Author Topic: [Resolved] I have a trojan on my blog ?  (Read 19669 times)


ludovic

  • Guest
[Resolved] I have a trojan on my blog ?
« on: September 19, 2011, 12:56:05 AM »
Hi,

Someone told me his "Windows Defender" has
again found a trojan on my blog:

hxxp://domination-web.com

1/ Do you find one too ?
2/ If yes, what can I do ?
3/ Which soft do you use to scan blog ?
4/ Where can I find this kind of soft ?

Thanks in advance. Regards.

Ludovic
« Last Edit: September 22, 2011, 12:36:56 AM by ludovic »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: I have a trojan on my blog ?
« Reply #1 on: September 19, 2011, 01:38:05 AM »
Hi ludovic,

Make that link non click through like hxtp
Your websoftware has an issue here: Wordpress internal path: -/home/ludovicg/public_html/domination-web/wp-content/themes/OptimizePress/index.php

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #2 on: September 19, 2011, 08:40:20 AM »
Hi,

hxtp ? what's that ?
What should I do ?

Regards

Ludovic

Offline polonus

Re: I have a trojan on my blog ?
« Reply #3 on: September 19, 2011, 01:34:59 PM »
You should change the address of your blog like this hxtp://domination-web.com/ or as
-http://domination-web.com/  so users here cannot click the link any longer until proven as clean,
for malware connection points: http://www.malware-control.com/statics-pages/85bc7afe34f2618665b7d11ce5024bed.php
found benign here: http://wepawet.iseclab.org/view.php?hash=c402a78b8533cd52ae7267654eb9c75b&t=1316430838&type=js
but code there EVALS sure look suspicious....
and here: http://urlquery.net/report.php?id=2635
Also consider this report because of links that go there: http://www.google.com/safebrowsing/diagnostic?site=ajax.googleapis.com
DrWeb's URL Check results:
Checking: -http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/wp-ajax-edit-comments.js?ver=2.3
File size: 21.77 KB
File MD5: c80e338eee637bc1f1fd566068392491

-http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/wp-ajax-edit-comments.js?ver=2.3 - Ok

Checking: -http://domination-web.com/wp-content/plugins/commentluv/js/commentluv.js?ver=3.2.1
File size: 11.56 KB
File MD5: 5e6882ce87a961683ecaa702a185b566

-http://domination-web.com/wp-content/plugins/commentluv/js/commentluv.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/wp-includes/js/l10n.js?ver=20101110
File size: 308 bytes
File MD5: d64dc5dca841a048946621b935e540a3

-http://domination-web.com/wp-includes/js/l10n.js?ver=20101110 - Ok

Checking: -http://domination-web.com/wp-content/plugins/sharebar/js/sharebar.js?ver=3.2.1
File size: 1802 bytes
File MD5: 7783924f98186953663f85a3949b03e7

-http://domination-web.com/wp-content/plugins/sharebar/js/sharebar.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/wp-content/themes/OptimizePress/js/combinebottom.js
File size: 552.97 KB
File MD5: 6b4d4823946e5d481bddaa080e410ac5

-http://domination-web.com/wp-content/themes/OptimizePress/js/combinebottom.js - Ok

Checking: -http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js?ver=1.3.2
File size: 55.91 KB
File MD5: bb381e2d19d8eace86b34d20759491a5

-http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js?ver=1.3.2 - Ok

Checking: -http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js?ver=3.2.1
File size: 10220 bytes
File MD5: 892a543f3abb54e8ec1ada55be3b0649

-http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/wp-content/themes/OptimizePress/js/qtobject.js
File size: 2354 bytes
File MD5: a31031ac961b5950db68c86f12f41e0e

Trojan could be detected in qtobject.js and possibly FP because of the packer
-http://domination-web.com/wp-content/themes/OptimizePress/js/qtobject.js packed by JSPACK
>-http://domination-web.com/wp-content/themes/OptimizePress/js/qtobject.js - archive HTML
>->-http://domination-web.com/wp-content/themes/OptimizePress/js/qtobject.js/Script.0 - Ok
>-http://domination-web.com/wp-content/themes/OptimizePress/js/qtobject.js - Ok

Checking: -http://domination-web.com/wp-content/themes/OptimizePress/js/cufon-yui.js
File size: 38.53 KB
File MD5: 062a265ce7b1e6873c2c6a8123678c5f

-http://domination-web.com/wp-content/themes/OptimizePress/js/cufon-yui.js - Ok

Checking: -http://domination-web.com/wp-includes/js/wp-ajax-response.js?ver=3.2.1
File size: 2152 bytes
File MD5: 1da637535cdded009a8dde077e234430

-http://domination-web.com/wp-includes/js/wp-ajax-response.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/wp-content/themes/OptimizePress/js/js_cookie.js?ver=1.0
File size: 613 bytes
File MD5: b965ca791c1f5a7f96a218159c7e724f

-http://domination-web.com/wp-content/themes/OptimizePress/js/js_cookie.js?ver=1.0 - Ok

Checking: -http://domination-web.com/wp-content/uploads/jw-player-plugin-for-wordpress/player/jwplayer.js?ver=3.2.1
File size: 108.87 KB
File MD5: efbfd86acfb55228851e98575fdd1cab

-http://domination-web.com/wp-content/uploads/jw-player-plugin-for-wordpress/player/jwplayer.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/jquery.colorbox-min.js?ver=3.2.1
File size: 8140 bytes
File MD5: 512d0536cbc763681ea937ea50d2fdd5

-http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/jquery.colorbox-min.js?ver=3.2.1 packed by JSPACK
>-http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/jquery.colorbox-min.js?ver=3.2.1 - archive HTML
>>-http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/jquery.colorbox-min.js?ver=3.2.1/Script.0 - Ok
>-http://domination-web.com/wp-content/plugins/wp-ajax-edit-comments/js/jquery.colorbox-min.js?ver=3.2.1 - Ok

Checking: -http://domination-web.com/
Engine version: 5.0.2.3300
Total virus-finding records: 2612260
File size: 41.82 KB
File MD5: cd6464affcb83d709b31dee092bce638

-http://domination-web.com/ - archive HTML
>-http://domination-web.com//Script.0 - Ok
>-http://domination-web.com//Script.1 - Ok
>-http://domination-web.com//Script.2 - Ok
>-http://domination-web.com//Script.3 - Ok
>-http://domination-web.com//Script.4 - Ok
>-http://domination-web.com//Script.5 - Ok
-http://domination-web.com/ - Ok

polonus
« Last Edit: September 19, 2011, 01:57:19 PM by polonus »

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #4 on: September 19, 2011, 02:34:21 PM »
Hi Polonus,

Thanks for the reports but... I don't
understand a lot of things.   :-\

What should I do to make my blog clean ?

Ludovic

Offline polonus

Re: I have a trojan on my blog ?
« Reply #5 on: September 19, 2011, 02:46:57 PM »
Hi ludovic,

Give the Windows Defender log: what was found and where.

polonus

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #6 on: September 19, 2011, 03:57:49 PM »
I don't have it. Someone
just told me his windows
defender detected a trojan.

But he didn't give me
a report.

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #7 on: September 20, 2011, 01:08:38 PM »
What do you suggest I do ?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37544
  • Not a avast user
Re: I have a trojan on my blog ?
« Reply #8 on: September 20, 2011, 01:29:56 PM »

Offline polonus

Re: I have a trojan on my blog ?
« Reply #9 on: September 20, 2011, 02:43:52 PM »
Hi Pondus,

There are three examples described on the malware this "could" be by Sophos Detailed Analysis, see: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~JSPack-A/detailed-analysis.aspx SOPHOS-Protection available since: 04 Aug 2011 01:53:13 (GMT);
and I assume this because we find traces on the page mentioned: OptimizePress/js/qtobject.js packed by JSPACK... and there is an "assignment to undeclared variable QTObject" there, a QuickTime issue, and this is like a "CoolWebSearch parasite variant" that is being flagged by MS I guess, but a Windows Defender scan expert must be fully aware and should be able to give further details on the malcode/adware flagged. My analysis so far is only based on what I see there,

polonus
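Added example, not part of any post in this thread: a small triage script a site owner could run over a local copy of the theme's JavaScript to see which files are packed (and so prone to heuristic flags) and which differ from a trusted vendor copy. It assumes the JSPACK label in the scan output refers to the Dean Edwards p,a,c,k,e,r wrapper; the `blog.example` paths, file contents and verdict names are constructed for illustration, and SHA-256 is used for the comparison instead of the MD5 shown in the scan output.

```python
import hashlib
import re

# Wrapper emitted by the Dean Edwards "p,a,c,k,e,r" packer. Assumption: this is
# the kind of packing the scan output in the thread reports as JSPACK.
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
# Calls that build or run code at run time; scanners weigh these heavily.
DYNAMIC_RE = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")


def defang(url):
    """Make a URL non-clickable before posting it (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url, count=1, flags=re.IGNORECASE)


def triage(url, body, trusted_sha256=None):
    """Classify one script from a local copy of the site."""
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    packed = bool(PACKER_RE.search(body))
    dynamic = sorted(set(DYNAMIC_RE.findall(body)))
    if trusted_sha256 is not None:
        # A hash taken from the vendor's original file settles the question.
        verdict = "matches-trusted" if digest == trusted_sha256 else "modified"
    elif packed:
        verdict = "packed-unverified"  # cannot tell a false positive from tampering by eye
    elif dynamic:
        verdict = "dynamic-code"
    else:
        verdict = "plain"
    return {"url": defang(url), "sha256": digest, "packed": packed,
            "dynamic": dynamic, "verdict": verdict}


# Constructed sample inputs (hypothetical paths and contents, not the real files).
PLAIN = "function QTObject(src) { this.src = src; }\n"
PACKED = "eval(function(p,a,c,k,e,d){return p}('0 1',2,2,'a|b'.split('|'),0,{}))\n"
TRUSTED = hashlib.sha256(PLAIN.encode("utf-8")).hexdigest()

SAMPLES = [
    ("http://blog.example/theme/js/plain.js", PLAIN, TRUSTED),
    ("http://blog.example/theme/js/packed.js", PACKED, None),
    ("http://blog.example/theme/js/changed.js", PLAIN + "eval(unescape('%61'))\n", TRUSTED),
]

if __name__ == "__main__":
    for url, body, trusted in SAMPLES:
        r = triage(url, body, trusted)
        print(r["verdict"], r["url"], r["dynamic"])
```

A `packed-unverified` file is best resolved by replacing it with the vendor's current copy and recording its hash, so the next scan can compare against a trusted value.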

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #10 on: September 20, 2011, 06:23:13 PM »
Hi,

I am really sorry but I don't know exactly
what to do. Can you help me to solve my
problem (with simple words) ?

Regards

Lud@vic

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #11 on: September 21, 2011, 11:09:52 PM »
Hi,

I have just made an update of my WordPress
theme OptimizePress.

Can you scan my domination another time?
Maybe the problem is resolved ?

Thanks.

Regards
Ludovic



Offline Pondus

Re: I have a trojan on my blog ?
« Reply #12 on: September 21, 2011, 11:30:24 PM »
I uploaded the info to Norman lab yesterday and they say it is CLEAN

Quote
At 2011-9-21 6:40:6, ygu wrote:
Hi
It is not infected.
Thanks for Submission
Yash


Files:
domination-web.com.htm : Not added

ludovic

  • Guest
Re: I have a trojan on my blog ?
« Reply #13 on: September 22, 2011, 12:36:28 AM »
Great news !!!   ;D

Thanks for your help