my website shown as a virus on avast :(

Hey guys,

Avast is telling me that my girlfriend's website is infected with a trojan horse… and I know for sure that it's not (that's my girlfriend's website, she's a musician…)

I double checked with VirusTotal and it's saying that it's clean…

Here is a link to VirusTotal results: hXXp://virustotal(DOT)com/url-scan/report.html?id=d014bed8950b7e1329dfe54d0a5c3d2d-1297909952

hXXp://chandaleigh(DOT)com

Any ideas? Or a way to take it down from the “infected” list?

Thanks!

Just to let you know, websites get hacked and infected all the time, so just because your girlfriend is a musician and wouldn’t host malware or viruses intentionally, it doesn’t mean that someone couldn’t exploit a vulnerability in some way and put a virus on it.

That being said, I browsed all over the site and didn’t receive any warnings from avast. oh wait, I’m on my linux box. :-[

um, well, where does the avast warning come up? The home page or one of the links on the page?

novirusthanks.org’s online scanner also says there are no viruses.

Exactly, I can't find anything that leads me to a virus…

I saw that it's a virus from a friend's computer, as I am running Ubuntu and it doesn't show anything to me.

It was on main page.

Thank you,
Tony.

Well, I’m sorry that I can’t help you much further. I only know how to submit FP’s when they’re already in the chest.

I guess you could send an email to virus AT avast.com and tell them in the subject that it’s a false positive, along with the URL in the body of the message, but I feel that might be the wrong thing to do.

It’s getting quite late and I don’t have the energy or the time to search around and find a thread that has False Positive URL submissions in it, but you could search around if you haven’t tried yet.

I don’t know if the current version of avast will let you submit a webshield warning as a false positive or not, but I think it used to.

*also, just an update, I jumped on my xp laptop and visited the site. The main page doesn’t throw any warnings and I’m using the 6.0.945 beta with 110216-1 definitions. So, your friend's computer might just have an older version or virus definition file loaded on it. Either that, or they’ve already fixed the FP.

Hope that helps!

You can report a FP here: http://www.avast.com/contact-form.php?loadStyles
asyn

Hello, I visited your website and Avast blocks a Trojan Horse (see pic)

@t0ny0

as you see on the pic Coolmario88cp posted, the URL is not the same as your girlfriend's website URL
so there seems to be a redirect…as avast says HTML:RedirME-inf

Wepawet - malicious
http://wepawet.cs.ucsb.edu/view.php?hash=a55b9b6294a0cf0d01f541cc580515a3&t=1297950048&type=js
and if you scroll down to URL here, you will find the URL from the avast pop-up

Screenshot from Sucuri scanner…so it looks as avast is correct…again :wink:

Yep, avast is often correct, or better it is correct ‘nine times out of ten’… :wink:
asyn

Thanks for helping me remember! I knew it was somewhere, just couldn’t think of where.

NP, scythe. :slight_smile:
asyn

Looks cleaned now, as a new Sucuri scan came up clean…

Alright,

Thank you guys for the quick responses.

So what I need to do is to look in the html for the following link “tb.widecompany(dot)com/in.cgi?2|>” and remove it, and after that submit my website to the avast link that Asyn gave me?

Sorry, I just never had that kind of a problem, so I prefer to ask before I do something stupid :stuck_out_tongue:

Thank you,

Tony.

Indeed the site seems no longer flagged. Has the script injection been cleansed or is it just because it cannot redirect to htxp://ae.awaue.com/7 any longer? Mentioned domain does not exist or is inaccessible according to Netirk,
Sucuri gives following info on this injected script malware:

Newest versions of this attack are using 188dot72dot194dot172: * htxp://w3.fairygoodideas.com/in.cgi?2 *

Infection: It infects all posts inside the database (wp_posts). Only wordpress sites are infected.


Source for quotes:
http://sucuri.net/malware/malware-entry-mwrks3 * [addresses munged by me for obvious reasons, pol]
For a cleansing suggestion go to this link:
http://www.serverschool.com/shared-hosting/how-to-remove-trojan-js-redirector-cq-from-your-wordpress-site/

polonus
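An added example, not part of the original thread: since the Sucuri note quoted above says the injection lands in the post bodies stored in wp_posts, one way to check is to scan every post's HTML for script or iframe tags loaded from hosts you did not put there. The row layout (ID, post_content pairs), the allowlist and every domain in the sample data are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <SCRIPT SRC=...> matches too.
        if tag in ("script", "iframe"):
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]


def is_allowed(host, allowed_hosts):
    """True if host is an allowlisted host or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def scan_posts(rows, allowed_hosts):
    """rows: (ID, post_content) pairs, e.g. the result of
    SELECT ID, post_content FROM wp_posts (the table prefix may differ per install).
    Returns (post_id, host, src) for each script/iframe loaded from an unlisted host."""
    findings = []
    for post_id, content in rows:
        parser = SrcCollector()
        parser.feed(content or "")
        parser.close()
        for src in parser.sources:
            try:
                host = urlparse(src).hostname  # None for relative (same-site) URLs
            except ValueError:
                host = "<unparseable>"  # malformed URL: flag it for manual review
            if host and not is_allowed(host, allowed_hosts):
                findings.append((post_id, host, src))
    return findings


# Constructed sample rows; the .example domains are placeholders, not real hosts.
SAMPLE_POSTS = [
    (1, '<p>New single!</p><script src="/wp-includes/js/player.js"></script>'),
    (2, '<p>Tour dates</p><script src="http://tb.injected.example/in.cgi?2"></script>'),
    (3, '<p>Video</p><iframe src="//www.youtube.com/embed/abc"></iframe>'),
    (4, '<p>Bio</p><SCRIPT SRC="HTTP://CDN.Injected.Example/in.cgi?2"></SCRIPT>'),
]
ALLOWED_HOSTS = {"chandaleigh.example", "youtube.com"}

if __name__ == "__main__":
    for post_id, host, src in scan_posts(SAMPLE_POSTS, ALLOWED_HOSTS):
        print(f"post {post_id}: unexpected host {host} ({src})")
```

Any post ID it reports is a row to inspect and clean; an empty result on every post is what a cleaned database should give.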

If it’s gone (which is what has been reported so far) then you should be clean. However, if you, your girlfriend, or the webmaster didn’t put that link on the site, then it was probably put there by a hacker somehow.

I’d change any passwords that anyone has for the website (or FTP accounts or whatever you use to upload/make changes, etc.).

You should also make sure that any scripting languages or databases are patched and upgraded too. If there’s an exploit available because you’re using outdated software on the server, then chances are it will just get hacked again.

Thank you everyone for your help.

I will get on it as soon as I get the account information. We haven’t added any links to the website, so it's time for me to just change out the passwords and make sure that this won't happen again.

Thanks again, y'all have been very helpful :slight_smile:

Tips for Cleaning & Securing Your Website http://stopbadware.org/home/security
Sucuri http://sucuri.net/signup