
a virus


10 replies to this topic

#1 marniestar

marniestar

  • Members
  • 5 posts

Posted 06 February 2009 - 04:38 PM

Hi, I have been getting attacked nearly every day by a virus. I have a website and am losing money because when people come to it, it says threat detected. I'm so sick of this. I have had it removed so many times. Why? There is no money to be made by this. I think it comes from Russia. Could you look at it please!!!

<script>[SCRIPT REMOVED TO PROTECT OTHERS]</script>
What is this? I'm so desperate to know!!!!!! Please help me. Thanks, marniestar

{Mod Edit: Moved from XP to AII for better assistance~~boopme}

Edited by KoanYorel, 09 February 2009 - 08:42 PM.
to remove malicious script




#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 February 2009 - 05:25 PM

Hello.

Best if you disconnect from the web and do not use the internet too much unless you need to download tools. If you have another clean machine, it would be best if you can use a CD Burner software and some CD's to download the tools and transfer it onto this computer. Also, do you get any message when you go to that webpage or is it only others?

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with both logs once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 marniestar

marniestar
  • Topic Starter

  • Members
  • 5 posts

Posted 07 February 2009 - 04:04 PM

Thanks for the help. Have you seen this sort of virus before? ru means from Russia and is only attacking my webpage???? I have had it removed and changed my passwords. I think they were reading my emails. Is this possible?

Thanks, Marnie

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 February 2009 - 04:22 PM

Hello.

Not too sure if I am understanding you correctly.

"Thanks for the help. Have you seen this sort of virus before? ru means from Russia and is only attacking my webpage???? I have had it removed and changed my passwords. I think they were reading my emails. Is this possible?"

No, I'm not sure what this infection is because there is no site or page I could see, and you are saying you lose money because others visit your site and they get a warning message, which I don't quite understand how that works. I do not know if it's from Russia or some place else.

Do you still require help?

With Regards,
Extremeboy

#5 marniestar

marniestar
  • Topic Starter

  • Members
  • 5 posts

Posted 08 February 2009 - 06:49 PM

Thanks, I don't even understand what's happening so cannot explain. Bit thick when it comes to computers!!!!

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 09 February 2009 - 05:18 PM

Hello.

That's okay. I understand what you mean now with the help of a BC Advisor, Platypus.

That script you showed appears to be exploited. That means someone has been putting it on to your site, or it's just that the computer you yourself are currently at is compromised or infected. Therefore, when your friends/people go to that site, their AV gets alarmed and flags your site, saying it's "infected", and they leave, because that site that you currently have is probably infected.

With Regards,
Extremeboy

#7 Platypus

Platypus

  • Global Moderator
  • 15,221 posts

Posted 09 February 2009 - 08:47 PM

Hello Marnie. Please continue following extremeboy's instructions to find out if your computer has any infection that could have been the source of the script. Your own system or any other system you've used to access your website using FTP or the hosting service's administration tools could have been the vector for your website infection.

Changing your passwords was important and wise. If your computer proves to not have any infection that could have been the source, and the script or anything similar appears again on your website, you should consult with the website hosting service regarding security from their side.

I've made a request for a Moderator to delete or modify the script in your post, so that we're not making malicious code public. Cheers and good luck.
Top 5 things that never get done:

1.
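
An added example, not part of any post in this thread: one way to check a downloaded copy of a site's pages for `<script>` tags the owner did not put there, which is how a re-appearing injection like the one discussed above can be spotted before visitors' antivirus flags it. The host names, the allowlist, the approved-hash set and the sample page are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptAudit(HTMLParser):
    """Report <script> tags that are not in the site's known-good baseline."""
    def __init__(self, allowed_hosts, approved_hashes):
        super().__init__()
        self.allowed_hosts, self.approved = allowed_hosts, approved_hashes
        self.findings = []        # (line, reason, detail)
        self._inline = None       # [start line, text] while inside an inline script
        self._after_html = False  # True once </html> has been seen

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        line, src = self.getpos()[0], dict(attrs).get("src")
        if self._after_html:      # code appended past the end of the document
            self.findings.append((line, "script after </html>", src or "inline"))
        if src is None:
            self._inline = [line, ""]
        else:
            host = urlparse(src).hostname   # None for relative, same-site paths
            if host and host not in self.allowed_hosts:
                self.findings.append((line, "host not allowlisted", host))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline[1] += data

    def handle_endtag(self, tag):
        if tag == "html":
            self._after_html = True
        elif tag == "script" and self._inline is not None:
            line, body = self._inline
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            if digest not in self.approved:   # inline code is new or was altered
                self.findings.append((line, "unapproved inline script", digest))
            self._inline = None

def audit_html(html, allowed_hosts, approved_hashes=frozenset()):
    parser = ScriptAudit(allowed_hosts, approved_hashes)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: the last line imitates a script appended by an intruder.
SAMPLE = ('<html><head><script src="/js/menu.js"></script>\n'
          '<script src="https://cdn.example.com/lib.js"></script></head>\n'
          '<body>Shop</body></html>\n'
          '<script src=http://injected.example/x.js></script>\n')
```

Running `audit_html` over every page after each upload, with the hashes of the owner's own inline scripts as the approved set, shows whether the script has come back.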

#8 marniestar

marniestar
  • Topic Starter

  • Members
  • 5 posts

Posted 10 February 2009 - 03:05 AM

Thank you both. Changed passwords, changed website hosting to a company in Pakistan. They seem to be helping my rankings, but this virus has already lost me money!!! No one goes back to a site when they get a threat detected. Hope this makes a difference. Seems to be working better now it's been removed. Why do these idiots target people like me???? Thanks again, marnie

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 10 February 2009 - 03:42 PM

You're welcome. I wonder why I didn't tell you to change your passwords...probably forgot when I was in the middle of something else. Glad you changed it though, that was very important. Malware writers or others don't target anyone "specifically". They can target anyone they want; it doesn't matter where you live or what your personality is like. It's not something we can control.

Just wondering, do you still want to check if you have anything that is still on your computer that we should remove?

With Regards,
Extremeboy

#10 marniestar

marniestar
  • Topic Starter

  • Members
  • 5 posts

Posted 10 February 2009 - 04:40 PM

Yes pleasssse, if you don't mind. It's not on this computer, it's on another one. Did you manage to find out where it came from? I thought ru meant Russia. Thanks again, marnie

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 10 February 2009 - 05:23 PM

Nope. I don't mind at all.

Please perform the scans I asked in Post #2 of this topic.

Thanks. Post the logs once it's complete.

With Regards,
Extremeboy



