Malware on my website?!

Hello, something is wrong on my website. Visitors complain of detection by anti-virus infection. For example here:
http://www.areavis.com/m/humor/view/Zwierzęta-zasypiają-z-maskotkami-Galeria

Full scan from my server nothing found.

On Google diagnostic page I found this: http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com

This site was hosted on 1 network, including AS23352 (SERVERCENTRAL)

Why my website is hosted on AS23352 (SERVERCENTRAL) and how to fix this? Please help

I check it also on: http://quttera.com/detailed_report/www.areavis.com

and I see this information:

/inc/js/functions.js

Interesting.  When I got to view code I get this:

File name: /inc/js/functions.js

[[html+='<html><head></head><body><formid="'+sWindowId+'"method="'+sMethod+'"action="'+sWindowUrl+'">';if(aVarNames%26%26aVarValues%26%26(aVarNames.length==aVarValues.length)){for(vari=0;i<aVarNames.length;i++){html+='<inputtype=\"hidden\"name="'+aVarNames[i]+'"value="'+aVarValues[i]+'"/>';}}html+='</body></html></form><scripttype="text/javascript">document.getElementById("'+sWindowId+'").submit()</script></body></html>';newWindow.document.write(html);returnnewWindow;}functionsetCheckbox(the_form){varelts=document.forms[the_form].getElementsByTagName('input');varelts_cnt=elts.length;varallUnchecked=true;for(vari=0;i<elts_cnt;i++)if(elts[i].checked)allUnchecked=false;for(vari=0;i<elts_cnt;i++)if(elts[i].type=="submit")elts[i].disabled=allUnchecked;}var]]

 Thank you for check. But what I should do now?

[[html+='<html><head></head><body><formid="'+sWindowId+'"method="'+sMethod+'"action="'+sWindowUrl+'">';if(aVarNames%26%26aVarValues%26%26(aVarNames.length==aVarValues.length)){for(vari=0;i<aVarNames.length;i++){html+='<inputtype=\"hidden\"name="'+aVarNames[i]+'"value="'+aVarValues[i]+'"/>';}}html+='</body></html></form><scripttype="text/javascript">document.getElementById("'+sWindowId+'").submit()</script></body></html>';newWindow.document.write(html);returnnewWindow;}functionsetCheckbox(the_form){varelts=document.forms[the_form].getElementsByTagName('input');varelts_cnt=elts.length;varallUnchecked=true;for(vari=0;i<elts_cnt;i++)if(elts[i].checked)allUnchecked=false;for(vari=0;i<elts_cnt;i++)if(elts[i].type=="submit")elts[i].disabled=allUnchecked;}var]]

maybe it's XP issue or older browser.

I checked it and i don't get any security mgs in IE, FF, O, Chrome

what if you delete the image ... do you still get a security detection??

Have you or anyone else made any changes in the functions.js file?

 I do not even know which this picture. Just people complain that after entering a gallery get a warning about the infection.
What worries me also what is Google Page diagnostic:
http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com

there is information:

This site was hosted on 1 network, including AS23352 (SERVERCENTRAL)

http://www.google.com/safebrowsing/diagnostic?site=AS:23352

There are spam links...maybe this is the reason?

 No, nobody did change. What could be wrong with this file?

I know if you have members that are seeing warnings that it is not a good thing.

Google has listed your site as OK.

You could upload the functions.js file from the zip archive and replace your current functions.js if you have not made any changes in it.

 This is strange because the scan on the server also found nothing. Most scans web page also found nothing. Only at quttera.com found something suspicious file functions.js

I switched the file to the original. However, I can not check if the problem is gone, because once I scanned my website and the second time I can not do that. Can anyone enter the quttera.com and enter the address of my website www.areavis.com to check it out?

Scan results the same.  Do you have js compression turned on?  I am wondering if it is tripping their scanner.  I would just ignore it except for the warnings that you say some of your members are seeing.

-

 Thanks for check. I turn on js compression now.

I am confused; did you have js compression on or off when running the scans?  My thought was that js compression could be causing the scanner to return a false positive.  Of course I don't know why it would trip on just the functions.js file.

 When the scans were running js file compression was OFF. Now I changed to ON.

I scanned my site with quttera.com and had no problems.

Perhaps your host has server side compression or mod_deflate is active and enabled in your .htaccess file.

Next time a member reports a problem with your site, find out what they are using for antivirus software. False positives are quite common with free antivirus scanners like Avast and AVG.

You also have a problem in your sites header templates. You have multiple head tags. You need to take more care when modifying these files to add your code for google fonts, google site verification and other plugins you add. You did something wrong in those files resulting in a damaged head section.

 For me only found something in file functions.js but I uploaded original and now I don`t know if all I have no threats on mywebsite. I don`t want to receive from visitors information about virus threats.

As I read before I found something also here: http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com and information: This site was hosted on 1 network(s) including AS23352 (SERVERCENTRAL).

But my server support tell me to just ignore this.

My support check this and compression and mod_deflate is disabled. I`m using AVG and nothing wrong with not detected on my website. But on another computer I have Avast and any threat detected ... but I thought it was a mistake on their part because this often happens and I ignored it. But then many visitors complained of infections ... so I suppose that Avast is a major problem ... I have already written to them in this matter.

