diff --git a/sc.php b/sc.php
index 7e59cc7..711d6ca 100644
--- a/sc.php
+++ b/sc.php
@@ -29,7 +29,6 @@ $error = "Fatal error: Allowed memory size of 134217728 bytes exhausted (tried t
     <ul>
     <li><a href="?run=infection" style="color: #ff0000;">Known PHPShell Scan</a></li>
     <li><a href="?run=scanme" style="color: #ff0000;">Known Malware Scan</a></li>
-    <li><a href="?run=less" style="color: #ff0000;">Less used patterns</a></li>
     <li><a href="?run=checkexif" style="color: #ff0000;">Scan JPEG EXIF Data</b></a></li>
     <li><a href="?run=iframe" style="color: #ff0000;">malicious IFRAME scan</a></li>
     <li><a href="?run=checklarge" style="color: #ff0000;">Check Files With Large Lines</b></a></li>
@@ -1118,79 +1117,6 @@ echo '<input name="submit" type="submit" value="Go">';
 
 }
     */
-function less(){
-$rray = array("php", "js", "css", "pl");
-foreach ($rray as $i => $vals) {
-    /* echo '\<style name=\"Mr.HiTman\"<br />';
-    system('find ./ -name "*.'.$vals.'" -exec grep -l "\<style name=\"Mr.HiTman\"" {} \;');   */
-
-echo "OOO000000=urldecode(<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "OOO000000=urldecode(" {} \;');
-echo "visitorTracker_isMob<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "visitorTracker_isMob" {} \;');
-echo "this->privmsg(<br />";
-system('find ./ -name "*.'.$vals.'" -exec grep -l "this->privmsg(" {} \;');
-echo "Starting call<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Starting call" {} \;');
-echo "Hacker<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Hacker" {} \;');
-echo "boff<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "boff" {} \;');
-echo "r57Shell Edited By Margu<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "r57Shell Edited By Margu" {} \;');
-echo "IRC_socket<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "IRC_socket" {} \;');
-echo "ConfigSpy<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "ConfigSpy" {} \;');
-echo "aWYo<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "aWYo" {} \;');
-echo "currentCMD<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "currentCMD" {} \;');
-echo "IyEvdXNyL2Jpbi9<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "IyEvdXNyL2Jpbi9" {} \;');
-echo "bind_port<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "bind_port" {} \;');
-echo "BaseIRC<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "BaseIRC" {} \;');
-echo "procname<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "procname" {} \;');
-echo "Web Shell<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Web Shell" {} \;');
-echo "Goog1e_analist<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Goog1e_analist" {} \;');
-echo "Upload Fail !<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Upload Fail !" {} \;');
-echo "FilesMan<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "FilesMan" {} \;');
-echo "uname -a<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "uname -a" {} \;');
-echo "OOO000000<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "OOO000000" {} \;');
-echo "Sakerhetsniva<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Sakerhetsniva" {} \;');
-echo "0x00 PHP shell<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "0x00 PHP shell" {} \;');
-echo "surl = htmlspecialchars<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "surl = htmlspecialchars" {} \;');
-echo "function echoQueryResult() {<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "function echoQueryResult() {" {} \;');
-echo "Safe Mode on/off:  <br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Safe Mode on/off:  " {} \;');
-echo "Script for l33t admin job<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "Script for l33t admin job" {} \;');
-echo "ONBOOMSHELL V 0.2<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "ONBOOMSHELL V 0.2" {} \;');
-echo "StresBypass v1.0<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "StresBypass v1.0" {} \;'); //StressBypass shell
-echo "JspWebshell<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "JspWebshell" {} \;'); //JSP shell
-echo "StAkeR ~ Shell<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "StAkeR ~ Shell" {} \;'); //StAkeR shell
-echo "SnIpEr_SA<br />";
-system('find ../ -name "*.'.$vals.'" -exec grep -l "SnIpEr_SA" {} \;'); //SnIpEr_SA shell
-
-}
-}
 
 
 // Checking for suspicious files in /tmp
@@ -1327,156 +1253,153 @@ if (isset($_GET['run'])) $linkchoice=$_GET['run'];
                 infection();
             break;
 
-            case 'less' :
-                less();
-    break;
+            case 'pwds' :
+                pwds();
+            break;
 
-case 'pwds' :
-    pwds();
-    break;
+            case 'mailing' :
+                mailing();
+            break;
 
-case 'mailing' :
-    mailing();
-    break;
+            case 'mysqlsearch' :
+                mysqlsearch();
+            break;
 
-case 'mysqlsearch' :
-    mysqlsearch();
-    break;
+            case 'remove' :
+                remove();
+            break;
 
-case 'remove' :
-    remove();
-    break;
+            case 'clean' :
+                clean();
+            break;
 
-case 'clean' :
-    clean();
-    break;
+            case 'loop' :
+                loop();
+            break;
 
-case 'loop' :
-    loop();
-    break;
+            case 'otherinfect' :
+                otherinfect();
+            break;
 
