  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1005

Trojan Virus infection

My PC was infected by these viruses:

They generate .htaccess and index.php files which redirect my clients' websites to infected websites (I am a web hoster).

I found the viruses via the NOD32 online scanner; the infected files were automatically removed by the online scanner.

QUESTION: will that be enough, or should I go to the registry or so and do some more removals?
(Interesting thing is that I used the basic trial version of NOD32 antivirus and it did not find anything, but the online scanner did.)

Background: I have Windows XP 2002 SP3 Home Edition with NOD32 antivirus installed.
3 Solutions
I would add a rootkit remover like Panda Anti-Rootkit. ComboFix is a good tool too.
Go to Symantec, check the removal tool for each of them and run it. The removal tool usually fixes the registry and similar options.
Couldn't find the others right away, but try searching around.
Sudeep Sharma (Technical Designer) commented:
Try HitmanPro:

If it fails, then I would recommend ComboFix:

And post the logs there for further analysis.

jbmd (Author) commented:
Q1: I would like to know: is it really necessary to use additional cleaning after this infection, or is it just to be sure?

Q2: Is there any manual way to remove it?

I would like to spare my PC as much as possible. Do you guarantee the software you suggest is OK?

Symantec is OK, and so is ComboFix. I don't know HitmanPro, so I can't tell you about it.
The good thing about the removal tools, though, is that they're specific to that kind of virus/trojan/malware. So it'll only search for its executables, processes and registry entries. It will do nothing else (even if you have other viruses).
As for manual ways, there are a few. Basically, you'll be doing what the removal tool does automatically. Just Google for "<virus name> manual removal" (e.g. "netsky manual removal").
jbmd (Author) commented:
Would it not be a problem using the suggested software with NOD32 antivirus installed on my PC?
If someone here is suggesting something, it's almost certain that it's reliable. The most that can happen is that the suggested software isn't effective, or not as effective as another, but it's not likely it would be malicious. So you can go ahead and use them :)
jbmd (Author) commented:
As I mentioned before, I ran the ESET online scan antivirus and it said this: see file.
Then I ran the Symantec Netsky tool, see below:
Symantec W32.Netsky FixTool 1.13.0
C:\System Volume Information: (not scanned)
H:\System Volume Information: (not scanned)
I:\System Volume Information: (not scanned)
J:\System Volume Information: (not scanned)
L:\System Volume Information: (not scanned)
Z:\System Volume Information: (not scanned)
W32.Netsky has not been found on your computer.

Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, commented:
Look at a bootable antivirus rescue CD.
The bootable antivirus rescue CD method is considered the most effective way to remove viruses, trojans and malware, because it tracks down viruses, trojans and other malware that are embedded so tightly into your operating system that they cannot be handled when you boot Windows the normal way.
>> Q1: I would like to know: is it really necessary to use additional cleaning after this infection or is it just to be sure?

You can't guarantee that the clean got everything.  Most likely it did.  This is just additional checking and security.

>> Q2: is there any manual way how to remove it?

Well, first you have to find it.  And even then manual methods may not work as well as the anti-virus products.  And you have to know what manual methods to use which aren't necessarily documented.  And because of the variations in a virus the method you choose won't necessarily work.  Been there, done that.

>> Would not be a problem using suggested software with nod32 antivirus installed on my pc?

Disable your anti-virus while the other products are running.  That will stop all conflicts.  If not doing online scanning then disconnect network while running these other products.

If you ran ESET (excellent software), I would run Malwarebytes, Spybot S&D (from safer-networking) and ClamWin (to name free ones); if they continue to come back clean, then you are probably good to go.

jbmd (Author) commented:
Please, what is this file? It is new from today; I erased it yesterday. The website where it is generated should not create anything like that. It was generated in the cache directory.

I zipped it; the original file is inside.
It is a text file.

Possibly an RSS file? Looks like a list of links and descriptions of what is there. Most of it is in Czech? Open it up in Notepad and you'll see the contents.

I've cut and pasted a small section here.

a:4:{s:8:"feedinfo";a:3:{s:4:"type";s:3:"RSS";s:7:"version";i:1;s:8:"encoding";s:5:"UTF-8";}s:4:"info";a:3:{s:4:"link";a:1:{s:9:"alternate";a:1:{i:0;s:22:"";}}s:5:"title";s:29:" - Hlavn+¡ str+ínka";s:11:"description";s:33:" - zpravodajsk+¢ server";}s:5:"items";a:50:{i:0;O:14:"SimplePie_Item":1:{s:4:"data";a:3:/rdf/novinky.rdf";}
Well my dear, you can use Trojan Hunter or Trojan Remover:
Trojan Hunter
Trojan Remover
or Spybot Search & Destroy.

ESET usually identifies the virus.

Run HijackThis and paste the log here.

You can also use malware software too.

Well, as far as I know, an online scanner is not effective in such a case.

Last but not least:

These sorts of viruses hijack startup, meaning when you open Windows they start functioning.

They automatically generate themselves and transmit data to an unknown server.

So in such a case the HijackThis software works fine; it is used to kill their functions.

And the description given by dbrunton clearly mentions there is a link in the text; this may be used to transmit data to a server.

All the comments given deal with the virus on the system. As this is a server, how did it get there, and every time you clean it does it reinfect straight away? Odds are via remote file include attacks. You may think that only the index file and hta files were impacted.
Search all the PHP files and odds are you will find stuff like this:

<?php
$str = 'SSBhbSBydW5uaW5nIGNvZGUgSSBkbyBub3Qgd2FudCB5b3UgdG8gc2Vl';
echo base64_decode($str); // decodes and prints the hidden string; injected code runs the decoded text instead of printing it
?>

Base64-encoded code in either compressed or non-compressed format. You will see the PHP tags ahead of the original tags in most likely every PHP file on the server, and they run that code. I encourage cleaning all your files, but save some of the code and hunt it down on your server; it points to a nested set of files buried someplace that is really doing the nasty.

You can find online converters that will decode your code safely so you can hunt down the source.

Make sure directory browsing is off.
Fix file permissions on the server:
folders are good at 755 and files at 644.
And make sure hosted code can defend against cross-server attacks and clean up query strings to defend against RFI attacks.

Now for the virus cleanup:
Down the web server services while doing the cleanup.
Use KillBox to kill all profiles' temp files,
followed up with either Malwarebytes or SUPERAntiSpyware.
Check the registry Run keys and pull any entries that are not legit.
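The advice above (hunt for injected base64 payloads in every PHP file, decode them safely rather than running them, and look for the dropped .htaccess/index.php pairs) can be turned into a small audit script. The following is an added example, not code from the thread or from any product named in it; the folder list, the regexes and the throwaway sample site it builds are constructed assumptions, and the decoded payload is only ever inspected with base64.b64decode, never executed.

```python
"""Audit a web document root for the two symptoms described in the thread:
handler files (.htaccess / index.php) dropped into folders that should not
carry them, redirecting visitors elsewhere, and PHP files carrying injected
base64_decode()/eval() payloads.  Payloads are inspected with base64.b64decode
only and never executed.  Added example, not from the original thread."""
import base64
import os
import re
import tempfile

# Folders where a hoster would not expect an index.php or .htaccess at all
# (assumed list; adjust to the site layout).
NO_HANDLER_DIRS = {"images", "img", "css", "js", "cache", "uploads"}

# Decode-then-execute pattern typical of injected PHP (heuristic).
OBFUSCATION_RE = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
# Long quoted base64 blobs; legitimate code rarely carries these inline.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# .htaccess redirect/rewrite directives that send visitors to another host.
REDIRECT_RE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent)?|RewriteRule)\s+.*?(https?://[^\s/]+)",
    re.IGNORECASE | re.MULTILINE)


def decode_b64_literals(text):
    """Return readable previews of long base64 literals found in text."""
    previews = []
    for literal in B64_LITERAL_RE.findall(text):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:               # not valid base64 after all
            continue
        previews.append(raw.decode("utf-8", "replace")[:80])
    return previews


def scan_webroot(root, trusted_hosts=()):
    """Walk root and return (path, reason) findings; trusted_hosts are
    redirect targets that belong to the hoster's own sites."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if lname in (".htaccess", "index.php") and folder in NO_HANDLER_DIRS:
                findings.append((path, f"unexpected {name} in {folder} folder"))
            if lname == ".htaccess":
                for _directive, target in REDIRECT_RE.findall(text):
                    if target.lower().split("//", 1)[-1] not in trusted_hosts:
                        findings.append((path, f"redirect to external host {target}"))
            if lname.endswith(".php"):
                if OBFUSCATION_RE.search(text):
                    findings.append((path, "eval() of decoded payload"))
                for preview in decode_b64_literals(text):
                    findings.append((path, f"base64 literal decodes to: {preview}"))
    return findings


def build_sample_site():
    """Construct a throwaway document root reproducing the thread's symptoms
    (constructed sample data, not files from the poster's server)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "shop"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'welcome'; ?>\n")
    # Injected decode-and-eval prepended ahead of the original opening tag,
    # using the base64 string quoted in the thread.
    with open(os.path.join(root, "shop", "cart.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('SSBhbSBydW5uaW5nIGNvZGUgSSBkbyBub3Qgd2FudCB5b3UgdG8gc2Vl')); ?>"
                 "<?php echo 'cart'; ?>\n")
    # Dropped handler pair in an image folder, redirecting visitors elsewhere
    # (.invalid is a reserved TLD, so the target is a placeholder).
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write("Redirect 301 / http://redirect-target.invalid/\n")
    with open(os.path.join(root, "images", "index.php"), "w") as fh:
        fh.write("<?php header('Location: http://redirect-target.invalid/'); ?>\n")
    return root


if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_site()):
        print(f"{reason:60s} {path}")
```

Run against a real document root with `scan_webroot("J:/www", trusted_hosts=("your-own-site.example",))`; every hit still needs a human look, since a long base64 literal can also be an embedded image or a licence key, but the eval-of-decoded-payload and unexpected-handler findings are rarely legitimate.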
jbmd (Author) commented:
Ardiseis, thanks for the advice, but it is too professional a language for me.

1. The virus (worm, trojan) got there via an infected .elm. On top of it, I was manipulating infected .elm files as my client wanted me to.

2. I did not have any reinfection. The first time I had .htaccess with a redirection to a viral website. I replaced it with a healthy .htaccess and changed passwords everywhere. But it was not enough. It happened again, and besides the .htaccess injection there was also an index.php injection in the roots of all websites.

3. THEN I started treating the PC with the online scanner from ESET, and it caught the viruses and liquidated them. I also ran the tool from Symantec against Netsky, but it did not find anything. So far I have no problem.

4. I am reading all the advice here and trying to decide what other tool I am going to use to make sure that it will not repeat again.
jbmd (Author) commented:
Also, I keep checking every day whether the new files generated on my server are OK and do not see anything dangerous. Before, I saw circa 7,000 or so new .htaccess and index files.
Google "PHP Remote File Inclusion attacks".
Read up on it; trust me, it will help you. Until you fix that, you will get hacked over and over again.

Trust me, look at a few other PHP files besides the indexes. I have seen a good hacker add 10 lines of code to a file and not change the size, so most monitoring tools missed it.

As this is hosted on an XP box, Home at that, you are going to have a hell of a time with secure folder and file permissions. If you are to stay with Windows, I strongly encourage you to move to Server 2003, or if that is not an option, follow this link.

Due to serious limitations in XP Home's native security, you should not be using it as a publicly exposed web server.

In order of the worst to the best Apache web server platforms:
XP Home <-- Not a server OS and no security
XP Pro <-- Not a server OS
Server 2003 <-- Server OS and can be secured; costs money
Linux, patched and secured (look into precompiled LAMP distros) <-- Why you are in technology: learn something, and the best part is it is FREE. Open source for the win! I am guessing that you have some serious budget concerns.

Don't get me wrong: as an IT Director for my day job, 99% of my systems are Windows. I only have 3 Linux servers in my environment vs. 20+ Windows servers and several hundred XP Pro and Win 7 Pro workstations (hangs head in shame at 3 Vista Business still deployed).
jbmd (Author) commented:

1) In here they describe these attacks:

However, I was affected also on non-PHP, non-MySQL websites. I had my original .htaccess and the index.php file from the hacker placed in all directories where I have my web server document root. These .htaccess and index.php files were also in image folders and many other folders where these files are not supposed to be.

2) I did check the other PHP files and found nothing new inside them.

3) I fully recognize you as an expert; however, you gave me instructions I would have to Google to be able to follow.

Your link finally says that I can change all permissions and I should pick the folder. I DO NOT KNOW what exactly to change and do not know what folder to pick (www? Inetpub? or the whole J:?).

Where and how can I change directory browsing: at the Apache config level or at the folder level?
jbmd (Author) commented:
To be more specific: the hacker gave me his files, not a part of the code inside my files.
jbmd (Author) commented:
... and the hacker's files (.htaccess and index.php) contained only a simple redirection to his web; no other code was inside these files.
If they did not infect any of your other files, you are lucky.

On the permissions, if it were me I would create a user account, say web-service,
change the Apache service to use that new user as the startup account,
then make the path to any Apache site read-only to web-service.

OK, so now for the steps. This is not 100%, as I could not put my hands on an XP system that has not been joined to a domain.

~~~Create new user for service account~~~
Open Control Panel
Create new user
Standard user
Password protected

~~~Change service account~~~
Now, depending on which version of Apache or Tomcat you are running, this could be different.

Start | Run | services.msc

Find the web service; hopefully it is just Apache, but see this link for more information.

Open the service and click on the Log On tab.
Change to "This account" and enter the user you just created here.
Restart the service to test that all is well.

~~~Set web folder security~~~
Open your root folder for your website or sites hosted by Apache.
Proceed to the Security tab and change permissions:
System - Full Control
Administrators - Full Control
Web-Service (or whatever you named the new user above) - Read & Execute, List Folder Contents and Read is all that should be checked.

~~~Block web service from logging into desktop~~~
Control Panel | Administrative Tools | Local Security Policy |
Local Policies | User Rights Assignment

Add the service account to the following (all may not be an option on XP Home):
Deny log on locally
Deny log on through remote desktops
Deny access to this computer from the network

Restart and you should be good. You may want to think about doing something like this for the MySQL service as well.

Lastly, disable the Guest user account and make sure there is a password on the Administrator account or that it is also disabled; I think in XP Home it is disabled by default.
Sorry, I forgot the directory browsing.
This can be done for the server or in each site config file; I like the latter, as it overrides the server setting.
See this link.
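Two of the hardening items in this thread are easy to verify mechanically: whether directory browsing is still on for a given site (the per-site `Options -Indexes` override this post prefers over the server-wide setting), and whether files and folders drift from the 755/644 baseline given in Ardiseis's earlier post. The script below is an added example, not from the thread; the httpd.conf excerpt and the temporary tree are constructed, the paths are assumed, the Apache 2.2 default of `Options All` (listings on unless disabled) is an assumption about the poster's version, and the mode check only applies on a Unix host, since on Windows XP the NTFS ACL steps in the post take its place.

```python
"""Audit helpers for two hardening items raised in the thread: Apache directory
listings (the 'Options Indexes' directive) and the 755/644 permission baseline.
Added example, not from the original thread; the httpd.conf excerpt and the
temporary tree are constructed sample data."""
import os
import re
import stat
import tempfile

# Constructed httpd.conf excerpt (paths assumed): the server-wide block turns
# listings ON, site1 inherits that, site2 overrides it in its own block, which
# is the per-site style the post prefers.
SAMPLE_HTTPD_CONF = """\
<Directory "J:/www">
    Options Indexes FollowSymLinks
</Directory>
<Directory "J:/www/site1">
    AllowOverride None
</Directory>
<Directory "J:/www/site2">
    Options -Indexes
</Directory>
"""

DIR_BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)


def directory_listing_report(conf_text, default_indexes=True):
    """Return {directory: True/False} telling whether listings are enabled.

    Models Apache's merge rule: an Options line made only of +/- tokens adjusts
    the setting inherited from the nearest enclosing <Directory>; a line with a
    bare keyword replaces it.  default_indexes=True reflects Apache 2.2's
    'Options All' default (assumption about the poster's version)."""
    blocks = [(p.replace("\\", "/").rstrip("/"), body)
              for p, body in DIR_BLOCK_RE.findall(conf_text)]
    blocks.sort(key=lambda pb: len(pb[0]))          # parents before children
    state = {}
    for path, body in blocks:
        enabled = default_indexes
        for parent in sorted(state, key=len):        # longest ancestor wins
            if path.startswith(parent + "/"):
                enabled = state[parent]
        for line in OPTIONS_RE.findall(body):
            tokens = line.split()
            if all(t[0] in "+-" for t in tokens):   # relative form: merge
                for t in tokens:
                    if t[1:].lower() == "indexes":
                        enabled = t[0] == "+"
            else:                                    # absolute form: replace
                enabled = any(t.lower() in ("indexes", "all") for t in tokens)
        state[path] = enabled
    return state


def is_posix():
    """True on a Unix host, where POSIX mode bits are meaningful."""
    return os.name == "posix"


def permission_findings(root, dir_mode=0o755, file_mode=0o644):
    """List (path, mode) for entries whose POSIX mode grants bits beyond the
    755/644 baseline.  Only meaningful on a Unix host; on Windows XP the NTFS
    ACL steps in the post take the place of this check."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        entries = [(d, dir_mode) for d in dirs] + [(f, file_mode) for f in files]
        for name, baseline in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~baseline:                     # any bit the baseline lacks
                findings.append((full, oct(mode)))
    return findings


def build_sample_tree():
    """Constructed throwaway tree: one world-writable folder, one world-writable
    file, one file already at 644."""
    root = tempfile.mkdtemp(prefix="webroot_")
    loose_dir = os.path.join(root, "uploads")
    os.mkdir(loose_dir)
    os.chmod(loose_dir, 0o777)
    for name, mode in (("config.php", 0o666), ("index.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php ?>\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for directory, on in sorted(directory_listing_report(SAMPLE_HTTPD_CONF).items()):
        print("%-14s listing %s" % (directory, "ON  <- add 'Options -Indexes'" if on else "off"))
    if is_posix():
        for path, mode in permission_findings(build_sample_tree()):
            print("loose permissions %s on %s" % (mode, path))
```

Point `directory_listing_report` at the text of the real httpd.conf (and any included vhost files) to see which sites still inherit the server-wide listing setting; the `.htaccess` files a site ships can also carry an `Options` line, so a complete audit reads those too.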
jbmd (Author) commented:
Thanks to all.