my web infected with JS:HideMe-B [Trj]

Viruses and worms
1

Hi,

I have a website ( nellosbar.com ) and appear infected for : JS:HideMe-B [Trj]

I have downloaded the files by FTP and checked and there is no virus, can you help me to solve it?

I don’t know if I have to notice Avast or exactly what I may do.

Thanks.

2

Your website is infected with a javascript malware :
http://zulu.zscaler.com/submission/show/01ec970a558cee01eababaa57754d004-1383759234
http://sitecheck.sucuri.net/results/nellosbar.com
http://urlquery.net/report.php?id=7474877

Likely because a old version of Joomla is used.
Update Joomla to the latest version (3.x) and check again.

3

AVG reports malware: http://www.avgthreatlabs.com/website-safety-reports/domain/nellosbar.com/
http://www.avgthreatlabs.com/virus-and-malware-information/info/blackhat-seo/

Clean on Virustotal: https://www.virustotal.com/de/url/7b25a43b372f471a2cf99cecaa33ac6e85e0c4b08029bfeee34f002876c796a6/analysis/1383759567/
Quettra reports potentially suspicious files: http://www.quttera.com/detailed_report/nellosbar.com

4

I’m checking that upgrading version will be complicated for me, because I’m not programmer.

There is a way to solve this problem and delete the virus?

Thanks.

5

Here is a screenshot of the Javascript malware on your site in the source code.

6

And how I can delete it?? :s

7

Do you have a HTML File of the webpage?

If so do you have and software like Microsoft FrontPage?

You could open it there and delete the code inside the file.

I have saved the code to an Text File and Avast detects it as threat.

8

I have dreamweaver, but how can I know which is the file infected, how can I localize this file??

Thanks!!

9

Look at the second link I posted.

If you don’t know how to update Joomla, ask your webhost.

10

I dont know anything about Dreamweaver.

But in the Menus you can select the Source code View, Then you can go to the search function
in the menus and scan for the code which is seen in this link:

http://sitecheck.sucuri.net/results/nellosbar.com

Just copy and paste it into the search box.

11

See: Joomla Version 1.5.18 - 1.5.26 for: htxp://nellosbar.com/media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: htxp://nellosbar.com/language/en-GB/en-GB.ini
Malware at hand: http://labs.sucuri.net/db/malware/malware-entry-mwspamseo
See code matches for connect dot facebook dot net/en_GB/all.js’;d.getElementsByTagName(‘head’)[0].appendChild(js);}(document));

via http://jsunpack.jeek.org/?report=d2680d38405ab803dfd65e6053a9fb109b354ea5 (Open in browser with NS and RP extensions active and in a VM/sandbox, for security researchers only)
It is on info: [decodingLevel=0] found JavaScript
error: undefined variable Cufon
error: undefined function Cufon.replace
error: line:8: SyntaxError: missing = in XML attribute:
error: line:8:
error: line:8: …^
file: 79888368431993a29081ae7a45a2cf56bc94f12f: 10510 bytes

Decoded Files
7988/8368431993a29081ae7a45a2cf56bc94f12f from nellosbar.com/ (10510 bytes, 431 hidden) →
SEO Spam from htxp://semenaxhowto.com/ & htxp://aboutvigrx.com/ & hxtp://volumepillshelper

polonus