Is this site infected?

Hi! I just went to this website: electromagnetismo.com and Avast blocked it warning it’s infected, has a trojan:
http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_pre_80_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_vir=JS:HideMe-B%20[Trj]&p_prc=C:\Program%20Files%20(x86)\Google\Chrome\Application\chrome.exe&p_obj=http://electrobiomagnetismo.com/|{gzip}&p_var=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_elm=7&p_lex=571&p_lid=en-us&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=3&p_bld=chr2&p_vep=8&p_ves=0&p_vbd=1497&p_hid=83e23412-3b3c-4359-beab-fc6269950939

Infection Details
URL: //electrobiomagnetismo.com/|{gzip}
Process: C:\Program Files (x86)\Google\Chrome\App…
Infection: JS:HideMe-B [Trj]

I went to VirusTotal and it says it is clean… https://www.virustotal.com/en/url/93d7993f12cde379192a16a901d14e63af0a0275a00e4c53ebdc22beff3024b7/analysis/1379518994/

Is it or not? If someone could confirm this, I will really appreciate it.
Many thanks!

Infection Details URL: //electrobiomagnetismo.com/|{gzip} Process: C:\Program Files (x86)\Google\Chrome\App... Infection: JS:HideMe-B [Trj]
seems to be infected with HideMe spam
http://blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html

Sucuri report: http://sitecheck.sucuri.net/results/electrobiomagnetismo.com

and VirusTotal does not scan websites for malware, it checks against known block lists…

Thank you so much Pondus for your fast reply!
Many blessings… :)

you're welcome…

and it seems the spam on that site is about Cash Loans …

VirusTotal
https://www.virustotal.com/nb/file/8b88e9031c39dc4773d99841c1b8306fb672e41ccbd01ea898eefa9511ff724a/analysis/1379520626/

Thanks Pondus! One more question, and forgive my lack of knowledge in these matters :-[ : I initially went to that site through a link someone sent me, and Avast did not block this one:
//electrobiomagnetismo.com/wp-content/uploads/2012/05/BIO_DOC_PARES_BIOMAGNETICOS.pdf

Is this one also infected or is it OK? I say it because it’s information I would like to keep, and I saved the link to it.
Thanks again!

yes Sucuri report:
http://sitecheck.sucuri.net/results/electrobiomagnetismo.com/wp-content/uploads/2012/05/bio_doc_pares_biomagneticos.pdf

since avast and Sucuri are the only ones to detect it, I am not sure the spam is malicious … so other vendors may choose not to detect it? … or they use a URL block that will not show in a VT scan

there may be more info here later…so check back

This external link is also blacklisted by Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fgmpg.org%2Fxfn%2F11
The spam is scam spam, a spam attack campaign; see for the external link flagged: http://urlfind.org/?site=onlinepaydayloans4pf.com
→ for the spam attack variant: http://www.mywot.com/en/forum/29548-spam-injections-hideme-kickeme
so the site was hacked:
for a read-up on such a hack → http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
Why?
Web application version:
WordPress version: WordPress 3.4.1
Wordpress version from source: 3.4.1
Wordpress Version 3.3 or 3.4 based on: htxp://electrobiomagnetismo.com//wp-includes/js/autosave.js
WordPress theme: htxp://electrobiomagnetismo.com/wp-content/themes/theme1357/
Wordpress internal path: /home/content/30/8150030/html/electrobiomagnetismo/wp-content/themes/theme1357/index.php
WordPress version outdated: Upgrade required. (according to recent Sucuri scan data)

polonus

Thanks Pondus and Polonus! Since I went to that one first, and I did not get it blocked by Avast, I may be infected, as I did get it blocked by Avast when I went to the main page afterwards. Should I run AdwCleaner? Or maybe something else specifically for those types of infections?

See instructions given here on cleansing code from website: http://forum.avast.com/index.php?topic=131579.msg972795#msg972795

polonus

Thanks Polonus! I just want to find out if my computer has the malware, it’s not my website, it’s someone else’s…
I ran AdwCleaner and a couple of things came up in the registry and Google Chrome (I attached the results).
I also ran Flash Scan and Fast Scan in Malwarebytes and it came up clean.
Should this do it or is there anything else I should do?
Thanks again!
PS: it won’t accept my AdwCleaner result, it says: Your file is too large. The maximum attachment size allowed is 512 KB. … weird… as there were only a couple of things it found…

PS: it won't accept my adwcleaner result, it says :Your file is too large. The maximum attachment size allowed is 512 KB. ... weird...as there were only a couple of things it found...
AdwCleaner log is usually not this big ..... unless it found lots of stuff

Seems Norman lab agrees with avast … they added detection for it as Injector.FGNI

Hi Pondus,

Is that added detection this Trojan-Ransom.Win32.Foreign.fgni?

polonus

I don't think that is the same…

So this is a blackhat SEO spam campaign, and in a sense even an AV firm was not completely free of this, see: http://technicalinfodotnet.blogspot.com/2010/03/sophos-stop-spamming-me-and-end-your.html
Also nice to read about the use of so-called doorway pages in SEO spam: http://websearch.about.com/od/seononos/a/doorways.htm
Linked article author: Wendy Boswell. The use of SEO spam to get a better page ranking in this sense is unethical.

polonus