Index.html keeps getting infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by newboy, May 5, 2008.

  1. newboy

    newboy Private E-2

    My website homepage shows a malware infection to visitors, I have run every spyware, anti virus known to man, the problem seems to be from a hidden file that I can't find. Here is the hijack this log. This is really annoying as I keep replacing the index.html on the ftp and it repairs it briefly. If anyone can help that would be great.
     

    Last edited by a moderator: May 5, 2008
  2. newboy

    newboy Private E-2

    I have tried every spyware remover and anti virus software under the sun and just when I think I have solved the problem by clearing the temp cache and deleting everything discovered by the spyware programmes and replacing the infected index.html on the ftp location, the malware is detected again by visitors a day later, can anyone help??
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    That version of HijackThis has not been used for about 4 years. We don't need you to run HijackThis anyway. What we need you to run is the below. Please also show us a snapshot of what your visitors are seeing. It is quite possible that you have an infection that has found its way into your web design. If this is the case, you will have to manually go thru every single html file and remove the code that was added since it will not be found by any scanners.

    Make sure that your PC is set to Normal Startup mode as requested in the READ ME (i.e., you must not be using MSconfig to control any startups ).


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  4. newboy

    newboy Private E-2

    Right, I have run all the software mentioned, there is only one html file on the ftp, which is the index.html, all the other files are graphics. The virus appears as this on alerts in ANTIVIR when I visit my home page

    C:\Documents and Settings\Home\local settings\Temporary Internet Files\content.IE5\JUSC4H82\go[1].htm

    and subsequently

    C:\Documents and Settings\Home\local settings\Temporary Internet Files\content.IE5\JUSC4H82\MYWEBSITE[1].htm

    I then check the ftp and the only html file, the index.html file, is infected with, according to Antivir, suspicious code HEUR/Exploit.HTML

    I don't Run IE5??? The folder it states doesn't exist.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Could just be false positives. See these:
    http://forums.cnet.com/5208-6035_102-0.html?forumID=32&threadID=257643&messageID=2547221

    http://crashjam.blogspot.com/2007/10/heurexploithtml.html

    http://www.avira.com/en/threats/section/fulldetails/id_vir/3686/heur_exploit.html

    Unless you attach the logs requested in the READ & RUN ME, I cannot tell you whether you have any other malware that could be causing problems.


    But again I do have to repeat that infections that occur inside of an HTML file typically get spread to all HTML pages of the web design and the way to remove them is by editing out the offending lines (even if it is only one file which should then be much easier).


    Yes it does. It just may be hidden from your view if you did not follow the instructions for viewing hidden and system files and folders in the READ ME.
     
  6. newboy

    newboy Private E-2

    Thanks for the replies, I don't believe this to be a false positive as the site never had this problem before. The problem appears to have cleared, again. I will wait until tomorrow to see if it returns ...again? Could this be a server issue?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's possible, but I cannot say that for sure.
     
  8. newboy

    newboy Private E-2

    well the malware has returned overnight?
     
  9. newboy

    newboy Private E-2

    It appears that this is an Iframe injection :cry
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. newboy

    newboy Private E-2

    to anyone who encounters this annoying problem the solution was to run all the utilities offered here in the RUN ME guide, excellent work there lads and then to change the FTP password and then insert this script into the header of the page which will stop any iframe insertions happening again. Many thanks Chaslang :cool:p


    <script type="text/javascript">
    // Save the original document.write and replace it with a no-op, so an
    // injected document.write(...) call has nothing to write
    function disableDocWrite () {
        document.oldDocumentWrite = document.write;
        document.write = function () {};
    }
    // Restore the original document.write if the page itself needs it later
    function enableDocWrite () {
        document.write = document.oldDocumentWrite;
    }
    disableDocWrite();
    </script>
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy to hear you got this worked out.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Go to add/remove programs and uninstall HijackThis.
    5. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    6. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work thru the below link:
     
