Http: script-inf virus

Viruses and worms
1

Ok so I’ve been going to the site “www.emo-friends.com/” (yes im emo…not the point…) for about 2 years now… and about 1-2months ago the site started doing that… i know the site isnt dangerous since ive been visiting for so long.

I just wanted to ask if there is a way to fix avast from doing this. Simply because i hate turning it off every time i visit that site.

2

Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414/

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.emo-friends.com

But there is a bad link hxxp://gov.tg.co.kr/_compile/site_login_action.php
http://www.google.com/safebrowsing/diagnostic?site=http%3A//gov.tg.co.kr/_compile/site_login_action.php

3

Hi Mettalknight & Pondus,

The bad link re-direct(s)/ed to a trojan, and now appears to lead to a 404 (but that could be a malcreant trick),

polonus

4

bump so what does this mean polonus? will i not be able to ever access this site withought turning off avast >.<

5

It means that the owner of emo-friends.com has to fix the site as it has been hacked.

Make Emo friends!
http://www.43things.com/things/view/991513/make-emo-friends <== site is safe

6

lol k thanks… hopefully the owner will realize eventually

7

my site bring up the same virus warning - my host has checked and cant find any virus - so how do i “fix” my site so this doesnt happen?
mafanjai.bcmagazine.net

8

Welcome to the forums, simonhk :slight_smile:

Unmask Parasites finds your site as suspicious. See the link below.

http://www.UnmaskParasites.com/security-report/?page=mafanjai.bcmagazine.net

Also see the link below from Google Safe Browsing.

http://www.google.com/safebrowsing/diagnostic?site=mafanjai.bcmagazine.net

9

yep, you’ve been hacked.

Look for a script tag that leads to hxxp://glenysinternationalcuisine.com/glenys/.wysiwygPro_edit_index_html.php; get rid of that script tag (you can find the script I’m talking about immediately after the tag).
I’ll take glenysinternationalcuisine for a run, because it’s absolutely loaded with obfuscated JavaScript.

EDIT: That “gleny” script contains a hidden IFRAME, which leads to hxxp://glenysinternationalcuisine.com/glenys/.wysiwygPro_edit_index_html.php?s=WA7A0Im2&id=

which contains all kinds of obfuscated JS, which contains an exploit, or perhaps multiple exploits, against Acrobat PDF Reader.

10

this one (http://reosuccessformula.com/6weeks) comes up infected but http://www.unmaskparasites.com/ does not see anything. It reports clean. So who is correct? False positive or what?

JCE

11

Google SafeBrowsing
http://www.google.com/safebrowsing/diagnostic?site=reosuccessformula.com/6weeks

Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-20, and the last time suspicious content was found on this site was on 2009-11-13.
Malicious software includes 2 scripting exploit(s).

Malicious software is hosted on 1 domain(s), including excellium.ca/.

This site was hosted on 1 network(s) including AS21844 (THEPLANET).

12

Right Pondus,

This is OK at first glance, because of a 401 Unauthorized message, but getting to the real info, here it is:
What is the present status of reosuccessformula dot com?

Of one page being tested 1 page has been downloading and installing malicious software without user’s De Last time suspicious code was found was on 2009-11-13.
Malicious software includes 2 scripting exploits.

malicious software being hosted on one domain, e.g. excellium.ca/.

This site was hosted on 1 network including AS21844 (THEPLANET),

polonus