system
1
Hello,
Since one week now, Avast is detecting few Virus when opening my website xxx .urbangirl.fr
Here are links of virus :
ad.nce.name/in.cgi?2
pop.mylinkclub.com/in.cgi?2
and one more that i don’t remember.
I’ve done a check up with wepawet : http://wepawet.iseclab.org/view.php?hash=0c773baef63d906146632380d29a27d9&t=1319436678&type=js
it’s detecting a redirection from http://ad.amiadrugaddict.info/in.cgi?2 to http://us.yimg.com/i/s/
Since i saw this problem, i’ve made an update of timthumb.php with the new version and also delete external allowed sites in this request: $ALLOWED_SITES = array ();
I’ve search in each of my files for encrypted text or links but nothing found. Where could be the problem ?
Thank you for helping me 
system
2
Here are links of virus :
ad.nce.name/in.cgi?2
pop.mylinkclub.com/in.cgi?2
and one more that i don’t remember.
http://www.virustotal.com/url-scan/report.html?id=ca9530eb957df93c08f35fa88369c57b-1319433036
http://www.virustotal.com/url-scan/report.html?id=94b54ba17a62c4aef208d02a4ebdd70b-1319433091
when opening my website www.urbangirl.fr
http://www.virustotal.com/file-scan/report.html?id=4b0d7ea7ebcf518230df5029860ce7fe750c8f35e06f009c46fe04b36f0b8423-1319440666
system
3
system
4
sucuri:
web site: hxxp://www.urbangirl.fr/
http://sitecheck.sucuri.net/images/warn2.png
status: Site infected with malware
web trust: Not Blacklisted
system
5
Thanks for the report, but what do we have to do to stop those virus ?
system
6
your site is infected with java script malware…
search your site for any inline scripts…sucuri says it is something like this:
Known javascript malware.
Details:
http://sucuri.net/malware/malware-entry-mwjs221
system
7
Malware found on javascript file:
hxxp://www.urbangirl.fr/wp-content/plugins/g-lock-double-opt-in-manager/js/glock2.min.js
[note:hxxp so that it is unclickable]
try tracing this js file… :
Hi mmmm,
But you also have to make that link non-click-through in your reply 3. The unaware could click on it and get infected when they have no protection installed.
See: http://urlquery.net/queued.php?id=5946
That ip 213dot186dot33dot19 is pumping malware all sorts, Zeus, Koobface, Banker, Dorkbot, all sorts of Trojans, well quite a selection. Domain has 3050 blacklisted URLs: …malicious URLs? Yes
…badware? Yes
…botnet C&C servers? Yes
…exploit servers? Yes
…Zeus botnet servers? Yes
…Current Events? Yes
…phishing servers? Yes
…spam servers? No
…spam bots? Yes
…spam activity? Yes
There is “buzzea_init();^/script^” malware there,
polonus
system
9
I found the ligne to delete in this file.
Buzzea is not a malware, it’s a tracking script for a SEO agency.
What do you mean when you say that (sorry i’m not english :)What do i have to do?:
But you also have to make that link non-click-through in your reply 3. The unaware could click on it and get infected when they have no protection installed.
See: http://urlquery.net/queued.php?id=5946
Pondus
10
What do you mean when you say that (sorry i'm not english :)What do i have to do?:
But you also have to make that link non-click-through in your reply 3. The unaware could click on it and get infected when they have no protection installed.
See: hxxp://urlquery.net/queued.php?id=5946
when posting links that may go to malware you break the link so it is not clickable like this
http as hxxp / www as wxw or just remove the http/www like this urlquery.net/queued.php?id=5946 now you cant click it by accident 
That message from Polonus was to mmmm
system
11
OOOoo sorry i understand now
So no more things to do now that i have delete the ligne that contain the virus in .JS ?