False Positive? qrjuice.com

A site that I receive RSS feeds from has started showing up as having a Trojan; however, the name seems to change. I have tried contacting the site in question, qrjuice.com, however no response.

I’m wondering if this is just a false positive. Appreciate any feedback and comments.

thanks

What is the full avast message? Can you attach a screenshot?

Jotti: http://virusscan.jotti.org/en-gb/scanresult/3c962e89641522c22837dda1147f9df192d90ab0
metascan: http://www.metascan-online.com/results.cgi?uid=rlxeh30b21fyoms20dzi9ihxf16g7w3m

Sucuri say - infected
see screenshot

Malware info: http://sucuri.net/malware/malware-entry-mwjsdepack

Description: Encoded JavaScript using a packer by Dean Edwards. This packer can be used on legitimate applications, but is often deployed by attackers to hide their scripts.

Wepawet
-http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js

Hi Pondus,

You should put a - in front of -http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
because our unaware users with the avast shields up get an alert on the malcode, namely for
JS:ScriptSH-inf[Trj]
suspicious =
-qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4 suspicious
[suspicious:2] (ipaddr:216.172.185.51) (script) -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4
status: (referer=-qrjuice.com/)saved 15624 bytes caeb31e930068ce5820b239d44d8415f95957138
info: [embed] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
info: [iframe] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable Image
error: line:22: TypeError: Image is not a constructor
suspicious incomplete…

polonus

Thank you for that swift reply.

Apologies for my late reply, I didn’t see an alert that someone had responded already.

I’ll upload a screen within the day.

thanks

The site in question is owned by me. QrJuice.com.

Whilst most of this conversation has gone completely over my head, I can tell you the malware has been removed.

Hi you siteowner,

Your site may be clean(sed) now, but there is still an alert that your WordPress version is outdated according to Sucuri's: WordPress internal path: /home/qrjuice/public_html/wp-content/themes/Polished/index.php
That means you could be re-infected again. The other recommendation is for the website server. That server gives away a full version number of the server software. This should be avoided, so would-be hackers would not know what exploits would work against it. It is a bit like in Little Red Riding Hood's fairytale - just pull the cord hanging out the door and you can come in… and then they could.

Stay safe and secure is the wish of,

polonus
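
Added example, not part of the thread and not Sucuri's or avast's code: since the Sucuri description quoted above notes that Dean Edwards' packer is used by legitimate scripts as well as by attackers, one way to settle a "false positive?" question is to decode a flagged `.pack.js` statically, without executing it, and read what it actually does. The indicator list, the function names and both sample strings are assumptions constructed for illustration, and radixes above 62 are not handled.

```python
import re

# Wrapper emitted by the packer: eval(function(p,a,c,k,e,d){...}('payload',radix,count,'k0|k1'.split('|'),0,{}))
PACKED = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\).*?\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,"
    r"\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
# Strings worth a closer look once the script is readable (assumed list, not a vendor's).
INDICATORS = ("<iframe", "document.write", "unescape(", "fromCharCode", "eval(")

def encode(n, radix):
    """Mirror of the packer's e(c): the token that stands for dictionary index n."""
    head = "" if n < radix else encode(n // radix, radix)
    r = n % radix
    return head + (chr(r + 29) if r > 35 else DIGITS[r])

def unpack(js):
    """Return the decoded source of a packed script without executing it, or None."""
    m = PACKED.search(js)
    if not m:
        return None
    payload, radix, count, words = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4).split("|")
    payload = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), payload, flags=re.S)
    table = {}
    for i in range(min(count, len(words))):
        token = encode(i, radix)
        table[token] = words[i] or token   # empty entry: the token stands for itself
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)

def triage(js):
    """(was_packed, readable_source, indicators found in the readable source)."""
    plain = unpack(js)
    text = js if plain is None else plain
    return plain is not None, text, [s for s in INDICATORS if s in text]

# Constructed samples (not taken from qrjuice.com); the decoder body is shortened to a comment.
BENIGN = "eval(function(p,a,c,k,e,d){/* decoder */}('0 1=2;3(1)',62,4,'var|x||alert'.split('|'),0,{}))"
HIDDEN = ("eval(function(p,a,c,k,e,d){/* decoder */}('0.1(\\'<2 3=\"4://5.6/\"></2>\\')',62,7,"
          "'document|write|iframe|src|http|example|invalid'.split('|'),0,{}))")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("hidden", HIDDEN)):
        print(name, triage(sample))
```

An `eval(` hit in the decoded text means another packed layer is nested inside, so the output should be run through `unpack` again before it is judged.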