-case 'otherinfect' :
-    otherinfect();
-    break;
+            case 'hta' :
+                hta();
+            break;
 
-case 'hta' :
-    hta();
-    break;
+            case 'version' :
+                version();
+            break;
 
-case 'version' :
-    version();
-    break;
+            case 'checkexif' :
+                checkexif();
+            break;
 
-case 'checkexif' :
-    checkexif();
-    break;
+            case 'transfer' :
+                transfer();
+            break;
 
-case 'transfer' :
-    transfer();
-    break;
+            case 'cleanexif' :
+                cleanexif();
+            break;
 
-case 'cleanexif' :
-    cleanexif();
-    break;
+            case 'custom' :
+                custom();
+            break;
 
-case 'custom' :
-    custom();
-    break;
+            case 'iframe' :
+                iframe();
+            break;
 
-case 'iframe' :
-    iframe();
-    break;
+            case 'lastfiles' :
+                lastfiles();
+            break;
 
+            case 'execcmd' :
+                execcmd();
+            break;
 
-case 'lastfiles' :
-    lastfiles();
-    break;
+            case 'mysqlpwd' :
+                mysqlpwd();
+            break;
 
-case 'execcmd' :
-    execcmd();
-    break;
+            case 'findbackups' :
+                findbackups();
+            break;
 
-case 'mysqlpwd' :
-    mysqlpwd();
-    break;
+            case 'findlarge' :
+                findlarge();
+            break;
 
-case 'findbackups' :
-    findbackups();
-    break;
+            case 'findsql' :
+                findsql();
+            break;
 
-case 'findlarge' :
-    findlarge();
-    break;
+            case 'findsymlinks' :
+                findsymlinks();
+            break;
 
-case 'findsql' :
-    findsql();
-    break;
+            case 'zencart' :
+                zencart();
+            break;
 
-case 'findsymlinks' :
-    findsymlinks();
-    break;
+            case 'getsize' :
+                getsize();
+            break;
 
-case 'zencart' :
-    zencart();
-    break;
+            case 'repl' :
+                repl();
+            break;
 
-case 'getsize' :
-    getsize();
-    break;
+            case 'fixperms' :
+                fixperms();
+            break;
 
-  case 'repl' :
-    repl();
-    break;
+            case 'checklarge' :
+                checklarge();
+            break;
 
-      case 'fixperms' :
-    fixperms();
-    break;
+            case 'processlist' :
+                processlist();
+            break;
 
-          case 'checklarge' :
-    checklarge();
-    break;
+            case 'scanme' :
+                scanme();
+            break;
 
-          case 'processlist' :
-    processlist();
-    break;
+            case 'cleanPHP' :
+                cleanPHP();
+            break;
 
-          case 'scanme' :
-    scanme();
-    break;
+            case 'securetemps' :
+                securetemps();
+            break;
 
-          case 'cleanPHP' :
-    cleanPHP();
-    break;
-          case 'securetemps' :
-    securetemps();
-    break;
-          case 'cleanPL' :
-    cleanPL();
-    break;
+            case 'cleanPL' :
+                cleanPL();
+            break;
 
-              case 'insecplug' :
-    insecplug();
-    break;
+            case 'insecplug' :
+                insecplug();
+            break;
 
-              case 'reshog' :
-    reshog();
-break;
+            case 'reshog' :
+                reshog();
+            break;
 
-    case 'findbot' :
-findbot();
-break;
+            case 'findbot' :
+                findbot();
+            break;
 
-case 'cleangravity' :
-cleangravity();
-    break;
+            case 'cleangravity' :
+                cleangravity();
+            break;
         
-        case 'cleanupl' :
-        cleanupl();
-        break;
+            case 'cleanupl' :
+                cleanupl();
+            break;
         
-default :
-    norun();
-    echo 'no function chosen. please pick a function from the menu above';
+            default :
+                norun();
+            echo 'no function chosen. please pick a function from the menu above';
 
 }
 
diff --git a/scan.php b/scan.php
index f7de764..7f11888 100644
--- a/scan.php
+++ b/scan.php
@@ -1,15 +1,12 @@
 <?php
 /*
-[+] Malware Scanner version 2.1
-[+] Patterns updated on July 18 2015 - next update in September 2015
+[+] Malware Scanner version 3.0
+[+] May 2017
 [+] by Malin Cenusa
-*/
-
-/* let's make sure nobody uses this further */
-
+*/ 
 
 /* script variables */
-$version = '2.1';
+$version = '3.0';
 $self = basename(__FILE__);
 
 $eroot = '../';
@@ -35,6 +32,434 @@ $counter_warning = 0;
 set_time_limit(0);
 error_reporting(E_ALL);
 
