Urgent - How to get rid of JS virus on website?

by HeySal
15 replies
Has anyone gotten one of the JS viruses on their website? How do I get rid of this thing? Is it safe to just remove it or do I need to rename the file or what? The virus code is on the top of two scripts in there. I am having no luck at getting answers for this problem.
  • Indiana (Banned)
    [DELETED]
    • Mike Wright
      Originally Posted by Indiana

      Salut...Anyone know how to trash this pest?...Thanks ..Indy



      Virus Profile: Exploit-PHPBB.b

      Risk Assessment: Home Low | Corporate Low
      Date Discovered: 5/26/2008
      Date Added: 5/26/2008
      Origin: N/A
      Length: Varies
      Type: Trojan
      Subtype: Exploit
      DAT Required: 5303

      Description
      This detection is for JavaScript malware that may be hosted on a website,
      with an intention to serve further malware to users visiting the site.



      Indication of Infection
      Since the malware is hosted on the remote website, there are no visible
      symptoms on the user's machine.

      Methods of Infection
      The malicious JavaScript itself could be served in a website using an
      IFRAME. It could also be injected into an HTML page via an SQL attack.

      Aliases
      JS/Redirector.A [Norman], JS/Redirector.E [NOD32v2], JS_REDIRECTOR.M
      [TrendMicro], Trojan.JS.Redirector.C [BitDefender], Trojan.JS.Redirector.e
      [Kaspersky], Trojan.Redirect.10 [DrWeb]

      Well, after getting infected with this damn thing while investigating
      subsequent to your email Indy, it would seem that it lurks in a bogus
      .css phpbb theme file which must be located on the server and ends up
      in our Temporary Internet Files when browsing any infected PHPBB
      forum site.

      The key identity seems to be *****[1].css
      eg something like subsilver[1].css or style[1].css.

      If this is true, then the only way to stop being re-infected is to
      delete the file off the server and replace with an original css file.
      Then look for any new PHPBB patch or latest version, change
      admin/hosting names and use secure long passwords.

      Then you can continue by cleaning out your Temp Internet Files
      on your PC with CCleaner or similar ....maybe do a regclean also
      using the relevant CCleaner tab.

      Interestingly, I caught this by visiting a Google result to a
      phpbb forum thread about this topic and got forcibly redirected
      to another phpbb forum.

      Then reboot and do an intensive Avast scan. I did, and found that
      somehow I had also picked up host.exe and rundlll (three l's).
      You will find it best to remove both of those by using Killbox
      KillBox.Net which works a treat and worth keeping

      Hope that helps you folks!
      My preferred forum software is SMF if that is a site alternative.
  • HeySal
    I guess most people still don't know when they're affected with this one -- Only avast will tell them they have it at all and it doesn't remove them. Maybe that's why it's getting passed around so much.

    Serious - ANYONE at all being redirected funny with no indications of what is going on is probably infected with a redirect.

    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path
  • GB2008
    So how did you spot that you had this virus? I'm relying on my website hosters to keep my website clear - but I am not that clear on how things like SQL injection work! Can you suggest a resource to educate me on this?
  • sannyman
    Hey, Sal!

    Two things:

    a.) Avast is well known for false positives, which is actually good in my opinion.
    My question is HOW have you figured it out?

    b.) Yesterday I had to contact "live chat" at Hostgator.com and I have received a MALWARE alarm from Avast too.. It was related to a javascript (.js)...

    So, the best way to deal with it is to contact the AVAST support team directly and ask them if this is a real concern or not. And no, the service provider DOES NOT assure a virus / malware free operation of your site, unless specified in their contract with you.

    Success!
  • sannyman
    @ Sal, @Indiana:

    Please give me a URL sample, if possible.
    Thank you!
  • HeySal
    This is not a false positive - we've found the codes on the database -- have no clues how they got there yet. Looking into how to get them off and if it's safe to just delete them, etc.

    I am assuming at this point of time that the Host had a security breach and will be contacting them as soon as I get word back from Indy if he was able to get info from an expert pal of ours about what to do and possibly how it got there.

    Avast is the only device detecting this redirect because the algorithms are not that of virus, they are just java code - but malicious invasions nonetheless.

    The URL is in my sig "get a life" - it is the forums and Photo gallery - will trigger the Virus alert - which, as I said, is really there -we found the code. Indy tried to mail the code to me and Avast went crazy on the email. I do not know the actual code - it can't be written in whole without triggering the process so don't write it in here even if you find it without breaking it up on not completing the code.

    When we know more, Indy or I will be back in the thread and tell you what we find. I am suspecting this was the same source as the wdmaud virus that is such a pain in the butt to find and ditch - also one audio.sys that is the same vein - they are redirects and wdmaud is actually a keylogger. (Russian source) They get on your computer and allow the loggers to be downloaded. And are very high threat and very low detection.

    If you haven't scanned with avast, these are the famed viruses that are attacking millions right now - If you find the wdmaud or audio - I know how to remove those, the JS redirects, I will find out - trust me on that one.
  • HeySal
    Found out that it is mimicking yahoo counter and that's how it gets past the virus detectors. These guys aren't messing just with websites - they are going after servers.

    Indy - put the code in here but write it hxxp so it doesn't activate - let people see what might be sitting on their websites.
  • Indiana (Banned)
    [DELETED]
    • Indiana (Banned)
      [DELETED]
      • Mike Wright
        Originally Posted by Indiana

        Hya Mike Well I trashed the server side CSS then replaced it with the original...flushed the internet temp files...Still there... Gone to rat about
        see if I can spot something -o)...Indy

        Try header/footer files Indy ... plus files in the /inc dir on server.

        It's pretty much got to be somewhere which loads on index and other pages ..... so theme/style/css/header/footer seem likely places as well
        as inc files ??????

        I suppose you could always download all the site files to a new directory on computer and scan those with Avast to see if it will pick up the
        thing that way ????

        Not much fun if it has been written into the database via a SQL
        vulnerability with something like the footer copyright info for example.

        I have just completed a new thorough Avast scan of my computer
        with not a single infection or warning ...so it definitely comes from
        the serverside somewhere.

        LOL, am staying away from PHPBB sites for a while.

        PS. CTABUK's TIP was phpbb ...got hacked and is now
        on SMF for that reason ...and the SMF database migration
        script from phpbb worked ok! Hint hint hint
  • RandyW32
    Mike beat me to the punch! But that should definitely work!
  • tschlotter
    Just out of curiosity - does anyone have an opinion as to whether Kaspersky anti-virus is better or worse than Avast?

    I used Kaspersky's online scanner and free 30-day trial to fix a major problem on my computer a few weeks ago. I was almost to the point of having to reformat when I tried their software and it did the trick. My problem wasn't on my server, but they do have an extensive knowledgebase on the site that deals with website viruses, maybe that would be helpful.

    Anyway, I'm trying to decide whether or not to keep my Kaspersky service when my trial is up. If Avast is as good or better, I'd much rather have a free service!!
  • Indiana (Banned)
    [DELETED]
    • Mike Wright
      Originally Posted by Indiana

      Mike...John's on its case...The most formidable virus assassin since Louis Pasteur...IMHO...-O)...Indy

      That's the best news I have had for a long time
      Welcome back John .... you have been missed!
  • HeySal
    Just got the note from John, Indy. Never been so glad to hear from a man in my life. I'm thinking if he disappears again I might have to go to NC and marry him so he can't get away on us again.

    From my research - this is what I found - and this is as deep as I understand what was told to me.

    This thing attacks or attaches to I-Frames, source pages, etc. If you have anything on your system that involves permissions set at 777 you are vulnerable - it will come straight through them. Possibly why the address of at least one of the redirects is 777 something?

    There are several versions of this thing going on - and they come back. I had the wdmaud and had to delete it manually - twice now. These are the viruses that are attacking millions right now and only one or two applications are picking it up at all.

    Sometimes it pretends it's a yahoo counter. If you have a code for yahoo counter and you didn't put it there, you have found your culprit. Also check I-frames and source codes.

    Tschlotter - I assume the answer to your question would involve whether your Kaspersky detects this virus when you get it or not.
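The hunt described in this thread (Mike's advice to pull the site files down to a local directory and look at theme/CSS, header, footer and /inc files, his note that the injection may instead sit in the database, and Sal's points about hidden iframes, a counter script nobody installed and 777 permissions) can be turned into a repeatable local check. The script below is an added example written for this page; it is not code from anyone in the thread, from phpBB or from any antivirus vendor. It walks a local copy of the site, flags hidden iframes, script tags that load from a host you did not allow-list, common obfuscation calls, markup inside a stylesheet, world-writable files, and the same markers inside a SQL dump. The regexes are heuristics, not a signature for Exploit-PHPBB.b, and the sample site it builds (file names, hosts such as example.invalid, the 0o777 cache file) is constructed for the dry run.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns for injected content. These are illustrative checks,
# not a vendor signature for Exploit-PHPBB.b or any other named detection.
PATTERNS = {
    # iframes sized to nothing or hidden with CSS: typical of silent redirects
    "hidden-iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
        r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    # script tag loading from another host; group 1 captures that host
    "external-script": re.compile(
        r"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I),
    # constructs typical of obfuscated droppers
    "obfuscated-js": re.compile(
        r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I),
    # markup has no business in a stylesheet (the bogus theme .css case)
    "markup-in-css": re.compile(r"<(?:script|iframe)\b", re.I),
}
# file types worth reading; .sql covers a database dump (footer text, config rows)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".css", ".js", ".tpl", ".inc", ".txt", ".sql"}


def scan_text(text, suffix, allowed_hosts=()):
    """Return [(rule, line_number, snippet)] for one file's contents."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for rule, rx in PATTERNS.items():
        if rule == "markup-in-css" and suffix != ".css":
            continue
        for m in rx.finditer(text):
            if rule == "external-script" and m.group(1).lower() in allowed:
                continue  # your own CDN, or a counter you actually installed
            line = text.count("\n", 0, m.start()) + 1
            findings.append((rule, line, m.group(0)[:80]))
    return findings


def scan_tree(root, allowed_hosts=()):
    """Walk a local copy of the site; return {relative posix path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        found = []
        mode = path.stat().st_mode
        # a file anyone on the host can write is a foothold whatever its type
        if mode & stat.S_IWOTH:
            found.append(("world-writable", 0, oct(stat.S_IMODE(mode))))
        if path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            found.extend(scan_text(text, path.suffix.lower(), allowed_hosts))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report


def build_sample_site():
    """Constructed sample site copy (not a real infection) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="site-copy-"))
    (root / "templates").mkdir()
    (root / "cache").mkdir()
    (root / "index.php").write_text(
        "<?php include 'templates/overall_footer.html'; ?>\n"
        "<script src=\"/js/site.js\"></script>\n")  # same-origin script: fine
    (root / "templates" / "overall_footer.html").write_text(
        "<div>&copy; 2008</div>\n"
        "<script src=\"http://counter.example.invalid/c.js\"></script>\n"
        "<iframe src=\"http://example.invalid/x.php\" width=0 height=0></iframe>\n")
    (root / "templates" / "subsilver.css").write_text(
        "body { color: #000 }\n"
        "<script>document.write(unescape('%3Cscript%3E'))</script>\n")
    (root / "dump.sql").write_text(
        "INSERT INTO phpbb_config VALUES ('site_desc', "
        "'<script src=\"http://example.invalid/s.js\"></script>');\n")
    hits = root / "cache" / "hits.txt"
    hits.write_text("0\n")
    os.chmod(hits, 0o777)  # the "777 permissions" case from the thread
    return root


if __name__ == "__main__":
    for rel, items in scan_tree(build_sample_site()).items():
        for rule, line, snippet in items:
            print(f"{rel}:{line}: {rule}: {snippet}")
```

Run it against a directory you have downloaded from the server (and a mysqldump of the forum database dropped into the same tree as a .sql file), passing the hosts you genuinely load scripts from as `allowed_hosts`. Anything it reports in a theme, header, footer or inc file that you did not put there is the place to start; a clean report is not proof of a clean site, since the patterns only cover the injection styles this thread describes.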
  • cgj1981
    I had a similar problem with one of our sites Compare Schools Australia - Australian Schools Directory & Rankings but it only seems to be AVG that picks up that it is a virus (even though with its IE enhancer it detects the site as a tick and safe).

    I hope Sal you had no returns to your site but I am unsure like many in this thread have suggested whether mine is an issue or not.

    CJ
  • HeySal
    LOL, Indy - Women used to want doctors - now Internet Engineers and mechanics.

    I just sweep up after them -O)...Bissou Sally...Indy

    And I just carry your mops for you and keep the crowds happy.
    Everything I know I owe to you and John. And I have only begun to tap into that well. It's such a darned deep one.

    .........signed Helpless, but not Hopeless, in WA.
  • HeySal
    I was told by either my host or avast, don't remember which as I've been researching endlessly on this, that anything set with 777 permissions is vulnerable.

    You are right, Indy - it is highly likely it is a MYSQL attack.

    John is not saying anything until he is done with fixing this and is taking measures to disallow it to regain entry - but I won't know the bottom line on it until he is done. At this point all he has said is it is very interesting watching the "evolution"? Sounds scary at the very least. If this virus is as bad as it seems to be and as difficult to get rid of as it is now appearing to be, the answer might come out in report form in a WSO instead of in the forum. After all the work he is doing on it, he'd be deserving for finding the solution - a LOT of sites are getting hit with this one.
