Quote:
Originally Posted by LiveDose
Nice read. Thank you.
|
np
so here is the way to fix it (thanx muchas ED!!!!!):
1- backup filezilla.xml just in case. Create a clean filezilla.xml file (simply open notepad and save as filezilla.xml without adding anything)
2- backup your registry
3- backup your server.
4- if you don't have Avast, install it, it's free. Download it at http://www.avast.com and scan your PC in thorough mode (NOT FAST MODE!)
5- With Avast installed and running, surf all your sites. If any of them is infected, Avast will warn you.
6- If your server is infected, Avast will tell you which files are compromised. Usually it will be php and js files, but I've seen html files and heard pdf and swf files are infected as well. You may have to edit them or re-upload files. It's faster to reupload, but you may not have the files, so it's your choice. However, wait before doing anything.
7- If you find out that either your PC or your server is compromised, do the following:
a) turn off your PC and restart in safe mode
b) open registry (remember: BACKUP FIRST!!!)
c) look for the following registry keys
Quote:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\Programmable
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\VersionIndependentProgID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\FLAGS
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\HELPDIR
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
|
Delete them all
d) Look for the following registry values:
Quote:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL]
- AppID = "{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}]
- (Default) = "JQSIEStartDetector"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\VersionIndependentProgID]
- (Default) = "ieplugin.JQSIEStartDetectorImpl"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\TypeLib]
- (Default) = "{D85100D8-894D-4F80-9697-C220AF4202EB}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ProgID]
- (Default) = "ieplugin.JQSIEStartDetectorImpl.1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\InprocServer32]
- (Default) = "[file and pathname of the sample #1]"
- ThreadingModel = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
- (Default) = "JQSIEStartDetectorImpl Class"
- AppID = "{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\TypeLib]
- (Default) = "{D85100D8-894D-4F80-9697-C220AF4202EB}"
- Version = "1.0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid32]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}\ProxyStubClsid]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}]
- (Default) = "IJQSIEStartDetectorImpl"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\0\win32]
- (Default) = "[file and pathname of the sample #1]"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\HELPDIR]
- (Default) = "%System%\"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0\FLAGS]
- (Default) = "0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D85100D8-894D-4F80-9697-C220AF4202EB}\1.0]
- (Default) = "JQSIEStartDetector 1.0 Type Library"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CurVer]
- (Default) = "ieplugin.JQSIEStartDetectorImpl.1"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl\CLSID]
- (Default) = "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl]
- (Default) = "JQSIEStartDetectorImpl Class"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1\CLSID]
- (Default) = "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1]
- (Default) = "JQSIEStartDetectorImpl Class"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
- (Default) = "JQSIEStartDetectorImpl"
- NoExplorer = 0x00000001
|
Delete them all
e) just to be sure, search the registry for JQSIE. If you find any occurrence, delete it.
f) close registry, turn off PC and restart in normal mode
8- Run Avast again. You'd be fine, but do it to confirm
9- Now clean your server files. If possible (i.e. WordPress, Joomla, phpBB, vBulletin and such) replace all but the uploads folders. To play on the safe side, check that folder's php or html files to see if they have the code; if not, you're safe. Since databases aren't compromised, replace the regular files plus your theme or skin's files if you have 'em.
10- Also check for strange files that aren't supposed to be there, the most common is image.php
11- Check files up to 2 levels BELOW the infected folder, pay attention to strange php or js files. Check your .htaccess as well
12- Once everything is cleaned, change your FTP passwords
13- Done. Annoying, but that's what you gotta do
On a side note, it isn't supposed to have a keylogger "per se" (regarding eroticsexxx's post), but it will try to download a keylogger that scans for financial info at a later time. I don't know if that's for real, but it's supposed to be that way according to several sources.
Another thing: this bitch WAITS before re-infecting. Once you've cleaned everything in your server (or you thought you did), it will wait a few hours or up to a couple of days and reinfect you again, so

CLEAN EVERYTHING ON YOUR SIDE BEFORE CLEANING YOUR SERVER
Just lmk if you have any problem. I'm no expert by any means, but my partner is quite knowledgeable on the matter.
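Added example, not part of the post above: a read-only PowerShell check that walks the registry keys listed in steps c) to e), reports which ones exist, and hashes the DLL that the InprocServer32 entry points to so it can be preserved before anything is deleted. Run it from an elevated prompt; it changes nothing.

```powershell
# Added example (not from the original post): read-only check for the
# JQSIEStartDetector BHO entries listed in the post. Deletes nothing.
$Clsid  = '{E7E6F031-17CE-4C07-BC86-EABFE594F69C}'
$AppId  = '{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}'
$Iface  = '{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}'
$TypLib = '{D85100D8-894D-4F80-9697-C220AF4202EB}'

# Top-level keys from step c); subkeys go away with their parent.
$Keys = @(
    "HKLM:\SOFTWARE\Classes\AppID\JQSIEStartDetector.DLL",
    "HKLM:\SOFTWARE\Classes\AppID\$AppId",
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\Interface\$Iface",
    "HKLM:\SOFTWARE\Classes\TypeLib\$TypLib",
    "HKLM:\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl",
    "HKLM:\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)

$found = 0
foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) {
        $found++
        Write-Host "FOUND: $k"
    }
}

# InprocServer32 (Default) is the DLL the BHO loads into Internet Explorer.
# Record its path and hash so the sample survives for analysis/AV submission.
$inproc = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    Write-Host "BHO DLL path: $dll"
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        Write-Host "SHA256: $hash"
    }
}

# Step e): any other key name containing JQSIE under Classes.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*JQSIE*' } |
    ForEach-Object { $found++; Write-Host "FOUND (search): $($_.Name)" }

if ($found -eq 0) { Write-Host 'No JQSIEStartDetector registry entries found.' }
else { Write-Host "$found matching entries. Back up the registry, then remove them in safe mode as the post describes." }
```

The recursive search over HKLM:\SOFTWARE\Classes can take a minute on a large system; the key list check on its own is instant.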