+    $pattern = array(
+    "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n",
+    "eval(\s*)\((.*)base64_decode(\s*)\(",
+    "this.form.upload_file.disabled=false",
+    "function(\s*)jspw3\(d\,m\,f\)",
+    "a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager",
+    "php\_uname(\s*)\(preg_replace(\s*)\(",
+    "function(\s*)rewrioutclbkxxx1\(",
+    "eval\(\(base64_decode\(",
+    "preg_replace\(strrev\(",
+    "s=base64_decode\(str_replace\(chr\(32\)",
+    "_GET\[base64_decode\(",
+    "eval\(base64_decode\(<(.*)POST(.*)>php",
+    "\.\"<html><head><title>404\s*Not\s*Found<\/title><\/head><body>",
+    "@error_reporting\(0\)",
+    "==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================",
+    "X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v",
+    "WordPress(\s*)Inserter(\s*)Links",
+    "The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script",
+    "@kr(\s*)=(\s*)<d0mains>;",
+    "copyto(\s*)=(\s*)explode\(",
+    "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
+    "eval\(gzinflate\(base64_decode\(",
+    "eval\(gzinflate\(str_rot13\(base64_decode\(",
+    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal",
+    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
+    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you",
+    "Wells(\s*)Fargo(\s*)Home(\s*)Page",
+    "Chase(\s*)Online(\s*)-(\s*)Logon",
+    "Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal",
+    "Login(\s*)-(\s*)PayPal",
+    "Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started",
+    "My(\s*)Account(\s*)-(\s*)Telstra",
+    "RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
+    "RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking",
+    "Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank",
+    "~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~",
+    "Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page",
+    "Santander(\s*)Online(\s*)Banking",
+    "eBucks(\s*)>(\s*)Home",
+    "Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance",
+    "Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!",
+    "Remax(\s*)ReZulT(\s*)By",
+    "ErrorDocument(\s*)404(\s*)http",
+    "ErrorDocument(\s*)500(\s*)http",
+    "ErrorDocument(\s*)403(\s*)http",
+    "%u0c0c%u0c0c",
+    "String.fromCharCode(32)",
+    "HTTP_REFERER(.*)msn(.*)live",
+    "SnIpEr_SA",
+    "php_value(\s*)auto_append_file",
+    "AddType(\s*)application(\s*).jpg",
+    "AddHandler(\s*)php5-script(\s*).jpg",
+    "HTTP_USER_AGENT(.*)google(.*)yahoo",
+    "HTTP_REFERER(.*)\*search.yahoo\*",
+    "Card(.*)number:",
+    "Mass(.*)Mailer",
+    "<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>",
+    "\;if\(aa\.indexOf\(aaa\)\=\=\=0\)",
+    "function\s*re\(s\,n\,r\,b\,e\)",
+    "var\s*foobar\s*\=\s*unescape\;",
+    "auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"",
+    "<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>",
+    "<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;",
+    "preg\_replace\(\"\/\.\+\/esi\"\,\"",
+    "<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>",
+    "<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'<input\s*type\=hidden\s*name\=address\s*value\=\"\'\.getcwd\(\)\.\'\">\'\;\s*\Wpass\_up\=",
+    "<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'",
+    "<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>",
+    "<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>",
+    "function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;",
+    "<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>",
+    "<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>",
+    "<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>",
+    "GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;",
+    "<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=",
+    "<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;",
+    "auth_pass(.*)eval\(",
+    "<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM",
+    "<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>",
+    "base=base64_encode\(",
+    ".rand\(100000000,9999999999\).",
+    "__++\)\)\].=",
