Author Topic: HTML:IFrame-EJ [Trj] Found on my website( It's back!)


MonsterKat

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #30 on: June 03, 2009, 05:03:07 AM »
Alright, so here is my update. It makes no sense to me, but you guys are smarter, so hopefully this helps....

I went on and did everything I was supposed to and used RequestPolicy and NoScript. I edited the index page and saved it. Then I got off and reset Firefox to view the website, and the warning on avast came on again.

Now I have come across a new thing,

My mom (who is Val, obviously, with Val's Kids Line) has been in talks with a customer via email. Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it, BUT it has never been downloaded. The attachment is called stat3199.jpg. I don't think the attachment being shown has anything to do with it, because it's never been downloaded. This is a trusted customer, so I know that she didn't do this. I am very confused as to why that warning comes up when I read an email from her.

The email address she uses is NOT a website server email address it is a yahoo.ca address that she has always used.

Any ideas?

Thanks guys!

avuser007

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #31 on: June 03, 2009, 08:14:56 AM »
Quote

Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it, BUT it has never been downloaded.

Avast is probably scanning the attachment via the link to it in the email. A friend of mine was recently infected with Gumblar via a fake Facebook "you've been friended" email.

Simple answer: delete the attachment. And NO sender is "trusted", unless you 100% trust that the sender isn't infected with trojans on their own PC. Just because you trust the person doesn't mean you can trust their PC. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #32 on: June 03, 2009, 03:29:24 PM »
Not sure what index page you are talking about. If you are editing the control panel index page, then that would revert to the one served up by the Host. If the Host's end is infected, then it is highly likely that it will continue to infect the sites that it hosts.

Quote

Now I have come across a new thing,

Every time she clicks on the email from the customer, the exact same alert comes up from avast. The email from her has an attachment attached to it, BUT it has never been downloaded.

I somehow doubt it is 'exactly' the same message, as the Internet Mail provider's messages differ from those of the Web Shield, so we really need to know the full error message. Check the avast! Log Viewer (right-click the avast 'a' icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log.

I also suggest that you create a new topic for this or it will just confuse this topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MonsterKat

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #33 on: June 03, 2009, 06:12:42 PM »
Quote

5/10/2009 11:42:01 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:52:19 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:52:57 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:54:42 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:54:51 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:55:07 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:55:13 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 11:57:29 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 11:57:47 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:05:59 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:06:08 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:21:57 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\EADEA65Ad01" file. 
5/10/2009 12:22:05 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://gensap.com/Contact/Default.aspx" file. 
5/10/2009 12:22:19 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.gensap.com/" file. 
5/10/2009 12:22:43 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\BB323658d01" file. 
5/10/2009 12:27:01 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:27:10 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\valskidsline_com[1].htm" file. 
5/10/2009 12:30:22 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:30:39 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 12:35:17 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 12:35:17 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 3:55:46 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 4:01:31 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/10/2009 4:01:35 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\1F995C4Bd01" file. 
5/10/2009 4:29:30 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/index.php" file. 
5/10/2009 5:08:04 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "http://cpanel2.page14.com/" file. 
5/10/2009 5:08:58 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:12:48 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:16:34 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.gensap.com/" file. 
5/10/2009 5:16:39 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Application Data\Mozilla\Firefox\Profiles\c6ugp8fp.default\Cache\EADEA65Ad01" file. 
5/10/2009 5:25:04 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:25:22 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:25:27 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "http://cpanel2.page14.com/" file. 
5/10/2009 5:25:51 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:26:02 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/10/2009 5:27:48 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 4:41:54 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/28/2009 4:43:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 4:43:19 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
5/28/2009 4:54:15 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:09 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:17 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:02:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 5:03:11 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:22 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:30 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:45 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:03:55 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:04:24 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://rnw.kz/index.php\{gzip}" file. 
5/28/2009 5:07:03 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
5/28/2009 5:07:10 PM   SYSTEM   1604   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel2.page14.com/" file. 
6/1/2009 4:58:51 PM   SYSTEM   1652   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 10:45:34 PM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 10:54:00 PM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/2/2009 11:25:42 PM   Administrator   2416   Sign of "JS:Pdfka-GH [Expl]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\index[3].htm" file. 
6/2/2009 11:29:41 PM   Administrator   2416   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\Documents and Settings\Administrator.MOMS\Local Settings\Temporary Internet Files\Content.IE5\PL3V19GI\valskidsline_com[1].htm" file. 
6/3/2009 11:36:28 AM   SYSTEM   1400   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.valskidsline.com/" file. 
6/3/2009 11:46:42 AM   SYSTEM   1400   Sign of "JS:Redirector-H9 [Trj]" has been found in "hxxp://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/\{gzip}" file. 

So there's that, I couldn't upload an attachment as I don't have that option so I hope this will help.

I went on to my host's control panel, signed in, and was editing the index page from there and just saving it. It was a risk just to do that much because my HOST is infected. So every time I upload, it's just going to get re-infected?

I'm switching hosts for sure as mine clearly isn't going to fix this. If I go to another host am I still going to have issues? I think now I have the infection in my computer, but I'm not all that smart with this..... ( as you can tell)

thanks everyone!
« Last Edit: June 03, 2009, 06:15:40 PM by MonsterKat »
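As an added example (not code from the thread, from avast, or from any poster), here is a small Python parser for Warning.log lines in the format quoted above. It groups detections by signature and location and separates Web Shield hits on URLs from browser-cache files, which is the split DavidR's question about "which shield fired" turns on; the hostnames and paths in the sample lines are constructed, not taken from the thread.

```python
"""Summarise avast 4 Warning.log detections (added example, not avast code).

Each Warning.log line has the shape shown in the thread:
  <m/d/yyyy> <h:mm:ss AM|PM>   <user>   <pid>   Sign of "<sig>" has been found in "<target>" file.
The target is either a URL the Web Shield blocked (defanged as hxxp://)
or a local file, most often a browser cache entry.
"""
import re
from collections import Counter
from datetime import datetime
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<target>[^"]+)" file\.\s*$'
)


class Detection(NamedTuple):
    when: datetime
    user: str
    pid: int
    signature: str
    kind: str       # "web" = URL scanned by the Web Shield; "cache" = browser cache; "file" = other local file
    location: str   # hostname for web hits, full path otherwise


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; returns None for lines that are not detection records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(re.sub(r"\s+", " ", m["when"]), "%m/%d/%Y %I:%M:%S %p")
    # avast appends "\{gzip}" when the scanned response body was gzip-encoded
    target = re.sub(r"\\\{gzip\}$", "", m["target"])
    if re.match(r"^(hxxp|http)s?://", target, re.I):
        host = urlsplit(re.sub(r"^hxxp", "http", target, flags=re.I)).hostname or ""
        return Detection(when, m["user"], int(m["pid"]), m["sig"], "web", host.lower())
    low = target.lower()
    kind = "cache" if ("\\cache\\" in low or "temporary internet files" in low) else "file"
    return Detection(when, m["user"], int(m["pid"]), m["sig"], kind, target)


def summarize(lines):
    """Group detections by (signature, kind, location) and flag whether any
    detection points at something other than a served page or its cached copy."""
    dets = [d for d in map(parse_line, lines) if d is not None]
    return {
        "parsed": len(dets),
        "skipped": len(lines) - len(dets),
        "counts": Counter((d.signature, d.kind, d.location) for d in dets),
        "web_hosts": sorted({d.location for d in dets if d.kind == "web"}),
        # True when every hit is a Web Shield block or a browser cache file:
        # consistent with the site serving the iframe rather than a resident
        # infection (a heuristic, not proof; a real cleanup still scans the machine).
        "only_transient": all(d.kind in ("web", "cache") for d in dets),
    }


def report(lines) -> str:
    """Human-readable summary of a Warning.log excerpt."""
    s = summarize(lines)
    out = [f"{s['parsed']} detections parsed, {s['skipped']} other lines skipped"]
    for (sig, kind, loc), n in sorted(s["counts"].items()):
        out.append(f"  {n:3d}x {sig:24s} {kind:5s} {loc}")
    out.append("web hosts serving detections: " + ", ".join(s["web_hosts"]))
    out.append("only web/cache hits: " + str(s["only_transient"]))
    return "\n".join(out)


# Constructed sample in the thread's log format; hosts and paths are made up.
SAMPLE_LOG = """\
5/10/2009 11:42:01 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\Cache\\1F995C4Bd01" file.
5/10/2009 11:52:19 AM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://www.example-shop.test/" file.
5/10/2009 3:55:46 PM   SYSTEM   1360   Sign of "HTML:IFrame-EJ [Trj]" has been found in "hxxp://cpanel.example-host.test/" file.
5/28/2009 4:43:18 PM   SYSTEM   1604   Sign of "HTML:Framer-inf [Trj]" has been found in "hxxp://redirect.example.test/index.php\\{gzip}" file.
6/2/2009 11:25:42 PM   Administrator   2416   Sign of "JS:Pdfka-GH [Expl]" has been found in "C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\index[3].htm" file.
this line is not a detection record
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against a real Warning.log by passing its lines to `report()`; a "file" entry outside the browser cache is the kind of hit that warrants the machine-side cleanup steps suggested later in the thread.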

MonsterKat

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #34 on: June 03, 2009, 06:16:46 PM »
I ran out of room on my last post.

So as you can see, there have been a lot of issues.

My host's home page is infected, my control panel through the host is infected, and so is my website and potentially my computer.

I'm so lost there's no finding me lol.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #35 on: June 03, 2009, 07:18:22 PM »
For your own computer, I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

For your website, I suggest cleaning the code and using strong passwords to change the code.
The best things in life are free.

avuser007

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #36 on: June 03, 2009, 07:26:39 PM »
Quote

My host's home page is infected

You're kidding, what's the URL? I'll remember not to use that host. :) Seriously, give us the URL so we can see if the host really is infected or if it's just something on your system.

Offline DavidR

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #37 on: June 03, 2009, 08:22:53 PM »
Can you not see the first URL in the quoted text? That is his site; it is also at the start of the topic...


avuser007

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #38 on: June 03, 2009, 08:29:17 PM »
Quote

Can you not see the first URL in the quoted text? That is his site; it is also at the start of the topic...

Can you not see I'm after the web host's infected URL, not the valskidsline site?

Offline DavidR

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #39 on: June 03, 2009, 08:46:11 PM »
The host's information is also on the topic's first page; a whois would also show the server it is hosted on.

MonsterKat

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #40 on: June 04, 2009, 03:40:29 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:44 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\igfxtray.exe
C:\WINDOWS.0\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS.0\system32\lxddcoms.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*hxxp://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*hxxp://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*hxxp://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*hxxp:
« Last Edit: June 04, 2009, 04:08:21 AM by MonsterKat »

MonsterKat

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #41 on: June 04, 2009, 03:42:47 AM »
//www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*hxx//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*hxxp://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = hxxp://google.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS.0\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS.0\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-343818398-813497703-682003330-500\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User '?')
O4 - S-1-5-21-343818398-813497703-682003330-500 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%20Twist/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224351659484
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device -   - C:\WINDOWS.0\system32\lxddcoms.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10669 bytes
« Last Edit: June 04, 2009, 04:10:41 AM by MonsterKat »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #42 on: June 04, 2009, 07:55:57 PM »
Hi MonsterKat,

This does not look right:
http://www.systemlookup.com/CLSID/55196-tbiWin_dll_tbiWi0_dll_tbiWi1_dll.html
Fix this:
O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWi0.dll

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #43 on: June 04, 2009, 09:17:54 PM »
Greetings DavidR (when you're back on line)

I can track down the obfuscated script on the home pages that have been sent into this thread. Thanks again for the tips last night. Trust Old Blighty to come through when they're needed.  :)

I did a bit of practice this morning (7.07 AM here) and my routine for testing sites came through okay. Exactly like you said last night, these ones anyway. It's not what I'll do as a specialist, but it's always good to learn how things are done, get things down pat, so to speak, so I can do my share of following up queries about infections.
« Last Edit: June 04, 2009, 09:37:32 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline DavidR

Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #44 on: June 04, 2009, 10:27:24 PM »
You're welcome, it doesn't take long to get wise to the tricks they use to hide from view.
