Newbie
Robertmchenry
Posts: 1
Registered: ‎05-12-2010

Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

Need some assistance please.

I have a web site hosted by GoDaddy.com. Starting around December I started getting alerts from my Norton products that a malicious JavaScript encoder 5 was detected on my site. I signed up with Norton Safe Web and Safeweb also states I have the malicious JavaScript Encoder 5.

 

I subscribed to Google's Webmaster Tools and it tells me the site is clean! Where do I go for help? No one can tell me where this JavaScript is located! GoDaddy is basically telling me it's my issue, not theirs. Googling the issue does not give me ANY solutions. Just a lot of talk about it.

 

Where can I find additional assistance? I would think that Symantec would have some type of product that could scan the site & tell me what files have the JavaScript.

 

Thanks All

floplot
Posts: 9,952
Topics: 200
Kudos: 1,892
Solutions: 354
Registered: ‎04-11-2009

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

Hello Robertmchenry

 

Welcome to the Norton Users Discussion Forum

 

Do you have the latest Java installed on your computer? I would suggest emptying out the Java cache and temp files, which can be found when you click on the Java icon in the Control Panel. I would suggest deleting all your Java on your computer and then getting a clean fresh install of Java. Java is updated quite often for security reasons.

 

After you do that, I would do a quick scan with the free version of Malwarebytes and see if that comes up clean. Once your computer is clean, then others can help with getting your website to be clean also.

 

Download the free version, install and update then run a FULL scan. After the scan completes you should post the logs back to this thread.

You can find Malwarebytes here

http://www.filehippo.com/download_malwarebytes_anti_malware/

It is a safer location to get the program from than Malwarebytes themselves because some malware creators have large lists of sites that they block. Please be careful to download the correct program: the FREE version of MALWAREBYTES

(Thanks to Delph for providing the alternative site)

 

Please come back and let us know how you made out. Thanks

Success always occurs in private and failure in full view.




delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

This software was recommended on another forum by a person with a similar issue. He/she recommended the free trial. It is not software that I am familiar with and the website shows as untested. Do a bit of research on it.

 

http://www.gamasec.com/Gamascan.aspx

 

 

https://www.gamasec.com/gsf/FreeTrial.aspx

 

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
PC_confused
Posts: 826
Topics: 111
Kudos: 119
Solutions: 26
Registered: ‎03-21-2009

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

 floplot - If the poster is considering removing and reinstalling Java, they might want to scan their system for old versions of Java, that might not have been removed when installing newer versions.  I used the uninstall feature, to remove Java, and after running a free Online Software Inspector, it found there were still 5 old versions of Java on my PC.  I had to manually delete those old folders.  Then I downloaded and installed the latest version. 

Windows 7 Home SP1 - IE 9.0.8112.16421 - NIS 2012 19.9.1.14 - Ghost Ver 15.0.1.36526 - Dell Optiplex GX280 PC.
Norton Fighter
mdturner
Posts: 5,308
Registered: ‎04-11-2008

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?


PC_confused wrote:

 floplot - If the poster is considering removing and reinstalling Java, they might want to scan their system for old versions of Java, that might not have been removed when installing newer versions.  I used the uninstall feature, to remove Java, and after running a free Online Software Inspector, it found there were still 5 old versions of Java on my PC.  I had to manually delete those old folders.  Then I downloaded and installed the latest version. 


It is worth looking at the post, regarding version removal, from SendOfJive here

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Four-new-Trojans-found-today/m-p/2303...

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone

floplot
Posts: 9,952
Topics: 200
Kudos: 1,892
Solutions: 354
Registered: ‎04-11-2009

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

Hello PC_confused

 


 I would suggest deleting all your Java on your computer


That is what I meant when I said to delete all your Java on your computer. All includes any older versions which may still be lurking around. But thanks for stating it more clearly than I did.





Visitor
WeWatch
Posts: 1
Registered: ‎05-13-2010

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

GoDaddy, Bluehost, Network Solutions and many other hosting providers just went through a vicious round of website hackings on their shared servers, but if yours goes back to December, it may be that the "back-door" was never removed from your site.

 

Many websites are infected by stolen FTP login credentials (username and password). These are stolen by viruses on PCs that are used for FTP access to the website.

 

Often times people use free FTP software. A program like FileZilla is real popular with website owners. It's free and it's easy. However, when you look "under the hood", you'll see that it comes with a price. If you have FileZilla on a Windows XP PC, look in: C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml (the user might be administrator or whatever user was used to install the software).

 

Inside that file you'll see the FTP address, FTP username and FTP password - all in plain text. When a PC gets a virus/trojan, one of the first things it does is look for that file. Keep in mind that FileZilla isn't the only program that stores this information in plain text, but it is one of the most popular so I used it here as a point of reference.

 

When the virus finds this file, it reads it and sends the contents to a server. When the server gets this information, it logs into the website, downloads some files, infects them and then uploads back to the website. Often times we've seen where the server will monitor the website for the infection. If it's removed, the server will try to login again with the same credentials and re-infect the website.

 

The virus that steals this information also "sniffs" the FTP traffic, and since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the information that way as well. I have a video on YouTube that shows how easy it is to see the FTP username and password: http://www.youtube.com/watch?v=oYI1kssrrbc

 

When the server uploads the infected files to the website, many times it will also upload some backdoors that allow the website to be re-infected after the FTP passwords have been changed. These backdoors are frequently .php files and usually include the string eval(base64_decode(...

 

Most of the time we find these in the images folders and frequently it's called: gifimg.php. We have a blog post about this: http://www.wewatchyourwebsite.com/wordpress/?p=278

 

Another infectious file we find frequently is: mailcheck.php. We usually find this one in the root of the website.

 

If you have a Wordpress, Joomla, Drupal, or other such blog or CMS based website, finding the malscripts might be a little more challenging, but if you download your entire website to your PC you can use a tool like grepWin (it's free), to remove the malscripts once you identify them.

 

As far as identifying the malscripts, hackers will usually place the code in common places. For instance, we usually find it in one of the following places:

 

  1. Before the opening html tag (yes this works)
  2. Before the closing head tag
  3. Between the closing head tag and the opening body tag
  4. Immediately after the opening body tag
  5. Between the closing body tag and the closing html tag
  6. After the closing html tag. Sometimes many blank lines separate the closing html tag and the malscript

In .js files, it's usually found as the last line or lines and may include document.write as the first part of the malscript.

 

In .php files we usually find the malscript in an echo statement or just in script tags.

 

When you find the malscript you will probably find it in many other files for your website as well. That's why using grepWin will help you find and remove the malscript. You may have trouble using regex lines, but it's worth the educational effort in my opinion. If you find the malscript and need help with the regex line, post back here and I'll help you out.

 

Also, use grepWin to scan all files for the string: eval(base64_decode. You can use this regex to find files that include that string: eval\(base64_decode\( 

 

Notice, all you have to do is escape the parentheses.

 

Let me know if this helps.

 

Thank you.
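
The checks described in the post above, as an added example that is not part of the original post: a Python scanner for a downloaded copy of a site that flags the `eval(base64_decode(` marker, script tags outside the html element (locations 1 and 6 in the list), and .js files whose last line starts with document.write. The function names and the sample file contents are constructed for illustration.

```python
import os
import re

# Markers named in the post; whitespace between tokens is tolerated.
BACKDOOR = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
SCRIPT = re.compile(rb"<script\b", re.I)
HTML_OPEN = re.compile(rb"<html\b", re.I)
HTML_CLOSE = re.compile(rb"</html\s*>", re.I)

def scan_bytes(name, data):
    """Return the findings for one file, given its name and raw bytes."""
    ext = os.path.splitext(name)[1].lower()
    found = []
    if BACKDOOR.search(data):
        found.append("eval(base64_decode(")
    if ext in (".html", ".htm", ".php"):
        opened = HTML_OPEN.search(data)
        if opened and SCRIPT.search(data, 0, opened.start()):
            found.append("script before <html>")
        closes = list(HTML_CLOSE.finditer(data))
        if closes and SCRIPT.search(data, closes[-1].end()):
            found.append("script after </html>")
    if ext == ".js":
        lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
        if lines and lines[-1].startswith(b"document.write"):
            found.append("document.write on last line")
    return found

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                found = scan_bytes(name, fh.read())
            if found:
                report[os.path.relpath(full, root)] = found
    return report

# Constructed sample files (contents made up); demo() scans them in memory.
SAMPLES = {
    "index.html": b"<html><body>hi</body></html>\n\n\n<script>/*x*/</script>",
    "images/gifimg.php": b"<?php eval(base64_decode('Li4u')); ?>",
    "js/menu.js": b"function m(){}\ndocument.write('<!-- x -->');\n",
    "about.html": b"<html><head><script src='a.js'></script></head></html>",
}

def demo():
    return {n: f for n, b in SAMPLES.items() if (f := scan_bytes(n, b))}
```

Run `scan_tree()` on the folder the site was downloaded to. Findings are leads for manual review, since a legitimate .js file can also end in document.write.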

 

delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: Need direction for issues with Malicious Javascript Encoder 5 on my webserver, What next?

Fantastic post WeWatch.  Thanks for providing so much good information. It is greatly appreciated to hear from someone knowledgeable in the ways of websites.