+    "Fredrik N. Almroth - h.ackack.net",
+    "The Sword Config Fuck Script",
+    "4297f44b13955235245b2497399d7a93",
+    "<\!-- provided by.\/katAK -->",
+    "user_agent_to_filter",
+    "\@unserialize\(base64_decode\(",
+    "file_put_contents\(__FILE__,base64_decode\(",
+    "echo eval\(urldecode\(",
+    "echo @eval\(base64_decode\(",
+    "xml_str = base64_decode",
+    "X-Mailer: Microsoft Office Outlook",
+    "mode=show>Commands Run",
+    "_SAPE_USER",
+    ".gzuncompress\(base64_decode\(",
+    "\);preg_replace\(",
+    "\),base64_decode\(",
+    "eVAl\( base64_decode\(",
+    "\(gzinflate\(str_rot13\(base64_decode\(",
+    "body=stripslashes\(urldecode\(",
+    "REQUEST = array_merge\(",
+    ";eval\(\(\(strlen\(",
+    "viagra",
+    "levitra",
+    "male enhancement",
+    "propceia",
+    "xViewState\(\)",
+    "Fonksiyonlar",
+    "<vuln> <dork>",
+    "Sh3llBoT",
+    "Upload Your Fav Shell",
+    "Is cURL installed\? \(nst\) which curl",
+    "Magic Include Shell ver",
+    "irc.securitychat.org",
+    "function printLogin\(\)",
+    "function GetMama\(\)",
+    "runcommand",
+    "my @nickname = ",
+    "dosyaPath = mid\(mpat,InStrRev\(mpat",
+    "coded by z0mbie",
+    "Php Bypass - www.shellci.biz",
+    "fistik=PHVayv;",
+    "Dark Shell",
+    "CTT SHELL",
+    "\/etc\/passwd",
+    "<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>",
+    "fonk_kap = get_cfg_var",
+    "PHPSHELL_VERSION",
+    "Root-Access Shell",
+    "s101 Interamente creata da Sora101",
+    "SimAttacker - Vrsion",
+    "Shell Dizini:",
+    "\/etc\/syslog.conf",
+    "die\(PHP_OS.chr\(49\).chr\(48\)",
+    "stCurlLink = base64_decode\(",
+    "cookey =",
+    "cxyyt = array\(",
+    ".str_pad\(strtoupper\(dechex\(",
+    "veb65c0b0 = array_keys\(",
+    "=Array\(base64_decode\(",
+    "edoced_46esab",
+    "\*\/base64_decode\/\*",
+    "eval\(stripslashes\(",
+    "eval\(\@gzinflate\(base64_decode\(",
+    "eva1fYlbakBcVSir",
+    "preg_replace\(\"\/\.\*\/e\"\,\"\\x65",
+    "cg2bW3yV4NSpnvKX2cFAvjczD7",
+    "fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7",
+    "Macro Hack",
+    "JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs",
+    "XERATUTA",
+    "unserialize\(string_cpt\(base64_decode\(",
+    "data.dat.gz",
+    "Scam Redirector",
+    "\/images\/config.db",
+    "\/temp\/links.db",
+    "LS0tLS0tLS0tLS0tLS0t",
+    "BlackMail",
+    "\{ hauguen priv\@ spammer \}",
+    "echo \'Shell Ok \';",
+    "Da Slake PHP MAILER",
+    ": :   M A I L E R   : :   \$ d o m a i n   -   I n s i d e T e a m   v",
+    "\/etc\/valiases/",
+    "numemails",
+    "PHP Mailer",
+    "\/etc\/named.conf",
+    "set_index .= base64_encode\(",
+    "eval\(gzinflate\(base64_decode\(strrev\(",
+    "system file do not delete",
+    "nslookup -type=MX",
+    "\$copyto = explode\(\'wp-content\'\,",
+    "default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(",
+    "\<\?php for\(\$o=0,\$e=",
+    "\$felp = explode\(\$kaka",
+    "getdata = base64_decode\(\$datacheck\);",
+    "array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(",
+    "if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==",
+    "Upload GAGAL",
+    "Config Grabber",
+    "@symlink\(",
+    "OOO000000=urldecode\(",
+    "eval \(gzinflate\(base64_decode\(",
+    "return rawurlencode\(rawurlencode\(",
+    "=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(",
+    "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
+    "eval\(gzinflate\(base64_decode\(",
+    "eval\(gzinflate\(str_rot13\(base64_decode\(",
+    "eval\(gzinflate\(base64_decode\(str_rot13\(",
+    "eval\(gzinflate\(base64_decode\(base64_decode\(",
+    "eval\(gzuncompress\(base64_decode\(",
+    "eval\(gzuncompress\(str_rot13\(base64_decode\(",
+    "eval\(gzuncompress\(base64_decode\(str_rot13\(",
+    "eval\(str_rot13\(gzinflate\(base64_decode\(",
+    "eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(",
+    "eval\(gzinflate\(base64_decode\(strrev\(",
+    "eval\(gzinflate\(base64_decode\(str_rot13\(",
+    "eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(",
+    "echo\(gzinflate\(base64_decode\(",
