False Positive on a site - help

Hello, since last week we have been getting a false positive on a very popular site here in Brazil. We know it is a false positive; we checked all the possibilities.
It is www.brainstorm9.com.br.
http://www.UnmaskParasites.com/security-report/?page=www.brainstorm9.com.br
http://www.google.com/safebrowsing/diagnostic?site=www.brainstorm9.com.br

Only avast is saying that there is a problem. All the other antivirus programs seem to be OK.
Anyone?

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).

Anyway, I can’t find anything obviously infected on www . brainstorm9 . com . br
Maybe a more knowledgeable user can help.

Hi Tech,

The Bad Stuff Detektor analyzed the site as follows.
No zeroiframes detected!
Check took 11.02 seconds

(Level: 0) Url checked:
hxtp://www.brainstorm9.com.br/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.google.com/maps/ms?ie=utf8&hl=en&s=aartsjocx7qnot-b8pwjhikquxrcs6po4q&msa=0&msid=113492700945369796047.000437c2130cd3f01cbcc&ll=15.284185,-79.101562&spn=95.796467,101.953125&z=2&output=embed
Zeroiframes detected on this site: 0
No ad codes identified
This could not have been the avast detection… it connects to videolog.uol.com.br/video-referencia.php?id_video=394380

(Level: 1) Url checked: (script source)
hxtp://www.brainstorm9.com.br//js/destaques.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.ig.com.br/paginas/home/barra/v8/igbarra.js
Zeroiframes detected on this site: 0
No ad codes identified
This is the one: 1 suspicious inline script found.

function $(id){return document.getElementById(id);}if(location.href.indexOf('ibest')>-1){var _oferU... 

Malicious software includes 1 trojan.

(Level: 1) Url checked: (script source)
xttp://partner.googleadservices.com/gampad/google_service.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.brainstorm9.com.br/wp-includes/js/jquery/jquery.js?ver=1.3.2
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
xttp://www.brainstorm9.com.br/wp-content/plugins/audio-player/audio-player.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.brainstorm9.com.br/wp-content/plugins/lightbox/js/prototype.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
xttp://www.brainstorm9.com.br/wp-content/plugins/lightbox/js/effects.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.brainstorm9.com.br/wp-content/plugins/lightbox/js/lightbox.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://v2.afilio.com.br/tracker_js.php?banid=3077&campid=4299;109&siteid=2764
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.google.com/friendconnect/script/friendconnect.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxtp://www.google.com/friendconnect/script/+this.t(a)+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.apture.com/js/apture.js?sitetoken=bdmeqgv
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.brainstorm9.com.br/wp-content/plugins/wp-polls/polls-js.js?ver=2.50
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://static.getclicky.com/11313.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified

polonus

Thanks Polonus.
Hope the webmasters take a look on it.

Thanks Marco, Tech and Polonus!

I am the webmaster of Brainstorm #9. Avast! blocks the entire site, and images in the RSS feed and newsletters too.

I’ll take a look at this error.

Code:

function $(id){return document.getElementById(id);}if(location.href.indexOf('ibest')>-1){var _oferU…

Malicious software includes 1 trojan.

Welcome aboard and enjoy avast safety :wink:

Avast! reports an error on the home page:

HTML:Script-inf

and in WP-Edit

JS:ScriptIP-inf [Trj]

:confused:

The report below is not the problem. Without “hxtp://www.ig.com.br/paginas/home/barra/v8/igbarra.js” the error persists :/

(Level: 1) Url checked: (script source)
hxtp://www.ig.com.br/paginas/home/barra/v8/igbarra.js
Zeroiframes detected on this site: 0
No ad codes identified
This is the one: 1 suspicious inline script found.
Code:

function $(id){return document.getElementById(id);}if(location.href.indexOf('ibest')>-1){var _oferU…

Malicious software includes 1 trojan.

Hi cmerigo,

Aren’t you running webstat there? This could also be the reason avast blocks it.
The code I mentioned was found through Unmask Parasites, as I checked all the links I found with Bad Stuff Detektor.

polonus

I’ve blocked the site on 8.7.

Because I didn’t like this URL:

hXXp://brainstorm9.com.br/?men_in_black&js

It’s heavily obfuscated and we usually don’t like this. After closer inspection it looks like an obfuscated link to zml.com. Why are you people doing such things?

Removed from the block now, we’ll also try to fix the detection of the obfuscation.

Hello guys,

Thank you for the great help indeed.

I did not know about it, and it was difficult to find this men_in_black, but with the help of the administrator of my server we solved the problem.

A hacker injected a function into my template, functions.php, which calls header_print to redirect visitors to another site. Strange. :confused:

Thanks again!
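A defender-side check for the kind of injection the webmaster describes in the last post (a function added to the theme's functions.php that redirects visitors when a marker such as men_in_black appears in the request), written as an added example and not code from the thread or the site: a small scanner that flags theme PHP files carrying a raw Location redirect keyed on request data, or eval/base64 obfuscation. The indicator patterns and the sample functions.php contents are constructed for this example and are assumptions, not the real injected code, which was never posted.

```python
import re
from pathlib import Path

# Heuristic indicators of injected theme PHP, chosen for this example (assumption:
# these are common shapes of such injections, not a complete signature set).
INDICATORS = {
    "eval_obfuscated": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "base64_blob": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I),
    "raw_redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    "query_trigger": re.compile(
        r"\$_(?:GET|REQUEST|SERVER)\s*\[\s*['\"](?:QUERY_STRING|[A-Za-z_]+)['\"]\s*\]"),
}

def scan_source(src: str) -> dict:
    """Return the indicators hit and a verdict for one PHP source string."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    if "eval_obfuscated" in hits or "base64_blob" in hits:
        verdict = "high"
    elif "raw_redirect" in hits and "query_trigger" in hits:
        verdict = "high"    # redirect fires only on a marker in the request: the thread's pattern
    elif "raw_redirect" in hits:
        verdict = "medium"  # themes normally use wp_redirect(); a raw Location header is unusual
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": sorted(hits)}

def scan_theme(theme_dir: Path) -> dict:
    """Scan every .php file under a theme directory; returns {relative path: result} for non-clean files."""
    findings = {}
    for php in theme_dir.rglob("*.php"):
        result = scan_source(php.read_text(errors="replace"))
        if result["verdict"] != "clean":
            findings[str(php.relative_to(theme_dir))] = result
    return findings

# Constructed samples: a clean functions.php and the same file with an injected redirect.
CLEAN_FUNCTIONS_PHP = """<?php
function b9_setup() { add_theme_support('post-thumbnails'); }
add_action('after_setup_theme', 'b9_setup');
"""
INJECTED_FUNCTIONS_PHP = CLEAN_FUNCTIONS_PHP + """
function header_print() {
    if (strpos($_SERVER['QUERY_STRING'], 'men_in_black') !== false) {
        header('Location: http://redirect-target.invalid/'); exit;
    }
}
add_action('init', 'header_print');
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_FUNCTIONS_PHP), ("injected", INJECTED_FUNCTIONS_PHP)):
        print(label, scan_source(src))
```

Run it against a theme directory with `scan_theme(Path("/path/to/wp-content/themes/yourtheme"))`; every hit still needs a human look, since a legitimate plugin can also call header('Location:').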