As I understand it, it’s best not to paste the actual link to the actual site to keep it from being clickable, so here it is in a code block:
http://www.wickens.ws
Any help here? I created a portal for myself and friends, and now Avast thinks there’s malware on the site, and all sub-domains.
My webhost WAS hacked, but it looks as if they only created a folder full of spam websites and cgi-scripts, and changed the .htaccess file. I believe I’ve resolved the problem (old version of WordPress installed with everything set to 777), but would like to have my site reconsidered/rechecked. There are several other subdomains that are used by a bunch of other people, so it’s not just affecting me.
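The clean-up the post describes (a world-writable old WordPress tree, a dropped folder of spam pages and CGI scripts, and a rewritten .htaccess) is the sort of thing worth checking mechanically rather than by eye. The script below is an added example, not code from this thread or from any scanner mentioned in it: it builds a throwaway web root in a temp directory shaped like that compromise (all paths and hostnames are constructed) and reports world-writable entries, .htaccess rules that redirect search-engine traffic off-site, and script files dropped outside cgi-bin.

```python
"""Post-compromise audit of a shared-hosting web root.

Added example, not code from the thread or any scanner it mentions. It
creates a constructed web root in a temp dir that mirrors the post
(world-writable WordPress tree, dropped spam folder with a CGI
redirector, rewritten .htaccess) and reports the three things to check.
"""
import os
import re
import stat
import tempfile
import textwrap

# .htaccess patterns typical of SEO-spam kits: redirects keyed on a search
# engine referrer or crawler user-agent, rewrites to remote URLs, and CGI
# handlers enabled in directories that should only serve static content.
SUSPICIOUS_HTACCESS = [
    re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo)", re.I),
    re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot|slurp)", re.I),
    re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
    re.compile(r"^\s*Redirect(Match)?\s+.*https?://", re.I),
    re.compile(r"ErrorDocument\s+\d+\s+https?://", re.I),
    re.compile(r"AddHandler\s+cgi-script", re.I),
]
SCRIPT_EXT = {".cgi", ".pl", ".sh", ".py"}


def world_writable(root):
    """Relative paths whose mode lets 'other' write (0o777, 0o666, ...)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def suspicious_htaccess(root):
    """{relative .htaccess path: [lines matching an injected-rule pattern]}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            bad = [ln for ln in fh.read().splitlines()
                   if any(rx.search(ln) for rx in SUSPICIOUS_HTACCESS)]
        if bad:
            findings[os.path.relpath(path, root)] = bad
    return findings


def dropped_scripts(root):
    """Script files outside cgi-bin; an attacker's redirectors live here."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if "cgi-bin" in os.path.relpath(dirpath, root).split(os.sep):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def audit(root):
    return {"world_writable": world_writable(root),
            "htaccess": suspicious_htaccess(root),
            "scripts": dropped_scripts(root)}


def _write(path, text, mode=0o644):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_webroot():
    """Constructed web root shaped like the compromise in the post."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for d in ("blog/wp-content/uploads", "mortgage", "cgi-bin"):
        os.makedirs(os.path.join(root, d))
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    _write(os.path.join(root, "index.html"), "<html>family portal</html>")
    _write(os.path.join(root, "blog", "wp-config.php"), "<?php // old WordPress\n")
    _write(os.path.join(root, "cgi-bin", "counter.cgi"), "#!/usr/bin/perl\n", 0o755)
    # dropped spam folder: static doorway page plus a CGI redirector
    _write(os.path.join(root, "mortgage", "mortgage.html"), "<html>cheap mortgage</html>")
    _write(os.path.join(root, "mortgage", "in.cgi"),
           "#!/usr/bin/perl\nprint 'Location: http://spam.example/\\n\\n';\n", 0o755)
    # rewritten .htaccess: only visitors arriving from a search engine get bounced
    _write(os.path.join(root, ".htaccess"), textwrap.dedent(r"""
        RewriteEngine On
        RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
        RewriteRule ^(.*)$ http://spam.example/$1 [R=302,L]
        ErrorDocument 404 /index.html
        """).lstrip())
    # the old WordPress tree had been chmod -R 777
    os.chmod(os.path.join(root, "blog"), 0o777)
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, "blog")):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), 0o777)
    return root


if __name__ == "__main__":
    for section, result in audit(build_sample_webroot()).items():
        print(section, result)
```

The referrer-conditioned redirect is the reason the site owner never sees the spam: the rewrite only fires for visitors arriving from a search engine, so browsing the site directly looks clean while Avast and Google see the off-site bounce. On a real host, run this against the real document root and against every subdomain's root, since the post says the same account serves several of them.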
- Registry Values Modified:
Key | Name | New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common AppData | C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | MigrateProxy | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
Ha. I guess let me rephrase: I could only seem to find a folder of files and my .htaccess changed. Nothing more appeared to be affected.
As for the report you linked showing me that it was modifying registry files, I’m not sure that is correct. In trying to figure out what was going wrong, I did a report on google.com and it says that their site is changing dozens more registry entries than mine. Does that mean they are hacked too?
I’m not sure if this is finding false positives or what. I’ve never used the scanner website before.
- Registry Values Modified:
Key | Name | New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common AppData | C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Desktop | C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Documents | C:\Documents and Settings\All Users\Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Start Menu | C:\Documents and Settings\All Users\Start Menu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonMusic | C:\Documents and Settings\All Users\Documents\My Music
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonPictures | C:\Documents and Settings\All Users\Documents\My Pictures
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonVideo | C:\Documents and Settings\All Users\Documents\My Videos
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Directory | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Paths | 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Main | FullScreen | no
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Main | Window_Placement | 0x2c0000000200000003000000ffffffffffffffffffffffffffffffff2c00
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar | Locked | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | ITBarLayout | 0x110000004c00000000000000340000001f00000052000000010000002007
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {01E04581-4EEE-11D0-BFE9-00AA005B4383} | 0x8145e001ee4ed011bfe900aa005b4383100000000000000001e032f40100
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {0E5CBF21-D15F-11D0-8301-00AA005B4383} | 0x21bf5c0e5fd1d011830100aa005b438322001c0008000000060000000100
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVers\Explorer\MenuOrder\Favorites\Links | Order | 0x08000000020000007c000000010000000100000070000000000000006200
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | 0x08000000020000007c000000010000000100000070000000000000006200
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cookies | C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Desktop | C:\Documents and Settings\Administrator\Desktop
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Favorites | C:\Documents and Settings\Administrator\Favorites
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | History | C:\Documents and Settings\Administrator\Local Settings\History
I’d like to resolve it, but I don’t understand the difference between the report that is showing for my site and the one I posted for google. If I could figure out the differences (or how to read the report better), then I’d have a better chance of solving the problem.
Or if you can tell me what it’s doing wrong that would be even better. If my site is still serving up malware or whatnot I definitely don’t want it out there.
Well, like… go, wipe WordPress, install the latest version (properly, not world-writable), restore the DB from a backup which was done before it was infected?
I deleted WordPress yesterday when I started getting the warning. I didn’t need it anymore on the server anyway and haven’t reinstalled it. I was going to start a blog a long time ago, but wound up abandoning that project. So really there’s not much left on the server.
I guess the question is, does Avast do a real-time check on the website, or does it do a database lookup of known malware sites? And if it is getting it from a database, how often do they rescan sites? Or how do I get them to recheck it?
The site is still blocked because of Mal-URL there: htxp://taylor.wickens.ws/
Sucuri scan does not give any hiccups:
Running on: Apache/2.2.11
System info: (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Powered by: PHP/5.2.9
List of links found
mortgage/mortgage.html
htxp://taylor.wickens.ws/weather/fullWeather.php?id=38017
List of javascripts included
…/scriptaculous/prototype.js
…/scriptaculous/scriptaculous.js
The Unmask Parasites report has verdict “suspicious” and 162 hidden external links found.
iFrame scan:
(Level: 0) Url checked:
httx://www.wickens.ws
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
htxp://www.wickens.ws/…/scriptaculous/prototype.js
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
htxp://www.wickens.ws/…/scriptaculous/scriptaculous.js
Blank page / could not connect
No ad codes identified
M86 scan gives an all green now…
Malware could have originated much like this: hxtp://sharecash.org/scriptaculous/src/scriptaculous.js
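The “162 hidden external links” verdict above is the most useful signal in this post: a spam kit that bounces search-engine visitors off-site also stuffs the page with links the owner never sees. The script below is an added example, not Unmask Parasites’ code or anything from this thread. It walks an HTML page with the standard-library parser and reports every off-site `<a>` that sits inside an element a visitor cannot see (display:none, visibility:hidden, the `hidden` attribute, zero font size, or pushed off-screen). The sample page and the spam hostnames in it are constructed; the two wickens.ws URLs are the ones already quoted in the thread.

```python
"""Find hidden external links in an HTML page.

Added example, not the code of any scanner in the thread. Links that
point off-site but live inside an element the visitor cannot see are
almost always injected SEO spam rather than content the owner wrote.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# inline style fragments that make an element (and its children) invisible
HIDING_STYLES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(px|pt|em|%)?(?![.\w])", re.I),
    re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}", re.I),   # -9999px trick
    re.compile(r"(?<![-\w])(height|width)\s*:\s*0(px)?(?![.\w])", re.I),
]
# elements that never get a closing tag, so they must not touch the stack
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _is_hiding(attrs):
    a = dict(attrs)
    if "hidden" in a:
        return True
    return any(rx.search(a.get("style") or "") for rx in HIDING_STYLES)


class HiddenLinkFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []          # one bool per open element: is it hidden?
        self.hidden_links = []   # (href, anchor text) results
        self._current = None     # (href, [text]) while inside a hidden off-site <a>

    def handle_starttag(self, tag, attrs):
        # hidden if any ancestor is hidden, or this element hides itself
        hidden = (self.stack[-1] if self.stack else False) or _is_hiding(attrs)
        if tag in VOID:
            return
        self.stack.append(hidden)
        if tag == "a" and hidden:
            href = dict(attrs).get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host != self.page_host:
                self._current = (href, [])

    def handle_startendtag(self, tag, attrs):
        pass  # <br/> and friends: nothing to push or pop

    def handle_data(self, data):
        if self._current:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._current:
            href, chunks = self._current
            self.hidden_links.append((href, " ".join("".join(chunks).split())))
            self._current = None
        if self.stack:
            self.stack.pop()


def find_hidden_external_links(html, page_url):
    """Return [(href, text)] for off-site links inside invisible elements."""
    parser = HiddenLinkFinder(urlparse(page_url).hostname or "")
    parser.feed(html)
    parser.close()
    return parser.hidden_links


# constructed page: two visible links (one internal, one off-site) and four
# spam links the visitor never sees; the internal link in <span hidden> is
# deliberately not reported because it points at the page's own host
SAMPLE_HTML = """
<html><body>
<h1>Family portal</h1>
<p>Weather: <a href="http://www.wickens.ws/weather/fullWeather.php?id=38017">forecast</a></p>
<p>Library: <a href="http://script.aculo.us/">script.aculo.us</a></p>
<div style="display:none">
  <a href="http://spam-one.example/loans">cheap loans</a>
  <a href="http://spam-two.example/pills">buy pills</a><br/>
</div>
<div style="position:absolute; left:-9999px"><a href="http://spam-three.example/">casino</a></div>
<span hidden><a href="http://www.wickens.ws/about.html">about</a></span>
<p style="font-size:0"><a href="http://spam-four.example/x">seo</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text in find_hidden_external_links(SAMPLE_HTML, "http://www.wickens.ws/"):
        print(href, "->", repr(text))
```

Run it against the HTML actually served to a search-engine user-agent and referrer, not the copy in the FTP tree: the kits that rewrite .htaccess often serve the spam only to crawlers, which is why the owner's own browser and a scanner can disagree. The parser assumes reasonably well-formed markup (unclosed tags would misalign the hidden/visible stack) and only reads inline styles, so links hidden through an external stylesheet or JavaScript need a rendered-DOM check instead.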
Thanks Polonus. I’ve removed the …/ in front of the scriptaculous scripts listed below. So hopefully that shouldn’t be a problem with it anymore. I tried running my site on the Sucuri website, but I couldn’t seem to find anywhere to paste it. Must be a paying member?
And doktor, Scriptaculous/Prototype are famous JavaScript libraries in the web programming world. It’s a lot like jQuery, if you’ve heard of it. http://script.aculo.us/