+    "^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*",
+    "libworker.so",
+    "by.\/katAK",
+    "array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)",
+    "<span>Make dir:<\/span>",
+    "\}eval\(x0r\(\"",
+    "function x0r\(\$h3ll0s\)",
+    "<\?php\s*preg_replace\(\"",
+    "\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)",
+    "\.ucwords\(str_replace\(",
+    "\)\);array_multisort\(array_map\(",
+    "\.rawurlencode\(strtolower\(",
+    "<\?php\s*eval \( base64_decode \(\"",
+    "eval\(stripslashes\(\$_POST\[codee\]\)\);\"",
+    "eval\(pet\(\"",
+    "<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'",
+    "eval\((.*)\(base64_decode\((.*)1234567890\)\);",
+    "\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}",
+    "\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);",
+    "email_polucha",
+    "if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>",
+    ".::\[ Phproxy \]::.",
+    "teksasli=unescape\(teks\);document.write\(teksasli\)",
+    "eval\(base64_decode\(\$jembot\)\);",
+    "eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);",
+    "die\(\"Restricted accoss\"\);",
+    "<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'",
+    "phpRemoteView",
+    "if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==",
+    "x47FzcyA9ICI",
+    "mkdir\(\'Indishell\',0777\);",
+    "Superfast Zone-H submitter",
+    "if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"",
+    "Done ==> \$userfile_name",
+    "preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam",
+    "WEB(.*)Shell",
+    "index.php replaced successufuly\!",
+    "sloboz",
+    "\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);",
+    "<\? eval\(gzuncompress\(base64_decode\(\'",
+    "WPcheckInstall",
+    "echo \"Already writed\"",
+    "if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)",
+    "FilesMan",
+    "<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"",
+    "\{eval\(base64_decode\(\$_POST\[\"",
+    "\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);",
+    "Created By Spaghy",
+    "= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);",
+    "= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);",
+    "<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(",
+    "Mestre eCoLoGy",
+    "PHP eMailer",
+    "= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";",
+    "The Devil made me do it :\)",
+    "echo \"Can\'t upload file:",
+    "<\?\/\/BREACK\/\/\?>",
+    "Bypass SuHosin",
+    "\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}",
+    "atualizar_flash_player_ver",
+    "Made By mr.hosam",
+    "<script>document.getElementById\(\'a22\'+\'222\'\).style.display=\'no\'+\'ne\'<\/script><\!-- InstanceEnd -->",
+    "\$auth_pass = \"",
+    "<\?php\s*\/\*(.*)*\/\s*eval \( base64_decode \(\"",
+    "\/usr\/bin\/host",
+    "<\?php preg_replace\(\"\/.\*\/e\",\"",
+    "\]\}=__FUNCTION__;return\@is_object\(",
+    "eval\(\"\?>\".gzuncompress\(base64_decode\(",
+    "\$headers = \"Alibaba:",
+    "<\?php \@array_diff_ukey\(\@array\(\(string\)",
+    "\$auth = \$filter\(\@\$_COOKIE\[\'p1\'\]\);",
+    "<\?php\s*if \(isset\(\$_REQUEST\[\'p1\'\]\)\) \{\s*eval\(stripslashes\(\$_REQUEST\[\'p1\'\]\)\);",
+    "<\?php function(.*)=gzinflate\(base64_decode\((.*)\)\); for\(\$i=0;\$i<strlen\(",
+    "\'\]=Array\(base64_decode\(\'",
+    "<\?php \(\$_=\@\$_GET\[2\]\).\@\$_\(\$_POST\[1\]\)\?>",
+    "return stripslashes\(ltrim\(rtrim\(\$string\)\)\);",
+    "4297f44b13955235245b2497399d7a93",
+    "<\?php \$a=\'bas\'.\'e6\'.\'4_d\'.\'ecode\';eval\(\$a\(\"",
+    "l = \"http:\/\/(.*)\" + r + \"&r=\" + document.referrer;\s*document.write\(\"<img src=\'\" + l + \"\'>\"\);",
+    "<title>(.*)PORN(.*)</title>",
+    "Login your email address below to view the document",
+    "symlink\(\'\/home",
+    "local-root-exploit",
+    "my \$fakeproc\s*= \"\/usr\/sbin\/httpd\";",
+    "Server Scanner",
+    "<\?\$x\d\d=\"(.*)\"; \$GLOBALS\[\'",
+    "<\?php(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'(.*)\',\'\',(.*)\);(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'",
+    "function\s*xViewState\(\)",
