Please look at!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
My host server says my website has a virus - all the scans show it as clean - but there IS some strange code when viewing Source - it is only there after I have uploaded to the server and seen through a browser - no editor can see it.
I have made an html inside c/panel and the result is NO scum-html so I assume it is being attached from my computer.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:29:23 PM, on 1/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\NETGEAR\WPNT121\WPNT121.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPNT121 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPNT121\WPNT121.exe
O8 - Extra context menu item: Download All By FlashGet3 - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download By FlashGet3 - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290711387953
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 8221 bytes
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I need to see a link to that site please.....

Post it here in a reply, I will check it for you and I can remove it if there is a problem with any malware.
 

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
I had removed the site. I uploaded it again so you can see the source code. Also, Dreamweaver said this: "The file "/index_html_files/562.png" was skipped because the old remote file could not be deleted." - after it uploaded the site. I have no idea what a "remote file" means - there were NO files on the server for it to have to "delete" since I trashed every single file that was on it.
Again: I am not sure if the codes are the "virus" my host says is in my site or not... but the scans show it as clean, and this funky code is all I can think of right now.
 

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
I found that http://software.kuaiche.com/ is to allow flashget to give a suggestion page, much like iTunes does?

Has anyone gone to the website I am having troubles with and viewed the source html?
my host said the virus was in menu.sj - but didn't say what virus or how they knew or exactly where it was..
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I have been very busy and am just now getting some time to be here so I will check things and reply with help if I can.

EDIT: I have checked the link which opens to the Parent Directory which is empty, no alerts on either link. I am also using Avast.

http://www.gioiellidicresci.com/sterlingetc.html <<< This does not go anywhere nor display a webpage.... I get "The webpage cannot be found" 404 error for that link. Check your typing for a mistake.

I do not see any menu.sj coded in either site code. ((Isn't that supposed to be a JavaScript, or .js file??))

If you removed all the files then there is nothing I can look at. The site does not contain that .HTML page now.


Forum software does not permit HTML code to be uploaded as an attachment, either.

I think either there IS some bad code when you upload your files to the site......or, Avast is detecting a false positive, which does happen.

If Virus Total comes up with nada, I think you have the answer already.
 

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
Sorry, I removed the entire site today.
I mis-typed "menu.js" not .sj (which would make it a Jesuit)
I am scanning my drives all day with everything I can think of, then I will attempt another upload of my site to the server...
The only thing that bothers me (besides seeing the strange codes when viewing the Source) is that cPanel says I have a virus, and Facebook says I have a virus.
Anyway, I will post when my site is back up tomorrow evening.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Read the report found in the "Details" at this page.

http://www.unmaskparasites.com/security-report/

Unmask Parasites is a website checking tool that can show if malware has been or is being hosted.

It says in the last 90 days, the site http://software.kuaiche.com/ HAS hosted malware that did infect some servers so probably if your site had linked to the infected site it was showing up in your scan. Or, your site could have been infected also, I don't know.
 

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
I went to the site above and it found all the "Hidden" urls. My computer is clean according to Norton, Avast, Superantispyware, Malware, Trend Micro...
How is this getting into my pages? Is it coming from cPanel?
If I can't see it, how do I edit it out?
Zone Alarm says my site is a possible threat. I will leave the site up until tomorrow so you can check it out - maybe tell me what I can do to fix.. then I will delete the files from the server again.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
http://www.UnmaskParasites.com/security-report/?page=www.gioiellidicresci.com/sterlingetc.html

That link should show you the report and it details all the 193 hidden spam URLs

If you actually go to one of those sites.....each one is hosting infected downloadable files, such as keygens, cracks, etc

They are hard to see but are there!

There are additional tests you can try

I really don't know how it gets onto your site, but if the webhost allows it, or possibly sponsors ads, then that is where it comes from.....ask them.

I get no activity from Avast when I go to your site, regardless of the spam URLs that are hidden.

I have looked at the Source code and I see the script of spam links starts at about line 228

It's a Javascript. It is probably some form of exploit. You don't see anything looking at your site because the exploit affects those who come to the site and are vulnerable to a Java exploit, at least that is what I think is going on, I am not an expert at determining whether a site may be infected, or the host server might be..... I may have someone look at this thread who may be able to help you further.



Probably coming from the servers you host with.

Download this http://oldtimer.geekstogo.com/TFC.exe

Save the file to a folder or the Desktop as you prefer....double click to start it.



and run it> deletes temporary files, cleans Flash and Java caches, etc. Temporary Internet Files, cookies, too.

And it works for all user accounts run from an administrator level account.

Use caution--- I don't know how your computer is set up, make sure you have the valid web files safe someplace, not just in the Java cache.

Of course this will not affect anything if the exploit is coming from some where else or the servers but at least it may help your computer.......
 

CzarinaOz

Thread Starter
Joined
Jun 12, 2007
Messages
65
Today when uploading my site again, I canceled it after a few files had been completed and then started another upload - Dreamweaver told me that a file I was uploading that was already on my server had been "Changed..." (somewhere other than on my computer) and if I wanted to over-write it. So it is official that my files are being changed after I upload to my host server (maybe on cPanel?)
...or can it still be a program hidden inside my pages until after they are online?
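Byteman's finding above (a script block of hidden spam links that only shows up in the served page) and the Dreamweaver warning that a file changed on the server both come down to the served copy differing from the local one. As an added example, not from this thread, here is a Python check that compares the local file with what the server serves and scans the served copy for CSS-hidden links and scripts referencing hosts other than the site's own; the host name example.com and the two sample pages are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser

# CSS used to keep injected spam links out of sight; void tags never get an end tag
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}

class InjectionScanner(HTMLParser):
    # Flags links inside CSS-hidden elements and scripts that reference foreign hosts
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []          # one bool per open element: is it (or an ancestor) hidden?
        self.in_script = False
        self.findings = []       # (reason, detail) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = (bool(self.stack) and self.stack[-1]) or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
        self.in_script = self.in_script or tag == "script"
        if tag == "a" and hidden:
            self.findings.append(("hidden link", a.get("href") or ""))

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            hosts = {h.lower() for h in re.findall(r"https?://([\w.-]+)", data)}
            foreign = sorted(h for h in hosts if not h.endswith(self.own_host))
            if foreign:
                self.findings.append(("script referencing foreign hosts", ", ".join(foreign)))

def scan_pages(local_html, served_html, own_host):
    # Compare the editor's copy with what the server actually serves, then scan the served copy
    changed = hashlib.sha256(local_html.encode()).digest() != hashlib.sha256(served_html.encode()).digest()
    scanner = InjectionScanner(own_host)
    scanner.feed(served_html)
    scanner.close()
    return {"changed_on_server": changed, "findings": scanner.findings}

# Constructed sample: the clean local file, and a served copy with injected hidden content
LOCAL_HTML = "<html><body><h1>Sterling</h1><a href='/rings.html'>Rings</a></body></html>"
SERVED_HTML = LOCAL_HTML.replace("</body>",
    "<div style='display:none'><a href='http://spam-example.test/keygen'>keygen</a></div>"
    "<script>var u='http://spam-example.test/x.js';</script></body>")
```

Fetch the served copy with any HTTP client and pass it as `served_html`; a non-empty `findings` list on a page whose local copy is clean is the server-side modification the thread describes.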
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
I think you are on the right approach. You have to ask the webhost to check the server....

I have someone who will check this probably tomorrow as they are in the UK and they may have more help for you.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
That is on the website & extremely unlikely to be anything on your computer
get in touch with your host immediately & shut down the site until it is fixed

if your host won't fix it then move hosts

I do suggest a move anyway as that host is running out of date hosting software (Apache & PHP) with known vulnerabilities that can be used to let attackers on


Moved to web development
 