Virus alert!! : gzpqrw or tiny.cc or Tiny or similar

Are you searching for information about a virus called gzpqrw, tiny.cc, Tiny or similar? Well, you’re in the right place!

I thought I’d explain today how to get rid of a virus that’s attacking Joomla 1.5 sites.

Joomla is behind almost 3% of the sites on the web and a large proportion of them are Joomla 1.5.x sites.  These can be easily exploited and a virus easily added.  Today I’ll cover getting rid of one of the more difficult to find ones.

This virus manifests itself as a page at the bottom of every page in your website.  It’ll look something like this:

[Image: virus pic]

It’ll appear directly under the page text but before the footer.

What this virus does is get another page and adverts and download them into your website.  It then places ads in the hope that people will click on them.

Unlike many Joomla viruses, this virus is not in an obvious place.  Often a virus is placed in an index.php file, either the main index.php or the template one.  If you don’t know what that means, don’t worry: you don’t need to in order to be able to remove the virus!

First you need to get yourself a plain text editor: use Notepad++ or Crimson; both are good and free.  Just google them, then download and install one.

Next you need to be able to download one of the files that runs your website.  You should be able to do this via FTP or through your hosting company’s site.  If you don’t know how, ask your hosting company, or drop me a comment.

Once you can access your files go to the httpdocs/includes folder (might be called public_html/includes or similar) and find the file application.php, download it and open it in your text editor.  Save a copy of this file in case things go wrong.  Now edit the original file and find the code that looks like this about line 121:

(note this is an image to make this difficult to copy)

Change it to:
		$contents = JComponentHelper::renderComponent($component);
		$document->setBuffer($contents,'component');

Now save and upload the amended file.  This should fix the problem.  If you have problems please feel free to leave a comment and I’ll try to help you out.

If you’ve been infected with this, don’t worry, you’re not alone.  In a short search I found a ton of sites with this virus.

Anyway hope this helps.

 

Alan
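A scripted version of the check described above, as an added example that is not part of the original post: it searches PHP files by content for the strings named in this post and confirms that includes/application.php still contains the two stock lines shown above. The function names and the sample tree built by `make_sample` are assumptions made for the example.

```shell
# Indicator strings named on this page; extend the pattern for "similar" variants.
INDICATORS='gzpqrw|tiny\.cc'

# Print PHP files under $1 whose content matches an indicator. This searches
# content, so it does not depend on file modification dates.
find_indicators() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INDICATORS" {} + | sort
}

# True if string $1 contains literal string $2.
has() { case $1 in *"$2"*) return 0 ;; esac; return 1; }

# 0 = both stock lines the post restores are present, 1 = one is missing,
# 2 = file absent. Present lines do not prove the file is clean.
dispatch_is_stock() {
    f="$1/includes/application.php"
    [ -f "$f" ] || return 2
    flat=$(tr -d ' \t\r' < "$f")   # ignore spacing differences
    has "$flat" '$contents=JComponentHelper::renderComponent($component);' || return 1
    has "$flat" "\$document->setBuffer(\$contents,'component');"
}

# Report on web root $1. Returns 0 if nothing was flagged, 1 otherwise.
scan_site() {
    flagged=0
    hits=$(find_indicators "$1")
    if [ -n "$hits" ]; then
        printf 'indicator found in:\n%s\n' "$hits"
        flagged=1
    fi
    if ! dispatch_is_stock "$1"; then
        echo "includes/application.php: stock dispatch lines missing or file absent"
        flagged=1
    fi
    return "$flagged"
}

# Constructed sample web root in $1 (hypothetical helper for trying the scan);
# $2 = infected adds the line quoted in the reader comment on this page.
make_sample() {
    mkdir -p "$1/includes"
    {
        echo '<?php'
        if [ "$2" = infected ]; then echo "\$link = 'http://tiny.cc/gzpqrw';"; fi
        echo '    $contents = JComponentHelper::renderComponent($component);'
        echo "    \$document->setBuffer(\$contents,'component');"
    } > "$1/includes/application.php"
}

if [ "$#" -gt 0 ]; then scan_site "$1"; fi
```

Save it under any name and pass the web root (the httpdocs or public_html folder) as the first argument.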

2 Responses to Virus alert!! : gzpqrw or tiny.cc or Tiny or similar

  • Thanks. Helped out heaps. Interesting that the modified file date had not changed, which made it hard to find. So my next solution was to search for “gzpqrw” in Linux using:

    grep -H -r "gzpqrw" /home

    Result being..
    /home/site/www/includes/application.php: $link = 'http://tiny.cc/gzpqrw';

    Where I found the code.

  • Man! Thanks…you rock!