+    "<\!\-\-start\-add\-div\-content\-\->",
+    "<\?php\s*if\(\W_GET\[\"(.*)\"\]==\"(.*)value=\"ok\"><\/form><\?php\s*\}\?>",
+    "function\s*research_plugin\(\)(.*)eval\(base64_decode\(",
+    "<chr\(ord\(\Wn\)\-1\);\}\s*\@error_reporting",
+    "Exploit\s*failed",
+    "for\s*i\s*in\s*\"uname\s*-a\"\s*\"mount\"\s*\"df\s*-h\"",
+    "<\?php\s*\Wdomain\s*=\s*\"(.*)header\(\"Location:\s*\Wurl\"\);\s*\?>",
+    "move_uploaded_file\(\W_FILES\[\"file\"\]\[\"tmp_name\"\],\Wz\);",
+    "str_replace\(\"w\",\"\",\"wstrw_wrewpwlwawcwe\"\);",
+    "echo\s*\'\[vuln\]\';",
+    "echo\"<font\s*color=\#FFFFFF>\[uname\]\".php_uname\(\).",
+    "if\(\Wresult\)\s*\{\s*echo\s*\'good\';\s*\}\s*else\s*\{\s*\'error\s*:\s*\'.\Wresult;\s*\}",
+    "<\?php\s*\Wandroid\s*=\s*strpos\(\W_SERVER\[\'HTTP_USER_AGENT\'\],\"Android\"\);\s*\Wandroid_urls\s*=\s*array\s*\(",
+    "last\s*root\s*\(nst\)\s*last\s*root",
+    "online\s*encode\s*by\s*cha88.cn\!",
+    "<title>SERVER\s*INFO<\/title>",
+    "ZnZGZnZGZnZGZn",
+    "else\{\s*echo\s*\"sorry\s*file\s*didn\'t\s*chmoded\";\s*\}",
+    "\"\];exit\(\);\}error_404\(\);function\s*is_good_ip\(",
+    "\@system\(\"killall\s*-9\s*\".basename\(\"\/usr\/bin\/host\"\)\);",
+    "<\?php\s*\/\/\#\#\#==\#\#\#(.*)\/\/\#\#\#==\#\#\#\s*\?>",
+    "<\?php\s*\$r76=\"F\[<PAlDf\|\]\}",
+    "<\?php\s*include\(\'(.*)\.png\'\);\s*\?>",
+    "<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>",
+    "<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>",
+    "\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$",
+    "\$qV=\"stop_\"",
+    "\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";",
+    "<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>",
+    "\#\!\/usr\/bin\/perl(.*)\#\s*Do\s*login\s*authentication\s*subroutine(.*)\#EOF",
+    "<\?php\s*\$(.*);eval\(base64_decode\(gzuncompress\(base64_decode\(\$(.*)\)\)\)\);\?>",
+    "<\?php(.*)\$EmailTemporario\s*=\s*\$email\[\$i\];(.*)Safe\s*Mode:\s*<\?php\s*echo\s*\$safe_mode\s*=\s*\@ini_get\(\'safe_mode\'\);\s*\?>(.*)<\/form>",
+    "<\?php\s*\@ignore_user_abort\(true\);(.*)\@eval\(\$(.*)\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR(.*)404\s*Not\s*Found(.*)\?>",
+    "\#\!\/usr\/bin\/perl\s*\-w\s*\'\'\=\~\(\'\(\?\{\'\.\(\'(.*)\'\)\.\'\$\/\}\)\'\);",
+    "<\?php\s*\/\*\*(.*)\$https_in\s*=\s*\"(.*)\"\);\s*\?>",
+    "<html>\s*<head>(.*)if\(is_uploaded_file(.*)move_uploaded_file(.*)\?>\s*<\/body>\s*<\/html>",
+    "DK\s*Shell\s*\-",
+    "<\?php\s*\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\,\"(.*)\"\);",
+    "<\?php\s*\@ini_set\(\'max_execution_time\'\,0\);(.*)\}\}echo\s*\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s*\?>",
+    "randomId(.*)Access\s*Denied(.*)wproPreviewHTML",
+    "md5\(IMAILpassword\)(.*)base64_decode",
+    "value=\'Ввойти\'><br><\/form><br>вы\s*не\s*авторизованы\s*<\/center>",
+    "ping(.*)ping_host(.*)browser_strings",
+    "Help(.*)support(.*)=base64_decode\(\$create_function\(\'\$",
+    "if\(isset\(\$_COOKIE\[\'google\'\]\)\)(.*)if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s*\$",
+    "class\s*RSSInitEx(.*)getCMS\(\)(.*)new\s*RSSInitEx\(\);",
+    "\$this\-\>headers\s*\.=\s*\"Errors\-To\:\s*\{\$this\-\>from\}",
+    "PRIV8",
+    "for\s*i\s*in\s*\"uname\s*\-a\"",
+    "Exploit\s*failed",
+    "Suicide\(\'Windows\s*\-\s*Suicide\'\)\;\}",
+    "=\s*str\_replace\(\"w\"\,\"\"\,\"wstrw\_wrewpwlwawcwe\"\);",
+    "\(\"x\"\,\s*\"\"\,\s*\"xbxasxex6x4x_xdexcoxde\"\);",
+    "\(\"s\"\,\"\"\,\"scsrsesatses_fsusnscstsisosn\"\);",
+    "\$i=strrev\(\"uoy yb dekcah\"\);",
+    "<font\s*color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"",
+    "\$result\s*=\s*mail\(stripslashes\(\$to\)\,\s*stripslashes\(\$subject\)\,\s*stripslashes\(\$message\)\);",
+    "\$android\s*=\s*strpos\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\,\"Android\"\);",
+    "last\s*\(all\s*users\)\s*\(nst\)\s*last\s*all",
+    "online\s*encode\s*by\s*cha88\.cn\!",
+    "<title>Solutions\s*en\s*ligne\s*\-\s*AccèsD<\/title>",
+    "<title>SERVER\s*INFO<\/title>",
+    "\$OUT=alfa\(\$OUT\);eval\(\$OOO0000O0\(\$OUT\)\);return;",
+    "\$sys\s*=\s*strrev\(base64_decode\(\"bWV0U3lT\"\)\);\/\/system",
