system
1
Pondus
2
Infection Details
URL: //electrobiomagnetismo.com/|{gzip}
Process: C:\Program Files (x86)\Google\Chrome\App...
Infection: [b]JS:HideMe-B[/b] [Trj]
seems to be infected with HideMe spam
http://blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html
Sucuri report: http://sitecheck.sucuri.net/results/electrobiomagnetismo.com
and VirusTotal does not scan websites for malware, it checks against known block lists…
system
3
Thank you so much Pondus for your fast reply!
Many blessings… 
Pondus
4
system
5
Thanks Pondus! One more question, and forgive my lack of knowledge in these matters :-[ : I initially went to that site through a link someone sent me, and Avast did not block this one:
//electrobiomagnetismo.com/wp-content/uploads/2012/05/BIO_DOC_PARES_BIOMAGNETICOS.pdf
Is this one also infected, or is it OK? I ask because it’s information I would like to keep, and I saved the link to it.
Thanks again!
Pondus
6
yes Sucuri report:
http://sitecheck.sucuri.net/results/electrobiomagnetismo.com/wp-content/uploads/2012/05/bio_doc_pares_biomagneticos.pdf
Since Avast and Sucuri are the only ones to detect it, I am not sure the spam is malicious… so other vendors may choose not to detect it? Or they use URL blocking that will not show in a VT scan.
there may be more info here later…so check back
polonus
7
This external link is also blacklisted by Sucuri’s: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fgmpg.org%2Fxfn%2F11
The spam is scam spam, spam-attack-campaign, see for the external link flagged: http://urlfind.org/?site=onlinepaydayloans4pf.com
→ for the spam attack variant: http://www.mywot.com/en/forum/29548-spam-injections-hideme-kickeme
so the site was hacked:
For a read-up on such a hack → http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
Why?
Web application version:
WordPress version: WordPress 3.4.1
Wordpress version from source: 3.4.1
Wordpress Version 3.3 or 3.4 based on: htxp://electrobiomagnetismo.com//wp-includes/js/autosave.js
WordPress theme: htxp://electrobiomagnetismo.com/wp-content/themes/theme1357/
Wordpress internal path: /home/content/30/8150030/html/electrobiomagnetismo/wp-content/themes/theme1357/index.php
WordPress version outdated: Upgrade required. (according to recent Sucuri scan data)
polonus
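Added example, not posted in this thread and not Sucuri’s or Avast’s code: a small defender-side check a site owner can run over a page they have fetched themselves. It reads the WordPress version from the generator meta tag (which is what "version from source" in a scan like the one above relies on) and flags it against a baseline, and it collects links that sit inside elements hidden by inline CSS, which is the general shape of "hidden spam" injections. The exact markup HideMe used is an assumption here, and the sample page is constructed, not taken from the site discussed.

```python
"""Added example (not from the thread): a small defender-side page check.

For a page you have fetched yourself, it
  1. reads the WordPress version from the <meta name="generator"> tag and
     flags it if older than a baseline you choose (the thread's Sucuri scan
     reports 3.4.1 as outdated), and
  2. collects links that sit inside elements hidden with inline CSS
     (display:none, visibility:hidden, off-screen positioning), the general
     shape of "hidden spam" injections.
The exact markup HideMe used is an assumption here; the sample HTML is
constructed and not taken from the site discussed in the thread.
"""
from html.parser import HTMLParser
import re

# Inline-style patterns that make an element invisible to a human visitor.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)
# Elements that never get a closing tag, so they must not touch the stack.
VOID = {"meta", "link", "img", "br", "hr", "input", "area", "base", "col",
        "embed", "param", "source", "track", "wbr"}


class PageAudit(HTMLParser):
    """Collect the generator tag and every href inside a hidden subtree."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.hidden_depth = 0   # > 0 while inside at least one hidden element
        self.stack = []         # one bool per open element: did it hide?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "generator":
            self.generator = attr.get("content", "")
        if tag in VOID:
            return
        hides = bool(HIDDEN_CSS.search(attr.get("style", "")))
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1
        if tag == "a" and self.hidden_depth > 0 and attr.get("href"):
            self.hidden_links.append(attr["href"])

    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1


def version_tuple(text):
    """'WordPress 3.4.1' -> (3, 4, 1); None when no number is present."""
    m = re.search(r"(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(html, baseline="3.6"):
    """Return version, outdated flag (None if unknown) and hidden links."""
    p = PageAudit()
    p.feed(html)
    p.close()
    ver = version_tuple(p.generator)
    return {
        "version": ".".join(map(str, ver)) if ver else None,
        "outdated": (ver < version_tuple(baseline)) if ver else None,
        "hidden_links": p.hidden_links,
    }


# Constructed sample page: an old generator tag plus two hidden link blocks.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.4.1" />
</head><body>
<p>Visible text with a <a href="https://example.org/about">normal link</a>.</p>
<div style="position:absolute; left:-9999px;">
  <a href="http://spam.example/payday-loans">payday loans</a>
  <a href="http://spam.example/cheap-pills">cheap pills</a>
</div>
<span style="display:none"><a href="http://spam.example/x">x</a></span>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

The baseline version is a parameter rather than a hard-coded "latest" because what counts as outdated changes with every release; the hidden-link heuristic is deliberately broad (any hidden ancestor, not only a div), since legitimate themes also hide elements and a hit is a lead to inspect, not proof of compromise.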
system
8
Thanks Pondus and Polonus! Since I went to that one first and it was not blocked by Avast, I may be infected, as I did get it blocked by Avast when I went to the main page afterwards. Should I run AdwCleaner? Or maybe something else specifically for those types of infections?
polonus
9
See instructions given here on cleansing code from website: http://forum.avast.com/index.php?topic=131579.msg972795#msg972795
polonus
system
10
Thanks Polonus! I just want to find out if my computer has the malware; it’s not my website, it’s someone else’s…
I ran AdwCleaner and a couple of things came up in the registry and Google Chrome (I attached the results).
I also ran a Flash Scan and a Fast Scan in Malwarebytes and it came back clean.
Should this do it or is there anything else I should do?
Thanks again!
PS: it won’t accept my AdwCleaner result, it says: "Your file is too large. The maximum attachment size allowed is 512 KB." … weird… as there were only a couple of things it found…
Pondus
11
PS: it won't accept my AdwCleaner result, it says: "Your file is too large. The maximum attachment size allowed is 512 KB." ... weird... as there were only a couple of things it found...
The AdwCleaner log is usually not this big… unless it found lots of stuff.
Seems Norman lab agrees with Avast… they added detection for it as Injector.FGNI
polonus
12
Hi Pondus,
That added detection is this Trojan-Ransom.Win32.Foreign.fgni?
polonus
Pondus
13
I don’t think that is the same…
polonus
14
So this is a blackhat SEO-spam campaign and in a sense even an av firm was not completely free of this, see: http://technicalinfodotnet.blogspot.com/2010/03/sophos-stop-spamming-me-and-end-your.html
Also nice to read about the use of so-called doorway pages in SEO spam: http://websearch.about.com/od/seononos/a/doorways.htm
link article author = Wendy Boswell. The use of SEO spam to get better pageranking in this sense is unethical.
polonus