How to remove Virus/trojan JS:Redirector-KT[Trj]

Viruses and worms
1

Hello,
I do have a real problem with this virus/trojan JS:Redirector-KT[Trj].
How can I remove/clean my files: 1x in index.php and 1x in home.php?
Using/choosing the repair function of Avast is of no need - error message
from Avast saying: “impossible to remove”??

Thanks in advance for your help!

2

only legit files that have been injected with malvare code can be cleaned…

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

JS:redirector usually comes from infected websites…so i guess the file(s) are located in your browser temp/cache ?

can you post the full path to files detected

have you tried moving the files to chest ?
does avast detect this again and again or is it just one time ?
how was they detected…did you do a scan…what type ?

3

Hi Pondus,
Thanks for your reply.
My problem is: this virus is in MY index.php
IN my website with thes result of Google having
placed a warning message concerning my website;
you can go and have a look trying to visit
wxw.vive-la-sante.com BUT DO NOT enter in my site -
of course!

Looking forward reading from you!

4

Please edit the link you posted…remove www so the link is not clickable :wink:

VirusTotal - URLscan
http://www.virustotal.com/url-scan/report.html?id=cd58a5a1e810a9c23637d2470a16e8a5-1319907903

VirusTotal - HTMLscan
http://www.virustotal.com/file-scan/report.html?id=274639ac2f1bcc56331308aa126d1ff34b094ca89b148670b081a0c496976b31-1319915106

See attached SucuriScreenShot

Sucuri malware info:
http://sucuri.net/malware/malware-entry-mwjs159

Wepawet
http://wepawet.iseclab.org/view.php?hash=ccfb5384e4be821e40214e7b163a1a62&t=1319915749&type=js

5

Avast is not the only concern that you have.

The firefox safe browsing feature blocks it also, which probably also uses the Google database also…

See VirusTotal scan results on your index page and 12/43 detect it as infected.

There are many script tags on that page, some with off-site script locations, you need to check all of these to ensure that they are legit script tags and not inserted ones.

There is a large obfuscated script tag at the end of the page (all on a single line), outside the closing HTML tag which is a standards no, no and suspect. See image3, where the script tag contents are broken of the single line, this is almost certainly where your problem lies. This may well be on other pages also, so you will need to check your site.

6

Sadly … I get a message about blocking, but all the same page opens. Should be corrected.

7

Not sure what you mean. This site is infected…!!

8

I mean that the page must be completely blocked, but she did open, it can be seen in the picture.

Should be blocked like this …

9

Ok, now I get it. :wink:

10

what browser did it open in ?

11

I’m sorry … I know the language is bad, take http://translate.google.ru.
Perhaps as it is not so translates.

12

Google Chrome
16.0.912.4

13

I wonder … tested on many browsers, Internet Explorer 9, Mozilla Firefox 7, Opera 11.52 … normally blocked.

But on Google Chrome and SRWare Iron (chromium) is not a valid block.