+    "\}=\@unserialize\(base64_decode\(\$_POST\[\"",
+    "\@system\(\"killall\s*\-9\s*\"\.basename\(\"\/usr\/bin\/host\"\)\);",
+    "\@system\(\"\(crontab\s*\-l\|grep\s*\-v\s*crontab;echo;echo\s*\'\*\s*\*\s*\*\s*\*\s*\*\s*\"\.\$SCP\.\"\/1\.sh\'\)\|crontab\"\,\s*\$ret\);",
+    "function\s*GetWPFooterFNs\(\)",
+    "\$tmp\s*=\s*\@fread\s*\(\$a\,\s*sprintf\s*\(\"\%u\"\,\s*\@filesize\s*\(\$a\)\)\);",
+    "\(\"e\"\.\"va\"\.\"l\(\'",
+    "title=\"Remote\s*Shell\">",
+    "\/\/Obfuscation\s*provided\s*by\s*FOPO\s*-\s*Free\s*Online\s*PHP\s*Obfuscator\s*v1\.2\:",
+    "<\?php\s*\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)",
+    "\$file=\@\$_COOKIE\[\'Jlma3\'\];",
+    "\$fc64=strip_tags\(str_replace\(\"\s*\"\,\"\"\,trim\(\$_GET\[\'fc\'\]\)\)\);",
+    "<li><a\s*href=http\:\/\/(.*)<\/a><\/li>\s*<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/",
+    "echo\s*base64_encode\(\'error\s*\:\s*\'\.\$result\);",
+    "\$i59\[",
+    "\$x74\[",
+    "if\s*\(get_magic_quotes_gpc\(\)\)\s*\{\s*\$wp=stripslashes\(\$wp\);\s*\}",
+    "my\s*\@dangercalls=qw\(",
+    "<\?php\s*extract\(\$_COOKIE\);\s*\@\$F\&\&\@\$F\(\$A\,\$B\);",
+    "copy\(\$_FILES\[\"upfile\"\]\[\"tmp_name\"\]\,\s*\$_FILES\[\"upfile\"\]\[\"name\"\]\)",
+    "\$back_connect=\"",
+    "add_action\(\'after_setup_theme\'\,\s*\'research_plugin\'\);",
+    "document\.getElementById\(\'HideMeBetter\'\)",
+    "<\?php\s*\/\*\s*copyright\s*\*\/(.*)\/\*\s*copyright\s*\*\/ ?>",
+    "elseif\(strstr\(\$_0\,_203519383",
+    "<div\s*style=\"position\:absolute;\s*left\:\-(.*)px;\s*top\:\-(.*)px;\"><a\s*href=\"http\:\/\/",
+    "<\?php\s*eval\(\"\?>\"\.base64_decode\(\"",
+    "\$workdir\s*=\s*preg_replace\(\"\/\^www\W\.\/\"\,\s*\"\"\,\s*\$_SERVER\[\"HTTP_HOST\"\]\);",
+    "<\?php\s*echo\s*eval\(base64_decode\(str_replace\(\'\*\'\,\'a\'\,str_replace\(\'\%\'\,\'B\'\,str_replace\(\'\~\'\,\'F\'\,str_replace\(\'\_\'\,\'z\'\,str_replace\(\'\$\'\,\'x\'\,str_replace\(\'\@\'\,\'d\'\,str_replace\(\'\^\'\,\'3\'\,str_rot13\(",
+    "<\?php\s*if\(\@\$_COOKIE\[\'ft\'\]\)\{\$xww=\$_COOKIE\[\'ft\'\]\(\"\"\,\@\$_COOKIE\[\'st\'\]\(\@\$_COOKIE\[\'nk\'\]\)\);\$xww\(\);\}\?>",
+    "function\s*Decode\(\)\{var",
+    "<\?php\s*function\s*hex2str\(\$hex\)\s*\{\s*return\s*pack\(\'H\*\'\,\s*\$hex\);\s*\}\s*if\(\$_GET\[\'xhelp\'\]\)\s*\{\s*echo\s*\"<pre>\";\s*eval\(\$_GET\[\'xhelp\'\]\);\s*\}\s*if\(\$_GET\[\'hex\'\]\)\s*\{\s*\$payload=hex2str\(\$_GET\[\'hex\'\]\);\s*echo\s*\"<pre>\";\s*system\(\$payload\);\s*\}\s*\?>",
+    "\$z=get_option\(\"_site_transient_browser_(.*)\)\"\);\s*\$z=base64_decode\(str_rot13\(\$z\)\);\s*if\(strpos\(\$z\,\"C20F58DE\"\)\!\=\=false\)\{\s*\$_z=create_function\(\"\"\,\$z\);\s*\@\$_z\(\);\s*\}",
+    "Copyright7_20_127\(\);",
+    "eval\(\"\W\$x=gzin\"\.\"flate\(base\"\.\"64_de\"\.\"code\(\W\"",
+    "\$userAgents\s*=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"\,\s*\"ia_archiver\"\,\s*\"Yandex\"\,\s*\"Rambler\"\)",
+    "for\(\$i=0;\s*\$i\s*<\s*strlen\(\$x\);\s*\$i\+\+\)\{\$(.*)=\"base64_decode\";return\s*\$",
+    "Upload Complete\!",
+    "\$query\s*=\s*base64_decode\(str_replace\(\'\s*\'\,\s*\'\+\'\,\s*\$_POST\[\'query\'\]\)\);",
+    "<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"",
+    "\#Coded\s*By\s*Pejvaknuse\s*Socket;",
+    "<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>",
+    "OOO000000=urldecode(",
+    "visitorTracker_isMob",
+    "this->privmsg(",
+    "Starting call",
+    "Hacker",
+    "boff",
+    "r57Shell Edited By Margu",
+    "IRC_socket",
+    "ConfigSpy",
+    "aWYo",
+    "currentCMD",
+    "IyEvdXNyL2Jpbi9",
+    "bind_port",
+    "BaseIRC",
+    "procname",
+    "Web Shell",
+    "Goog1e_analist",
+    "Upload Fail !",
+    "FilesMan",
+    "uname -a",
+    "Sakerhetsniva",
+    "0x00 PHP shell",
+    "surl = htmlspecialchars",
+    "function echoQueryResult() {",
+    "Safe Mode on/off:",
+    "Script for l33t admin job",
+    "ONBOOMSHELL V 0.2",
+    "StresBypass v1.0",
+    "JspWebshell",
+    "StAkeR ~ Shell",
+    "SnIpEr_SA",
+    "<style name=\"Mr.HiTman\""
+
+);
+
 foreach ($tree as $finfo)
 {
     // exclude self
@@ -91,3304 +516,20 @@ foreach ($tree as $finfo)
         }
 
