Website shows infected with JS:HideMe-B [Trj]

I have tried to go to the website for a local concert venue and Avast has alerted me that it is infected with JS:HideMe-B [Trj]. I did some searching here and found that I should check a few sites to confirm infection. None of those other sites show it as infected, just Avast. Is this a false positive or are the other sites wrong?

hxxp://centennialterrace.org is the site in question.

http://sitecheck.sucuri.net/results/centennialterrace.org shows clean and not blacklisted.

http://www.UnmaskParasites.com/security-report/?page=centennialterrace.org also listed as safe.

Anyone have any thoughts here?

Thanks,
Chris

Hello Chris,

i looked up some sites either and it looks safe to me.

Here you can the results for many website check sites: http://ScanURL.net/?u=centennialterrace.org#results

For some you have to copy the URL into a box or a field and then click scan.

You can report a false positive over this site here: http://www.avast.com/contact-form.php

Thanks! I will try reporting it and see what happens.

Various malware reported for same IP: http://support.clean-mx.de/clean-mx/viruses.php?as=AS31815&sort=email%20asc&response=alive
indicator obfuscation possible for JCEMediaBox…update to JCE 2.3.2. please or report to twitvid.com/player/

polonus

Hi,

I have experienced the same issue, same error/infection from Avast, relating to this site hxxp://www.graceniagara.ca

These two scans look clean,
http://sitecheck.sucuri.net/results/graceniagara.ca
http://www.unmaskparasites.com/security-report/?page=graceniagara.ca

I have already reported it to Avast (yesterday), I haven’t heard back yet.

Thanks for any help.

PLEASE, help me…My site is CLEAN, but Avast has alerted me that it is infected with JS:HideMe-B [Trj]…

How can i fix it??

I have already reported it to Avast, but nothing yet… :frowning:

Hi all,

JS:HideMe-B is triggered when seeing this piece of code:

<div id='hideMe'>components inside recipe ingredients referred to as lifestyle Daily cia lis pill <a href="hxxp://sotrueradio .org/">Cia lis without prescription, canada</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>

Of course the exact ad may vary, but this is the template.

From my experience, this is most often appended right after tag.

Honza Zíka
avast viruslab

Thank you for that… I did find that in my site. I removed it.

How do I get access back to the site now since Avast is still blocking it? Is there some “unblock” feature, I can’t find one.

Thanks

When we are talking about ScriptShield, there is no database of URLs. If avast cannot see the signature, it does not raise popup message. Maybe you still have the infected version in browser cache?

When I visit my work’s main page http://yumalibrary.org/public I get the same thing. I searched for the

in the code, but can’t find it. What gives?

When I wget your page (yumalibrary.org/public), I can see it:

<div id='hideMe'><p>The drugs also treat..........................Buy branded vi a gr a</a> .</p></div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>

Keep in mind that this code does not have to be on the server in plain text, but if you use any server-side scripting, such as PHP, it can be inserted via some obfuscation (base64, gzinflate, rot13, …).

Same with my works website.
Kfum-mus.dk

And now we cant enter it. Pls fix this

Hello Daffy,

you can report this as a false positive ofer this form here: http://www.avast.com/contact-form.php

Please follow the instructions given in previous posts.

Thanks,
~!Donovan

Hello,

it is not a false positive. I found this script (JS:HideMe-B [Trj]) on this site:

<div id='hideMe'> <p>Erection failure or Casino en ligne gratuit <a href="http://cafel.fr/">En ligne casino</a>  <p>Erectile dysfunction treatment method has come a Liquid cialis <a href="http://sotrueradio.org/">Cialis with atenolol</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>

I scanned it on virustotal and here results: https://www.virustotal.com/ru/file/a8c41f5b560db3f278ea1cd63fd9f2fc940d62d35f1d9fd2c8cd76cc4d89578b/analysis/1376756619/

also detected by Sucuri. http://sitecheck.sucuri.net/results/kfum-mus.dk

Malware entry: MW:SPAM:SEO. http://labs.sucuri.net/db/malware/malware-entry-mwspamseo

HideMeBetter – SPAM injection Variant
http://blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html

Get no alerts now on htxp://www.graceniagara.ca/

polonus

I have a website infected as well. I have looked through many files, but can’t find the malicious code. Can someone point me in the right direction on how to find the file that contains the code. I am running a Joomla website.

Hi
I’m getting this message too, not sure how to access code. Our site is xww.kinikikids.com - are you able to assist?

Rob