Windows Antivirus has hijacked my life!


jpcook
09-25-2008, 04:29 PM
Three weeks ago:
Fake "anti-virus" scanning screens appeared.

"Windows Antivirus"
"Windows XP-Antivirus 2009"
"Windows XP-Antivirus 2008"

and when they do they hijack any browser I use, i.e. IE6, Opera, Maxthon, FFox.
I have to kill the application in order to be free.

This happens only when I go to one of my joomla sites as Admin and only after I've changed something and applied it.

http://www.efinancialharmony.com/Administrator/

In this case I attempt to change the password for Admin to something else. I hit APPLY and up comes online-vr-scanner.com with "Windows XP-Antivirus 2008".

I spent 2 weeks with Castlecops and ran everything known to man.

So, I install fresh Joomla 1.5.(latest) or 1.15 in a new subdirectory of my site and get the same results.

I've compared the code installed to uninstalled and can't find a difference that would account for a virus.
I've looked for bad javascript and find none.

I can't tell if I'm infecting my site with my browser or if I'm getting infected by my site.
My original /pp Joomla 1.015 was installed by downloading the gzip file to my Window$ system, uploading it, unpacking it, and then running /pp/install. The weak link here is my box.

Now to eliminate that (my box having a virus that somehow messes with .gzip, .zip or ftp or who knows what else…) I nuked the public_html/pp directory on the server where I had Joomla 1.015 installed and installed two new Joomla 1.5s in public_html/pps and public_html/hs. Different version, different directories. But both are sub directories off the public_html so..hmmm.. I’ll install it on a different server with a different host.

Anyone going to the site can generate the error. So it’s not just the back end.

My worst fear is that I can infect someone’s browser with a virus by them connecting to my site. Then somehow their system infects others. I’m not smart enough to know what I’m talking about.
So, I downloaded to my pc the latest versions of Joomla, 1.0.15 and 1.5.7. I took note of the md5 hash from the Joomla website. I verified my files with md5 and they were identical. I then used my control panel from Bluehost to upload from my pc to the web server, both files to a new directory under public_html. As a sanity check I then downloaded them from the web server to my pc via coreftp and then re-verified the md5 hash.

I then let the electrons rest while I did too. In the morning, using IE6, I go to Bluehost's login, enter my domain and password, go into the control panel on the host, and uncompress the zip file for 1.5.7 into public_html/j157pp. Now, I want to go back to the control panel so I use Opera to bring up http://www.efinancialharmony.com:2082 and I'm taken to kav-online-checker.com/1/?id=20586 and hijacked. (opera hijack.png attached)

Being the sleuth I am, I kill the Opera application, bring up FireFox, Google "Bluehost", click on Bluehost and then login to the control panel and am hijacked immediately and with much more color and scarier messages. (fire fox hijack.png attached)

I run CCleaner (most recent). Bring up IE6 and clean out the cookies and cache and change my home page from http://www.google.com to http://www.ask.com. CCleaner again. IE6 navigate to control panel and it's fine. Just installed Joomla 1.5.7 in a new public_html/j157pp.

Now, I'm afraid of using my computer to access the site for fear that somehow I'll transmit the bug.

Help?
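A defender-side version of the comparison described in this post (installed code against a pristine release, plus a look for injected JavaScript), written as an added example rather than anything from the thread or from Joomla. It generalizes the eyeball diff to a hash comparison of two directory trees and then inspects changed or unexpected files for the redirect hostnames quoted in the thread; the file names and contents in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Redirect hosts quoted in the thread; a reference to any of them inside the
# site's own files would point to injected content rather than an infected PC.
SUSPECT_HOSTS = ("online-vr-scanner.com", "kav-online-checker.com",
                 "antivirus-fullscan.com", "securetds.ws")
# Common injection shapes: zero-size iframes and obfuscated script/PHP evals.
INJECT_RE = re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0"
                       r"|(?:document\.write|eval)\s*\(\s*(?:unescape|base64_decode)", re.I)

def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def tree_digests(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(pristine: Path, deployed: Path) -> dict:
    """Files changed, removed or unexpectedly present in the deployed copy."""
    good, live = tree_digests(pristine), tree_digests(deployed)
    return {"modified": {f for f in good if f in live and good[f] != live[f]},
            "missing": set(good) - set(live),
            "added": set(live) - set(good)}

def scan_for_injection(path: Path) -> list:
    """Suspect hosts and injection patterns found in one text file."""
    text = path.read_text(errors="replace")
    return ([h for h in SUSPECT_HOSTS if h in text.lower()]
            + [m.group(0) for m in INJECT_RE.finditer(text)])

def demo() -> dict:
    """Constructed scenario: index.php gained a hidden iframe, images/x.php appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "pristine"), Path(tmp, "deployed")
        for root in (good, live):
            root.mkdir()
            (root / "index.php").write_text("<?php echo 'site'; ?>\n")
        with (live / "index.php").open("a") as f:  # simulated injection
            f.write('<iframe src="http://securetds.ws/soft.php" width=0 height=0></iframe>\n')
        (live / "images").mkdir()
        (live / "images/x.php").write_text("<?php eval(base64_decode('...')); ?>\n")
        report = compare_trees(good, live)
        report["injected"] = {f: scan_for_injection(live / f)
                              for f in report["modified"] | report["added"]}
        return report
```

Run against a freshly unpacked release tarball and the live web root; anything in "modified" or "added" that also has injection hits is where to look first.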

jpcook
09-25-2008, 04:31 PM
today I was hijacked by ONLINE-VR-SCANNER.COM

Domain Name: ONLINE-VR-SCANNER.COM
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.ONLINE-VR-SCANNER.COM
Name Server: NS2.ONLINE-VR-SCANNER.COM
Status: ok
Updated Date: 17-sep-2008
Creation Date: 17-sep-2008
Expiration Date: 17-sep-2009

These guys are in Russia.

This is apparently not a new problem.

Any suggestions?

jpcook
09-25-2008, 04:32 PM
I'm going to another computer now.
Some interesting information seems to point out that this is not a new problem and apparently some out there know about it.

http://voices.washingtonpost.com/securi ... major.html
http://msmvps.com/blogs/spywaresucks/

What's worse is that it states that once his pc was infected it took him two days to fix it!!

jpcook
09-25-2008, 04:34 PM
This is the latest one.

jpcook
09-25-2008, 04:36 PM
Domain Name: KAV-ONLINE-CHECKER.COM
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.KAV-ONLINE-CHECKER.COM
Name Server: NS2.KAV-ONLINE-CHECKER.COM
Status: ok
Updated Date: 19-sep-2008
Creation Date: 19-sep-2008
Expiration Date: 19-sep-2009

REGTIME LTD is Russian

jpcook
10-10-2008, 05:15 PM
Dear Joe,

Ya, I'm still a hostage.
BlueHost support says it's an infection on my PC.
CastleCops say it's on the host.
Can I really be the only one on this planet with this issue?

May I cry on your shoulder?

----------
Antivirus-fullscan.com (Antivirus 2009) has taken over my life as I knew it.

I cannot access the home page of my website from my computer because AV2009 takes my browser. I have to kill the IE process to get out.
I've been working for weeks trying to rid my system of this while trying to keep work coming in. I'm dead in the water.
---------
OS - WinXP-SP2
BROWSERS - IE6-> IE7, Opera, Maxthon, FireFox all current as of three weeks ago.
ISP - Comcast
HOST - Bluehost
SITES - Joomla 1.5.7 (new installations, nothing of value)
URLS - efinancialharmony.com/pp1 (pp and pps) (new installations, nothing of value)
Marriage - on the rocks
-------------
Symptoms:

• In the beginning, a month or more ago, I would be working on the back end of Joomla (efinancialharmony.com/pps/administrator) when I would get a popup telling me that I had viruses. Behind the popup there would be a blue window showing something was being downloaded or scanned. I don’t ever recall having clicked on it. To regain control of the browser I have to kill the process.

• I’ve gone through all the procedures that a variety of sites recommend, i.e. Castlecops, Bleeping, etc. and I still am hijacked. I’ve installed many scanners, had scans done, etc. During this time however, the presentation of AV2009 has changed, that is at times it was Win XP Antivirus then Antivirus 2008 then Antivirus 2009. I have screen captures of several and I can send them if it would help. I am attaching the current version as Presentation AV2009.png. I don’t know whether the changing of the presentation is due to morphing or reinfection or infection by visiting my site or just a series of infections.

• When hijacked, IE7 redirects me from my site to (attached: IE address for AV.png)

hxxp://antivirus-fullscan.com/2009/1/en/freescan.php?id=880147&user=147

• Installing ZoneAlarm has allowed me to see the hundreds of attempts to access my computer from IP addresses around the world hitting on different ports. Attached AZ port scan.png.

• ActiveX controls shows one as:
WscanCtl. Class (Not Verified) CA ActiveX Control webscan.dll

• Now that I’ve tightened up security on XP, accessing my own site causes this privacy alert: Attached file Site Screen with alert.png which shows:

hxxp://87.248.180.90/in.html?s=sg
hxxp://securetds.ws/soft.php?aid=0147&d=6&product=XPA&refer=…..
hxxp://antivirus-fullscan.com/2009/1/en/freescan.php?id=880147&user=147


• I cleaned out everything using CCleaner and Windows ‘cleanmgr’, rebooted and went directly to my site at efinancialharmony.com/pps/administrator, took the hit from the AV2009 and then went in to the Temporary Internet Files and found (file attached: Temp Internet Files.png) showing:

freescan.php?id=88014&user=147 as an HTML document

and

cookie:cacdev@securetds.ws/

• In the log file on my hosted site I found this entry with an IP of 124.13.79.241
(Bluehost hit from AU.png)

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


• Downloaded program files shows one that has no creation date, no last accessed date, status unknown and a name of {8FFB… (file attached: downloaded program files.png)

• Windows Internet logs:

ACCESS,2007/07/08,01:21:00 -6:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (221.208.208.83:Port 33626).,N/A,N/A

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU


• I just found the Windows Security firewall and activated it. Not sure why, but it felt good.
• This is the Hijack file currently. I don’t believe I’ve reproduced the problem by going to my website since I last booted. So this should be clean.


------------
Just Google 'efinancialharmony.com' and you'll see my pain.

If you ever had a sense of helping the downtrodden and wanted to help, THIS IS YOUR DREAM COME TRUE!

HELP?

Regards,

Joe

Early Out
10-10-2008, 06:31 PM
You're probably not going to get the kind of help you need on these forums, since security isn't really the focus here. Your PC has been infected, and the infection is then spreading to the files on your site.

I'm not a security expert, either, but it sounds like you're caught in a vicious circle. I see that you're a Comcast customer, which means that some really first-class help is available. Hit the Comcast user forums, and take a look at the Security section. I haven't been there since I left Comcast country six months ago (and you can't access the forums if you're not on Comcast), but there was a sticky thread at the top that described what to do if you've got an infected PC. Step 5 was to run HijackThis and post the log in that forum. If CajunTek is still a regular on those forums, you'll get the best help money can buy, and it won't cost you a dime! (Say hello for me - I was "EarlyOut" on those forums, too.)

Once your PC is cleaned up, install some serious protection (Kaspersky, for example). Then, and only then, hit your BH stuff. You might end up needing to wipe it all out and start over.