I need help - js:redirector-uq trojan

I need help. Avast is stopping me from getting to hxtp://www.tdmcomics.com. I have searched for js:redirector-uq trojan to no avail. I don’t know what to do. This started off and on about 1 month ago. I don’t think I have done anything that would let this happen, but I don’t know. I’m not sure what to look for. :frowning:

Ladyjr.

Please make that URL address inactive. Change www for wxw. We do not want anyone inadvertently clicking that direction.

According to Sucuri the site is indeed infected, so Avast! will not give you access:

http://sitecheck.sucuri.net/results/www.tdmcomics.com/

Have you scanned your comp with Avast!? Did it find anything?

Hi ladyjr,

The Zulu Zscaler website checker has this to say: http://zulu.zscaler.com/submission/show/10b4a6d1f676ca0e2a0acd927623d315-1337758880

Not often I see a 100/100 score. Please make the link non-clickable. At least Avast! is notifying you.

Thanks iroc9555 & mchain for those checkers. Thanks for changing the link - sorry about that. Iroc9555, yes all of my computers at home are protected with avast and scanned clean. That is why I didn’t understand what was going on. I’m going to need help in cleaning this up. I know how to put a WP site up - not so much about the code. This site is an add-on domain to another one of mine (wxw.ladyjr.com), and doing more research last night I found out that it too has problems. It has something called chickenkillers. The crazy thing is that the “paid superduper” virus protector at work doesn’t even blink and I can access tdmcomics with no problem! Go figger!

I am truly at a loss on a) how to clean all of this up, and b) what to do to keep it clean. Should I contact Hostgator about this?

I find tdmcomics to be very suspicious indeed. The first GET returns one line of algorithized javascript. Very obfuscated, as it uses try, catch, for, and the split method. So obfuscated, I was unable to decrypt by hand. :-[

However, I have external resources that can do the job for me. :wink:
http://wepawet.iseclab.org/view.php?hash=a690352b7b5e7b9b9474171253045b21&t=1337784357&type=js
http://urlquery.net/report.php?id=58649

And with this, I find that the website is indeed VERY malicious.

The iframe from the 2waky domain leads to a BlackHole site. The BlackHole site is only accessible if you get there from the redirect; otherwise it results in a timeout, as seen here: http://urlquery.net/report.php?id=58658. Firefox reports an attacked site. Even MSE alerts. :stuck_out_tongue: See attached #2


As for your site,

The script is in the <body> tag. You should see <script>try{q= etc... Remove starting from <script> and end at </script>. ;)

Hi !Donovan,

And the Blackhole malcode is not the only threat there, see: htxp://sitecheck.sucuri.net/results/www.tdmcomics.com
Suspicious conditional redirect to: htxp://broadway.bee.pl/
100/100 malicious: htxp://zulu.zscaler.com/submission/show/d18e729eefd4c8ed1524910bcf5ac663-1337785940
See description here: hxtp://sucuri.net/malware/malware-entry-mwht291 Webpage being redirected to spam

polonus

Thanks for the help. But, where are you finding this code? I don’t know what you are looking at. !Donovan - you said it is in the body tag - the body tag of what? Please forgive me for asking these questions, but I am not familiar with the code and I’m going to need baby steps to get through this.

Sucuri can help you with this... they also monitor the website for infections and remove it if infected again,
but... they don’t do it for free. http://sucuri.net/signup

Hi ladyjr,

If you are having trouble finding the tag, you can always do the search method. Press F3 and type try{q= which would bring you to the malware to remove.

The tag is inside of the html file; in this case, your homepage (index).
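Donovan’s F3 search finds the marker in one file at a time. To sweep every PHP, HTML and JS file under the document root for the same marker in one pass, here is a small scanner, added here as an example and not code posted in the thread. The `<script>try{q=` indicator is the one Donovan named; the `eval(base64_decode(`, `eval(gzinflate(`, `eval(str_rot13(` and `eval(...String.fromCharCode` indicators are generic PHP/JS obfuscation markers I added (an assumption, not something the thread reports on this site), and the sample document root it builds is constructed.

```python
import re
import tempfile
from pathlib import Path

# "<script>try{q=" is the marker named in the thread. The eval(...) markers are
# generic PHP/JS obfuscation indicators added here by me; they are not from the thread.
INDICATORS = {
    "injected_js_try_q": re.compile(r"<script>\s*try\s*\{\s*q\s*="),
    "php_eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "php_eval_gzinflate": re.compile(r"eval\s*\(\s*gzinflate\s*\("),
    "php_eval_str_rot13": re.compile(r"eval\s*\(\s*str_rot13\s*\("),
    "js_eval_fromcharcode": re.compile(r"eval\s*\(.*String\.fromCharCode"),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def scan_file(path):
    """Return [(line_no, indicator_name), ...] for every indicator hit in one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((line_no, name))
    return hits


def scan_webroot(root):
    """Walk a document root; return {relative/posix/path: [(line_no, indicator), ...]} for files with hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site():
    """Create a throwaway document root with constructed clean and infected files; return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    # Infected front page: a harmless stand-in for the one-line injected tag
    (root / "index.html").write_text(
        "<html><body>\n"
        "<script>try{q=document.createElement('div');}catch(e){}</script>\n"
        "<h1>Hello</h1></body></html>\n"
    )
    # Clean page with a legitimate inline script that must not be flagged
    (root / "about.html").write_text(
        "<html><body><script>console.log('ok');</script><p>About</p></body></html>\n"
    )
    # Dropped PHP file hiding its payload behind eval(base64_decode(...)); 'ZWNobyAxOw==' is 'echo 1;'
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php\n/* constructed example of an eval-hidden payload */\neval(base64_decode('ZWNobyAxOw=='));\n"
    )
    # Non-code files are skipped by suffix
    (root / "readme.txt").write_text("eval(base64_decode('x')) in a text file is ignored\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_site()).items():
        for line_no, name in hits:
            print(f"{rel}:{line_no}: {name}")
```

Run it against a local copy of the site (an FTP download of the document root is enough) and treat every hit as a file to open and inspect by hand; a PHP file sitting under wp-content/uploads is worth attention even before looking at its contents, since that directory should hold media, not code.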

:slight_smile: Thanks Donovan. I couldn’t find it at first because this domain is an add-on domain to my primary domain (ladyjr.com). Once I started looking in the root directory for that domain, I found the file you were pointing to.

Pondus, thanks for the suggestion. Unfortunately, I’m going to have to do this the old-fashioned way for now: free. Maybe in the future (once I start making money) I will be able to sign up.

That being said, is there anything I can do to prevent this type of hacking or at least catch it if it does happen?

Keep your software up to date.
Change your password.
Make sure your site is secure.

There are more but these are the ones I find important. :wink:
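For the second half of ladyjr’s question, catching a re-infection when it happens, a file-integrity baseline is the simplest defender-side check: hash every file in the document root after a known-clean install, store the list outside the web root, and compare on a schedule. The following is an added example, not something posted in the thread; it assumes Python 3 and read access to the document root, and the site it baselines and then tampers with is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream one file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Return which paths were added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def simulate_baseline_and_tamper():
    """Constructed demo: baseline a tiny site, tamper with it, and report the differences."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php // constructed clean front controller\n")
    (root / "wp-content" / "uploads" / "photo.txt").write_text("constructed upload\n")

    # Keep the baseline OUTSIDE the document root: anything inside it can be edited
    # by the same access that edited the site.
    baseline_path = Path(tempfile.mkdtemp(prefix="baseline-")) / "manifest.json"
    save_manifest(build_manifest(root), baseline_path)

    # Tampering (constructed): append an injected tag to the front page and drop a new PHP file.
    with open(root / "index.php", "a") as fh:
        fh.write("<script>try{q=1;}catch(e){}</script>\n")
    (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // constructed dropped file\n")

    return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(simulate_baseline_and_tamper(), indent=2))
```

Rebuild the baseline right after each legitimate WordPress core, theme or plugin update (those change files too), then run the comparison from a scheduled job; an unexpected entry under "modified" or a new .php file under "added" is the signal that something was changed without you.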

I am still working on this in baby steps. I’m just finding it hard to locate the files that have the bad code in them.

Any additional suggestions on making the site secure? I thought they were secure. I have always kept the software up to date and have changed the passwords.

See: http://www.visiondesign.com/2009/09/keeping-your-pc-and-your-website-free-from-viruses/
And: http://midriffhelpingsolution.com/9-wordpress-security-tips-to-protect-your-website-from-harm/

And For your code: http://coding.smashingmagazine.com/2008/11/12/12-principles-for-keeping-your-code-clean/
And if you’re too lazy to do that, then check the pink link in my sig. :wink:

Thanks Donovan! I’m getting there step by step. And nope - I’m not too lazy, but I’m going to check your pink link anyway. :slight_smile: One last question for tonight - how do you find out what file the urlQuery and Wepawet reports are pointing to?

The “Redirects” section in the Wepawet and the “Host” section for urlQuery if that is what you mean?

Sorry - I wasn’t clear. I’m talking about the “Deobfuscation results” section in the Wepawet and the “JavaScript” and “HTTP Transactions” sections for urlQuery. I don’t know what file(s) they are referring to.

And thanks for all your help. This area is all new to me.

Ok, here’s an update on my issues with my site(s). I manually reloaded the latest version of WordPress, overwriting the files there. This got rid of most of the problems. Then it finally clicked - I had been looking for the actual code, not the crap code hidden in the eval that wasn’t supposed to be there. Now, I’ve got to hit each PHP file and make sure it’s clean.

Thank you to everyone who offered help to this lost soul. I will check here and post back once I have gotten through this. I’m sure I’ll have some additional questions before it is all over.

Hi ladyjr,

Do you still need help? ???

Hi Donovan,

Nope - all has been cleared up. :smiley: After doing some research, I found a script on Sucuri that I could load into my root directory to clean up everything. I did that, and now all is clean. I have changed my security and will be keeping a sharp eye on everything. Thank you (and all the others) for all the help and pointers that you gave me. I have learned a lot and I am already helping someone at work with this information so she can avoid the problems I experienced. I will be visiting back here from time to time, hoping to give help back to some other lost soul.