[Richiiee]

Sorry if this isn't the right place to post this, I wasn't sure if this was more of a malware problem or a web problem.

Google Chrome says malware is detected on my website whenever I try to go to a certain link. It's weird because it came out of no where. It was fine about a week ago, and I haven't updated my website since then. I'm not sure if it's actually been infected somehow or if it's a glitch with Google Chrome. I tried using CCleaner to clean out everything but it still says there's malware and that I should proceed under my own risk. I use Webpage Maker to update my website and put it online. The website is Edit:link removed , and I get the malware message when I try to click on the Personal Portfolio or Corporate Portfolio links, but the homepage and the About Me pages are fine. What should I do? Thanks.

Edited by dsenette, 13 May 2010 - 07:47 AM.

[Advertisements]

Richiiee-

I just checked out the link using Chrome- it looked clean to me. I suggest taking a look at the Malware and Spyware Cleaning Guide. This will help you disinfect the majority of malicious software from your system. If that doesn't solve your problem, post a new thread in the Virus, Spyware and Trojan Removal Forum.

If you are still having problems after being given a clean bill of health from the malware expert, then please return to this thread and we will pursue other options to help you solve your current problem(s).

Sweet av, by the way

[FNP]

Richiiee-

I just checked out the link using Chrome- it looked clean to me. I suggest taking a look at the Malware and Spyware Cleaning Guide. This will help you disinfect the majority of malicious software from your system. If that doesn't solve your problem, post a new thread in the Virus, Spyware and Trojan Removal Forum.

If you are still having problems after being given a clean bill of health from the malware expert, then please return to this thread and we will pursue other options to help you solve your current problem(s).

Sweet av, by the way

[Johanna]

It's not clean.


Trojan is Win32/Hiloti.gen!D
Resources:
process:
pid:728

process:
pid:2380

process:
pid:3320

regkey:
HKCU@S-1-5-21-3139282774-3364285784-4112529749-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Wyucutowu

regkey:
HKCU@S-1-5-21-3139282774-3364285784-4112529749-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Osajifi

runkey:
HKCU@S-1-5-21-3139282774-3364285784-4112529749-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Wyucutowu

runkey:
HKCU@S-1-5-21-3139282774-3364285784-4112529749-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Osajifi

file:
C:\Users\Johanna\AppData\Local\qlecfc.dll

file:
C:\Users\Johanna\AppData\Local\oxogesag.dll

I don't have permission to remove the bad link from the OP.
Johanna

Edited by Johanna, 12 May 2010 - 06:30 PM.

[FNP]

Well, take my foot and shove it in my mouth. It is. The first time I went to the URL, and it was fine. Clicking on link sent my avast! into shouting-at-me-mode.

[Richiiee]

So, what's next? If I make a thread about being infected, that will only help me clean my computer, won't it? I don't want anybody else who goes to my website to get infected with it so I want to find out how to clean my website too. (Already tried deleting every single file off my FTP account and re-uploading them by the way).

Edited by Richiiee, 15 May 2010 - 05:40 PM.

[Johanna]

Well if you downloaded and deleted the files off the server, then uploaded the same files, of course the problem exists still if it's in your files. You need to check your files or any third party material your site is using. If everything seems ordinary, you need to contact your webhost. The problem may exist on their level.
Johanna

[xmephistox]

Is this fixed?

The problem sometimes originates from a trojan on your PC, that will use your ftp login to upload modified and infected files.
Usually they add encoded/encrypted javascript that connects to the malware sites infecting your visitors.
It is just one line usually loading an external javascript.
The only way to get rid of this is to get your PC clean first.
You also better change your ftp password ASAP because that has been compromised.
And if your ftp program has the option to password protect the logins/site manager then better do so.
After your PC is clean, and certified to be clean, you should go through all your site's file and remove the javascript manually.
Pretty tedious. Just be careful that you do this while offline if you want to check the pages in a browser.
The javascript itself is harmless, I mean it is not a trojan or anything.
It just downloads trojans from other sources. If you're offline it can't.
So you can just remove it.
Just look for any javascript you didn't add yourself and delete it.
Just reuploading your files is not gonna solve it, you have to check each and every one of them.

It might be a good idea to talk to your host and ask if they have been hacked recently, that's another way in which this spreads.

I didn't see your site so I have no idea what it is, html, php or whatever. If you're running Wordpress or any other CMS get the latest update before reinstalling.

And be careful with what advertising services you use, a lot gets spread via those via javascript or via flash.
Some of them promise a lot and deliver even more!

Edited by xmephistox, 07 June 2010 - 11:54 PM.