[Resolved] Please check my logs! I can't access my own website!

Status
Not open for further replies.

lostincode

Hello everyone,

and congrats for this forum!

There was an incident with my website a couple of days ago (a backdoor trojan accessed the server etc.) which has eventually been resolved, but I was one of the first people who accessed the "infected" website (accessed the server etc.) and now my PC is infected.

I am denied access specifically only to my own website! Other people who accessed it do NOT have this problem.

I followed all the steps on your UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and here are the results:

I ran a full scan with Avast antivirus and found the following (some of them were detected in the backup folder of the website):

TrojanDownloader:Java/Tinconc.A
ELF: PHP
PHP: C99Shell-F [TrJ]
Win 32: KKer-C [Trj]

After doing all this, I am still denied access! Ping from the cmd does not work either. Could you please check my logs and help me? I greatly appreciate this!

Thank you in advance!
 

Attachments

  • mbam-log-2010-03-24 (11-21-06).txt (1.6 KB)
  • SUPERAntiSpyware Scan Log - 03-24-2010 - 12-11-47.log (1.4 KB)
  • hijackthis.log (9.6 KB)
I'm checking your logs now. While I do it, is there any way the site can be disinfected also? Does it have a firewall?
-----------------------

You have a malware infection named Worm.Allaple.
Characteristics of a worm: it is often characterized as a malicious application that will use a host machine to infect other machines. Therefore worms can create enormous damage on networks with multiple computers.

It would be best if you shut the site down for now. Basically, your site will infect anyone who accesses it without security to prevent it. We can work on your computer, but if you try to connect to the site, you will reinfect your system:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run it.
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow it.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please attach the Combofix report and the Eset log to your next reply.

Are you actually hosting the site yourself? If not, you should advise whoever is of the infection.
 
Hello Bobbye,

the host has been notified and has temporarily closed down the site and my access to everything. I don't know if this is a standard procedure though :SS

Here is my ComboFix log BUT I cannot run ESET NOD32. I managed to run it once, but it got stuck on a file in my Program Files (AcroPro.msi) for more than 10 minutes, so I stopped it and restarted my PC. I tried to run it again but I get the message:

Cannot get update. Is proxy configured??

I have disabled the antivirus, firewall and all the malware removal tools but still I cannot get it to run.

What should I do now??

Thank you!

Please wait before you reply!!! I have uninstalled ESET and reinstalled it. I am running it right now!!
 

Attachments

  • ComboFix.txt (21.6 KB)
Take your time. I'll be checking the Combofix report.

NOTE: Make a new reply with the Eset log. If you edit the post above, I won't get notice of the reply.

EDIT: Please let me know if you've used a flash drive. One of the entries I see can indicate an infected flash drive.
 
Yes I have used a flash drive to store all the infected files that I deleted from the server.. maybe a stupid thing to do(?) Should I delete them?

The ESET is still running, I estimate it will take a couple hours!
 
The Eset scan is finished. No threats were found and here is the log!

One additional question: do you think it is "safe" to access my accounts through my PC, or should I rather not?
 

Attachments

  • log.txt (902 bytes)
You should disinfect the flash drive:

The deletion of this one, D:\Autorun.inf, suggests you had a possible FlashDrive infection:
Threat Removal Procedure:

  1. Download Flash_Disinfector and save it to your Desktop.
  2. After downloading, double-click on Flash_Disinfector to run it.
  3. Just follow the prompts and continue until it begins scanning.
  4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
  5. It will scan removable drives; wait for the scan to finish. Done.

Please run TFC (Temp File Cleaner)
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

I am concerned about all the roaming files. The Public file/folder should be hidden. I have to see if I can do that with a script. There are groups of dates where all the activity was 'roaming'. You also show application data from uTorrent.

You've got an entry in Combofix that indicates Added by the W32/Nimda-A worm. I'd like you to run a different online scan:

Open Kaspersky Online Scanner in Internet Explorer

Note: For Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Let's see if that turns up anything.

Are you using the Registry Cleaner from Uniblue? I highly recommend that you uninstall it. Most of us don't recommend registry cleaners at all!
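For readers who want to see what the Flash_Disinfector step above is actually defending against: the following is an added example, not a tool from this thread nor part of any utility Bobbye names. It parses an autorun.inf the way a reviewer would and reports the directives (open=, shellexecute=, shell\<verb>\command=) that make Windows run a program from a removable drive when it is inserted or opened in Explorer. Both autorun.inf samples are constructed for illustration, and the path RECYCLER\S-1-5-21-EXAMPLE\setup.exe is a placeholder, not an indicator taken from the thread's logs.

```python
"""Report the launch directives in an autorun.inf (added example; not from the thread)."""
import os
import string
from dataclasses import dataclass, field

# Directives under [autorun] that make Windows run (or offer to run) a program
# from the drive when it is inserted or double-clicked in Explorer.
LAUNCH_KEYS = ("open", "shellexecute")


@dataclass
class AutorunReport:
    present: bool                                        # [autorun] section found?
    launch_targets: dict = field(default_factory=dict)   # directive -> command line
    reasons: list = field(default_factory=list)          # human-readable findings

    @property
    def needs_review(self) -> bool:
        return bool(self.reasons)


def parse_ini(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}} with lower-cased names; ';' comments skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> AutorunReport:
    """Flag every directive that would execute something; an icon/label-only file passes."""
    autorun = parse_ini(text).get("autorun")
    if autorun is None:
        return AutorunReport(present=False)
    report = AutorunReport(present=True)
    for key, value in autorun.items():
        if key in LAUNCH_KEYS:
            # open= / shellexecute= run the target directly on AutoRun.
            report.launch_targets[key] = value
            report.reasons.append(f"{key}= runs {value!r}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command= rewires a context-menu verb (Open, Explore, ...),
            # so even "Open" chosen by hand in Explorer launches the payload.
            verb = key.split("\\")[1]
            report.launch_targets[key] = value
            report.reasons.append(f"{key}= rewires the {verb!r} verb to {value!r}")
    for value in report.launch_targets.values():
        # A launch target inside a recycle-bin folder is a classic place for a worm to
        # park its copy; a legitimate installer would not live there.
        if "recycler" in value.lower() or "$recycle.bin" in value.lower():
            report.reasons.append(f"target parked in a recycle-bin folder: {value!r}")
    return report


def scan_drive_roots(letters: str = string.ascii_uppercase) -> dict:
    """Windows only: assess <X>:\\autorun.inf on every drive root that has one."""
    results = {}
    for letter in letters:
        path = f"{letter}:\\autorun.inf"
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                results[path] = assess_autorun(fh.read())
    return results


# Constructed sample in the style of a USB worm's autorun.inf (placeholder path, not an IoC).
SAMPLE_WORM = """[AutoRun]
open=RECYCLER\\S-1-5-21-EXAMPLE\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\S-1-5-21-EXAMPLE\\setup.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-EXAMPLE\\setup.exe
"""

# Constructed benign sample: icon and label only, nothing is executed.
SAMPLE_BENIGN = """[autorun]
icon=vendor.ico
label=Vendor Utilities
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        report = assess_autorun(sample)
        print(f"{name}: needs_review={report.needs_review}")
        for reason in report.reasons:
            print("  -", reason)
    for path, report in scan_drive_roots().items():
        print(path, "needs_review" if report.needs_review else "ok")
```

The worm-style sample shows why "Open folder to view files" in the AutoPlay dialog is not safe on an infected stick: the action= text mimics Explorer's own wording while open= and the rewired shell\open\Command both point at the same executable. A file that only sets icon= and label= is left alone, so the check can run on every drive root without false alarms on vendor CDs.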
 
The scan is finished and here is the log. It found 1 trojan.. Thank you for your timely response and patience.

I don't use the registry cleaner, but the process scanner. However, I use the Tune-up utilities registry cleaner. You don't recommend that also?

What should I do now? I tried to ping the website (it is offline, but the URL is normally accessible, displaying a suspended message) but the request still times out.
 

Attachments

  • kaspersky_report.txt (976 bytes)
I knew there had to be something! I am concerned about the large number of roaming entries- especially on a couple of dates. Some of these files and folders should be hidden> example: c:\users\Public\Roaming> find this folder and do a right click> Properties> check 'Hidden'> Apply> OK

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :
    KillAll
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Program Files\Acer GameZone\Jewel Quest Solitaire\aJewelQuestSolitaire.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Stay away from your website until it's clean. I'm going to ask for some help about the roaming files and will be back on that in a bit. Go ahead and run OTMoveIt.
 
When I changed the Roaming folder to hidden, after a while the system just completely froze!! I had to manually reboot!

I also copied ALL the contents of your attached text in my first attempt in OTMoveIt and again the application froze and I rebooted the system. As a result I now have 2 "dimmed" desktop.ini files and a ~WRL001.tmp file on my desktop. :SS


Do you mean that I should copy ONLY the path within the text you attached??

I did that and the log contents are:

Error: Unable to interpret <C:\Program Files\Acer GameZone\Jewel Quest Solitaire\aJewelQuestSolitaire.exe> in the current context!

OTM by OldTimer - Version 3.1.10.1 log created on 03252010_153434
 
I'm giving you the same instructions for OTMoveIt that I give everyone else. Why didn't you give me the log that resulted?

Please don't blame me for what is happening. You've been sending and receiving a gazillion 'roaming' files!

WRL001.tmp is a Word file and it's a temp file> delete it.
"I also copied ALL the contents of your attached"
I didn't attach anything. I left the script in a code box for you to copy.
 
Oh, I am sorry, but you misunderstood me!! I don't blame you for anything; on the contrary, I appreciate your help! I just requested more detailed instructions, stating what my problem is, because I did not understand the instructions too well, probably because I don't understand what that program does exactly.

Anyway, I got to run the script (I copied all of it, and not just the file path); it became unresponsive for a long time, but I let it run and now I have attached my log.
 

Attachments

  • 03262010_011940.log (5.3 KB)
Before you go any further- did you ever run this? TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

You have a couple of dates with a lot of activity and there are temp files and cache files remaining. This should clean some of them out.

I didn't think my instructions were complicated, but if you are having difficulty following them, perhaps you should do the reformat/reinstall. I never recommend that unless nothing else has worked.
 
Yeah, I have already done this. Well, I am going through with re-formatting, but I thank you for the help and attention shown.

After re-formatting (actually recovering the system with Acer's e-recovery to its original state) is there a chance I will still be infected???

Keep up the good work and thanks again!
 
The system should be clean. BUT if you saved infected files, then put them back on the system, it will reinfect. So be careful.

Sorry we couldn't help more. I'll close this thread, but let us know if you need help in the future.
 