Problem: I upload to websites from work, home, and a satellite office. I installed the FileZilla FTP program to upload to all three locations about 3 months ago. Mid-June, my websites started indicating they were virus-infected when opening them up through a browser. At work I have McAfee Anti-Virus and at home I use AVAST. The AVAST is telling me I have a Trojan HTML:IFrame-HY [Trj]. From what I have read about the FileZilla problem, the iframe injects into the index pages of a website. On my index.html page, it creates a frame or space that causes my page to appear jumbled. On the index.php pages of my company site, it causes a PHP error message (I have a PHP calendar and a PHP quiz).

I tried uploading over these (through my file manager online) and the errors came back. I went online through my webhost and opened the files up through the file manager, deleted the code and pasted in what I thought was good code for the php pages. I did see injected code on this page before I deleted it and made a copy of it. This seems to have worked for the php index pages but my index.html page is still throwing virus warnings – I can’t see any injected code in that page.

From what I understand about FileZilla, it doesn’t protect the FTP passwords. I have another small website I work on from home, and I deleted all of the files through the file manager online and uploaded what I believed to be cleaned files after changing my FTP passwords. When I previewed it in the browser, the virus warning did not come up, but now a few days later it does.

Another issue is that I carry an external hard drive between work and home so I can work on the company website from home. I probably have been spreading everything around with this external hard drive. I understand you only wanted the GMER to run the scan from the C drive and not external drives. I have scanned my computer, run the program from and HijackThis on my home computer. I did the same at work – but have not done anything with the HijackThis logs.

I followed the instructions of backing up my important files, running DDS and GMER rootkit. I had a lot of problems with running the GMER. I ran it two times; both times I walked away from it and came back and the program had closed (I did shut down my AVAST while I was performing these scans). Of these times, it would start, and after 15 minutes a message said it stopped… so I continued it again. The last time I was there to see it finish, but my mouse locked up and I had to save with keyboard shortcuts and restart my computer. I am doubting the legitimate contents of the GMER file, because it is giving different scan contents from what I observed from my other scans. This time it is only showing Adobe Photoshop Elements. That was a trial program I downloaded probably 5 months ago. I have read of others with the FileZilla problem also complaining about Adobe Reader getting hijacked and a virus controlling those updates.

I don’t know how I should approach cleaning what I have with my webhost. My Dreamweaver crashed at home and I spent hours on the phone with Adobe. Dreamweaver would not allow me to open my company website file. I told them I had virus problems – they said maybe someone was trying to hack my site. I am in conversation with my webhost, but my trouble ticket mysteriously disappeared and I am starting over again. I am trying to determine if I have a clean computer and external hard drive.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Renee at 6:34:23.79 on Sun 07/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1136 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090710-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hercules\DualPix Exchange\Camservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Renee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp home\wsbho2k0.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [CamserviceDP] c:\program files\hercules\dualpix exchange\Camservice.exe /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone:
Trusted Zone:\www
Trusted Zone:\www
Trusted Zone:\www
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\renee\applic~1\mozilla\firefox\profiles\is11sqln.default\
FF - prefs.js: browser.startup.homepage - hxxp://
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.proxy.type", 2);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-1 114768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-1 138680]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2009-1-11 99248]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-8-5 84992]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-1 352920]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [2008-8-5 94208]
S1 290cfd8;290cfd8;c:\windows\system32\drivers\290cfd8.sys [2009-6-5 0]

=============== Created Last 30 ================

2009-07-11 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-07-02 12:12 <DIR> --d----- c:\program files\Ipswitch
2009-06-29 21:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-29 21:42 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-29 21:42 <DIR> --d----- c:\program files\iPod
2009-06-29 21:42 <DIR> --d----- c:\program files\iTunes
2009-06-29 21:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-29 21:41 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-29 21:41 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 11:17 <DIR> --d----- c:\docume~1\renee\applic~1\Malwarebytes
2009-06-29 11:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 11:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 11:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-29 09:38 <DIR> --d----- c:\program files\Bonjour
2009-06-29 09:24 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-29 09:24 <DIR> --d----- c:\program files\MSECACHE
2009-06-28 15:01 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-20 06:11 <DIR> --d----- c:\program files\RegistryFix7
2009-06-15 22:43 <DIR> --d----- c:\docume~1\renee\applic~1\Uniblue
2009-06-15 20:29 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-06-18 11:05 0 a------- c:\windows\system32\drivers\290cfd8.sys
2009-04-16 18:39 65,390,714,960 a------- c:\windows\system32\WIN.TMP
2009-04-16 17:31 7,094 a------- c:\windows\system32\EDMKGRP.EXE
2008-11-24 20:01 30 a------- c:\documents and settings\renee\jagex_runescape_preferences.dat
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 07:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2009-02-11 22:31 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-11 22:31 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-11 22:31 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 6:34:43.76 ===============


