My site is -http//www.gadget-talk.com. I have seen the source of my site, but I cannot find the malware script like the people said in this forum about this thread before. What should I do to remove the malware? Help me please. When I browse my site, Avast blocked me, showing that the site is infected with the “JS:Redirector-MR [Trj]” Trojan. Can you give me a step-by-step solution for what to do?
Hi, pieter_dj, welcome to the forum
The code is embedded in the last line (very long) of the source code of the page.
Look in the middle of the code for the script.
A search for eval( will reveal the embedded code.
Scott
From Sucuri…
- Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php Wordpress version outdated: Upgrade required.
- Malware found on javascript file: hxxp://www.gadget-talk.com/404javascript.js (Just an example, there are many more…!!)
Known Spam detected.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
Sucuri report malware found here
-http://www.gadget-talk.com/
-http://www.gadget-talk.com/404javascript.js
-http://www.gadget-talk.com/404testpage4525d2fdc
-http://www.gadget-talk.com/about-us/
-http://www.gadget-talk.com/sitemap/
-http://www.gadget-talk.com/contact-us/
-http://www.gadget-talk.com/useful-links/
-http://www.gadget-talk.com/category/apple/
-http://www.gadget-talk.com/category/camera-camcorder/
-http://www.gadget-talk.com/category/cellularphone/
Details: We have many articles about this issue on our blog:
http://blog.sucuri.net/category/spam
wepawet
http://wepawet.iseclab.org/view.php?hash=818126a161566b21f078488d90919a66&t=1323548465&type=js
Hi Asyn and Pondus,
Verdict = malicious: http://urlquery.net/report.php?id=11280
See for the second link Pondus gave:
-rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr suspicious
[suspicious:2] (ipaddr:72.21.207.5) (iframe) -rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr
status: (referer=-www.gadget-talk.com/404javascript.js)saved 2247 bytes 5cdcd519ab333c7e372f364dfa8bb5f38df93348
info: [img] -ecx.images-amazon.com/images/G/01/img10/associates/med-rec/aw-gen-300x250.gif
info: [iframe] -s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing ) after argument list:
error: line:3: ; function encodeStr(b) { return b && encodeURIComponent(b).replace(/&/g, “&”).replace(/“/g, “"”).replace(/</g, “<”).replace( />/g, “>”); } document.write(”<iframe src=“-http:/s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=” + encodeStr( ( error: line:3:
could be the response of this now dead?
polonus
Yes pol, the OP has to clean up his site…!
Why can’t I find the script in the source code of the site? I really don’t know what to do to delete the code. Could you give me a detailed step-by-step explanation of how to delete the code? If I go to my hosting, then which file name do I go to, and where will I find that script so I can delete the code? So what should I do to get rid of this “Dean” issue?
Highlight the embedded code in spg SCOTT’s picture and press delete.
Sucuri will do it for you
…but not for free :-\ http://sucuri.net/signup
No, it isn’t and I also never said so.
I said that he has to clean it, thought I was clear.
Didn’t see the ‘has to’ part. :-[
More information about the malware dump: http://sucuri.net/new-malware-evalfunctionpacked.html
Can’t you give me the steps for how to delete those scripts that contain p,a,c,k,e,r from my site? Please give me the detailed steps, like when I go to my hosting, which folder or file should I go to? Because I am using wordpress. How do I delete that script from the html code? I am confused.
Again PHP has initially been compromised. Very interesting read link here: http://25yearsofprogramming.com/php/findmaliciouscode.htm (source author: Steven Whitney)
polonus
Could you remove that script (modify your post) in case it prompts an alert?
Done, thanks David.
That looks like it may be what is adding the code to the pages in the site.
Remove that code (from functions.php), and check all of your pages (html/php/js) files etc. for this eval script.
I have removed the original post, to remove suspect code to avoid avast alerting on its own pages.
I have found this in my functions.php file
See image of code example
Can you help me with that code? I should delete the scripts that contain p,a,c,k,e,r from where to where?
Should I delete the whole of the php code or only the javascript code? Just now I only deleted the javascript code. I see it has solved the problem. Oh, should I delete the php code also? What do you think, spg SCOTT and DavidR?
Do not post code in the forum as avast may alarm on it.
Again please post any script examples as images not live code, which could cause an alert.
Thank you very much, spg SCOTT. I have removed the code, but I only removed the javascript code, not the whole of the PHP code. So the script is now like this.
Can you check by browsing my site again? I think the problem has been solved, right? I only need that “Dean Edwards” malware to not appear again each time I browse my site.
It seems that the added code in the functions.php was what added the malicious code to the pages as they were created. I can’t see the code within the page now.
You also need to ensure that your wordpress version is updated:
From Sucuri…
- Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php Wordpress version outdated: Upgrade required.
…
I am sorry, I didn’t know that the code can make avast alert on this forum. I apologize. I am curious how to see the code in the source code, because when I viewed the source code of my site, I couldn’t find that code before I deleted that javascript code. I use the Opera browser. I click the View menu and click Source, but I couldn’t find the code before I deleted the javascript in functions.php. I am curious how you found the code, spg SCOTT?
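
Added example, not part of the original thread or any poster's code: the check suggested above (search the theme's php/js/html files for the packed eval(function(p,a,c,k,e,r script and report where on a long line it sits), run over a constructed sample theme. The directory layout, file contents and function names are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Packed-script header described in the thread: eval(function(p,a,c,k,e,r)...
PACKED = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*\w\s*\)")
SCAN_EXT = {".php", ".js", ".html", ".htm"}

def scan_tree(root):
    """Return (relative path, line number, column, line length) for each hit."""
    hits = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in PACKED.finditer(line):
                rel = path.relative_to(root).as_posix()
                hits.append((rel, lineno, m.start() + 1, len(line)))
    return hits

def build_sample(root):
    """Constructed sample: a theme with one clean and one injected file."""
    theme = Path(root) / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); ?>\n<p>clean</p>\n")
    # Inert stub that only carries the packed-script header.
    stub = "eval(function(p,a,c,k,e,r){return p}('0',1,1,[],0,{}))"
    # The injected script hides far to the right on one very long line.
    injected = "<?php\nfunction t(){}\n?>" + " " * 400 + "<script>" + stub + "</script>\n"
    (theme / "functions.php").write_text(injected)
    (theme / "notes.txt").write_text(stub)  # not scanned: extension not in SCAN_EXT

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, lineno, col, length in demo():
        print(f"{rel}:{lineno}: packed eval at column {col} (line is {length} chars)")
```

To check a real install, call scan_tree() on a local copy of wp-content; the column number shows how far into a long line the script starts, which is why it is easy to miss when viewing the source in a browser.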