Hi, i’m the owner of the site hxxp:// www. createandshare. es
We are a news blog/portal, we have not suffer any problem with spam or malware since we started, and haven’t installed any new plugins of late.

Today I was told by my website’s users that my site was blocked by Avast. I checked it out myself and got the following message:

Infection Details

URL: hxxp:// www. createandshare. es/|%3E{gzip}
Process: file://C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Infection: html:Script-inf

I have done some searches and find out there are some poeple having the same problem.

(http://forum.avast.com/index.php?topic=81524.0)

Please let me know what is going on and what can we do to get it fixed?

Thank you in advance.

Best regards.

seems infected, see attached screenshot

malware info: http://sucuri.net/malware/malware-entry-mwjs67473

VirusTotal - URL scan
http://www.virustotal.com/url-scan/report.html?id=2e9c5c43172b8476ca11aca0f1caa8aa-1313436561

VirusTotal - HTML scan
http://www.virustotal.com/file-scan/report.html?id=6a7bed15ca50472e0b97821dad87c462f88aaaf75b536f973be7cda877c87130-1313443772

I’ve checked the site out with virustotal.com, and this is what I got.

http://www.virustotal.com/url-scan/report.html?id=2e9c5c43172b8476ca11aca0f1caa8aa-1313435171

It seems only avast detects a problem.

How can we solve it?
How did it happen?

It was probably hacked…

The sucuri scanner say: Wordpress version outdated: Upgrade required.

Protect your interwebs with Sucuri http://sucuri.net/signup

Information for Website Owners http://stopbadware.org/home/webmasters
Tips for Cleaning & Securing Your Website http://stopbadware.org/home/security

some more info

this is the url in the iframe: superpuperdomain2.com

Update to the Superpuperdomain2.com malware
http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html

WordPress Sites Hacked with Superpuperdomain2.com
http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

Wepawet
http://wepawet.iseclab.org/view.php?hash=2e9c5c43172b8476ca11aca0f1caa8aa&t=1313444515&type=js

Well first the site redirects to the createandshare.net version of your site and this is also picked up, image1.

http://www.virustotal.com/file-scan/report.html?id=f607197a0605151f322b9c64c2fdab532bc05e9bb760201f3225fcaac1c9458f-1313444374

Check those pages and others for the presence of a script tag after the closing HTML tag, if you didn’t put it there then your site has been hacked.