'Malware' false positive on Wordpress?

I’m webmaster of a site which is apparently giving Avast some Malware blocks for my brother and other users… my Avira antivirus sees nothing, and AVG and McAfee’s online site checkers say it’s clear. It might be something to do with the NextGen slideshow plugin for Wordpress, or the Ajax code it uses? Any ideas on how to fix this?

Any ideas on how to fix this?
We need to know what site so we can check..... And what does avast say.....attach screenshot

The warning links to:

http://www.avast.com/en-ca/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_pav_90_3&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-ca%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Program%20Files%20(x86)\Google\Chrome\Application\chrome.exe&p_obj=http://www.livinggreenbarrie.com/&p_var=.%2Fpaid%2Fen-ca%2Fvirus-alert-default&p_elm=7&p_lex=29&p_lid=en-ca&p_lng=en&p_lqa=1&p_lqe=1&p_lst=3&p_lsu=12&p_pro=1&p_bld=empty&p_vep=9&p_ves=0&p_vbd=2013&p_hid=c3d4e66a-4601-4c7d-a9fd-c495f4d43a19&p_ram=3996&p_cpu=7.4

Looks like a redirect on the page
Host name could not be resolved

Well the livinggreen.info domain is a permanent redirect to livinggreenbarrie.com, which is correct and safe. Here is something I’ve found now though: through maldb.com’s test.
However, now I can’t access the wordpress controls to take that plugin out and see if it’s the problem, even with Avast disabled.

http://www.livinggreenbarrie.com/wp-content/plugins/fv-community-news/fvcn-includes/js/fvcn-js.js?ver=3.8.1
200 OK
Content-Length: 3100
Content-Type: application/javascript
malicious

(function($, options) {

$(document).ready(function() {
if ($('.fvcn-post-form').length) {
var fvcnFormAjax = new FvCommunityNewsFormAjax();
}
});

var FvCommunityNewsFormAjax = function()
{
this.createLoader();
var o = this;

$.ajaxSetup ({
cache: false
});

$('.fvcn-post-form-new-post').ajaxForm({
url: options.ajaxurl,
data: {

… 2581 bytes are skipped …
;');
};

FvCommunityNewsFormAjax.prototype.clearAllMessages = function()
{
$('.fvcn-error').html('');
};

FvCommunityNewsFormAjax.prototype.displayMessage = function(field, message)
{
$(‘.’ + field.replace(/_/g, ‘-’) + ’ > .fvcn-error’).html(‘

  • ’ + message + ‘
’);
};

})(jQuery, FvCommunityNewsJavascript);

Antivirus reports:

Emsisoft: Android.Adware.Adwo.A (B)

Sucuri Sitecheck sees nothing wrong with it either. This is quite confusing.

If I turn off Avast shields to go into the Wordpress to disable that plugin, I just get a screen like this: http://imgur.com/Qg1Gd65

Oops ignore this post… was trying to get that thumbnail up.

Unfortunately you will have to wait for one of the coding experts to come online as I have little knowledge of this type of infection

There is also a hidden IFrame

I see a lot of issues flagged here: http://dnscheck.pingdom.com/?domain=%2Fwww.livinggreenbarrie.com&timestamp=1394892622&view=1 in the form of DNS warnings and actual errors.
I see no iFrame flags, neither with Quttera’s.
This however could have been the main reason for an eventual general IP block: http://sameid.net/ip/192.185.73.103/ as it is being flagged as URL:Mal.
See: https://www.virustotal.com/nl/ip-address/192.185.73.103/information/
BitDefender domain information
This URL domain/host was seen to host badware at some point in time.
A warning * here: Web application version:
WordPress version: WordPress 3.8.1
Wordpress version from source: 3.8.1
Wordpress Version 3.8 based on: htxp://www.livinggreenbarrie dot com/wp-includes/js/autosave.js
WordPress directory: htxp://www.livinggreenbarrie dot com/wp-content
WordPress theme: htxp://www.livinggreenbarrie dot com/wp-content/themes/simplish-lgb/
Wordpress internal path: /home/admin705/public_html/wp-content/themes/simplish-lgb/index.php * (undefined index Simplexive Simple)

Code hiccup here: wXw.livinggreenbarrie dot com/wp-content/plugins/fv-community-news/fvcn-includes/js/fvcn-js.js?ver=3.8.1 benign
[nothing detected] (script) wXw.livinggreenbarrie dot com/wp-content/plugins/fv-community-news/fvcn-includes/js/fvcn-js.js?ver=3.8.1
status: (referer=wXw.livinggreenbarrie dot com/)saved 3100 bytes 39155f44a4696ec4cc579b08f04aa4ed6c413c13
info: [decodingLevel=0] found JavaScript
suspicious:
Going to the IP I get http://192.185.73.103/404.html 404 page not found error.
For some other sites on the IP I get "Error establishing a database connection" here: htxp://getmentalhealthy.com/
or account suspended: htxp://articlegrip.com/cgi-sys/suspendedpage.cgi

According to me you can file a report and ask for an exclusion for your domain here: www.avast.com/contact-form
then it is up to avast team to exclude your site from their URL:Mal blocking.

polonus

I have removed the fv_community_news plugin (wasn’t being used anyways) and have submitted False Positive reports to BitDefender and Avast blacklisting, hopefully that’ll be that.

Hi JaytheOstrich,

Hope you are good to go now. We have to wait for an avast team member to lift the block of your domain.
I am just the odd forum volunteer with some specific scanning skills :smiley: ,
but they are known to act quickly when things are fine, even within a next update of engine’s virus defs.

To you, your brother and the visitors of your site - have a good Sunday

polonus

Hello,
there was a hijack: ruyzl-tube.livinggreenbarrie.com. Have you fixed it?

Milos

Well, no, as I have no idea how you found that, if it exists or how to erase it from cpanel. I need further information please, so I can get this fixed and un-blacklisted!
JaytheOstrich

Hello.
It looks like the settings are OK (everything is resolved to your IP), so we will unblock the domain in the next stream update, but we suggest changing all passwords and updating all systems.

Milos
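Added example, not part of any forum post and not Avast's tooling: one way a site owner could run the check described above (every record resolving to the site's own IP) against a DNS zone export and list host names that need review. It assumes a BIND-style export with fully qualified names; `audit_zone` and `parse_records` are hypothetical helpers, and the zone text, including the address 203.0.113.50, is constructed.

```python
import ipaddress

# Constructed sample zone export. Domain, subdomain and 192.185.73.103 come from
# the thread; 203.0.113.50 and parked.example.net are made-up placeholders.
SAMPLE_ZONE = """\
$TTL 14400
livinggreenbarrie.com.             IN A     192.185.73.103
www.livinggreenbarrie.com.         IN CNAME livinggreenbarrie.com.
mail.livinggreenbarrie.com.  14400 IN A     192.185.73.103
ruyzl-tube.livinggreenbarrie.com.  IN A     203.0.113.50
old.livinggreenbarrie.com.         IN CNAME parked.example.net.
livinggreenbarrie.com.             IN MX 0  livinggreenbarrie.com.
; trailing comment line
"""

def parse_records(zone_text):
    """Yield (name, type, target) for A/AAAA/CNAME records."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip blanks and directives
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        # Optional TTL (digits) and class (IN) may precede the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() in ("A", "AAAA", "CNAME"):
            yield (name.rstrip(".").lower(), rest[0].upper(),
                   rest[1].rstrip(".").lower())

def audit_zone(zone_text, domain, expected_ips):
    """Return records that point somewhere other than the owner's own hosts."""
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    domain = domain.rstrip(".").lower()
    findings = []
    for name, rtype, target in parse_records(zone_text):
        if rtype == "CNAME":
            ok = target == domain or target.endswith("." + domain)
        else:
            ok = ipaddress.ip_address(target) in expected
        if not ok:
            findings.append((name, rtype, target))
    return findings

if __name__ == "__main__":
    for name, rtype, target in audit_zone(
            SAMPLE_ZONE, "livinggreenbarrie.com", ["192.185.73.103"]):
        print(f"REVIEW {name} {rtype} -> {target}")
```

Anything listed that the owner did not create is a candidate for removal in the control panel's zone editor, followed by the password changes suggested above.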

Any idea when that is? How often do you update that?