
Please look at!

Discussion in 'Web Design & Development' started by CzarinaOz, Jan 21, 2011.

Thread Status:
Not open for further replies.
  1. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    My host server says my website has a virus - all the scans show it as clean - but there IS some strange code when viewing Source - it is only there after I have uploaded to the server and seen through a browser - no editor can see it.
    I have made an html inside cPanel and the result is NO scum-html so I assume it is being attached from my computer.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:29:23 PM, on 1/21/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ASTSRV.EXE
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    C:\Program Files\NETGEAR\WPNT121\WPNT121.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\FlashGetBHO3.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: CurseClientStartup.ccip
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: NETGEAR WPNT121 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPNT121\WPNT121.exe
    O8 - Extra context menu item: Download All By FlashGet3 - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\GetAllUrl.htm
    O8 - Extra context menu item: Download By FlashGet3 - C:\Documents and Settings\Mommy\Application Data\FlashGetBHO\GetUrl.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://software.kuaiche.com
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290711387953
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

    --
    End of file - 8221 bytes
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I need to see a link to that site please.....

    Post it here in a reply, I will check it for you and I can remove it if there is a problem with any malware.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
  4. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    I had removed the site. I uploaded it again so you can see the source code. Also, Dreamweaver said this: "The file "/index_html_files/562.png" was skipped because the old remote file could not be deleted." - after it uploaded the site. I have no idea what a "remote file" means - there were NO files on the server for it to have to "delete" since I trashed every single file that was on it.
    Again: I am not sure if the codes are the "virus" my host says is in my site or not... but the scans show it as clean, and this funky code is all I can think of right now.
     
  5. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
  6. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    I found that http://software.kuaiche.com/ is to allow flashget to give a suggestion page, much like iTunes does?

    Has anyone gone to the website I am having troubles with and viewed the source html?
    my host said the virus was in menu.sj - but didn't say what virus or how they knew or exactly where it was..
     
  7. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I have been very busy and am just now getting some time to be here so I will check things and reply with help if I can.

    EDIT: I have checked the link which opens to the Parent Directory which is empty, no alerts on either link. I am also using Avast.

    http://www.gioiellidicresci.com/sterlingetc.html <<< This does not go anywhere nor display a webpage.... I get "The webpage cannot be found" 404 error for that link. Check your typing for a mistake.

    I do not see any menu.sj coded in either site code. ((Isn't that supposed to be a JavaScript, or .js file??))

    If you removed all the files then there is nothing I can look at. The site does not contain that .HTML page now.


    Forum software does not permit HTML code to be uploaded as an attachment, either.

    I think either there IS some bad code when you upload your files to the site......or, Avast is detecting a false positive, which does happen.

    If Virus Total comes up with nada, I think you have the answer already.
     
  9. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    Sorry, I removed the entire site today.
    I mis-typed "menu.js" not .sj (which would make it a Jesuit)
    I am scanning my drives all day with everything I can think of, then I will attempt another upload of my site to the server...
    The only thing that bothers me (besides seeing the strange codes when viewing the Source) is that cPanel says I have a virus, and Facebook says I have a virus.
    Anyway, I will post when my site is back up tomorrow evening.
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Read the report found in the "Details" at this page.

    http://www.unmaskparasites.com/security-report/

    Unmask Parasites is a website checking tool that can show if malware has been or is being hosted.

    It says in the last 90 days, the site http://software.kuaiche.com/ HAS hosted malware that did infect some servers so probably if your site had linked to the infected site it was showing up in your scan. Or, your site could have been infected also, I don't know.
     
  11. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    I went to the site above and it found all the "Hidden" urls. My computer is clean according to Norton, Avast, Superantispyware, Malware, Trend Micro...
    How is this getting into my pages? Is it coming from cPanel?
    If I can't see it, how do I edit it out?
    Zone Alarm says my site is a possible threat. I will leave the site up until tomorrow so you can check it out - maybe tell me what I can do to fix.. then I will delete the files from the server again.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    http://www.UnmaskParasites.com/security-report/?page=www.gioiellidicresci.com/sterlingetc.html

    That link should show you the report and it details all the 193 hidden spam URLs

    If you actually go to one of those sites.....each one is hosting infected downloadable files, such as keygens, cracks, etc

    They are hard to see but are there!

    There are additional tests you can try

    I really don't know how it gets onto your site, but if the webhost allows it, or possibly sponsors ads, then that is where it comes from.....ask them.

    I get no activity from Avast when I go to your site, regardless of the spam URLs that are hidden.

    I have looked at the Source code and I see the script of spam links starts at about line 228

    It's a Javascript. It is probably some form of exploit. You don't see anything looking at your site because the exploit affects those who come to the site and are vulnerable to a Java exploit, at least that is what I think is going on, I am not an expert at determining whether a site may be infected, or the host server might be..... I may have someone look at this thread who may be able to help you further.



    Probably coming from the servers you host with.

    Download this http://oldtimer.geekstogo.com/TFC.exe

    Save the file to a folder or the Desktop as you prefer....double click to start it.



    and run it> deletes temporary files, cleans Flash and Java caches, etc. Temporary Internet Files, cookies, too.

    And it works for all user accounts run from an administrator level account.

    Use caution--- I don't know how your computer is set up, make sure you have the valid web files safe someplace, not just in the Java cache.

    Of course this will not affect anything if the exploit is coming from some where else or the servers but at least it may help your computer.......
     
  13. CzarinaOz

    CzarinaOz Thread Starter

    Joined:
    Jun 12, 2007
    Messages:
    65
    Today when uploading my site again, I canceled it after a few files had been completed and then started another upload - Dreamweaver told me that a file I was uploading that was already on my server had been "Changed..." (somewhere other than on my computer) and if I wanted to over-write it. So it is official that my files are being changed after I upload to my host server (maybe on cPanel?)
    ...or can it still be a program hidden inside my pages until after they are online?
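Added example (not code from this thread or from the site it discusses): the two checks that would settle the question asked in this post and the one before it. The first parses one copy of a page and flags links sitting inside containers hidden with inline CSS, and scripts that write links, which is the shape of the "hidden spam URLs" Byteman reports in the source. The second diffs the owner's local copy of a file against the copy the server actually delivers, so a change made after upload shows up as a list of injected lines. The hidden-style patterns, the link threshold and the sample HTML are assumptions constructed for the example.

```python
"""Flag code a site owner did not put in a page: links inside inline-hidden
containers and scripts that write links, plus a line-level diff of the owner's
local copy against the copy the server actually delivers.

Added example for this thread (not code from the thread or the site in it).
The thresholds, the hidden-style heuristics and the sample HTML are assumptions."""
import difflib
import re
from html.parser import HTMLParser

LINK_THRESHOLD = 5          # assumed: this many hidden links marks the page as suspect
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
# Inline styles commonly used to keep injected links out of sight (assumed list).
HIDDEN_STYLE = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d{3,}px")


class HiddenLinkFinder(HTMLParser):
    """Collect href targets that sit inside hidden containers and keep every
    <script> body so it can be inspected separately."""

    def __init__(self):
        super().__init__()
        self._stack = []        # one bool per open element: is it hidden?
        self._hidden_depth = 0
        self._in_script = False
        self._script_buf = []
        self.hidden_links = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = HIDDEN_STYLE.search(style) is not None
        if tag == "a" and a.get("href") and (hidden or self._hidden_depth):
            self.hidden_links.append(a["href"])
        if tag == "script":
            self._in_script, self._script_buf = True, []
        if tag not in VOID_TAGS:            # void elements never get an end tag
            self._stack.append(hidden)
            self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._script_buf))
        if tag not in VOID_TAGS and self._stack:
            self._hidden_depth -= self._stack.pop()

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)


def analyze(html):
    """Return the hidden links, the link-writing scripts and a verdict for one copy of a page."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    suspicious = [s for s in parser.scripts
                  if ("document.write" in s and "href" in s)
                  or s.count("href=") >= LINK_THRESHOLD]
    suspect = len(parser.hidden_links) >= LINK_THRESHOLD or bool(suspicious)
    return {"hidden_links": parser.hidden_links,
            "suspicious_scripts": suspicious,
            "verdict": "suspect" if suspect else "clean"}


def injected_lines(local_html, served_html):
    """Lines present in the copy the server delivers but absent from the local master copy."""
    diff = difflib.unified_diff(local_html.splitlines(), served_html.splitlines(),
                                fromfile="local", tofile="served", lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


# Constructed sample: the owner's master copy and the copy fetched back from the host.
LOCAL_HTML = """<html><head><title>Shop</title></head>
<body>
<h1>Sterling silver</h1>
<p>Handmade pieces. <a href="/contact.html">Contact</a><br>
<img src="/ring.png" alt="ring"></p>
</body></html>"""

_SPAM = "".join('<a href="http://spam%d.example.invalid/keygen">k%d</a>' % (i, i)
                for i in range(6))
SERVED_HTML = LOCAL_HTML.replace(
    "</body>",
    '<div style="position:absolute; left:-9999px">%s</div>\n' % _SPAM
    + "<script>document.write('<a href=\"http://spam.example.invalid/crack\">c</a>');</script>\n"
    + "</body>")

if __name__ == "__main__":
    for name, html in (("local", LOCAL_HTML), ("served", SERVED_HTML)):
        result = analyze(html)
        print(name, result["verdict"], len(result["hidden_links"]), "hidden links")
    for line in injected_lines(LOCAL_HTML, SERVED_HTML):
        print("injected:", line[:70])
```

To use it on a real site, read the local file for `LOCAL_HTML` and save the page as a browser or `curl` delivers it for `SERVED_HTML`; a non-empty result from `injected_lines` run against a freshly uploaded file is the evidence the host needs, because it shows the content changed on their side, not in the editor.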
     
  14. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    I think you are on the right approach. You have to ask the webhost to check the server....

    I have someone who will check this probably tomorrow as they are in the UK and they may have more help for you.
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That is on the website & extremely unlikely to be anything on your computer
    get in touch with your host immediately & shut down the site until it is fixed

    if your host won't fix it then move hosts

    I do suggest a move anyway as that host is running out of date hosting software (Apache & PHP) with known vulnerabilities that can be used to let attackers on


    Moved to web development
     

Short URL to this thread: https://techguy.org/976145