Illicit Scripts Appending to Web Files (also gifimg.php)

Post by 93octane » October 27th, 2009, 4:04 pm

Something is running on my machine that is appending scripts to several file types including htm, html, js, asp and aspx. It is also dropping a file named "gifimg.php" in all my /images directories with a "base64_decode" string.

So far it has happened three times this month. It does not affect every file (of those types) on my machine.

Thank you very much for looking into this for me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:59 PM, on 10/27/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
g:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINNT\system32\hidserv.exe
G:\Program Files\LeadsDriver Service\LeadParser.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logon.scr
C:\WINNT\MICROS~1.NET\FRAMEW~1\V11~1.432\aspnet_wp.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
G:\Program Files\FileZilla Server\FileZilla Server Interface.exe
G:\Program Files\HomeSite 5\HomeSite5.Exe
C:\WINNT\explorer.exe
G:\Programs.lib\HijackThis\HijackThis.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
C:\WinZip\winzip32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "g:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-21-1133392371-230126130-188114923-1004\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8415F3DE-78CB-4AD4-95D9-91A41F1CD636}: NameServer = 64.39.2.170,64.39.2.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A861A21-F26B-4230-8235-82A6B590CB23}: NameServer = 64.39.2.170,64.39.2.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{8415F3DE-78CB-4AD4-95D9-91A41F1CD636}: NameServer = 64.39.2.170,64.39.2.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{8415F3DE-78CB-4AD4-95D9-91A41F1CD636}: NameServer = 64.39.2.170,64.39.2.138
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - g:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Lead Parser - Unknown owner - G:\Program Files\LeadsDriver Service\LeadParser.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 4282 bytes
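The symptoms in the post above (script blocks appended to htm/html/js/asp/aspx files, plus a gifimg.php containing base64_decode dropped into every images directory) are easy to triage with a small scanner before anything is cleaned. The following is an added example written for this page, not code from the thread or from any tool the posters used. It walks a web root, flags three things that match the description, and builds its own throwaway sample tree so it runs offline: the file names, the `</html>` followed by `<script>`/`<iframe>` pattern, the `document.write(unescape(` pattern for .js files, and the `base64_decode(` check are all assumptions made for illustration, not signatures taken from the original infection.

```python
"""Triage scanner for the injection pattern described in the post:
scripts appended to web files and base64_decode PHP droppers in images/.
Added example; the sample web root below is constructed, not real data."""
import os
import re
import tempfile
from pathlib import Path

# File types the post says were modified, plus .php for the dropper.
WEB_EXTENSIONS = {".htm", ".html", ".js", ".asp", ".aspx"}
PHP_EXTENSION = ".php"

# Assumed patterns for illustration (not signatures from the thread):
# 1. a <script> or <iframe> that starts only after the document already closed
APPENDED_SCRIPT = re.compile(r"</html>\s*<(script|iframe)\b", re.IGNORECASE | re.DOTALL)
# 2. the classic obfuscated writer used by injected .js payloads
JS_UNESCAPE_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)
# 3. a PHP file that decodes base64 at runtime
BASE64_DECODE = re.compile(r"base64_decode\s*\(", re.IGNORECASE)


def inspect_file(path: Path) -> list[str]:
    """Return a list of findings for one file; empty list means nothing matched."""
    findings: list[str] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    suffix = path.suffix.lower()
    if suffix in {".htm", ".html", ".asp", ".aspx"} and APPENDED_SCRIPT.search(text):
        findings.append("script/iframe appended after </html>")
    if suffix == ".js" and JS_UNESCAPE_WRITE.search(text):
        findings.append("document.write(unescape(...)) in .js file")
    if (suffix == PHP_EXTENSION and path.parent.name.lower() == "images"
            and BASE64_DECODE.search(text)):
        findings.append("php with base64_decode in images directory")
    return findings


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk the tree and map relative path -> findings for every suspicious file."""
    results: dict[str, list[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in WEB_EXTENSIONS or p.suffix.lower() == PHP_EXTENSION:
                found = inspect_file(p)
                if found:
                    rel = str(p.relative_to(root)).replace(os.sep, "/")
                    results[rel] = found
    return results


def build_sample_webroot() -> Path:
    """Create a temporary tree mimicking the post's symptoms (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "images").mkdir()
    (root / "clean.html").write_text("<html><body>hello</body></html>\n")
    (root / "infected.html").write_text(
        "<html><body>hello</body></html>\n"
        "<script src='http://example.invalid/x.js'></script>")
    (root / "images" / "gifimg.php").write_text(
        "<?php eval(base64_decode('aGVsbG8=')); ?>")
    (root / "images" / "logo.php").write_text("<?php echo 'ok'; ?>")  # benign control
    (root / "app.js").write_text(
        "function f(){}\ndocument.write(unescape('%3Cscript%3E'))")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, reasons in sorted(scan_webroot(sample_root).items()):
        print(f"{rel_path}: {'; '.join(reasons)}")
```

Point it at a real web root with `scan_webroot(Path("C:/inetpub/wwwroot"))` and review the hits by hand before deleting anything; a match on these loose patterns is a lead, not proof. The more important caveat is the one the post itself hints at: the injection recurred three times in a month, so cleaning the files without finding the write path only buys time. The HijackThis log shows an FTP server (FileZilla Server) and IIS running on the same machine, so every account that can write to the web root, whether through FTP, the console, or the web application, is a candidate path and should have its credentials rotated once the machine is trusted again.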

Re: Illicit Scripts Appending to Web Files (also gifimg.php)

Post by Dakeyras » October 30th, 2009, 7:09 pm

Hi. :)

Is this computer used for business use and/or personal use only?

Re: Illicit Scripts Appending to Web Files (also gifimg.php)

Post by 93octane » October 30th, 2009, 10:48 pm

Yes, this computer is used for business use and/or personal use only. Thanks for helping. :)

Re: Illicit Scripts Appending to Web Files (also gifimg.php)

Post by NonSuch » October 31st, 2009, 11:17 pm

The Malware Removal room is provided in order to help those in need of assistance with their personal computers. This service is free and it is provided by forum volunteers. We do not provide assistance in cleaning corporate computers, or personal computers that are used for business purposes.

As this issue involves either a company owned machine or a machine that is used for business purposes, it falls outside the scope of this forum. Therefore, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal