How do I remove JS:Iframe-FG [Trj] ?

[drongo]

Infection Details
URL:   "hxxp://www.user.dccnet.com/invensol/"
Process:   "C:\Program Files\Mozilla Firefox\firefo...
Infection:   "JS:Iframe-FG [Trj]"

Avast found this in a scan a week ago, and I moved it to the chest.

I run Win XP, IE, FF. Last weekend I also updated my windows security, and did the same today. I did boot scan last night, but it did nothing.

At this point both browsers won't even open my website.
Outside users report that my site says it is infected.
Other websites with the same provider do not.

Thanks ahead,

drongo

[Pondus]

Zulu analyser
http://zulu.zscaler.com/submission/show/805be7320c04590272498310505edc64-1339961208

URL scan
http://vscan.novirusthanks.org/analysis/204caab0266d66433c70ff71c49b24f7/aW52ZW5zb2w=/

[bob3160]

Infection Details
URL:  hxxp://www.user.dccnet.com/invensol/
Process:   "C:\Program Files\Mozilla Firefox\firefo...
Infection:   "JS:Iframe-FG [Trj]"

Avast found this in a scan a week ago, and I moved it to the chest.

I run Win XP, IE, FF. Last weekend I also updated my windows security, and did the same today. I did boot scan last night, but it did nothing.

At this point both browsers won't even open my website.
Outside users report that my site says it is infected.
Other websites with the same provider do not.

Thanks ahead,

drongo

Please do not post a possible live infected link. Change the http to hxxp.
Thanks

[!Donovan]

Hi drongo,

http://urlquery.net/report.php?id=70099
[setAttribute src] URL=wXw.couchtarts.com/media.php

I see an iframe to a 3rd party php page, which returns a 302 then redirects to either wXw.kigopuer.tk/XXXXXXXX.html (which is 37.157.255.199 mentioned in urlQuery) or a google page. (Replace XXXXXXXX with 8 random digits).

Nice to know avast! detects these kind of appendChilds.
https://www.virustotal.com/file/36622ced020ff0e247e5241525a558f1e1cb15d6109a09cf9299385fb1b83aa8/analysis/1339963513/

~~~~~~~~~~`

On how to remove it..

Can you edit your source code directly? If so, search/look for "var _q". The code should look like my attachment. When you find the source, remove all content (including "var _q") inside of the <script> tag. Removing anything else could result in unexpected results.

[drongo]

Thank you Bob for esplaining the hxxp protocol.

I asked what the frak this meant about three times on another thread and got moderated for being a newbie.

If it's so important, maybe it should be part of an intro package before people are allowed post.

[iroc9555]

Drongo.

Please go to your first post in this thread and edit ( change ) the URL to nonclickable; Edit http:// to hXXp://. It seems to be a malicious address. We don't want anyone clicking that address by mistake.

Thank you.

Infection Details
URL:   "hXXp://www.user.dccnet.com/invensol/"
Process:   "C:\Program Files\Mozilla Firefox\firefo...
Infection:   "JS:Iframe-FG [Trj]"

[drongo]

Thanks Iroc for clear direction, and Donovan for tracking things down for me.

My service provider T2 says they couldn't find the virus now, and it might just still be being flagged by my domain service.

Sorry for being such a bother, but this website is my livelihood and I may have already lost clients.

drongo

[iroc9555]

No problem.

If you do not have access to the web page codes, you might contact it and direct the web master to Donovan's instructions to get rid of that Iframe.

[polonus]

Hi drongo,

The malware there is now being detected by various av as you can see here: https://www.virustotal.com/file/37730acd892894144ea13059b26d5d18699a5e8e27cc28814f6a8e93c91a6c94/analysis/
For the redirect to -37_157_255_199 as !Donovan mentions, see: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2F37.157.255.199%2F&client=googlechrome&hl=nl 
and: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:24961&client=googlechrome&hl=nl

If you contact the webmaster, also give him the link to this thread,

polonus

[drongo]

Unfortunately, I am the "webmaster".

I have all the website files on my computer.

Since I cannot seem to locate this virus on my computer anymore (Avast scans), is it safe to assume that it resides in the files held on my provider's server?

If this is so, then would the simplest way to remove it be to overwrite all the files of my site with those from my computer?

If not, then where exactly should I look for this "source code" so I can follow !Donovan's instructions?

Thanks again for your help,

drongo

No problem.

If you do not have access to the web page codes, you might contact it and direct the web master to Donovan's instructions to get rid of that Iframe.

[!Donovan]

Hi drongo,

I have all the website files on my computer.

Are they in a specific folder?

[drongo]

Crisis averted.

I overwrote all my website files on my provider's server and now my site is virus free and apparently no longer blocked.

Thanks to everyone.

Hi drongo,

I have all the website files on my computer.

Are they in a specific folder?

[!Donovan]

Glad to see your problem was fixed!

[polonus]

Hi !Donovan & Drongo,

It is OK now,

polonus

[bob3160]

That's done it. No more warnings.