMe-B [Trj] or there is different letter instead of "B")?

Milos

Mine shows an I. I just tried using the link that Polonus said and it still blocked me. I just scanned on virus total and it was a clean scan. Here are the results. https://www.virustotal.com/en/url/3f373af653aed2c145a1736d0044660a90d054fabbc0e7f037fce3b38dc69f24/analysis/1379392651/ Could it be possible that this is a false positive?