HTML:RedirME-inf [Trj] Alert on Mypace page

Opening my page on Myspace:

hxxp://www.myspace.com/nimhpage

using FIREFOX (NOT INTERNET EXPLORER) Avast alert me with the following message:

CAVALLO DI TROIA BLOCCATO
La protezione web di Avast! ha bloccato un sito o un file dannoso.
Dettagli dell’infezione
URL: “hxxp://agrifarma.com/p/as?68987”
Processo: "C:\Programmi\FirefoxPortable\App\firefox.exe
Infezione: “HTML:RedirME-inf [Trj]”

It’s a false Virus Alert?
And I dont’ undertsand why opening my page on Myspace there’s a redirection to this strange URL “http://agrifarma.com/p/as?68987” (I didn’t put any kind of redirection code on my page!)

Some suggest to solve this problem?

Giuseppe

(I didn't put any kind of redirection code on my page!)
No.....that is usually The work of bad Guys

Anyway, The URL sees to be a dead malware URL

Zulu analyser
http://zulu.zscaler.com/submission/show/a603fb81b982724b4910b3b2050ecbd3-1336123300

Security
http://sitecheck.sucuri.net/results/http://agrifarma.com/

But i dont get anything on your url…that does not mean the redirect is not there, as avast is usually correct on this

Hi giuver,

This detection is correct. Suspicious coding I saw was on line 171. Decoding the Base64 turns out an eval which then gives us a random “as?”.

Search “Array.parse(MySpace.Util.Base64Decode(” without quotes. When you find the line that the exploit is on, delete the whole line. Then your issue should be solved.

Many thanks Donovan,

Using Explorer now I can see the source code of the page, and I can see the suspicious string you mentioned.

<This detection is correct. Suspicious coding I saw was on line 171.
<Decoding the Base64 turns out an eval which then gives us a random “as?”.
<Search “Array.parse(MySpace.Util.Base64Decode(” without quotes.
<When you find the line that the exploit is on, delete the whole line.
<Then your issue should be solved.

But how can I remove it? I need to use a MySpace editor?
I made my page just using the “standard” procedures and modules provided by MySpace…

Or in some way it’s possible to know exactly what content I inserted (a specific photo, the Bio, the Info…) now contain this suspicious code?
Knowing it maybe I can delete the specific content and re-insert it in “clean” way on my page…

Thanks,

Giuseppe

Judging by the way the source is written, I assume it is in the “Profiles”.

<article class="module module2 columnModule1 even htmlBoxModule draggable" id="module42" data-target="7" data-mt="9" data-area="Profiles">
<div class="wrapper">
<header><h3 class="moduleHead"><style>#module42{display:none;}</style></h3></header>
<section class="content moduleBody">
<p class=`>[malicious content removed]<p`></p></section></div>

Thanks Donovan…

Unfortunately I cannot access to this part of code of the Profile…
It’s generated by MySpace, and I cannot edit it…
I can directly edit and add or remove html only inside some module (Info, Latest Releases, Video…) but Myspace don’t give me access in any way to oher contents and to the code of the rest of the page…
The module containing the suspicious code don’t appear on my page… it seem invisible… not displayable, and unaccessible for me in any way for editing…
And maybe also specific MySpace editors cannot do it…

I’m glad if someone can suggest me a way to access to this part of code to remove the suspicious statements.

That is true, as the exploit attempts to load an image that isn’t there. When your browser receives the error, it loads the javascript, the link to the malicious site.

I do not use MySpace and don’t know how you edit in MySpace.

Maybe this will help?: http://www.myspace.com/help
If not, you can try and contact MySpace themselves: http://www.myspace.com/help/safety/parents/contact