Infection Details
URL: “hxxp://www.user.dccnet.com/invensol/”
Process: "C:\Program Files\Mozilla Firefox\firefo…
Infection: “JS:Iframe-FG [Trj]”

Avast found this in a scan a week ago, and I moved it to the chest.

I run Win XP, IE, FF. Last weekend I also updated my windows security, and did the same today. I did boot scan last night, but it did nothing.

At this point both browsers won’t even open my website.
Outside users report that my site says it is infected.
Other websites with the same provider do not.

Thanks ahead,

drongo

Zulu analyser
http://zulu.zscaler.com/submission/show/805be7320c04590272498310505edc64-1339961208

URL scan
http://vscan.novirusthanks.org/analysis/204caab0266d66433c70ff71c49b24f7/aW52ZW5zb2w=/

Please do not post a possible live infected link. Change the http to hxxp.
Thanks

Hi drongo,

http://urlquery.net/report.php?id=70099
[setAttribute src] URL=wXw.couchtarts.com/media.php

I see an iframe to a 3rd party php page, which returns a 302 then redirects to either wXw.kigopuer.tk/XXXXXXXX.html (which is 37.157.255.199 mentioned in urlQuery) or a google page. (Replace XXXXXXXX with 8 random digits).

Nice to know avast! detects these kind of appendChilds.
https://www.virustotal.com/file/36622ced020ff0e247e5241525a558f1e1cb15d6109a09cf9299385fb1b83aa8/analysis/1339963513/

On how to remove it..

Can you edit your source code directly? If so, search/look for "var _q". The code should look like my attachment. When you find the source, remove all content (including "var _q") inside of the <script> tag. Removing anything else could result in unexpected results.

Thank you Bob for esplaining the hxxp protocol.

I asked what the frak this meant about three times on another thread and got moderated for being a newbie.

If it’s so important, maybe it should be part of an intro package before people are allowed post.

Drongo.

Please go to your first post in this thread and edit ( change ) the URL to nonclickable; Edit http:// to hXXp://. It seems to be a malicious address. We don’t want anyone clicking that address by mistake.

Thank you.

Thanks Iroc for clear direction, and Donovan for tracking things down for me.

My service provider T2 says they couldn’t find the virus now, and it might just still be being flagged by my domain service.

Sorry for being such a bother, but this website is my livelihood and I may have already lost clients.

drongo

No problem.

If you do not have access to the web page codes, you might contact it and direct the web master to Donovan’s instructions to get rid of that Iframe.

Hi drongo,

The malware there is now being detected by various av as you can see here: https://www.virustotal.com/file/37730acd892894144ea13059b26d5d18699a5e8e27cc28814f6a8e93c91a6c94/analysis/
For the redirect to -37_157_255_199 as !Donovan mentions, see: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2F37.157.255.199%2F&client=googlechrome&hl=nl
and: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:24961&client=googlechrome&hl=nl

If you contact the webmaster, also give him the link to this thread,

polonus

Unfortunately, I am the “webmaster”.

I have all the website files on my computer.

Since I cannot seem to locate this virus on my computer anymore (Avast scans), is it safe to assume that it resides in the files held on my provider’s server?

If this is so, then would the simplest way to remove it be to overwrite all the files of my site with those from my computer?

If not, then where exactly should I look for this “source code” so I can follow !Donovan’s instructions?

Thanks again for your help,

drongo

Hi drongo,

Are they in a specific folder?

Crisis averted.

I overwrote all my website files on my provider’s server and now my site is virus free and apparently no longer blocked.

Thanks to everyone.

Glad to see your problem was fixed!

Hi !Donovan & Drongo,

It is OK now,

polonus

http://my.jetscreenshot.com/2701/m_20120617-seyy-99kb.jpg

That’s done it. No more warnings.

Only partly. I’m still trying to get the av flags removed. And my provider forced me to change the name of my website folder, and since my site is extremely olde school, I wasted an entire day replacing all the link URLs.

Can anyone tell me if this specific virus can automatically move from my desktop to my website files without me even logging into them? Contrawise, could this virus have been introduced to my website files on my provider’s server and then migrated down to my desktop? When I update my website, I always change the datestamp on the links page, so unless I forgot, I hadn’t uploaded anything in several months.

This isn’t an academic exercise, so if there’s anyone out there who understands the capabilities of this virus and can let me know what is possible, it would sure help narrow down the list of suspects.

Thanks ahead,

drongo

In all probability it was the web site that was hacked and not your computer

Would that mean someone on the IP side wasn’t doing their job and allowed the virus to infect my website folder, or could someone insert a virus into my provider’s website folder without needing login access?

thanx ahead,

drongo

Yes it is quite easy if the software is unpatched https://blog.avast.com/2012/02/27/dont-shoot-the-messenger/

Avast caught the virus on my desktop immediately, but since I had not visited my website files for months (on my IP’s servers), I had no idea it was on my site until someone said it was being blocked. I am trying to find out whether I was the source or my IP.

Reminder that I’m neither a programmer nor a web designer. I manage my own site which was created almost ten years ago.

What do you mean by “unpatched”. Small words please…