JS:ScriptPE trojan coming from my website???

Not sure what is going on. I am not very knowledgeable about these things.
I have Avast Home Free edition 4.8. My website is hxxp://www.surfsidepotrero.net . I keep a website for our community.
Every time I go to it and close Firefox, Avast alerts JS:ScriptPE and I send it to chest.

Have I been hacked? (Thanks for the links below I found on this forum.)


I checked here hxxp://www.unmaskparasites.com/security-report/ and it says:
This page seems to be

hxxp://www.google.com/safebrowsing/diagnostic?site=http://www.surfsidepotrero.net/


Safe Browsing
Diagnostic page for xxx.surfsidepotrero.net

What is the current listing status for xxx.surfsidepotrero.net?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Google has not visited this site within the past 90 days.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, xxx.surfsidepotrero.net did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Unmask Parasites hxxp://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=xxx.surfsidepotrero.net
I am thinking that a bunch of stuff posted to my forum is what this is and I removed them. I use the same forum as is used here - simplemachines.


All the links I see I have on my website I think are alright. I checked them all on Google safebrowsing.

Any suggestions? I kinda am panicking. ???

Thank you for any advice!

What is the URL that the alert is on? I didn’t get one on the home page.

Please ‘modify’ any post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Hi sherrie777,

This is certainly not as it should be

 ^^"simages^^/s2.gif" width="480" height="83" class="style48" /></a><br /^^
				<span ^^^^class="fontblue_topleft">H&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^
				O&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^M&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^
				E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^ P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^
				A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^^^^G&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^^^^^^^code broken by me polonus 

Imagehack from Flash-molesters, favicon detected as this trojan… Just don’t go to the site. Avast!'s web shield keeps it from getting onto your computer, so you’re good. Just clear your browser cache/temporary files.

Bad IP Detector services:

IP Address 74.50.21.205 [W] [R]
Hostname dirae.lunarservers.com
Country EU
Proxy Detector -
Status DETECTED MALICIOUS ACTIVITY
http://www.malwareurl.com/search.php?domain=&s=74.50.21.205
redirects to rogue av
Malicious software being hosted at 1 domain, e.g. scanlifeweb.com/ ,

polonus

Sorry, I changed my 1st post and took out links.
I’m a little lost, but I’m trying to keep up.
Polonus - in your code above, that is how I stupidly spaced out the word “HOMEPAGE”. I deleted it.

It’s my website hxxp:surfsidepotrero.net so all that about the IP address…should I call lunarpages where I host my website?

Could it be I had a lot of bad posts on my forum, but I deleted them?
I do have a lot of links on my homepage.

Hi sherrie777,

Yes, the site should be cleansed of the malware and the website software patched and updated against exploits, so you should inform the hoster of the site that it has been hacked; hacked websites are distributing these redirects. The JS/Exploit-Script detection is a generic detection designed to detect malicious javascript files. Also read here:
http://forum.avast.com/index.php?action=printpage;topic=43970.0
It is an older malware that was revived…

polonus

Thank you Polonus. I just called Lunarpages and he said everything looked fine. I told him all the reports.
He said the shared ip 74.50.21.205 is fine ??? He said that other domain does not affect my domain.
I am going to check for mbam now on my PC. He said the alerts I am getting are from my computer.
For example - C:.…Local Settings\Application Data\Mozilla\Firefox\Profiles\ijy4m7op.default\Cache is on my PC. I cleared my cache.
I’m going to keep working and try everything.

edit: The Avast warning to move to chest only occurred on my computer and only on Firefox. Very strange.
I rebuilt the homepage piece by piece. There was only one item that makes the Avast alarm go off. I had a hit counter. I took it off and on and each time the alarm would only go off with the hit counter.
The hit counter was from hxxp://webdevelopmenttutorials.com

Hi sherrie777,

That link has 1 suspicious inline script found.
Long suspicious script

eval(^^^^unescape("%64%6F%63%75%6^^^^D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D...^^^^^broken by me, polonus
 

The code itself is obfuscated by an internal encryption algorithm; this is a variant of: VBS malware gen, and this: hXtp://www.statcounter.com/counter/counter_xhtml.js
has 3 suspicious inline scripts leading to malware of all sorts: Malicious software includes 523 trojans, 20 scripting exploits, 8 exploits. This has led to the infection of another site with malicious javascript outside HTML

^^^^khtcog"ute?^^jvvr+11yyy0yr/uvcvu/rjr0kphq1khtcog1yr(uvcvu0rjr"ykfvj?3^^^^"jgkij...v?3"htcogdqtfgt* 2@'))^^^... broken by me pol ^^^....*

malicious… it would take a file sent from a form and write that file to the current directory, typical action of a downloader,

Good you cleansed that,

polonus
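
Added example (not posted by anyone in this thread): a static check a site owner could run over their own pages to find the `eval(unescape("%64%6F..."))` pattern quoted above and decode it without executing it. The sample page, the `counter.example.invalid` host and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Finds eval(unescape("...")) / document.write(unescape('...')) and captures the encoded string.
CALL = re.compile(r"""(eval|document\.write)\s*\(\s*unescape\s*\(\s*(["'])(.*?)\2""",
                  re.I | re.S)
# An iframe the visitor cannot see is the usual sign of an injected redirect.
HIDDEN = re.compile(r"<iframe[^>]*(width\s*=\s*['\"]?0|height\s*=\s*['\"]?0|display\s*:\s*none)",
                    re.I)
MARKERS = ("<iframe", "<script", "document.write", "eval(", "http://", "https://")

def decode_layers(encoded, max_depth=5):
    """Percent-decode repeatedly until the text stops changing. Nothing is executed.
    latin-1 mirrors JavaScript's unescape() for %XX; %uXXXX escapes are left as-is."""
    text = encoded
    for _ in range(max_depth):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text

def scan(html):
    """Return one finding per obfuscated call: sink, offset, decoded text, markers."""
    findings = []
    for m in CALL.finditer(html):
        decoded = decode_layers(m.group(3))
        low = decoded.lower()
        findings.append({
            "sink": m.group(1),
            "offset": m.start(),
            "decoded": decoded,
            "markers": [k for k in MARKERS if k in low],
            "hidden_iframe": bool(HIDDEN.search(decoded)),
        })
    return findings

# Constructed sample: a "hit counter" snippet shaped like the one quoted in the thread.
_PAYLOAD = ("document.write('<iframe src=\"http://counter.example.invalid/c\" "
            "width=0 height=0></iframe>')")
SAMPLE = ('<html><body><h1>Home</h1><script>eval(unescape("'
          + "".join("%%%02X" % ord(c) for c in _PAYLOAD) + '"))</script></body></html>')

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["sink"], "at offset", f["offset"], "hidden iframe:", f["hidden_iframe"])
        print("  decoded:", f["decoded"])
```
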

WOW you are good! Wish I could figure out how you did all that! :o

Thanks for everything!