HTML:HideMe-F [Trj]

Every time that I pull up a website I get a virus warning message. Normally I wouldn’t care and would just simply avoid the website, but this is a website that I manage and know (well, assume) that it is virus free. I use iPage with WordPress. I did run it against virustotal.com and sucuri.net but got no hits for viruses.

Object: hxtp://www.carolschaufel.com
Infection: HTML: HideMe-F [Trj]
Process: BROWSER EXECUTABLE

Any suggestions, help, or direction to go would be awesome.

Thanks

https://www.virustotal.com/nb/file/f506e0d9bb98ce0832113113ffb222a0ce43332e8e5bc22c753f4eee2e3ffc18/analysis/1417502717/

Avast indicates HideMe spam
http://blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html

Avast is the only one to report it, and is in most cases correct. If you think it is wrong, report it here: https://support.avast.com/

I also got the same virus warning today on my WordPress website! Is there an outbreak out there? Any comment and suggestion from Avast please?

and your URL would be?

duo2tek.com Tks

I actually rarely log into the site and the passwords used are quite lengthy so it’s probably on the wordpress side for me.

Hi guys,
check for this code on your respective sites:

carolschaufel.com: .mnz0{position:absolute;clip:rect(468px,auto,auto,481px);}
duo2tek.com: .cxo3{position:absolute;clip:rect(487px,auto,auto,419px);}

What this does is hide the div with class mnz0 (or cxo3), which includes spammy links. Deleting the code above should make the spammy links appear on your website, and also make Avast stop flagging your websites.
Honza
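Added example (not part of the original thread and not Avast's detection logic): a small Python check for the pattern described in the post above, a CSS class that combines `position:absolute` with `clip:rect(...)` and the links nested under elements carrying that class. It assumes you run it on the page as the server delivers it (for example, saved from the browser's "view source"), since the rule may not appear in the files on disk; the sample page and the `spam.example` domain are constructed.

```python
import re
from html.parser import HTMLParser

# Rule shape quoted in the thread: .name{position:absolute;clip:rect(...);}
RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
ABS = re.compile(r"position\s*:\s*absolute", re.I)
CLIP = re.compile(r"clip\s*:\s*rect\(", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

def hidden_classes(html):
    """Class names whose CSS rule combines position:absolute with clip:rect()."""
    return {n for n, body in RULE.findall(html)
            if ABS.search(body) and CLIP.search(body)}

class LinkCollector(HTMLParser):
    """Collect hrefs of <a> tags nested inside elements with a suspect class."""
    def __init__(self, suspects):
        super().__init__()
        self.suspects, self.links = suspects, []
        self.stack = []  # one flag per open element: inside a clipped block?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = set((attrs.get("class") or "").split())
        inside = bool(classes & self.suspects) or (bool(self.stack) and self.stack[-1])
        if tag == "a" and inside and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(inside)
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html):
    """Return (suspect class names, links hidden under them) for one served page."""
    suspects = hidden_classes(html)
    collector = LinkCollector(suspects)
    collector.feed(html)
    return suspects, collector.links

# Constructed sample page; spam.example is a placeholder domain.
SAMPLE = """<html><head><style>
.mnz0{position:absolute;clip:rect(468px,auto,auto,481px);}
.menu{position:absolute;top:0;}
</style></head><body>
<div class="menu"><a href="/about">About</a></div>
<div class="mnz0"><p>text <a href="http://spam.example/pills">cheap</a></p></div>
</body></html>"""
print(find_hidden_links(SAMPLE))
```

Nesting is tracked with a simple stack, so pages with unclosed `<p>` or `<li>` tags can give approximate results; treat a hit as a pointer to where to look in the served HTML, not as a verdict.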

Tks Honza for responding. Did what u suggested. The Avast alerts continue to exist. I didn’t do anything to this site for some time, but today the Avast alerts pop up from nowhere. I tried virustotal too but nothing detected. It seems only Avast is detecting this, hope Avast can throw some light on this alert. Tks in advance!

Hello,
if the detection has the same name, then the code is still there.

Milos

I looked all over for that code and couldn’t find even things close to it. Any other suggestions?

Look here where it is: https://www.uploady.com/#!/download/GyOMcSO2ymP/_KitV8wx7PPYK2GI

polonus

Well isn’t that cool. That must be a translation via the server. I downloaded all of the code and searched through indexing through all of the code and didn’t find that. I’ll log into a VM with Guest account into the Wordpress directly and see if I can reload the wordpress or do an upgrade to see if that takes care of it. I’m gonna do upgrades on any of the modules that are installed. I’m pretty sure that’ll take care of it. Either way I’ll post my findings/results on here.

The odd and scary thing is that the www address in that image points to a governmental affairs & ethics consulting firm.

The infection seems to be gone. I looked everywhere for every key phrase that I could come up with in that image. I even paged through all the wordpress tables and came up empty. But I didn’t think that I did anything that would bump the infection. I’m glad that it’s gone, but curious as to why. I’m going to change passwords and follow that protocol.

nevermind… like a crazy X… never goes away… lol

vanbe010, go cleanup the alien codes in your functions.php and the problem would be gone. cheers

I got the same answer at wxw.shfcb.ca

Where is the problem?