HTML:Iframe-ZG [trj] False Positive maybe ??

I have a website that got hacked recently. It took us weeks to get it cleaned up. I still have one file that Avast says contains a trojan. I had my host server scan the file and all other files on my site and they say they are all clean. So is it Avast that's wrong, or are they wrong? The file I have an issue with is for FrontPage Express 2003 and the file name is _vti_inf.html. Any suggestions?

You could submit the file via email to the avast lab:
virus@avast.com, zipped and password-protected, please.

Check the file at VirusTotal (multi-engine online virus scanner, maximum file size 64 MB):
https://www.virustotal.com/en/

and report the findings here in the topic.

Submitting files from the Virus Chest to avast! virus Lab

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07

When visiting this URL - hxtp://www.409shop.com.hk/mic.htm Avast blocks the page and reports ‘HTML:Iframe-ZG [trj]

This seems to be a false positive. When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.

Please ‘modify’ your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Avast isn’t the only one to consider it infected:
http://sitecheck.sucuri.net/results/www.409shop.com.hk/mic.htm
http://www.urlvoid.com/scan/409shop.com.hk/

There is a hidden iframe after the closing html tag, which in itself is suspicious; this iframe links to a site that is considered malicious by avast.

I’m also getting the HTML:Iframe-ZG [Trj] popup on my site

http://sitecheck.sucuri.net/results/www.ksasintjozef.be

The code from the corfuparadise has been removed by me from all the pages that were infected. But still I get popups.

Well, a re-scan of the sucuri.net link you provided is still indicating the site is infected; see attached image.

EDIT: Also see http://urlquery.net/report.php?id=2146441.

Well, I really don't understand it anymore. Only sucuri.net and avast give a positive result. Every other way says the site is clean. Can nobody help me to get rid of the “problem”?

Sucuri shows the files where these ‘hidden’ iframe tags are to be found; you have to either remove those pages relating to 404 and/or find and remove the iframe tags.

The fact that this iframe tag is outside the closing HTML tag is also suspicious in its own right.

The first thing to ask yourself is, is that iframe tag legit, e.g. you created it and the location it is connecting to is correct (corfuparadise.gr).

There is NO iframe in the HTML. I removed it manually last week. Strangely, sucuri still finds it.

I can’t account for it still being detected, but if you are using any content management software, check its templates, as the iframe may be being inserted there.

Are these two files that are being flagged by sucuri essential? I can’t see why a javascript file would be required to handle a 404 error/issue. 404 errors can either be dealt with by default or by the use of a custom 404 page, and that doesn’t require javascript.

VirusTotal
https://www.virustotal.com/nb/file/e5c231419ee990fb4f344b2de63557395a68601a96f65237a667362a33b9bf66/analysis/1366976693/

quttera
http://quttera.com/detailed_report/www.ksasintjozef.be

zulu analyser
http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366977999

Hi Pleuris,

Of course they wouldn’t provide you the iframe directly in the html. Then removing the malware would be somewhat easy, no?

DavidR is indeed correct. The 404 files still return the hidden iframe.

The report itself: http://www.UnmaskParasites.com/security-report/?page=www.ksasintjozef.be/404

Confirmed Malicious. See attached.

~!Donovan
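DavidR's point that an iframe sitting after the closing html tag is suspicious in its own right, and !Donovan's confirmation that the 404 pages still return the hidden iframe, are easy to check for yourself. The script below is an added example (not code from the thread, from Avast or from Sucuri): it fetches the front page plus a deliberately nonexistent path so the server's 404 handler runs, and flags any iframe that is placed after the closing tag, hidden with CSS, or 0/1 pixel in size. The heuristics, the sample pages and the host malicious.example are my own constructions, not captured from any real site.

```python
import os
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
CSS_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
TINY_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]""", re.IGNORECASE)


def find_iframes(html):
    """Locate every <iframe> in an HTML body and say why it looks injected.

    An iframe after the last closing </html> tag, hidden with CSS, or sized
    0/1 pixel is marked suspicious. The src host is reported separately: an
    external host on its own proves nothing, the site owner has to decide
    whether they authored that tag (DavidR's question in the thread)."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    html_end = closes[-1].start() if closes else None
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = urlsplit(src).hostname or ""
        reasons = []
        if html_end is not None and m.start() > html_end:
            reasons.append("placed after the closing </html> tag")
        if CSS_HIDDEN_RE.search(tag):
            reasons.append("hidden with CSS")
        if TINY_RE.search(tag):
            reasons.append("0/1 pixel size")
        findings.append({"tag": tag, "src": src, "host": host,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


def fetch_body(url):
    """Return (status, body). A 404 is not a failure here: the body produced
    by the 404 handler is exactly what needs inspecting."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def scan_site(base_url):
    """Check the front page and a nonexistent path, so the 404 handler is
    exercised as well as the normal pages."""
    bogus = "/does-not-exist-%d.html" % os.getpid()
    report = {}
    for path in ("/", bogus):
        status, body = fetch_body(base_url.rstrip("/") + path)
        report[path] = {"status": status, "iframes": find_iframes(body)}
    return report


# Constructed samples (not captured from any real site): a clean page and a
# 404 page whose handler appends a hidden iframe after the closing tag.
SAMPLE_CLEAN = "<html><head><title>Home</title></head><body><p>Hi</p></body></html>\n"
SAMPLE_404 = (
    "<html><head><title>404</title></head>\n"
    "<body><h1>Page not found</h1></body></html>\n"
    '<iframe src="http://malicious.example/x.php" width="1" height="1"\n'
    ' style="visibility:hidden;position:absolute"></iframe>\n'
)


def print_report(report):
    for path, entry in report.items():
        print("%s -> HTTP %s" % (path, entry["status"]))
        for hit in entry["iframes"]:
            flag = "SUSPICIOUS" if hit["suspicious"] else "check"
            print("  [%s] src=%s host=%s %s" % (flag, hit["src"], hit["host"],
                                               "; ".join(hit["reasons"])))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print_report(scan_site(sys.argv[1]))  # e.g. http://www.example.com
    else:
        print_report({"/": {"status": 200, "iframes": find_iframes(SAMPLE_CLEAN)},
                      "/missing": {"status": 404, "iframes": find_iframes(SAMPLE_404)}})
```

Run it with the site's base URL as the only argument; with no argument it runs over the built-in samples. Note that urllib raises HTTPError on a 404, so the body has to be read from the exception, which is why a naive fetch of "the page" never shows the payload that the scanners see.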

Also see: http://sitecheck.sucuri.net/results/www.ksasintjozef.be
Here it is not detected or it must have been already cleansed: http://evuln.com/tools/malware-scanner/www.ksasintjozef.be/
But here 16 suspicious files are being listed: http://quttera.com/detailed_report/www.ksasintjozef.be
various suspicious external elements flagged here: http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366979689
About cleansing counter.php malcode, read: http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html

polonus

Hi Polonus,

I do not think that evuln scanned a 404 page because this kind of iframe should’ve been detected. I tried to query the url with /404 but evuln itself returned a 404.

All links that were marked suspicious on Quttera lead to the 404 page, which is why they were detected.

~!Donovan

Hi !Donovan,

Makes sense, all the more so as Quttera is a real-time scanner; also http://evuln.com/tools/malware-scanner/corfuparadise.gr/

Damian

I’m happy you are helping me to solve the problem. But to be honest, you might as well talk Chinese.

I can’t seem to locate the 404 page on the server. When I open www.ksasintjozef.be I get a different popup from avast:

http://www.avast.com/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_vir=HTML:Iframe-ZG%20[Trj]&p_prc=C:\Program%20Files%20(x86)\Mozilla%20Firefox\firefox.exe&p_obj=http://ksasintjozef.be/favicon.ico&p_var=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_pro=0&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=114&p_lng=nl&p_lid=nl-be&p_elm=7&p_vbd=1483

In case you were wondering, it’s the first time I’m trying to solve virus/malware on a site :)

Sucuri will help you…for a fee http://sucuri.net/signup

If you would, please post the contents of your .htaccess file in your next reply. It is located at the root folder of your website and is a hidden file.

Thanks,
~!Donovan

This is it:

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_flag max_execution_time 500
php_flag max_input_time 500

Based on the information you provide, the default 404 files should be used.

Are you sure that you are unable to find a filename containing “404” anywhere on your server? Not even 404.php or 404.shtml?
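!Donovan asks for the .htaccess, concludes from it that the default 404 handler is in use, and then asks whether any 404.php or 404.shtml exists on the server. The following script is an added example (not code from the thread or from any of the scanners mentioned) that does both checks: it parses an .htaccess for the ErrorDocument directives that decide what a 404 serves, and it walks a webroot for files whose name contains "404". It additionally reports PHP's auto_prepend_file/auto_append_file settings, because those make PHP include an extra file in every request and are one well-known way an iframe ends up after </html> without appearing in any page file; whether that applies to this site is an assumption, not something the thread establishes. The "injected" .htaccess and the temporary webroot are constructed for illustration.

```python
import os
import tempfile

PHP_INCLUDE_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
SCRIPT_SUFFIXES = (".php", ".shtml", ".cgi", ".pl")


def audit_htaccess(text):
    """Pick out the .htaccess directives that decide what a 404 serves.

    Returns the ErrorDocument map (status code -> handler) and a list of
    (line number, message) findings: a 404 handler that is a script or an
    off-site URL, and any auto_prepend_file/auto_append_file setting."""
    error_documents = {}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == "errordocument" and len(parts) == 3:
            code, target = parts[1], parts[2].strip().strip('"')
            error_documents[code] = target
            if code == "404" and target.lower().startswith(("http://", "https://")):
                findings.append((lineno, "404 redirects off-site to %s" % target))
            elif code == "404" and target.lower().endswith(SCRIPT_SUFFIXES):
                findings.append((lineno, "custom 404 handler is a script: %s; "
                                         "fetch a nonexistent URL and inspect its output" % target))
        elif directive in ("php_value", "php_admin_value") and len(parts) == 3:
            setting, value = parts[1].lower(), parts[2].strip().strip('"')
            if setting in PHP_INCLUDE_DIRECTIVES:
                findings.append((lineno, "%s = %s: PHP includes this file in every "
                                         "request, so its output lands on every page, "
                                         "404s included" % (setting, value)))
    return {"error_documents": error_documents, "findings": findings}


def find_404_handlers(webroot):
    """Return paths (relative to webroot, '/'-separated) of files whose name
    contains '404', such as 404.php or 404.shtml."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if "404" in name.lower():
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# The .htaccess posted in the thread, verbatim.
THREAD_HTACCESS = """php_value upload_max_filesize 20M
php_value post_max_size 20M
php_flag max_execution_time 500
php_flag max_input_time 500
"""

# Constructed example of a tampered .htaccess; the paths are placeholders,
# not taken from any real incident.
INJECTED_HTACCESS = """ErrorDocument 404 /404.php
php_value auto_append_file "/home/user/.cache/.x.php"
"""


def demo_webroot():
    """Build a throwaway webroot (constructed, not a real site) and search it."""
    root = tempfile.mkdtemp()
    for rel in ("index.html", "pages/404.php", "errors/404.shtml"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<html></html>\n")
    return root, find_404_handlers(root)


if __name__ == "__main__":
    for label, text in (("thread", THREAD_HTACCESS), ("injected", INJECTED_HTACCESS)):
        result = audit_htaccess(text)
        print(label, "ErrorDocument:", result["error_documents"] or "none (server default)")
        for lineno, msg in result["findings"]:
            print("  line %d: %s" % (lineno, msg))
    root, hits = demo_webroot()
    print("404 handlers under", root, "->", hits)
```

Against the .htaccess posted in the thread the audit returns no ErrorDocument and no findings, which is the basis for "the default 404 files should be used"; the real webroot is searched by calling find_404_handlers with the site's document root instead of the temporary one.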