Malwarebytes

Possibly have an infected web site / server

13 replies to this topic

#1 Jigal van Hemert (New Member, 9 posts)
Over the past weeks I received many reports from people getting popups about "Total Security" only when they visit my website.

I have experienced the same in IE (also only when visiting my own site) and in Firefox I see HTTP 503 errors in Firebug.
This doesn't happen constantly, but kind of in waves. Some days the problems are pretty bad, then there is no problem for days.

The hosting provider keeps telling me that my PC must be infected or that the wrong people have gotten my FTP password by key loggers. I scanned the PC with McAfee (provided by my ISP), PC Tools Spyware Doctor, Malwarebytes Anti-Malware, Spybot Search & Destroy, Hitman Pro, NAV32, but nothing was found, except a few cookies from webstats tools.

I downloaded all files from the website to a directory on my hard disk and used all those tools to scan those files. They were reported to be clean.
I read all the text files (.shtml, .pl, .php, etc.) for strange code which I have not written myself, and I used WinMerge to compare the directory with the working directory on my PC, but no differences were found.

I'm running out of ideas, but the popups keep appearing with many people. The hosting provider says the server is clean and has no viruses.

Any ideas how to get rid of these nasty popups?

Regards, Jigal.


#2 Jigal van Hemert (New Member, 9 posts)
Thank you for your answer!

No, I don't have ads on my site. I'm afraid I can't shut down anything like that to make it go away.

Thanks for the idea though.

Regards, Jigal.

#3 Jigal van Hemert (New Member, 9 posts)
A visitor told me it is blocked by Sophos and reported as Mal/FakeAvJs-A. It was loaded from http://yourpc-scanner2.com/scan1/?pid=180s...T0xMjUuMUMMPAdN
I have no references to that address (or anything remotely similar) anywhere in my files.

It seems that my website is spreading this and I don't know what to do about it :)

Regards, Jigal.

#4 Jigal van Hemert (New Member, 9 posts)
Hi lyndonpace,

Website is at hxxp://www.bordercollies.nl/

Problem is that the popups do not show up consistently. Sometimes you get a couple and at other days you don't see a single popup (yes, this makes it hard to solve, but if I can modify, run, install, etc. anything to help find the source please let me know).
I only use FF to visit my own site and only see white pages/missing images from time to time; when using Firebug the missing files are reported as HTTP 503 errors.

Thanks in advance for any suggestion that may help me get rid of the annoying popups!

Regards, Jigal.

#5 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)
Hello and welcome to Malwarebytes

I can't really help you with your Server but I'll take a look at your system and see if we can find anything that might be there.

Please download and run the following scanners and post back the logs.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...





Then run this one as well please.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt





RootRepeal - Rootkit Detector
    Close ALL applications and as many items in the task tray that will stop and exit.
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#6 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)
Well I went to your site and clicked on all types of links and looked at source code and I was not prompted to install anything and did not trigger my tools.

This new infection is on a lot of systems, so maybe these users are already infected and it has nothing really to do with your site.

#7 Jigal van Hemert (New Member, 9 posts)
AdvancedSetup,

Thank you for your reply. I will run the tests when I'm at home tonight.

The fact that I have seen the popups and AV/malware tool notifications about threats they've stopped myself *only* when I visit my own site (I've seen it on three systems running different versions of Windows (XP, Vista and 7) with different malware tools), and the fact that visitors have also reported that it happened *only* when they visit my site, made me conclude that there must be something wrong with the website.

If only there were decent tools for IE to analyze the server response + content while serving so I can figure out if the web server is really producing the scripts for the popups...

Just to be on the safe side I will run these tools too :-)

Regards, Jigal.
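The check Jigal asks for in post #7, as an added example that is not part of the thread: a small Python script that parses what a URL returns, flags script/iframe/embed sources pointing at hosts other than the site's own, flags inline scripts that use eval/unescape/document.write, and compares the responses that several client profiles get for the same URL. Serving-time injection (a rewrite rule, a compromised server module, or a compromised neighbour on shared hosting) never shows up in a file comparison such as the WinMerge check in post #1, and it is often keyed on the User-Agent or Referer, which is how a page can look clean to its owner and dirty to a visitor arriving from a search engine. The sample responses, the profile strings and the `fetch` helper are mine and are constructed for the example; the only names taken from the thread are the site host and the yourpc-scanner2.com host from the Sophos report.

```python
# Added example (not from the thread): look for injected loaders in a site's HTML
# and compare what the same URL serves to different client profiles. The sample
# responses below are constructed; the only real names are the site host and the
# yourpc-scanner2.com host reported by the visitor's Sophos.
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline-script constructs typical of injected fake-AV loaders (heuristic, not a signature)
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(", re.I)

# Client profiles worth trying: injected content is often served only to browsers
# arriving from a search engine and hidden from crawlers and repeat visitors.
PROFILES = {
    "ie_from_google": ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
                       "http://www.google.com/search?q=bordercollies"),
    "firefox_direct": ("Mozilla/5.0 (Windows; U; Windows NT 6.0; rv:1.9.1) Gecko/20090624 Firefox/3.5", None),
    "googlebot": ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", None),
}


class _ScriptCollector(HTMLParser):
    """Collect external script/iframe/embed/object sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []      # (tag, src)
        self.inline = []    # inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.srcs.append((tag, a["src"]))
        elif tag in ("iframe", "embed", "object"):
            src = a.get("src") or a.get("data")
            if src:
                self.srcs.append((tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def inspect_html(html, site_host, allowed_hosts=()):
    """Report loaders pointing off-site and inline scripts that look obfuscated."""
    p = _ScriptCollector()
    p.feed(html)
    allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    foreign = []
    for tag, src in p.srcs:
        host = (urlsplit(src).hostname or "").lower()   # "" for relative URLs
        if host and host not in allowed:
            foreign.append((tag, src))
    obfuscated = [s.strip()[:80] for s in p.inline if OBFUSCATION.search(s)]
    return {"foreign_loaders": foreign, "obfuscated_inline": obfuscated}


def compare_profiles(responses, site_host, allowed_hosts=()):
    """responses: {profile: (status, html)}. Returns (per-profile findings, conditional_serving).

    conditional_serving is True when two successful (200) responses for the same URL carry
    different sets of off-site loaders, i.e. the server is choosing content per client.
    """
    report = {}
    for profile, (status, html) in responses.items():
        findings = inspect_html(html, site_host, allowed_hosts)
        findings["status"] = status
        report[profile] = findings
    signatures = {frozenset(f["foreign_loaders"]) for f in report.values() if f["status"] == 200}
    return report, len(signatures) > 1


def fetch(url, user_agent, referer=None, timeout=15):
    """Fetch url as the given client (network; not used by the offline sample below)."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:   # a 503 still carries a body worth inspecting
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample: what three client profiles might have received from the same URL.
SITE = "www.bordercollies.nl"
CLEAN = '<html><head><script src="/js/menu.js"></script></head><body><p>Border collies</p></body></html>'
INJECTED = CLEAN.replace("</body>",
    '<iframe src="http://yourpc-scanner2.com/scan1/" width="1" height="1"></iframe>'
    '<script>document.write(unescape("%3Cscript%3Ealert(1)%3C/script%3E"))</script></body>')
SAMPLE = {
    "firefox_direct": (200, CLEAN),
    "ie_from_google": (200, INJECTED),
    "googlebot": (503, "<html><body>Service Unavailable</body></html>"),
}

if __name__ == "__main__":
    report, conditional = compare_profiles(SAMPLE, SITE)
    for profile, f in report.items():
        print(profile, f["status"], f["foreign_loaders"], f["obfuscated_inline"])
    print("conditional serving:", conditional)
    # Live site: compare_profiles({n: fetch(url, ua, ref) for n, (ua, ref) in PROFILES.items()}, SITE)
```

On a live site, call `fetch` once per profile, repeat the run at different times of day since the thread describes the problem coming in waves, and feed every result to `compare_profiles`; keep the 503 responses too, because which profile gets a 503 is part of the picture. Any off-site loader that is not a known widget or analytics host is the thing to show the hosting provider.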

#8 Jigal van Hemert (New Member, 9 posts)
Report
--------

ComboFix didn't want to run in normal mode, so I started in Safe Mode. Attached is the log file.

While in Safe Mode I also ran DDS. Attached the two log files.

Still in Safe Mode I started RootRepeal.
It ran for a while and spent a long time in C:\Windows\winsxs\Manifests\
When it reached the file C:\Windows\winsxs\msil_caspol.resources_b03f5f7f11d50a3a_6.0.6000..... (I couldn't write down the rest of the name) it aborted.
Until that moment it found a series of files which were locked to the Windows API and these msil_* files/directories were 'hidden to the Windows API'.
I ran RootRepeal again without files option and attached you'll find the report.

What can I do with the files in the directory C:\Qoobox\ which ComboFix created?

Thanks in advance for your time and energy!

Regards, Jigal.


#9 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)
Well you appear to have something hidden running on the box that should not be there. Please run the following.

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
Driver::
IVUZUIUSZ
File::
c:\users\GEBRUI~1\AppData\Local\Temp\IVUZUIUSZ.exe
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
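An added example, not from the thread and not ComboFix's own code: the CFScript in the post above is a plain text file of `Name::` sections (KILLALL:: terminates running processes before the fix, Driver:: removes the named service entry, File:: deletes the listed file, RegLock:: resets the permissions on a registry key that has been locked). The Python below parses that format into a list of indicators and checks an inventory for leftovers after the fix: whether a service with that name still exists, whether the executable in the user's Temp directory is still there, and whether the device-class key is readable again (it is a legitimate key whose permissions were locked, so its presence is not the test). The before/after inventories are constructed for the example; `collect_windows_inventory` gathers a real one with `winreg` and is the only part that needs Windows.

```python
# Added example (not from the thread): parse the CFScript quoted above into a list of
# indicators and check whether any of them survive the fix. The inventories used
# here are constructed; collect_windows_inventory() shows how to gather a real one.
import re

SECTION = re.compile(r"^([A-Za-z]+)::$")

# The script from the post, verbatim (the GEBRUI~1 short path is the one given there)
CFSCRIPT = r"""KILLALL::
Driver::
IVUZUIUSZ
File::
c:\users\GEBRUI~1\AppData\Local\Temp\IVUZUIUSZ.exe
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
"""


def parse_cfscript(text):
    """Return {section: [entries]} keeping section order; 'Name::' lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def indicators(sections):
    """Flatten the sections into (kind, value) pairs a post-fix check can verify."""
    out = [("driver", n) for n in sections.get("Driver", [])]
    out += [("file", p) for p in sections.get("File", [])]
    out += [("locked_regkey", k.strip("[]")) for k in sections.get("RegLock", [])]
    return out


def leftovers(indicator_list, inventory):
    """Return the indicators still present.

    inventory = {"drivers": set of service names, "files": set of existing paths,
                 "locked_regkeys": set of keys that are still unreadable}; matching is
    case-insensitive because service names and NTFS paths are.
    """
    buckets = {"driver": "drivers", "file": "files", "locked_regkey": "locked_regkeys"}
    lower = {k: {v.lower() for v in vals} for k, vals in inventory.items()}
    return [(kind, value) for kind, value in indicator_list
            if value.lower() in lower.get(buckets[kind], set())]


def collect_windows_inventory(indicator_list):
    """Gather a real inventory on Windows for exactly the listed indicators (needs winreg)."""
    import os
    import winreg
    drivers = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc:
        i = 0
        while True:
            try:
                drivers.add(winreg.EnumKey(svc, i))
                i += 1
            except OSError:      # no more subkeys
                break
    files = {p for k, p in indicator_list if k == "file" and os.path.exists(p)}
    locked = set()
    for k, key in indicator_list:
        if k != "locked_regkey":
            continue
        hive, _, sub = key.partition("\\")
        try:
            winreg.OpenKey(getattr(winreg, hive), sub, 0, winreg.KEY_READ).Close()
        except PermissionError:  # still locked: the RegLock:: fix did not take
            locked.add(key)
        except OSError:
            pass                 # key absent: nothing left to unlock
    return {"drivers": drivers, "files": files, "locked_regkeys": locked}


# Constructed inventories: before the fix and after a successful run
BEFORE = {
    "drivers": {"Tcpip", "IVUZUIUSZ", "Disk"},
    "files": {r"c:\users\GEBRUI~1\AppData\Local\Temp\IVUZUIUSZ.exe"},
    "locked_regkeys": {r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class"
                       r"\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings"},
}
AFTER = {"drivers": {"Tcpip", "Disk"}, "files": set(), "locked_regkeys": set()}

if __name__ == "__main__":
    ind = indicators(parse_cfscript(CFSCRIPT))
    print("before:", leftovers(ind, BEFORE))
    print("after: ", leftovers(ind, AFTER))
```

The pattern the script targets, a service whose name matches a randomly named executable in the user's Temp directory, is also what to look for again if the popups return: an empty `leftovers` list after the fix, and an unchanged one a week later, is the evidence that the box stayed clean.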

#10 Jigal van Hemert (New Member, 9 posts)
I ran the requested programs.
Attached are the resulting log files...

Thanks for your help!

Regards, Jigal.


#11 Jigal van Hemert (New Member, 9 posts)
And forgot to upload one of the files :-(


#12 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)
Okay the logs look pretty good now. You might want to run the following.


Download the following, right click and choose Run As Admin
http://oldtimer.geekstogo.com/OTC.exe

Back up your registry with ERUNT
  • Download ERUNT from here and save it to your desktop.
  • Double click erunt-setup.exe to install the program
  • Follow the prompts, and then uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • At the next screen, uncheck Show documentation and check Launch ERUNT
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process
    Note:
    The backups can be restored from here:
    C:\windows\ERDNT\<todays date>\ERDNT.exe


Then run the following.

http://support.microsoft.com/kb/299357

#13 Jigal van Hemert (New Member, 9 posts)
Hi Ron,

OTC ran with no problem.

ERUNT reported two corrupted parts of the registry. I regularly get reports from PC Tools Anti-Spyware that it can't make a Restore Point when removing cookies. After a reboot the problem is solved.

Anyway, I did another HJT scan and it didn't show anything strange anymore.

At the moment the situation with the popups is quiet, also on other computers which were not checked. I will report back the moment I hear anything about the popups or see them myself.

Thanks for your support!

Regards, Jigal.

#14 AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)
Great, glad to hear all is going well. You might want to run a full disk check on the drive as that is not normal to have issues with the hives.
I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.
So how did I get infected in the first place?




