JS:Pdfka-gen@bhv[expl] Virus on My Website

I have a website that is coming up with an Avast message. The site is hxxp://www.traveltripz.com

The infection details state that it is the JS:/Pdfka-gen@bhv[expl] virus.

I checked all the usual sites like Sucuri, Nortons etc to see if the site scanned okay and they aren’t showing any problems so I can’t tell where the virus might be sitting on the site and my hosting company can’t see anything obvious.

I thought it may be just a false positive but someone emailed us to say their computer was infected because of our website so something is wrong.

Anyone have any ideas?

Hello, is Avast reporting a virus on any file download? :slight_smile:

I have downloaded all the files from that website to my computer and have done a scan with Avast. Was that what you meant?

The scan found nothing.

When was the virus detected and blocked? While visiting the site? :-X

Hello,
Your site was hacked. A redirecting script has been added in the middle of the code. This attack is focused on IE users.
Redirection leads to protection.myar.in/in.cgi…

See: http://wepawet.iseclab.org/view.php?hash=e7906688feeba59d289a393db483f058&t=1328723083&type=js
Under network activity:
and -http://jsunpack.jeek.org/dec/go?report=b2d8b9fc8525ee4ca9a48bda730c067b73742d76
(visit last mentioned link only if security savvy, with ample script protection and in a VM)
Found suspicious here: http://urlquery.net/report.php?id=19890
And check on this in the code:
-www.traveltripz.com/wp-content/plugins/contact-form-7/jquery.form.js?ver=2.52 suspicious
[suspicious:2] (ipaddr:69.89.31.71) (script)- www.traveltripz.com/wp-content/plugins/contact-form-7/jquery.form.js?ver=2.52
status: (referer=-www.traveltripz.com/)saved 28396 bytes 4bebf95bb3fbc02edfb3daae3a194ad8dd1fcc2d
info: [iframe] -www.traveltripz.com/wp-content/plugins/contact-form-7/
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
suspicious:
Why do you make requests for: GET /0876/10778476-6.gif HTTP/1.1
Host: www.yceml.net

polonus

Yes whilst visiting the site the Avast message popped up.

Where in the code is the script? Are you able to provide more detail as to what file I need to look in? If I can find it I can delete it.

Thanks for your help.

So should I be looking at each of those pages on the wepawet report to see if there is any suspicious code?

As for contact form 7, I will disable it to see if that makes a difference.

I have run the Exploit Scanner plugin on my blog. It comes up with a report and on that report it shows the following code for a couple of the plugins.

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?

I have seen this during my search on the net as a virus but can that sort of code also be legitimate?

Hi Paula2013,

That is Dean Edwards packer indeed. It can be used for protective obfuscation and for that reason has also fallen prey to miscreants, to be abused and injected into. Read about one of these malware variants here: http://www.stopthehacker.com/tag/dean-edwards-packaer/ (link source: Jaal, LLC).
This is what avast flags,

polonus
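
Added example, not part of any post in this thread: a static check for the `eval(function(p,a,c,k,e,r)` pattern discussed above, which rebuilds the packed script as text without executing it, so a flagged plugin file can be read. The review list, the sample string and the function names are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Tail of a packed script: }('payload',radix,count,'w0|w1|...'.split('|')
PACKED = re.compile(
    r"eval\(function\(p,a,c,k,e,[rd]\).*?\}\('(?P<payload>.*?)',"
    r"(?P<radix>\d+),\d+,'(?P<words>.*?)'\.split\('\|'\)", re.DOTALL)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Assumed review list: strings that deserve a manual look once unpacked
REVIEW = ("iframe", "document.write", "unescape", "fromCharCode", ".cgi")

# Constructed, harmless sample (decoder body shortened; it is never executed)
SAMPLE = r"""eval(function(p,a,c,k,e,r){/*decoder*/return p}('0.1("2 3 4")',5,5,'document|write|packed|but|harmless'.split('|'),0,{}))"""

def token_index(token, radix):
    """Decode one payload token to its dictionary index, or None."""
    n = 0
    for ch in token:
        d = DIGITS.find(ch)
        if d < 0 or d >= radix:
            return None
        n = n * radix + d
    return n

def unpack(source):
    """Return the unpacked script text without running it, or None if not packed."""
    m = PACKED.search(source)
    if not m:
        return None
    words, radix = m["words"].split("|"), int(m["radix"])
    def restore(t):
        i = token_index(t[0], radix)
        return words[i] if i is not None and i < len(words) and words[i] else t[0]
    return re.sub(r"\b\w+\b", restore, m["payload"]).replace("\\'", "'")

def triage(root):
    """Map each packed .js/.php/.html file under root to the REVIEW strings it hides."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".js", ".php", ".html"):
            code = unpack(path.read_text(errors="replace"))
            if code is not None:
                hits[str(path)] = [s for s in REVIEW if s in code]
    return hits

if __name__ == "__main__":
    print(unpack(SAMPLE))
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A packed file with an empty list is not cleared by this check; the unpacked text still has to be read.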

I still have no idea how to get rid of this virus. Can anyone help?

Norman lab confirms infection

traveltripz.com.htm : Processed - JS/Agent.ACU
I still have no idea how to get rid of this virus. Can anyone help?
Try sucuri http://sucuri.net/signup

What is “Norman Lab”?

Norman http://www.norman.com/en-us

I have the same virus on my website :frowning: Did you find the solution, Paula2013?

The virus redirects to this page: http://344be0a917e241ef0141371301150509103518729bc0bc57955bc0e72eac39b.clintoncoombs.com/sort.php
Can someone do anything?