elmyra Posted April 6, 2014 Hello, My account name is elmyra. I've had a website on the stevie server since 2011. My domain is at: clerith.heliohost.org I do not know why my account was suspended. Some pages of my site are still available, but when I click into other pages, I get a page saying that my account has been suspended. Would you please clarify why this has happened, and explain how to reactivate my account? As I remember, I last visited my cPanel last week, so I do not think it's because I've been inactive or anything like that. I would appreciate your help. Thank you.
Tjoene Posted April 6, 2014 Your account was suspended for the following reason: Malware. 1 file(s). PHP.ShellExec FOUND That means that there are some malware files found on your account. For your safety and to protect your website from potential further corruption, the account has been suspended. To find the infected files we recommend making a backup of your site, downloading the backup file to your computer, and scanning the backup using a reputable virus and malware scanner. If you're having trouble locating the offending files, please ask and we can provide more information. If you are certain that it is a false positive, we strongly encourage you to file a false positive form here: http://cgi.clamav.net/sendvirus.cgi Your account should be unsuspended now, but keep in mind that this is a temporary unsuspension. You have 24 hours starting at the time of this post to clean your account of any and all malicious files, or your account will be resuspended.
elmyra (Author) Posted April 6, 2014 I believe I've already done that. I ran Malwarebytes Anti-Malware on my home computer on 4/5/2014, and it found the following: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle). Malwarebytes Anti-Malware deleted and quarantined this malware successfully. Can I assume that the malware has also been deleted from my account?
wolstech Posted April 6, 2014 Registry entries like the one listed are completely irrelevant to your hosting account. You need to download a backup of your account, extract it, then run the scanner on those files. Delete anything found infected from both the backup and your account.
jje Posted April 6, 2014 I ran a quick scan on your account from Stevie, and the results showed there is a file called "v.php" in public_html which is matching PHP.ShellExec.
elmyra (Author) Posted April 6, 2014 Thanks very much to both of you - I'm unfamiliar with things like this. So the problem file is v.php? BTW, I already have a copy of my site on my computer, and I've run Malwarebytes Anti-Malware on it. Should I just reload the entire thing? If there's an easier way to do it, I don't know how. *blush* Again, thanks for all of your help!
jje Posted April 6, 2014 Yes, ClamAV is matching v.php as being the infected file. If you didn't place v.php yourself in public_html, it is possible that other files *could* be infected, however.
elmyra (Author) Posted April 6, 2014 No, I didn't place v.php in public_html myself. In fact, I didn't upload that file at all. I assume I should delete the file - but I'm not sure what else I need to do. How do I tell which files are infected and which aren't? Should I just delete all files and reload them from the copy I have stored on my computer? Sorry I'm so ignorant about this stuff, but I've never had to deal with it before. And thanks again for all of your help!
wolstech Posted April 7, 2014 If you want to be completely sure all the malware is gone, removing all the files for your website and restoring them from your computer would be the way to do it. To start, though, please delete the v.php file so you don't get suspended again for it.
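The two checks the replies above describe (scan the downloaded backup for files a PHP.ShellExec-type rule would flag, and find files on the server that are not in the owner's local copy, such as a v.php the owner never uploaded) can be done together with a short script. This is an added example, not code from the thread or from HelioHost or ClamAV: the signatures are assumptions modelled on what a shell-execution rule looks for, not the real ClamAV rule, and the sample site files are constructed inline so it runs offline. Hits from the signature pass are indicators to review, not a verdict (legitimate code calls system() too); a file present in the server backup but absent from the clean local copy is the stronger signal.

```python
"""Scan an extracted site backup for PHP web-shell indicators and diff it
against the clean local copy. Added example; signatures are assumptions."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}

# Hypothetical indicator rules (not ClamAV's PHP.ShellExec signature):
#   shell-exec-call      any call that hands a string to the OS shell
#   request-to-shell     request input passed straight into such a call
#   eval-decoded-payload eval() over an obfuscated, decoded blob
SIGNATURES = {
    "shell-exec-call": re.compile(
        r"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(", re.I),
    "request-to-shell": re.compile(
        r"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(\s*@?"
        r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "eval-decoded-payload": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
}


def looks_like_php(path: Path, head: str) -> bool:
    """PHP by extension, or a PHP open tag hiding in a non-PHP file."""
    return path.suffix.lower() in PHP_SUFFIXES or "<?php" in head


def scan_file(path: Path) -> list[str]:
    """Return the names of the indicator rules that match this file."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    if not looks_like_php(path, text[:4096]):
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its matching rules."""
    hits: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = scan_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


def _relative_files(root: Path) -> set[str]:
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def unexpected_files(server_root: Path, local_root: Path) -> list[str]:
    """Files in the server backup that the owner's local copy does not have."""
    return sorted(_relative_files(server_root) - _relative_files(local_root))


def build_sample() -> tuple[Path, Path]:
    """Constructed sample: a clean local copy and a server backup with one
    dropped file. Returns (server_backup_root, local_copy_root)."""
    base = Path(tempfile.mkdtemp(prefix="siteaudit-"))
    local, server = base / "local_copy", base / "server_backup"
    clean = {
        "public_html/index.php": "<?php echo 'Welcome to my site'; ?>\n",
        "public_html/contact.php":
            "<?php $n = htmlspecialchars($_POST['name'] ?? ''); "
            "echo \"Thanks, $n\"; ?>\n",
        "public_html/images/logo.png": "PNG-bytes-placeholder\n",
    }
    for root in (local, server):
        for rel, body in clean.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body, encoding="utf-8")
    # Constructed stand-in for the file the owner never uploaded.
    (server / "public_html/v.php").write_text(
        "<?php @system($_GET['cmd']); ?>\n", encoding="utf-8")
    return server, local


if __name__ == "__main__":
    server_root, local_root = build_sample()
    for rel, names in scan_tree(server_root).items():
        print(f"flagged: {rel}: {', '.join(names)}")
    for rel in unexpected_files(server_root, local_root):
        print(f"not in local copy: {rel}")
```

Point `scan_tree` and `unexpected_files` at the extracted cPanel backup and the local copy instead of `build_sample()` for a real site; anything both flagged and absent from the local copy should be deleted from the backup and the account, as wolstech advises, and anything only flagged should be read before deciding.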
elmyra (Author) Posted April 7, 2014 Thank you VERY much! I've deleted the v.php file, and I've spent the last four hours deleting and then re-loading the files for my site from my computer. However, I do not think my computer is fast enough to restore all files within 24 hours (I only have a phone connection). So I hope I will continue to have access to the file manager so I can continue uploading in case some files still look infected. I'm trying to do it as fast as I can. Once again, thank you very much for your help!