The .ico files contain obfuscated code. This malware also creates 8 letter php files with random names like hzgt33ez.php that also have obfuscated code. A scanner has identified those as backdoors. The problem is even if you delete all the .ico and 8 letter php files, tomorrow they appear again. I have deleted them a million times. I have spent days and months on google and I have seen 50 other people having the same infection and nobody has a solution that would preserve the sites but kill the virus. This malware also adds a line of code to your index.php wp-config and wp-settings. This line is obfuscated but it uses "include" and calls those .ico files. Almost all other sites on the server eventually get crosscontaminated because it jumps from folder to folder.
This has cost me a lot of money and I am begging anyone who has any useful info on this to post an answer here. This is what the 8 letter php malware looks like inside from unphp deobfuscator:
Please help
Post a Comment