PHP.exe hijacked to attack Sites (mostly WordPress)

Post by FlamminBacon » October 15th, 2019, 3:58 am

Hello! :)

First let me thank you for all the work you do to help others. This is my first post here so I hope I am following the rules and protocols correctly :P.

Here is the problem:
To my shock and horror today I turned on my laptop only to find out after logging in that Cmd windows started opening that were called from PHP.exe.. The problem is that PHP started sending commands to websites in WordPress trying to LOG IN to them :(.. like guessing the password of those sites :(.. This makes me think my PC is being used as a zombie PC to attack sites....

I have no clue how this thing got into my laptop.. I have done a full scan with Bitdefender (free version) but no trace of the culprit.. right now I have blocked PHP.exe in the Windows firewall..

But tbh I am lost here, dunno how to really remove this disgusting thing from my PC, so any help would be appreciated. Thanks in advance. :P :P

Post by mAL_rEm018 » October 19th, 2019, 12:41 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 3 days will result in this thread being closed.


Hello FlamminBacon,

Welcome to Malware Removal! My name is mAL_rEm018, but feel free to call me mAL. I will be helping you with your malware related problems :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.

To make sure everything goes smoothly, I would like you to observe the following rules:
  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread. Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum. Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible, with additional instructions. In the meantime I would like you to read and get acquainted with the following topic: HOW TO GET HELP IN THIS FORUM - everyone must read this, where the conditions for receiving help here are explained.

Post by FlamminBacon » October 19th, 2019, 5:43 pm

Hi mAL !!.. thanks for coming to my rescue :)..

I generally don't like bothering others with my problems but I am seriously lost on this. I sure will give the link you gave a read. But getting ahead, I have no issues deleting any program or changing things you may request.

I'll wait for your answer. :)

Post by mAL_rEm018 » October 22nd, 2019, 6:13 am

Hello FlamminBacon,

My apologies for the delay. For some reason my previous answer wasn't sent.

Please answer the following question..

  • Is this computer used for any type of business purposes?


CKScanner

  • Please download CKScanner from Here
  • Save it to your Desktop.
  • Right-Click on CKScanner.exe and select Run as Administrator.
  • Select Search For Files
  • When the scan is finished, click on Save List To File.
  • Open CKFiles.txt on your desktop and post the contents in your next reply.
    Only run CKScanner.exe once.



-----------------------------------------
In your next reply, I would like to see..
  • Answer to my question.
  • CKFiles.txt

Post by FlamminBacon » October 23rd, 2019, 2:14 pm

Hi Mal!!, thanks..

My computer is only used by me for personal purposes and sometimes small business gigs like some programming or design. But this computer does not belong to any business institution. :)

Post by mAL_rEm018 » October 24th, 2019, 6:52 pm

Hello FlamminBacon,

FlamminBacon wrote: My computer is only used by me for personal purposes and sometimes small business gigs like some programming or design

Thank you for your honesty. :) We don't work on business computers on this forum, and this is something that is clearly stated in the rules, which I linked to earlier. I will post another link below.

While looking through your logs, I noticed that you are using cracked software, which is also against the rules of our forum. Not only is using cracked software illegal, but it's also the best way to invite malware onto a computer.

Also, please take a look at the following lines taken from your computer:
FirewallRules: [{AA799ADF-E2A3-44B5-A37C-C6D594275021}] => (Allow) C:\Users\Bernardo\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{449CF881-2AD1-4271-ACF9-CDCAE8B7AD2B}] => (Allow) C:\Users\Bernardo\AppData\Roaming\uTorrent\uTorrent.exe No File

Using Peer-to-peer (P2P) programs such as uTorrent is another sure way to get infected. As you can see from the lines taken from your logs, uTorrent is allowed to bypass your firewall. This basically means that anything can go in and out of your computer without asking for your permission. It's no surprise that most people who get infected are P2P users.

You use this computer for business, and I'm sure there is some information on it that you wouldn't want to be compromised. Given the fact that your computer is clearly infected and that you use cracked software and P2P, I would suggest reformatting the computer. That being said, I wish you all the best in getting your computer issues fixed, but as mentioned above, I won't be able to help you any further.

Link to the rules of the forum: HOW TO GET HELP IN THIS FORUM - everyone must read this.

I will now go ahead and close this topic.
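
Added example (not part of the thread and not a forum tool): a small Python pass over log lines in the format quoted in the post above, listing Allow rules whose target is marked "No File" or sits under a user profile. The sample lines, GUIDs, paths and the names `parse_rules` and `audit` are constructed for illustration, and treating `\Users\` as user-writable is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format quoted in the thread (GUIDs and paths are made up).
SAMPLE_LOG = r"""
FirewallRules: [{11111111-1111-1111-1111-111111111111}] => (Allow) C:\Users\Example\AppData\Roaming\OldApp\oldapp.exe No File
FirewallRules: [{22222222-2222-2222-2222-222222222222}] => (Allow) C:\Program Files\Vendor\tool.exe
FirewallRules: [{33333333-3333-3333-3333-333333333333}] => (Block) C:\php\php.exe No File
FirewallRules: [{44444444-4444-4444-4444-444444444444}] => (Allow) C:\Users\Example\Downloads\portable.exe
not a firewall line
"""

RULE_RE = re.compile(
    r"^FirewallRules: \[(?P<id>\{[0-9A-Fa-f-]{36}\})\] => \((?P<action>Allow|Block)\) "
    r"(?P<path>[A-Za-z]:\\.+?\.exe)(?P<rest>.*)$",
    re.IGNORECASE,
)

@dataclass
class Rule:
    rule_id: str
    action: str
    path: str
    missing: bool  # the log marked the target as "No File"

def parse_rules(log_text):
    """Return a Rule for every line that matches the quoted format; skip the rest."""
    rules = []
    for line in log_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["id"], m["action"], m["path"], "No File" in m["rest"]))
    return rules

def audit(rules):
    """List Allow rules that point at a missing file or a user-profile path."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue
        reasons = []
        if r.missing:
            reasons.append("target missing")
        if "\\users\\" in r.path.lower():  # assumption: profile dirs are user-writable
            reasons.append("user-profile path")
        if reasons:
            findings.append((r.rule_id, r.path, reasons))
    return findings

if __name__ == "__main__":
    for rule_id, path, reasons in audit(parse_rules(SAMPLE_LOG)):
        print(f"{rule_id} {path}: {', '.join(reasons)}")
```

A rule flagged with both reasons is a leftover allow entry for a program that is no longer installed; because the rule is keyed to the path, it is worth deleting rather than leaving in place.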