JS:HideMe-J [Trj] false positive

[galactex]

My website has not been updated in over a year, but just recently Avast! started detecting a JS:HideMe-J [Trj] false positive whenever someone visits.  No other virus protection sees anything.  I have tried reporting this, but get no response.  The website is wxw.galactex.com

[Pondus]

why does everyone say false positive when avast detect infected websites   

Your site is injected With HideMe spam   http://sitecheck.sucuri.net/results/www.galactex.com
and the spam is about cash loan..

SPAM:seo  http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

hideme spam  http://blog.sucuri.net/?s=hideme+

[Secondmineboy]

Even your link is blocked Pondus.

[Pondus]

Even your link is blocked Pondus.

not surprised since sucuri display the injected code avast detect


virustotal
https://www.virustotal.com/en/file/bdc1b26761bd9516887369bb789e86a2eea5ae6f85797571e59cf93de49ea58d/analysis/1385238545/

[polonus]

Yes, and it is not only avast! that detects this SEO Spam. A spam check via Web Security Test revealed:

Suspicion of Spam

y way to see the finance best payday loans <a href="hxtp://paydayloans10doqd.com/payday-loans/best-payday-loans" title="...

see the image of the script attached.
External links -> http://urlquery.net/queued.php?id=52204875 etc.

See web code: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.galactex.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

polonus

[midnight]

@Pondus.....This popped up when I clicked on your first link.

[polonus]

Hi -midnight,

That was avast!'s Web Shield in action because there was so much of the SEO Spam malcode revealed on the Sucuri scan site scan
that the avast! Web Shield didn't know any better than to alert this as if it were the real McCoy...
Later on you got an explanation as to what happened inside the browser.
So there was absolutely no danger from clicking Pondus's link. This was not real SEO-Spam malware,
but something innocent that looked like the real malcode.
Bet you are glad the avast! Web Shield is that trigger happy, it even shoots when it thinks it smells danger. .

polonus

[hostricity]

why does everyone say false positive when avast detect infected websites   

Perhaps, because Avast is registering false positives.

I used your suggested Sucuri on a WordPress website that is triggering HideMe-J. Sucuru found the site to be clean.

My friend updated her WordPress website to the latest 3.7.1 this morning and updated the plugins. Now, she is getting this alert from  Avast and the site is blocked.

She tried putting the url in the bypass on Avast and it blocked it again.

What's worse, is that Avast provides no information useful in identifying the source of the problem.

[Pondus]

Perhaps, because Avast is registering false positives.

always?
i dont have any statistic, but from all the infected website posts that comes in here and websites we check i would say avast is correct in more the 90% of the cases

My friend updated her WordPress website to the latest 3.7.1 this morning and updated the plugins. Now, she is getting this alert from  Avast and the site is blocked.

what is the message from avast? .... a screenshot maybe
and what is the URL you have problem with?

[polonus]

Avast is one of the rare av solutions that is so accurate with the Web Shield detection.
It will get all those SEO-SPAM detections, like JS-Hide etc. very accurately.
When it was injected deliberately as Blackhat SEO-SPAM who is going to admit to these detections on their websites  ?
For all other cases feel glad avast! has this accurate detection.
Love these avast! shields they cover so much, they detect, block and in such a way protect.
Where users haven't installed  NoScript and RequestPolicy extensions in the browser to thwart all of first line and  third party script infections,
the avast shields is the next best thing that was to come to your browser defense,

polonus

[Milos]

My website has not been updated in over a year, but just recently Avast! started detecting a JS:HideMe-J [Trj] false positive whenever someone visits.  No other virus protection sees anything.  I have tried reporting this, but get no response.  The website is wxw.galactex.com

Hello,
if you see detection JS:HideMe-J [Trj]then there is crypted JavaScript. Search for "parseInt" in html source code.

Milos