
Infection Cleaned but appearing again



hello there

i am going insane since yesterday with this issue. basically when i visit my website - sorry guys it's a porn website [site removed by moderator] - if that's a problem for you i am sorry, but i can assure you that it's 100% clean since I MADE IT, and in fact that is what drives me nuts, since at this point i am not sure whether its database has been hacked or anything... basically when i visit the site, it loads a little and then i get a warning from McAfee that an applet has been downloaded and a malicious script (java i guess) has been detected, but of course it can't stop it, and then it just restarts the computer, and on the next restart it's right there and i get the trojan installed and it tells me that my computer is infected and all bla bla bla... anyway the applet is called "maniman".

now when i run Malwarebytes, it gets the infection and cleans it, but EVERY TIME i go to my website, i catch it again... now the thing is that i had the site checked by friends and they didn't have problems, so i guess that it's a problem of my local machine??

this is the report of the scan after cleaning:

Malwarebytes' Anti-Malware 1.24

Database version: 1030

Windows 5.1.2600 Service Pack 3

8.15.27 07/08/2008

mbam-log-8-7-2008 (08-15-25).txt

Scan type: Quick Scan

Objects scanned: 42649

Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\karina.dat (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\winivstr.exe (Rogue.Installer) -> No action taken.

C:\Documents and Settings\Gabrio\Local Settings\Temporary Internet Files\Content.IE5\I6NDXU2R\Install[1].exe (Rogue.Installer) -> No action taken.

C:\WINDOWS\system32\buritos.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.

C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\buritos.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\Gabrio\Local Settings\Temp\us0105.exe (Trojan.Agent) -> No action taken.

can anybody help me a little bit? this is frustrating as i need to work with this machine

i have been trying some online scans as well

thanks!

Gabrio

Edited by JeanInMontana
Links to malicious site with child porn links.

First get that site offline, before you infect a bunch of other people. It definitely has a malicious JavaScript injected. My Avira goes off just using vURL to dissect the site. It gives an IFrame compromise: JS/Dldr.Iframe.BY. Most likely you are reinfecting yourself every time you go there. Take it down now. I can't post the entire code for the site; it's too long.

Then follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936

This link shows the site HTML dissection and the JavaScript location: http://vurl.mysteryfcm.co.uk/?url=http://w...&selUAStr=4

Headers:

Date: Thu, 07 Aug 2008 12:49:29 GMT

Server: Apache

X-Powered-By: PHP/4.4.7

Keep-Alive: timeout=5

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html


well i ran lots of checks and the code is clean. then i upgraded my computer to IE7 and the problem disappeared. i had the site's scripts checked and they are clean; in fact i got the malicious code showing in the code, BUT only when loading the site and then checking the TEMP files... if i check the code i have here on my hdd (that i load onto the server) it's 100% clean. so what i want to say is that i am almost 99% sure that it was a flaw of IE6 which was triggered with my website for some reason, but the site itself is clean, or they must have hacked the script, but that's most likely not the case since after running IE7 i am now fine.

i found out that there was a script in the code but ONLY when i was still infected, let me paste this... i have ONLY seen this when i was infected...

so tech people on this? on the website there is one script that rotates the thumbs (smart thumbs) and one script that manages traffic (Arrow trader lite III)

post-3163-1218120405_thumb.jpg


Edited by JeanInMontana
Remove quote
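
The check described in the posts above (the copy on disk is clean, but the page as served carries an extra iframe or script) can be automated by diffing the active elements of the two copies. This is an added example, not part of the original thread; the sample pages, the `/js/thumbs.js` path and the `injected.example.invalid` host are constructed.

```python
from html.parser import HTMLParser

# Tags that can load or execute content from another origin.
WATCHED = {"script", "iframe", "applet", "object", "embed"}

class ActiveContent(HTMLParser):
    """Collect watched tags with their attributes and any inline script body."""
    def __init__(self):
        super().__init__()
        self.found = []          # entries: [tag, attrs, inline_body]
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in WATCHED:
            self.found.append([tag, {k: v or "" for k, v in attrs}, ""])
            self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.found[-1][2] += data

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return [(t, a, a.get("src") or a.get("code") or body.strip())
            for t, a, body in parser.found]

def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def injected(local_html, served_html):
    """Active elements present in the served page but absent from the local source."""
    known = {(t, ident) for t, _, ident in active_content(local_html)}
    return [{"tag": t, "ident": ident, "hidden": is_hidden(a)}
            for t, a, ident in active_content(served_html) if (t, ident) not in known]

# Constructed sample: the copy kept on disk versus what the server returned.
LOCAL = '<html><body><script src="/js/thumbs.js"></script><p>gallery</p></body></html>'
SERVED = ('<html><body><script src="/js/thumbs.js"></script><p>gallery</p>'
          '<iframe src="http://injected.example.invalid/" width="1" height="1"></iframe>'
          '<script>/* constructed stand-in for an obfuscated loader */</script>'
          '</body></html>')
```

Any element reported by `injected(LOCAL, SERVED)` was added somewhere between the uploaded source and the browser, which points at the server, a template or database field, or a script that emits markup at request time. Fetch the served copy with more than one User-Agent before concluding the site is clean, since the dissection link in the thread also selects a user-agent string.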

and for the note i just did a HJT and i found these, so i still had some minor stuff, deleted now:

O20 - AppInit_DLLs: karina.dat

O20 - Winlogon Notify: wvUkHWMG - wvUkHWMG.dll (file missing)

i remember this KARINA.DAT from the previous cleaning.... jeesus
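
The detection lines from the two logs posted in this thread can be cross-checked to see which autostart values were reported, which items the scan log records as not acted on, and which flagged files the later HijackThis log still references. This is an added example, not part of the original thread; the function names are hypothetical and the sample lines are copied from the logs above.

```python
import re

# Malwarebytes detection line: "<item> (<detection name>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> (?P<action>.+?)\.$")
# HijackThis O20 line: AppInit_DLLs value or a Winlogon Notify subkey and its DLL.
HJT_O20 = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")

def leaf(path):
    """Last path component, lower-cased (file name or registry value name)."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_mbam(text):
    rows = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            up = m["item"].upper()
            is_run = up.startswith("HKEY_") and "\\CURRENTVERSION\\RUN\\" in up
            rows.append({"item": m["item"], "name": m["name"], "action": m["action"],
                         "kind": "run-value" if is_run else "file"})
    return rows

def parse_hjt(text):
    rows = []
    for line in text.splitlines():
        m = HJT_O20.match(line.strip())
        if m:
            module = m["rest"].split(" - ")[-1].split(" (")[0]
            rows.append({"kind": m["kind"], "module": module.lower(),
                         "missing": "(file missing)" in m["rest"]})
    return rows

def triage(mbam_text, hjt_text):
    detections = parse_mbam(mbam_text)
    flagged_files = {leaf(d["item"]) for d in detections if d["kind"] == "file"}
    return {
        "not_removed": [d["item"] for d in detections if d["action"] == "No action taken"],
        "run_values": sorted({leaf(d["item"]) for d in detections if d["kind"] == "run-value"}),
        "still_referenced": [h for h in parse_hjt(hjt_text) if h["module"] in flagged_files],
    }

# Sample lines copied from the logs posted in this thread.
MBAM_SAMPLE = r"""C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken."""
HJT_SAMPLE = r"""O20 - AppInit_DLLs: karina.dat
O20 - Winlogon Notify: wvUkHWMG - wvUkHWMG.dll (file missing)"""
```

On these lines `triage` reports `karina.dat` under `still_referenced`: the AppInit_DLLs value still names a file the earlier scan flagged, so that load point has to be cleared as well as the file.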
