Thanks, found the code and removed it.

The same message keeps popping up for www.pawstown.org:

http://www.avast.com/en-us/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-default&p_vir=JS:HideMe-B%20[Trj]&p_prc=C:\Program%20Files\Mozilla%20Firefox\firefox.exe&p_obj=http://www.pawstown.org/&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-champion&p_elm=7&p_lex=317&p_lid=en-us&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_vep=8&p_ves=0&p_vbd=1489&p_hid=dd443ccb-8e24-4f2d-9e3d-5d894a140088

Infection Details URL: hxtp://www.pawstown.org/ Process: C:\Program Files\Mozilla Firefox\firefox... Infection: JS:HideMe-B [Trj]

Plugged the link into OnlineLink Scan, they claim the site is safe:

http://onlinelinkscan.com/results/pawstown-org/

Well here we find something else: http://sitecheck.sucuri.net/results/www.pawstown.org/

polonus

that site contain lots of v i a g r a spam.

Hi my site shows the same thing. I just searched and I didn’t find any of the reported script. Can you please scan and if you find it let me know where it is? My url is wxw.dfgwear.com
Thanks.

Hello,
search for “hideme” in the html source code.

Milos

In order to do as Milos suggests, use this service to go through the code: http://aw-snap.info/file-viewer/
Fileviewer is an online tool for siteowners and webmasters alike.
When there are remaining questions, report back here on the forum,

polonus

I’m running a Joomla site and I didn’t find it.

Hello,
see http://forum.avast.com/index.php?topic=131579.msg972447#msg972447
Do you have same variant (JS:HideMe-B [Trj] or there is different letter instead of “B”)?

Milos

Mine shows an I. I just tried using the link that Polonus said and it still blocked me. I just scanned on virus total and it was a clean scan. Here are the results. https://www.virustotal.com/en/url/3f373af653aed2c145a1736d0044660a90d054fabbc0e7f037fce3b38dc69f24/analysis/1379392651/ Could it be possible that this is a false positive?

Hello,
Avast complains about using certain extensions (such as “sharethis”), which use bad practice (hidden links). Either disable them, or delete the code that hides the links (function dnnViewState() { var a=0,m,v,t,z,x=new Array(‘9091968376’…)

More info can be found here: http://forum.joomla.org/viewtopic.php?t=795946

Milos

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected,

polonus

I know this thread is a little older, but I am getting several warnings from JS:HideMe-J [Trj] with Avast for my personal website, as well.

Here is the link to my website… www.talkintheshadows.com

Can someone please help me?

hi ShadowLady,

http://sitecheck.sucuri.net/results/www.talkintheshadows.com/
http://urlquery.net/report.php?id=6424328
http://zulu.zscaler.com/submission/show/9043705ff95671493f87cbe11a0d73c8-1381177406

is a start.

Additional code hick-up:
talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999 benign
[nothing detected] (script) talkintheshadows dot com/wp-content/plugins/wp-monalisa/script.js?ver=9999
status: (referer=talkintheshadows dot com/)saved 5790 bytes d07d89ae1939ebae6820c391d192493eabf1ca05
info: [img] talkintheshadows dot com/wp-content/plugins/wp-monalisa/
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function jQuery
suspicious:

polonus

As earlier up in the thread, this site has not been cleansed yet. For this infection the avast! Shield detection is valid and avast detection is unique in this sense.
The scanner of choice to detect these infections is Sucuri’s for htxp://www.dfgwear.com/ → http://sitecheck.sucuri.net/results/www.dfgwear.com/
(checked a few minutes ago) other scanners alas miss this: http://urlquery.net/queued.php?id=45317449 as they haven’t got the right instrumentation to detect this form of SEO Spam insertion. The vulnerable wevsite software to blame (because the version was not being updated in time) is Joomla:
Web application details:
Application: Joomla! - Open Source Content Management - http://www.joomla.org

Web application version:
Joomla Version: 2.5.9
Joomla Version 2.5.x - 3.0.x for: htxp://www.dfgwear.com//media/system/js/caption.js

polonus

url was unblocked
was fixed in VPS update 131014-0.

Pls, i’m managing www.kapaniaris-hotel.gr (Joomla version 1.5.25) and it haves the same problem. Trying to access it and the pop up warning is coming up for JS:HideME-J[Trj].
I wasn’t able to find any of suspicious “hide” code at my files. I have undestood that it is my homepage that it is infected, since when i put directly in my broswer some other page of the website, there is no problem at all. Also, i tried through http://aw-snap.info/file-viewer, but the pop up message comes up again before managing to have a report…
Pls, if somebody can help me, i would really appreciate it.
Thanks

Sucuri report. http://sitecheck.sucuri.net/results/www.kapaniaris-hotel.gr

hello

http://i.imgur.com/Bx3ujQX.png

There is a line such as that must be removed
reset or modify the code

http://i.imgur.com/LVtIrGn.png