How to remove Antivirus 2009 infection from website
Old 01-17-2009, 04:03 PM Unhappy How to remove Antivirus 2009 infection from website
Junior Talker

Posts: 3
Trades: 0
Hi guys,

I'm reaching the end of my tether with Antivirus 2009. A friend has a website, www.visi.es, which has become infected with this poisonous piece of software.

Does anyone have any experience rooting out the infection and killing it? I've read a million guides, and followed most of them, but it seems they are all for individual computers, not websites. I've had a good look through, and I can't see anything immediately suspicious...

The strange thing is that when you access it, only sometimes does it redirect to their website. I don't know. Whatever it is, any help at all would be very much appreciated.

Rob
generalche is offline
Old 01-17-2009, 04:08 PM Re: How to remove Antivirus 2009 infection from website
Decaf's Avatar
Ultra Talker

Posts: 490
Name: Adam
Trades: 0
Completely delete your files and upload from the latest backup, then apologize to your loyal viewers. (This is the easiest way, but not the best.)
Old 01-17-2009, 06:19 PM Re: How to remove Antivirus 2009 infection from website
chrishirst's Avatar
Super Moderator

Posts: 22,225
Location: Blackpool. UK
Trades: 0
Antivirus 2009 is spyware that infects YOUR machine; it will NOT be on the server.

It is NOT a virus.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
Growing old is mandatory - Growing up is optional
Code Samples | People Counting System | Bits & Bobs
Old 01-17-2009, 06:27 PM Re: How to remove Antivirus 2009 infection from website
Decaf's Avatar
Ultra Talker

Posts: 490
Name: Adam
Trades: 0
(What I meant was) If the server has been infected with the virus, then you need to fix that.
Old 01-17-2009, 06:27 PM Re: How to remove Antivirus 2009 infection from website
Brian07002's Avatar
Defies a Status

Posts: 1,589
Name: ...
Location: ...
Trades: 0
Restore your server's machine if you have a backup; otherwise, go with either McAfee or Norton if you're on a Windows-based machine. I don't know what to tell ya, other than don't run ANY programs that you don't know about. You can always get a handwritten note from the software company.
__________________
Sig Less - Have some site you want me to put here? Will put here for a couple of paypal bucks.
Old 01-17-2009, 07:32 PM Re: How to remove Antivirus 2009 infection from website
Junior Talker

Posts: 3
Trades: 0
Thanks for the replies - I don't know how it happened, but it seems Antivirus 2009 has hijacked the web page... could it be a problem with the host? Their server has the infection?

Yeah, about those backups... heh... funny story... the friend whose site it is really isn't a webmaster, and not really having much of a clue about these things, didn't see the point in making backups.

Sucks, I know. It does mean that the only thing we have to work with is the files on the site at the moment...

Appreciate the input, guys.
generalche is offline
Old 01-17-2009, 08:01 PM Re: How to remove Antivirus 2009 infection from website
Brian07002's Avatar
Defies a Status

Posts: 1,589
Name: ...
Location: ...
Trades: 0
Quote:
Originally Posted by generalche View Post
Thanks for the replies - I don't know how it happened, but it seems Antivirus 2009 has hijacked the web page... could it be a problem with the host? Their server has the infection?

Yeah, about those backups... heh... funny story... the friend whose site it is really isn't a webmaster, and not really having much of a clue about these things, didn't see the point in making backups.

Sucks, I know. It does mean that the only thing we have to work with is the files on the site at the moment...

Appreciate the input, guys.

The first thing I would do is do a search for all of the files that are important to your site:

1. Html pages
2. Images / Videos / Sounds
3. Scripts (PHP, JavaScript, etc.)

Then copy those files onto a removable hard drive or another non-infected PC, then format the infected machine, then re-install from scratch. That would be my first choice in this case.

If you don't want to format, then I would try an online virus scanner to remove the culprit, but that usually doesn't work unless you buy it. It will, however, tell you what is infecting your PC, but it won't remove it until you buy it.

Good Luck.
Old 01-18-2009, 04:19 AM Re: How to remove Antivirus 2009 infection from website
Skilled Talker

Posts: 60
Name: Michael Swan
Location: United Kingdom
Trades: 0
As stated above. The member believes that the Hosting Company is infected.

This would be the issue I believe, but looking through your HTML code and files for abnormal code that you did not put there.

It may be partly the host, and then some kind of Script or Code injection that is being malicious.

~ Mike
ms2134 is offline
Old 01-18-2009, 07:18 AM Re: How to remove Antivirus 2009 infection from website
chrishirst's Avatar
Super Moderator

Posts: 22,225
Location: Blackpool. UK
Trades: 0
There is NOTHING on that site that brings up a warning for me. Tried with several different configurations of protection all the way up to "Paranoid".

"Antivirus 2009" is very very unlikely to be on the server unless somebody has been browsing the Internet while being actually ON the server and allowed the malware to be installed. And given that it is a *nix box and the vast majority of spyware can only "hook" in to a Windows OS, that is highly unlikely.
Old 01-19-2009, 11:24 AM Smile Re: How to remove Antivirus 2009 infection from website
Junior Talker

Posts: 3
Trades: 0
Thanks everyone for your suggestions and help.

In the end, after having run about a million different scans and finding precisely nothing, we contacted the support from the hosting company.

They had a look, and found that the .htaccess file had some lines of code that were redirecting users depending on the referrer. E.g. if you accessed the site from a google or yahoo search, it redirected you to Antivirus 2009 spam sites.

The reason we didn't see it was that there was no .htaccess file, only a "ht" file, and a PHP file which renamed ht to .htaccess when it was accessed.

Anyway, all cleaned, deleted and pristine once again now. And several backups made too. Lesson well learned.

Thanks again!

Rob
generalche is offline
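
The finding described in the post above (a staged "ht" file, a PHP file that renames it to .htaccess, and redirects that fire only for search-engine referrers) can be checked for by scanning file contents rather than file names. The following is an added example, not part of the original post or the hosting company's tooling; the patterns, function names and the sample webroot (including the spam.example domain) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Rewrite rules that test the Referer header and send visitors to another site.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M)
# PHP that creates, copies or renames a file to .htaccess.
PHP_WRITES_HTACCESS = re.compile(
    r"\b(rename|copy|file_put_contents|fopen)\s*\([^;]*\.htaccess", re.I)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    # rglob("*") also returns dotfiles, which a plain directory listing hides.
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        # Matching on content catches a staged copy named "ht" as well.
        if REFERER_COND.search(text) and EXTERNAL_RULE.search(text):
            findings.append((rel, "referrer-conditional external redirect"))
        if path.suffix.lower() in PHP_SUFFIXES and PHP_WRITES_HTACCESS.search(text):
            findings.append((rel, "PHP writes or renames to .htaccess"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample webroot mirroring the description in the thread."""
    root = Path(root)
    (root / "index.html").write_text("<html><body>Hello</body></html>\n")
    (root / "contact.php").write_text("<?php echo 'contact form'; ?>\n")
    (root / "ht").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} .*(google|yahoo).* [NC]\n"
        "RewriteRule .* http://spam.example/ [R,L]\n")
    (root / "img").mkdir()
    (root / "img" / "thumb.php").write_text(
        "<?php rename('../ht', '../.htaccess'); ?>\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_webroot(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Because the redirect only fires for visitors arriving from a search engine, loading the site directly will look clean, which is why checking the files themselves is the reliable test.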
Old 01-19-2009, 12:06 PM Re: How to remove Antivirus 2009 infection from website
King Spam Talker

Posts: 1,409
Trades: 0
Nice follow-up. Now stick around and visit with us.
__________________
Colbyt
colbyt is online now
Old 01-19-2009, 12:55 PM Re: How to remove Antivirus 2009 infection from website
chrishirst's Avatar
Super Moderator

Posts: 22,225
Location: Blackpool. UK
Trades: 0
One thing you do need to find out is how the files got there.
Old 01-19-2009, 01:01 PM Re: How to remove Antivirus 2009 infection from website
rolda hayes's Avatar
Webmaster Talker

Posts: 650
Name: Darren
Location: England
Trades: 0
Exactly... That sounds pretty scary when someone can change your htaccess file?

You also need to ask the hosting company what they are going to do to stop it happening again... Glad you got it sorted though
__________________
"I always wanted the adoration of John Lennon - With The Anonymity of Ringo Starr..."
QuizBay Help with the testing of this Beta site!