PHP:Includer-E [Trj] alert by avast

Hi, does anyone know anything about PHP:Includer-E [Trj]? I get this message when I try to open my website.

PHP:Includer-E [Trj]
I think it is a redirector...

If you post your website URL then we can check it…

Thank you for your answer Pondus!
I have had the site offline since I got the virus alert from Avast, so as not to have problems with Google. But I think I can set it online again for a short time for you to check it. You see, I couldn’t find any information about “Includer-E [Trj]” and I don’t know where to start from. I would appreciate it if you gave me a time period in which I can set the site online so that you are able to check it.
Thanks again!

If you do it now… I will check after lunch :wink:

Here is the url
www.athlocosmos.gr

Can you attach a screenshot of the avast message?

Sucuri http://sitecheck.sucuri.net/results/www.athlocosmos.gr

quttera say suspicious http://quttera.com/detailed_report/www.athlocosmos.gr
suspicious here - /plugins/content/jw_ts/jw_ts/includes/js/behaviour.min.js

urlquery http://urlquery.net/report.php?id=8901984

zulu http://zulu.zscaler.com/submission/show/619bb2b34fd96af11545c4c2bede9814-1390214079

I know Pondus asked for the link, however, can you break it?

Aka: www should be wXw. That way it can’t be misclicked. Polonus has been asked to check it out

First thing is I get a server redirect: Code: 503, Content cannot be read!
htxp://www.athlocosmos.gr/
500 timeout
Content-Length: 30
Content-Type: text/plain
clean
htxp://www.athlocosmos.gr/test404page.js
500 timeout
Content-Length: 30
Content-Type: text/plain
clean
Probably the site is being cleansed.
At the source of the attack could be php/5.2.17 CMS: joomla! - open source content management
Update: Web application version:
Joomla Version: 2.5.7
Joomla Version 2.5.x - 3.0.x for: htxp://www.athlocosmos.gr/media/system/js/caption.js
Joomla Version 2.5.x for: htxp://www.athlocosmos.gr/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
See: http://jsunpack.jeek.org/?report=f2a6948578cd464c9fa3a7b1b6a2903c4e43005e

polonus

The funny thing is that I did several online tests, the majority of which show that the site is clean. I checked all the files and found no problem. Only with Avast do I get the message attached below. I do not want to risk getting blacklisted by Google. If I find no solution soon, then I will prefer to lose one third of the contents and retrieve the rest from an older backup which is secure, instead of keeping the site offline for some time more.

Translation of the attached message:
“avast! Web Shield has blocked a harmful webpage or file.
Object:
Infection:
Process:
More details…>>”

If you think this is wrong…

You can upload files and report issues to avast here : http://www.avast.com/contact-form.php (select subject according to Your case)

Got to the login page and it is no longer flagged by avast!
-www.athlocosmos.gr

Εκτός λειτουργίας για τεχνικούς λόγους.
Παρακαλώ, προσπαθήστε αργότερα.

See: http://zulu.zscaler.com/submission/show/619bb2b34fd96af11545c4c2bede9814-1390227881

polonus

Thank you very much PONDUS. I really appreciate your help

Polonus, I put the site offline again. That is why you get this message, which means “The site is down for technical reasons. Please try again later”. I can set it online again if you would like to check it.

Hi kosmakis,

First get rid of that malware if it landed on your computer, as in the description given here:
http://blog.teesupport.com/get-rid-of-phpincluder-e-trj-from-my-computer/
Scan your website PHP code here: http://evuln.com/tools/php-security/
and let me know the results.

polonus

Hi Polonus,

Thank you for your advice!
After I made a scan of the “template.php” file (results in the attachment), avast! shows every now and then the pop-up window, which informs me that it has blocked a threat (see the attachment). What do I have to do next? I’m afraid there is still a lot of work, and as I realize, the problem probably comes from the link which has been attached to the logo image of the company which the template came from. As I use several modules from the same company, it is likely that I have the same problems with other templates, including Joomla templates.

Thank you again!
Kosmakis
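
Following up on the suspicion in the post above that a vendor link embedded in the template recurs in other modules from the same company, here is an added example (not code from any poster or from avast!) that lists every hard-coded external host per file and line across a site tree, so one link can be traced through all templates and modules. The directory layout, hostnames and function names are constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)\\]+""", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".xml"}
# Constructed sample tree: the same vendor link sits in a template and a module.
SAMPLE_FILES = {
    "templates/vendor_tpl/template.php": '<?php defined("_JEXEC") or die; ?>\n'
        '<a href="http://template-vendor.example/"><img src="images/logo.png" /></a>\n',
    "modules/mod_vendor_menu/tmpl/default.php": '<div class="menu"></div>\n'
        '<a href="http://template-vendor.example/joomla">vendor</a>\n',
    "templates/vendor_tpl/index.php": '<a href="http://www.mysite.example/contact">Contact</a>\n'
        '<script src="http://cdn.example/lib.js"></script>\n',
}

def external_links(root, own_hosts):
    """Return {host: [(relative_file, line_no), ...]} for hosts not in own_hosts."""
    root, hits = Path(root), defaultdict(list)
    files = (p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES)
    for path in sorted(files):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for url in URL_RE.findall(line):
                try:
                    host = (urlparse(url).hostname or "").lower()
                except ValueError:  # malformed URL such as a broken IPv6 literal
                    continue
                if host and host not in own_hosts:
                    hits[host].append((path.relative_to(root).as_posix(), line_no))
    return dict(hits)

def hosts_by_spread(hits):
    """Order hosts by how many distinct files reference them, widest first."""
    return sorted(hits, key=lambda h: (-len({f for f, _ in hits[h]}), h))

def build_sample_site(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        found = external_links(tmp, own_hosts={"www.mysite.example"})
        print([(h, found[h]) for h in hosts_by_spread(found)])
```

Run against a local copy of the site with its own hostnames in `own_hosts`; a host that appears in many extension files from one vendor is the first place to compare against a clean download of that extension.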

Hi kosmakis,

Sucuri could offer cleansing, contact: http://sucuri.net/signup (not free)
or ask support here: http://forum.joomla.org/ (free)

polonus

Hi Polonus,

I’ll follow your advice hoping to find a solution.

Thank you very much!