Member Avatar for iwavetostars

Hello! my Avira just detected an infection with PHP/WebShell.A.1. It resides in
C:\Users\Default.Default-PC\AppData\Local\Google\Chrome\User Data\Default\Cache\ and it's called "f_004140".

I don't run any web-server on my computer whatsoever so I have no idea how I got it in here.
Anyways, here's the "source" of the file.
http://pastebin.com/cVzAuS0n
https://mega.co.nz/#!gIJFiCZL!JuTagzrj8TI8nMkDZHPD-SRwu8UYs6Z_blMjkEl-aDE
^ The link to the file itself.

(Scroll down to Raw Paste data). The extension is .file.

I used to run WAMP on my computer but I uninstalled it some time ago.

Any ideas on how to proceed for disinfection from now on? Cheers.

Edited by iwavetostars
  • 2 Contributors
  • 1 Reply
  • 146 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

It means you got this virus from a website you visited with Google Chrome, in this case the PHP script is embedded in a JPEG file, if you open it with an hex editor you will see the code. In this case just empty the cache, this kind of "virus" runs on the webserver and gets executed when the client opens the file only if the file can be handled by the PHP engine.

If you can, try to understand which website was the source and send a report to the owner.

P.S. I tried the script, it's the WSO 2.5 shell.

Edited by cereal
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.