Compromised password

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by urville, Jul 9, 2012.

  1. urville

    urville Private E-2

    My website was recently hacked and malicious code uploaded. My ISP directed me here to have me scan and look into the two PCs I use to access that site. I will post my home PC, which I did last night but was too tired to make this thread; however, none of these scans gave me a ding last night. Nevertheless, I will post them later. For now, however, is my work computer, which my boss also sometimes uses, and it seems to me it's the likely culprit. I don't have a specific user issue, I just know I was compromised and now I want to be sure what I should do and what we're looking at, if that's OK. I appreciate this and anyone's time.

    One note: RogueKiller quarantined our press driver software: DEX_CXC1PV2.EXE

    This is a program that installed as part of the RIP software the press comes with. Has it been compromised or is it misfiring? Also, it gave me NO choice in the quarantine or how to handle it if I wanted to make an exception. Now it's just in a folder on the desktop. What do I do?

    All logs as follows attached

  2. urville

    urville Private E-2

    FYI... I deleted my entire public_html folder and changed all passwords and reinstalled fresh, not from backups. This was okay, I was just tooling around SilverStripe. The ISP told me that 90% of the time it's malware, 10% they guessed the password. It wasn't anything obvious; it contained a common word and numbers... I have since switched to three or four common words, a phrase, and not one relevant to me in any way. The malicious code was uploaded by an IP out of Frankfurt. I back-traced it after the ISP sent me the log.
     
  3. urville

    urville Private E-2

    It occurs to me now that I have not logged into the site's cPanel, the account they had to use, for quite some time. I had used FTP via FileZilla and had the password set up in the program in the site manager so...

    Perhaps it is unlikely they obtained this info via these means, though it seemed I got hits on this computer as can be seen in these logs.
     
  4. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, urville :)

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31 <== Outdated

    __

    It makes it harder for us to diagnose claims like this when the tools were run out of order.

    MGtools
    Code:
    Mon 07/09/2012 
    08:37 AM
    
    Running processes:
    C:\Users\Ian Flores\AppData\Roaming\Color_Server_Client_Tools\JRE\JRE1.5\bin\DEX_CXC1PV2.EXE
    RogueKiller (should have been first)
    Code:
    Mode: Scan -- Date: 07/09/2012 09:02:14
    In order for me to properly help you with this, follow these instructions:

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Question, do you know what this file is for?
    • C:\Users\Ian Flores\Desktop\FGwqNIsfAEKNxgf0nSe2NA2.jpg
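    The RogueKiller hit above is on an executable running from the user's AppData\Roaming folder, a location security tools treat with suspicion because malware commonly drops there, even though a vendor's bundled JRE can legitimately live there too. As an added example (not from this thread or from the tool authors), the following PowerShell lists every running process whose image sits under the user profile, with its Authenticode signer and SHA256, so the press-driver binary can be checked against what the RIP vendor ships instead of guessed at. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt so 64-bit process paths are readable.

```powershell
# Added triage helper: enumerate running processes whose executable lives
# under the current user's profile (AppData, Desktop, ...) and report
# signer, signature status and SHA256 for each. Assumes PowerShell 4+.
$profileRoot = $env:USERPROFILE

Get-Process -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and
        $_.Path.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        # Signature status: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig  = Get-AuthenticodeSignature -FilePath $_.Path
        $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
        [PSCustomObject]@{
            Name   = $_.ProcessName
            PID    = $_.Id
            Path   = $_.Path
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Status = $sig.Status
            SHA256 = $hash
        }
    } |
    Format-List
```

    A binary signed by the press/RIP vendor with Status Valid is strong evidence the quarantine was a false positive; an unsigned file, or one whose SHA256 does not match the vendor's installer copy, is what the helpers here would want to look at next.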
     
  5. urville

    urville Private E-2

    Sorry! Somehow I missed that reading through the thread... dang, sorry.
    I did run RogueKiller first but then reran it because when I reread I got confused and thought it said something else. I just screwed it up by accident.

    The MGTools log is in there... or do you specifically want another one?


    Yes, that file was a pulled image from a website.
     
  6. thisisu

    thisisu Malware Consultant

    No problem.
    Yes
     
