Jamit Software Forum
Author Topic: Trojan horse script  (Read 13112 times)
MartyStevens
Jammers
Newbie
*
Posts: 3


« on: November 05, 2010, 03:50:51 pm »

Hi,

The site I'm referring to is: dadaal.com

Recently I noticed that upon clicking on any particular job, my antivirus "Kaspersky" popped up an alert that reads:

DENIED: HEUR:Trojan.Script.Iframer

The browser I use is Firefox.

Lastly, I've attached the SecurityTools plugin reports for review if useful.

Any help or suggestions would be very welcome.

Thank You.
Logged
fujipadam
Jammers
Sr. Member
*
Posts: 62


« Reply #1 on: November 05, 2010, 10:38:50 pm »

Hmm, try refreshing the cache and see if you get the same error. If you don't, then your cache folder was compromised. BUT I don't see the error in Avira or Avast antivirus.
Logged
MartyStevens
Jammers
Newbie
*
Posts: 3


« Reply #2 on: November 17, 2010, 04:13:20 pm »

Hello,

Thanks for the reply. I am still getting the Trojan alert from Kaspersky.

Same reaction when I used a different PC with Kaspersky.

No reaction with a PC using Norton.

Which begs the question, is it a false positive? If not, then I'm infecting PCs and that is ... well, bad for business.

I contacted my host and they suggested the following (read below). I wanted to ask Adam if, by implementing their advice, there could be negative repercussions. For example, would this create errors, as I'm likely going to completely download the site?

Here is where I need your advice:
It seems I'm going to completely download the contents of the "public html" folder, then scan it for viruses. The question is:

Is it bad to completely delete the contents of the "public html" folder in order to upload the previously backed-up and scanned version of it?

Recommendations from my host:
 
Our suggestion would be for you to download a copy of your web site to your computer and run your antivirus on the web site files to find and remove the virus. Once that is done you can then reload your web site to your web space and remove the existing copy of your web site, hopefully this will resolve the virus issue.

Here are the steps you will want to take:

1) Connect to your web space via FTP
2) Download a copy of your web site to your computer
3) It may be best to keep two copies of your web site on your computer, one for cleaning and the other as a backup
4) Run the antivirus on one of your copies and remove the infections using your antivirus
5) Then remove all the web site files from your web space with us under public_html and reload your web site

Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #3 on: November 17, 2010, 11:32:13 pm »

I just checked your site, and it looks infected indeed. It looks like some JavaScript was injected into your site. The script is at the bottom of the page, and starts with the following signature:

Code:
<!-- C/C v0591 -->

To fix, you will need to restore your PHP files from a backup. You should also change your FTP password, and look for any vulnerabilities on your system / network. Always access your FTP using Secure FTP (SFTP).


I also want to give everyone on this forum a warning: Please do not use your every-day computer to visit infected sites or sites that have been suspected of an infection. You can get infected just by opening the above mentioned site if your system is vulnerable.

What I recommend is to boot Linux (or other OS) in a virtual machine, and then use the virtual machine to browse the site. That way your computer will not get infected, and if the virtual machine gets infected, then you can just restore it to a previous state.

This one works quite nicely:

http://www.virtualbox.org/
Logged
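An added example, not part of the thread and not Jamit's code: a Python sketch of the triage behind the advice above. It lists which files in a downloaded copy of public_html carry the marker quoted in Reply #3, and which differ from or are missing in a known-good backup. The function names and the sample tree built in `demo()` are constructed for illustration; a file without the marker can still have been modified, which is why the backup comparison is included.

```python
import os
import tempfile

MARKER = b"<!-- C/C v0591 -->"  # signature quoted in Reply #3

def read(path):
    with open(path, "rb") as f:
        return f.read()

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def index(root):
    """Map each file's path relative to root to its full path."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = full
    return out

def triage(site_copy, backup):
    """Compare a downloaded site copy against a known-good backup."""
    site, good = index(site_copy), index(backup)
    report = {"marker": [], "modified": [], "added": []}
    for rel, path in sorted(site.items()):
        data = read(path)
        if MARKER in data:
            report["marker"].append(rel)    # carries the injected signature
        if rel not in good:
            report["added"].append(rel)     # absent from backup: review by hand
        elif data != read(good[rel]):
            report["modified"].append(rel)  # content differs from backup
    return report

def demo():
    """Build a constructed sample tree (not real site data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        site, backup = os.path.join(tmp, "site"), os.path.join(tmp, "backup")
        clean = b"<?php echo 'jobs'; ?>\n"
        for root, body in ((backup, clean), (site, clean + MARKER + b"\n")):
            os.makedirs(root)
            write(os.path.join(root, "index.php"), body)
            write(os.path.join(root, "about.php"), clean)
        write(os.path.join(site, "x.php"), b"<?php ?>\n")  # file not in backup
        return triage(site, backup)

if __name__ == "__main__":
    print(demo())
```

Run `triage()` on the offline copies only, before anything is re-uploaded, and restore every file it reports from the backup.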