• Resolved YogieAnamCara

    (@yogieanamcara)


    Hello,

    usually I work on my multisite WP installation (backend) at home on my iMac via Safari, FF etc.

    Recently I worked on a PC with FF 3.6.18 (also tried IE 7.0.5730.13IS) installed and got a message from McAfee that a script has been stopped due to a VBS\Psyme trojan detection in load-scripts.php.

    I downloaded all my files from the web to a local folder on that PC and scanned it, but no trojan etc. was detected. I also scanned the entire PC without finding anything.

    I also deleted all cached files in both browsers, and McAfee kept warning when I log in to the backend of my WP 3.2.

    Any idea? Is it just the outdated browser configuration on that PC (sorry I’m not allowed to upgrade to the most recent browsers on that machine to test it myself)? Or is there still a chance that there is a trojan virus?

    Many thanks for your help and advice.

    Cheers
    Yogie

Viewing 15 replies - 1 through 15 (of 18 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    If you downloaded from wp.org (this site) it’s either a false alert, OR your website is infected itself.

    Thread Starter YogieAnamCara

    (@yogieanamcara)

    I had the hope someone could clarify or let me know if the problem is not only on my site to determine what the truth is.

    I downloaded the WP 3.2 upgrade via the auto upgrade procedure and beyond that I downloaded WP 3.2 from here and deleted the files on the web-server and uploaded WP 3.2 by hand. Same alert responses from McAfee after new upload.

    And as said before, I have downloaded all the files and scanned them locally; no alerts then. So it simply seems that the alert only occurs when I work in the WP back-end and load-scripts.php is called.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Which means it’s your SERVER that is infected, not WP. Which sucks :/

    1) Call your host NOW.

    2) Consider https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Thread Starter YogieAnamCara

    (@yogieanamcara)

    Well my Host did a check and was not able to find any virus or trojan and my laptop is virus free as well. So this is definitely something that is McAfee related.

    YogieAnamCara, did you find anything else out about this problem?

    I just heard about this issue today from my boss who has McAfee on her computer. I logged into a computer with McAfee and get the virus alert for VBS/Psyme when I try to access admin pages in the back end. The front-facing pages aren’t affected. If I’m logged into a regular user account, I don’t get the alert at all, even when viewing my profile.

    I downloaded everything on the web server and scanned with Microsoft Internet Essentials (Windows 7) and nothing was found. I used WinMerge and couldn’t find any differences between the live site and a fresh copy of WordPress.

    We upgraded to WP3.2 on July 7th. I upgraded to 3.2.1 today and overwrote all files on the server. Still, I get the McAfee warnings when logged into the back-end as an administrator. My Windows 7 computer doesn’t detect any problems using Microsoft’s Internet Essentials.

    Here is a log entry from McAfee:
    7/18/2011 12:22:04 PM Deleted [DOMAIN deleted]\[username deleted by me] C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\[username deleted by me]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WL2UEN8I\load-scripts[1].php VBS/Psyme (Trojan)

    I’m waiting to hear back from my host, but this is looking like a false alarm to me. The only thing that worries me is I don’t see other people with the same issue when searching with Google.

    Okay, did some more investigation. I rolled back my database to May 12th and the McAfee alert goes away. My next snapshot is May 19th, and if I roll back to that date, the alert appears.

    We upgraded to WP3.1 on March 23rd and WP3.2 on July 7th.

    I’ll have to take a close look at these two SQL files and see what I can find. I’m not really sure what I’m looking for or if VBS/Psyme affects the database.

    Okay, after investigating more, the problem is with the plugin Exec-PHP, so obviously this IS a false positive from McAfee. (sigh)

    Thread Starter YogieAnamCara

    (@yogieanamcara)

    jwarcher, this is the same I found out and what my host confirmed. It is a false positive from McAfee. So no worries!

    I switched to the “PHP Execution” plugin and all is well.

    Thanks very much for posting this help everyone. I’ve switched to PHP Execution as well and the McAfee conflict luckily seems to be gone. Shame a McAfee mistake is making us switch away from a perfectly good plugin, but hey ho…

    Thread Starter YogieAnamCara

    (@yogieanamcara)

    I also switched over to PHP Execution. Thanks for sharing the solution!

    I’m not experiencing the McAfee issue but thought I’d check out PHP Execution as an alternative to Exec-PHP since it doesn’t work with another plugin I use – Widget Entries (allows WYSIWYG editing of Text widgets).

    Unfortunately, with PHP Execution my custom footer PHP no longer works inside a Text widget let alone within Widget Entries.

    Thanks for the discussion. I manage a site at work that handles a lot of the administration of our ERP system, and I had the exact problem listed, McAfee barking about VBS/Psyme. I had Exec-PHP applied so I disabled it, applied PHP Execution, and the problem went away.

    Better support than I could have received if I had paid good money for it!

    Shame a McAfee mistake is making us switch away from a perfectly good plugin, but hey ho…

    After I was unable to do any admin editing with Firefox on widgets and widget areas.

    Stop/Restart did not help but I found out that it still worked in Chrome and MS IEv9.

    McAfee came up with the Trojan… three times… and counting.
    And removal of it resolved my problem. Problem is that it has not gone then, has it? Now looking to kill it forever (EXEC-PHP???)
    It all started after the update to WP 3.2.1 this very morning…

    Out of the blue – jwarcher:

    I switched to the “PHP Execution” plugin and all is well.

    How did you come to the conclusion that there would be any connection between EXEC-PHP and this virus??

    I got it immediately after the update to WP 3.2.1. EXEC-PHP was untouched.

  • The topic ‘VBS\Psyme VirusSDcan Alert! (McAfee)’ is closed to new replies.