Hi,
My site, www.miespaciovirtual.com, was infected some months ago. The problem was solved long ago, but avast is still blocking my site. I am so worried because it is my professional site! What can I do to fix it? Thanks a lot
NoVirusThanks - 5/17 - INFECTED
http://scanner.novirusthanks.org/analysis/b26eeb8e3791c21db91b89a7d681bb55/aW5kZXg=/
VirScan - 6/36 - miespaciovirtual.com.htm
http://virscan.org/report/b05b780f1838795bab9251de99b4d843.html
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c108f3c79b54ea28becf249767510ca8&t=1279447365&type=js
does not look clean…
There is a hidden frame referencing something like dolphin.biz.
Bad news: your site is still infected. You may have cleaned up before, but there is still likely to be the vulnerability which allowed the site to be hacked in the first place. Unless you resolve this the site could continue to be reinfected.
Obviously the network shield blocks the site completely because of reports of detections, etc. Without the network shield the web shield alerts as the home page (and probably others) is still infected. avast is not alone in finding the home page suspect, http://www.virustotal.com/analisis/74eade022b3cba4bc9f437d6f5c60c58b5956b874a68c7073a77867ff1a6c035-1279464076 10/41 detections. Whilst this is a low number there aren’t many AVs even looking for these hacks much less detect them.
There is an obfuscated script tag directly after the opening BODY tag (see image1) and this is most likely to be the problem, see image2 for the decoded script creating a hidden iframe tag.
Hi titodj,
A lot of scanners do not flag these hacks: hxtp://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.miespaciovirtual.com%2F&x=12&y=10
But Trendmicro has it: This URL is currently listed as malicious.
finjan also detects it as infected with Troj/Badsrc-D (aliases: Trojan-Downloader.JS.Psyme.hz)
Troj/Badsrc-D is a malicious script injected into compromised web pages,
for the purpose of loading content from a remote server when the web page is browsed.
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbadsrcd.html?_log_from=rss
php malcode: (iframe) d0lphin.biz/mx/in.php (infected with Trojan.Crypt)
mentioned here: http://www.malwaredomainlist.com/forums/index.php?topic=3190.90
suspicious here: http://wepawet.iseclab.org/view.php?hash=2dcc99a3c8bffe12543f2ea028cda0cb&t=1251461377&type=js
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
55a7f1b6b03d2a67ff84298c4b31f6e7
http://anubis.iseclab.org/?action=result&task_id=174420a0055fd55d4a53f4d3493cc8e0e
The attached malscript code is flagged by avast as HTML:Iframe-JF
polonus
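A site owner can check a saved copy of a page for the two symptoms described in this thread (a script tag directly after the opening BODY tag and a hidden iframe) with a short scanner. This is an added example, not code from any poster; the marker list, the size thresholds and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
import re

# Heuristic markers of obfuscated injection scripts (assumed list, not exhaustive).
OBFUSCATION = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionScanner(HTMLParser):
    """Records hidden iframes and an obfuscated script right after <body>."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.after_body = False       # True until the first tag after <body>
        self.in_first_script = False  # inside a script that directly follows <body>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body":
            self.after_body = True
            return
        if self.after_body:
            self.after_body = False
            self.in_first_script = (tag == "script")
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self.in_first_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script-after-body", data.strip()[:40]))
            self.in_first_script = False  # report the script once

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_first_script = False

def scan(html):
    """Return a list of (finding_type, detail) tuples for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples: placeholder host, harmless script body.
SAMPLE_INFECTED = ('<html><body><script>eval(unescape("%64%6f%63"))</script><h1>Home</h1>'
                   '<iframe src="http://example.invalid/in.php" width="1" height="1" '
                   'style="visibility:hidden"></iframe></body></html>')
SAMPLE_CLEAN = "<html><body><h1>Home</h1><script>var x = 1;</script></body></html>"

if __name__ == "__main__":
    for finding in scan(SAMPLE_INFECTED):
        print(finding)
```

An iframe that the injected script only creates at run time does not appear in the static HTML, so the script finding is the one to act on; a clean result here does not show that the underlying vulnerability has been closed.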