In _header.html can be something wrong? I have this code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">   

    <title>__page_header__</title>
    <base href="<bx_url_root />" />   
    __page_description__
    __page_keywords__
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <bx_include_css />
    <bx_include_js />
    __dol_images__
    __dol_lang__
    __dol_options__
    <script type="text/javascript" language="javascript">
        var site_url = '<bx_url_root />';
        var aUserInfoTimers = new Array();
        $(document).ready( function() {
            $( 'div.RSSAggrCont' ).dolRSSFeed();
        } );
    </script>
    __extra_js__
    <bx_injection:injection_head />
    <script type="text/javascript">
        var oBxUserStatus = new BxUserStatus();
        oBxUserStatus.userStatusInit('<bx_url_root />', __is_profile_page__);
    </script>
</head>
__flush_header__
<body <bx_injection:injection_body /> class="bx-def-font">
    <bx_injection:injection_header />
    <div id="notification_window" class="notifi_window"></div>
    <div id="FloatDesc" style="position:absolute;display:none;z-index:100;"></div>
   
    <link href='http://fonts.googleapis.com/css?family=Exo&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Open+Sans&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Oxygen&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href="http://fonts.googleapis.com/css?family=Oswald:700|Droid+Serif:400,700italic" rel="stylesheet" type="text/css" />
<link href='http://fonts.googleapis.com/css?family=Play&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Roboto+Slab&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Ropa+Sans&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Russo+One&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Sanchez&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Scada&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Share&subset=latin,latin-ext' rel='stylesheet' type='text/css'>

<head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=__page_charset__" /> <meta name="google-site-verification" content="xxx" />

<meta name="msvalidate.01" content="xxx" />
</meta>

<script type="text/javascript" src="<bx_url_root />plugins/fancybox/jquery.fancybox.pack.js"></script>
<link rel="stylesheet" href="<bx_url_root />plugins/fancybox/jquery.fancybox.css" type="text/css" />
<script type="text/javascript" language="javascript">
$(document).on('click', '.single_image', function() {
  // remove the class to ensure this will only run once
  $(this).removeClass('single_image');
  // now attach fancybox and click to open it
  $(this).fancybox().click();
  // prevent default action
  return false;
});
</script>

oooh wee - you have a closing </head> before an open <head>. Like Deano said - you gotta pay attention to changes you make to your files. I would start by uploading fresh copies of _header.html and _sub_header.html (make backups of what you have though). THen, once you have everything like it should be, you can add your extra code (but ask for help in adding it so you know you add it to the correct places).

 Thank you. I'll fix it. But this code is already about three months ... and virus threats are only from about 5 days ...it could be the reason for this?

I catch today on other computer with avast this screenshot:

when I go to your site - I do not get any messages about malware. So, maybe you have something on your computer that is malware, or could it possibly be something with your country of origin? Just curious - do you get the same error messages when you go to demo.boonex.com?

 Thanks for check. I`m using AVG and nothing detected. On Avast also...but here something detected: http://www.unmaskparasites.com/security-report/

I find in php_admin scam link and delete it in site_stats_PagesStatistics. Now nothing detected here: http://quttera.com/detailed_report/www.areavis.com

Hello again, one suspicious file I was able to remove. But there is something else ... please check: http://www.UnmaskParasites.com/security-report/?page=www.areavis.com

My hosting support has already done two very long and accurate scans. Nothing on the server was not detected. They told me that it is hidden in my script and can not help me. Please if anyone can help me with this information about infection?

_atrk_opts={atrk_acct:"",domain:"areavis.com",dynamic:true};(function(){var as=document.createEleme...

There is a danger with freeware to report errors & some will even claim if you upgrade to the paid subscription version they will fix your problems for you automatically. I would be very wary of using freeware on security features, malware, anti virus, etc. That's not to say you don't have problems, others have identified errors in your header for starters. I would do as advised & restore default files & get advice here in new threads for any changes you want to make if you are unsure. Members here have checked your site & cannot duplicate the malware warnings, they can't be forced so start by fixing the errors you've been notified about.

I had many customers saying that they were getting virus warnings from our site... We had been blacklisted by some virus companies.... and the reason - One of the modules i purchased from the market - removed the module and everything went back to normal and got whitelisted in about a week or so.....

Hello again. Unfortunately, passed over current month, and the problem still exists. I do not know what to do. This reduces the credibility of my website. I get information from visitors to my website that is connected with Trojan threat. On the web browser "Opera" my website in general will not open because the message of danger. What can I do? Scan Server has no effect because it is 100% clean.

Many tests also shows that my website is clean. Except Yandex. Results here >>

I wrote to them in this matter and received this response:

A infinite loop is detected at your web server. Its scheme goes as follows:

www.areavis.com (302) - →
ehfhtjk5ekmdoh5ipfhzvxi.modagiyimtv.com/index.php?b=a3ZjeXRiej16am1wb21hZWkmdGltZT0xNjA1MTUwNjUwMTI4OTQ2OTIzNSZzcmM9MTQxJnN1cmw9d3d3LmFyZWF2aXMuY29tJnNwb3J0PTgwJmtleT0xRDk0ODZDNiZzdXJpPS8=
(302) → www.areavis.com (302) → ...