Trojan Removal In Progress - Possible Downtime?

GTiR-Aholic

New Member
Hi Guys,

I'm helping Rishi to get rid of this virus. It's quite heavily injected into the source coding of the entire site and so whilst trying to remove every bit of it, we may notice a little downtime.

I will however keep the forum open in my Firefox and with every line of code I remove, I will make sure it does not affect functionality.. this is just a pre-warning that if you do get any errors or anything.. it's expected and nothing to worry about.

Regards,
Jay
 

GTiR-Aholic

New Member
Also, if any of you see any progress.. i.e. no trojan alerts when posting comments, threads or searching etc.. please list them in this thread.
 

GTiR-Aholic

New Member
Okay I'll look into that.. I've deleted it from like 4-5 pages already and had to change permissions on some pages so that it can't re-infect those files whilst not interfering with the running of the site.

It seems to be working.. I go to www.gtiroc.com and get the virus warning, click on Forums and get no warning, click on New posts and get no warnings...
I click the advanced reply and get no warnings...

Can you confirm this as well?
 

GTiR-Aholic

New Member
Okay I'm not seeing any trojan warnings in the forum now - can anyone confirm this? There are more pages to delete but need to know it's working.

There are still trojan warnings on the homepage, arcade and a few other places that I need to address.
 

GTiR-Aholic

New Member
Thanks for the update mate, very much appreciated! :)

I believe I've removed the trojan from the homepage now www.gtiroc.com - can somebody try the homepage to confirm whether the warning still appears or not?
 

GTiR-Aholic

New Member
Yeah it's reinfected the file. It's able to re-infect so having to change file permissions as I go along. There's probably more than 1000+ infected files easily!
It seems to infect more and more files.. over time because some are showing up as infected in April.. some beginning of May and others only days ago!!
 

Trondelond

Active Member
So there's malicious software installed on the server then? Or are the pages themselves infecting files locally as we access them?
Just thinking if you could boot the server (assuming windows and "our own" server) and create a script that identified and removed - or at least rendered the code useless?
 

GTiR-Aholic

New Member
So there's malicious software installed on the server then? Or are the pages themselves infecting files locally as we access them?
Just thinking if you could boot the server (assuming windows and "our own" server) and create a script that identified and removed - or at least rendered the code useless?
It's the actual pages which are infected. We could delete all contents inside the public directory of the forum then reload from a backup.. but you will possibly lose things like image resizing, links opening in new windows and other addon scripts which may not have been installed at the time of the clean backup.

Because the trojan is never the same in any 2 pages, it wouldn't be possible to produce such a system to clean it automatically.. it starts off as <script.. but then from there on it constantly changes from page to page how it looks.

You should continue to block the trojan if you get the option (Allow or Block) because allowing it can still put you at risk.
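
Added example, not part of the thread and not the posters' own tooling: since the injected block differs on every page, this sketch compares the live web root against a clean backup instead of matching a signature, and lists files that changed, the `<script>` blocks they gained, and files the backup does not contain (such as add-ons installed later). The directory layout, file names and placeholder script blocks are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A <script> block, closed or left unterminated at end of file.
SCRIPT_RE = re.compile(rb"<script\b.*?(?:</script\s*>|\Z)", re.I | re.S)

def script_blocks(data):
    """Whitespace-normalised <script> blocks found in one file."""
    return {b" ".join(m.split()) for m in SCRIPT_RE.findall(data)}

def triage(live_root, backup_root):
    """Compare the live web root with a clean backup, file by file."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    report = {"unchanged": [], "new": [], "changed": {}}
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = path.relative_to(live_root).as_posix()
        ref = backup_root / rel
        data = path.read_bytes()
        if not ref.is_file():
            report["new"].append(rel)  # add-on or dropped file: review by hand
        elif data == ref.read_bytes():
            report["unchanged"].append(rel)
        else:
            # Script blocks present now but absent from the clean copy.
            added = script_blocks(data) - script_blocks(ref.read_bytes())
            report["changed"][rel] = sorted(b.decode("latin-1") for b in added)
    return report

def demo():
    """Build a constructed backup/live pair and return the triage report."""
    clean = b"<html><body>Forum<script>menu()</script></body></html>"
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for root in (live, backup):
            root.mkdir()
            for name in ("index.php", "forum.php", "search.php"):
                (root / name).write_bytes(clean)
        # Constructed placeholders: the added block differs on every page.
        (live / "index.php").write_bytes(clean + b"<script>/* placeholder A */</script>")
        (live / "forum.php").write_bytes(clean + b"\n<SCRIPT >/* placeholder B */")
        (live / "resize.php").write_bytes(b"<?php /* add-on newer than backup */ ?>")
        return triage(live, backup)

if __name__ == "__main__":
    for name, blocks in demo()["changed"].items():
        print(name, blocks)
```

Files in the "new" list need a manual decision, because a legitimate add-on installed after the backup and a file that did not exist before the infection look the same to this comparison.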
 

geoff pine

Well-Known Member
The desktop is now allowing me to access the forum and all warnings have gone. Just to add, everything is loading quickly; it seems better than it has been over the last few months. :thumbsup:
 

darkyGTI-R

New Member
Does anyone in west mids know john aka saddler as he can't access the site and needs danGTI-R to contact him regarding the club banner for sunday that he hasn't received yet, he asked me to tell him but there's about 3 dans lol
 

GTiR-Aholic

New Member
The desktop is now allowing me to access the forum and all warnings have gone. Just to add, everything is loading quickly; it seems better than it has been over the last few months. :thumbsup:

It's loading a lot faster now because it's not trying to send/receive data with gumblar anymore.. not in the forum anyway but other pages are still infected and still working on them.
 