Hi there everyone, yesterday I got stuck with this one; AvastFree started warning me about my site with that Trojan popup.
I did a reverse DNS lookup, and other sites of my web hosting provider also had that, so I think it's something in the hosting. But is it real or just a false positive? I scanned my URL (XXX.fuajedrez.com) with the sites some guys mentioned before, so here are the results; I look forward to hearing from you about this issue I'm having:
UrlVoid
URL analysis tool Result
Avira Clean site
BitDefender Clean site
Firefox Clean site
G-Data Clean site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
TrendMicro Unrated site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Additional information
Normalized URL: http://www.fuajedrez.com/
URL MD5: 86b01c4eee9c223b7c2d27499eae704d
Content-Type: text/html
UrlVoid - VirusScan
Report 2011-05-15 14:59:27 (GMT 1)
File Name fuajedrez-com
File Size 9123 bytes
File Type Unknown file
MD5 Hash 26f168ad2cb636b67759f5d95d975afe
SHA1 Hash 472721bfd9db1730a828fbed4a9c6bbe35b2e375
Detections: 0 / 6 (0 %)
Status CLEAN
Antivirus Updated Engine Result
AVG 15/05/2011 10.0.0.1190 -
Avira AntiVir 15/05/2011 7.11.7.12 -
ClamAV 15/05/2011 0.97 -
Emsisoft 15/05/2011 5.1.0.2 -
TrendMicro 15/05/2011 9.200.0.1012 -
Zoner 15/05/2011 0.2
VirusTotal
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: index.html
Submission date: 2011-05-15 12:55:18 (UTC)
Current status: finished
Result: 3 /41 (7.3%)
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.05.15.00 2011.05.14 -
AntiVir 7.11.8.21 2011.05.13 -
Antiy-AVL 2.0.3.7 2011.05.14 -
Avast 4.8.1351.0 2011.05.15 JS:Redirector-CV
Avast5 5.0.677.0 2011.05.15 JS:Redirector-CV
AVG 10.0.0.1190 2011.05.15 -
BitDefender 7.2 2011.05.15 -
CAT-QuickHeal 11.00 2011.05.14 -
ClamAV 0.97.0.0 2011.05.15 -
Commtouch 5.3.2.6 2011.05.14 -
Comodo 8709 2011.05.15 -
DrWeb 5.0.2.03300 2011.05.15 -
eSafe 7.0.17.0 2011.05.15 -
eTrust-Vet 36.1.8326 2011.05.13 -
F-Prot 4.6.2.117 2011.05.14 -
Fortinet 4.2.257.0 2011.05.14 -
GData 22 2011.05.15 JS:Redirector-CV
Ikarus T3.1.1.103.0 2011.05.15 -
Jiangmin 13.0.900 2011.05.14 -
K7AntiVirus 9.103.4648 2011.05.14 -
Kaspersky 9.0.0.837 2011.05.11 -
McAfee 5.400.0.1158 2011.05.15 -
McAfee-GW-Edition 2010.1D 2011.05.14 -
Microsoft 1.6802 2011.05.15 -
NOD32 6123 2011.05.15 -
Norman 6.07.07 2011.05.15 -
nProtect 2011-05-15.01 2011.05.15 -
Panda 10.0.3.5 2011.05.15 -
PCTools 7.0.3.5 2011.05.13 -
Prevx 3.0 2011.05.15 -
Rising 23.57.04.05 2011.05.14 -
Sophos 4.65.0 2011.05.15 -
SUPERAntiSpyware 4.40.0.1006 2011.05.15 -
Symantec 20101.3.2.89 2011.05.15 -
TheHacker 6.7.0.1.197 2011.05.15 -
TrendMicro 9.200.0.1012 2011.05.15 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.15 -
VBA32 3.12.16.0 2011.05.12 -
VIPRE 9286 2011.05.15 -
ViRobot 2011.5.14.4459 2011.05.15 -
VirusBuster 13.6.354.2 2011.05.14 -
Additional information
MD5 : 26f168ad2cb636b67759f5d95d975afe
SHA1 : 472721bfd9db1730a828fbed4a9c6bbe35b2e375
SHA256: e75089b31e015567edc5cff16411ce45ceac305b78651b54dcb581eedc2f221e
Anubis
http://anubis.iseclab.org/?action=result&task_id=141109c5b30c2aef469356857454b9390
The screenshot:
http://img839.imageshack.us/img839/5667/avastwarntr.jpg
EDIT: After a while with the window open, VirusTotal showed 3 infections. I'll update the quote.
Hi leosc, welcome to the forum 
I get a 404 error on that js file.
Take a look at the file, and check that there isn't any extra script added (generally it is added at the end, though not always).
Scott
Thank you Scott.
I don't get the warning only for this file; take a look at the report of the Web Shield. It seems like every file is infected, when I know they weren't (at least on my computer, before uploading them):
http://img196.imageshack.us/img196/5056/allwh.jpg
While looking at what is creating the alert, can I ask what is supposed to be on the site? (i.e. what is on the homepage?)
Just an index.html with CSS, images and legit JS running. May I upload a screenshot of the main page, or do you mean what kind of site it is?
So all those Keygen links are supposed to be there? Thought so…
Seems the initial script is causing the alert…not exactly sure why…
No, they are not! Where is that code at? How do I clean the site? 
edit: Is it possible that all the sites of my hosting provider were "injected" with this?
Reverse Whois: "FUA" owns about 3 other domains
Email Search: is associated with about 557 domains
Registrar History: 1 registrar NS History: 7 changes on 5 unique name servers over 5 years.
IP History: 8 changes on 6 unique name servers over 5 years.
Whois History: 33 records have been archived since 2007-11-03 .
[b]Reverse IP: 129 other sites hosted on this server.[/b]
[b]Registration Service Provided By: INETSUR Network Solutions[/b]
Reverse IP Lookup Results—130 domains hosted on IP address 74.53.249.242
Web Site:
acuarelistasuruguayos.com
alejandrokeller.com
talleressolidarios.org
AND 127 other domains…
Try to open one of those, to check if you see the same suspicious code you mentioned above
That is the contents of the whole page…
Scripts and LOADS of links for torrents/keygens and the like…
I searched the index.html but I can't find the code and links you are showing me.
Where did you find them? Can I clean it somehow? Do you have a clue how this could happen? Thank you.
That is the contents of the whole page...
Scripts and LOADS of links for torrents/keygens and the like...
system
10
It is the contents of wXw.fuajedrez.com/
I see now what you meant about the index page, I imagine that this page wasn’t supposed to even exist?
system
11
The index.html should exist, and existed, but not with the keygens and all that stuff
system
12
wXw.fuajedrez.com/index.html exists and it appears clean, but wXw.fuajedrez.com/ shows the junk.
DavidR
13
It is the other items that are on the page that have been compromised; I got 10 alerts (image1), basically on the stuff in the image on Reply #2.
They all have identical content: two very long strings (rows) of obfuscated script (image2), loading various dubious keygen and software sales sites, etc.
I have broken down the two lines to make it easier to see what that content is, image3.
So it looks very like the site has been hacked.
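The advice earlier in the thread (check each file for extra script appended at the end) and the symptoms DavidR describes above (two very long lines of obfuscated script, plus a pile of keygen/torrent links, in files that otherwise look unchanged) can be checked mechanically over a local copy of the site. The script below is an added example written for this thread; it is not Avast's code and not anything posted by the forum members. `scan_text` flags content after `</html>`, eval/unescape-style calls, abnormally long lines and keygen/torrent-style links; `compare_with_original` tells you whether a served or downloaded copy is your original plus an appended tail, which is also a quick way to see why `/` can differ from `index.html`. The sample pages, the `example.invalid` links and the 500-character line threshold are constructed for illustration.

```python
"""Scan a local copy of a site for the injected-redirector pattern discussed
in this thread. Added example (not Avast's or any forum member's code); the
sample inputs and thresholds are constructed, not taken from the real site."""
from __future__ import annotations

import re
import sys
from pathlib import Path

LINK_KEYWORDS = ("keygen", "torrent", "crack", "serial")   # assumed word list
LONG_LINE = 500   # assumed threshold: one line longer than this is suspicious
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\s*\(", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)', re.I)


def scan_text(text: str, kind: str) -> list[str]:
    """Return findings for one file's contents; kind is 'html', 'js' or 'css'."""
    findings: list[str] = []
    # 1. Anything after the closing </html> tag is almost certainly appended.
    if kind == "html":
        m = re.search(r"</html>", text, re.I)
        if m and text[m.end():].strip():
            findings.append("content appended after </html>")
    # 2. Script in a file that should never carry one (CSS), or eval-style calls.
    if kind == "css" and SCRIPT_RE.search(text):
        findings.append("<script> tag inside a CSS file")
    scripts = SCRIPT_RE.findall(text) if kind == "html" else ([text] if kind == "js" else [])
    if any(OBFUSCATION_RE.search(s) for s in scripts):
        findings.append("eval/unescape/fromCharCode/document.write in script")
    # 3. Very long single lines are typical of packed or obfuscated payloads.
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > LONG_LINE:
        findings.append(f"line of {longest} chars (possible obfuscated script)")
    # 4. Links pointing at keygen/torrent-style sites.
    hits = [h for h in HREF_RE.findall(text) if any(k in h.lower() for k in LINK_KEYWORDS)]
    if hits:
        findings.append(f"{len(hits)} keygen/torrent-style links")
    return findings


def compare_with_original(original: str, served: str) -> tuple[str, str]:
    """Classify a served/downloaded copy against your known-good original:
    ('identical', ''), ('appended', <extra tail>) or ('modified', '')."""
    if original == served:
        return ("identical", "")
    if served.startswith(original):
        return ("appended", served[len(original):])
    return ("modified", "")


def scan_dir(root: Path) -> dict[str, list[str]]:
    """Walk a local copy of the site and report every file with findings."""
    kinds = {".html": "html", ".htm": "html", ".js": "js", ".css": "css"}
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        kind = kinds.get(path.suffix.lower())
        if kind is None or not path.is_file():
            continue
        findings = scan_text(path.read_text(errors="replace"), kind)
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# Constructed sample pages: a clean index and the same index with an appended
# obfuscated script line and keygen-style links (placeholder domain).
CLEAN_INDEX = ('<html><head><title>Club</title></head><body><h1>Club</h1>'
               '<a href="torneos.html">Torneos</a></body></html>\n')
PAYLOAD_LINE = "<script>document.write(unescape('" + "%61" * 200 + "'))</script>"
INJECTED_INDEX = CLEAN_INDEX + PAYLOAD_LINE + "\n" + (
    '<a href="http://example.invalid/keygen/office">Office keygen</a>\n'
    '<a href="http://example.invalid/torrent/games">Games torrent</a>\n'
    '<a href="http://example.invalid/crack/photoshop">Photoshop crack</a>\n')

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # scan a real local copy
        for name, found in scan_dir(Path(sys.argv[1])).items():
            print(name, "->", "; ".join(found))
    else:                                       # demo on the constructed samples
        print("clean:", scan_text(CLEAN_INDEX, "html"))
        print("injected:", scan_text(INJECTED_INDEX, "html"))
        print("compare:", compare_with_original(CLEAN_INDEX, INJECTED_INDEX)[0])
```

Run it as `python scan_site.py /path/to/local/copy` over files pulled down from the host (not your pristine originals), and feed `compare_with_original` the body the server returns for `/` next to your own `index.html`: if the result is `modified` rather than `appended`, the server is serving something other than that file for the directory index, which is worth checking in the hosting configuration.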
system
14
Where did you get all those *.tmp files? I don't understand how to proceed to clean the stuff… I downloaded the infected images and CSS that avast reported, but when I open e.g. the CSS I don't find anything wrong inside. I also opened the *.js files and nothing's wrong with them (I just downloaded the original ones to replace the bad ones, but I get the same story)… Am I missing something? Thanks
DavidR
15
Avast creates these temp files from the content coming down on the HTTP stream so it can scan them in its localhost proxy (it doesn't use the original file names); if they are clean, they are passed on to the browser cache and displayed on the browser page. I just harvest them to be able to look inside.
They are essentially what you showed in your image, just renamed in the avast localhost proxy.
I don't know if you use any form of content management software, as that, if out of date, could be vulnerable to exploit, injecting the code into pages/files.