     }
-    // known infection - can be auto-cleaned
-    elseif(preg_match('#^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n#i', $tmp, $matches))
-    {
+
+   elseif('php' == $ext)   
+   {
+        foreach($pattern as $regex){
+        if(preg_match('#'.$regex.'#i', $tmp, $matches)){
         if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
         if($print_infected || $print_all) print "...INFECTED";
         $counter_infected++;
         if($print_infected || $print_all) print "\n";
-
-        //        $counter_error++;
-        //print("\n\ERROR: {$finfo['path']}{$finfo['fname']} will NOT BE CLEANED! Please use the shell version of this script.\n\n");
         continue;
+           }      
+       }
     }
 
-    // just a guess - eval(base64_decode(... pattern match
-    elseif(preg_match('#eval(\s*)\((.*)base64_decode(\s*)\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval/base64_decode found)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    // Found inside the compromised e107 full release (class2.php)
-    elseif(preg_match('/\$_COOKIE\[[\'|"]access-admin[\'|"]\]/i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all)
-        {
-            print "...INFECTED (access-admin COOKIE reference)\n";
-        }
-        //        print("\nERROR: {$finfo['path']}{$finfo['fname']} can't be auto-cleaned!\n\n");
-        $counter_infected++;
-        //        $counter_error++;
-        continue;
-    }
-
-/* new patterns */
-    elseif(preg_match('#this.form.upload_file.disabled=false#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (this.form.upload_file.disabled=false)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function(\s*)jspw3\(d\,m\,f\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function jspw3 (d ,m ,f))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (a simple Web-based file manager)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#php\_uname(\s*)\(preg_replace(\s*)\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_uname(preg_replace()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function(\s*)rewrioutclbkxxx1\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (function rewrioutclbkxxx1()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eval\(\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (eval((base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#preg_replace\(strrev\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (preg_replace(strrev()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#s=base64_decode\(str_replace\(chr\(32\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (s=base64_decode(str_replace(chr(32))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#_GET\[base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (_GET[base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#@error_reporting\(0\)#i', $tmp))
-    {
-        if($print_suspected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_suspected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (error_reporting)</font>";
-        $counter_suspected++;
-        if($print_suspected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eval\(base64_decode\(<(.*)POST(.*)>php#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(base64_decode(<.*POST.*>php)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (==========================+ Credit.Mutuel.ReZult +==================)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (X-Mailer: The Bat! (v)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#WordPress(\s*)Inserter(\s*)Links#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (WordPress Inserter Links)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (The Sword Config Fuck Script)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#@kr(\s*)=(\s*)<d0mains>;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (@kr = <d0mains>;)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#copyto(\s*)=(\s*)explode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (copyto = explode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (d.=sprintf((substr(urlencode(print_r(array()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (eval(gzinflate(str_rot13(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Home | Personal)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Online Banking | Sign In to Online Banking)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Bank of America | Thank you)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Wells(\s*)Fargo(\s*)Home(\s*)Page#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Wells Fargo Home Page)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Chase(\s*)Online(\s*)-(\s*)Logon#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Online - Logon)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Send Money, Pay Online or Set Up a Merchant Account with PayPal)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Login(\s*)-(\s*)PayPal#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Login - PayPal)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Sign Up for PayPal - It's Free and Easy to Get Started)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#My(\s*)Account(\s*)-(\s*)Telstra#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (My Account - Telstra)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Royal Bank - Sign In to Online Banking)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (RBC Financial Group - Online Banking)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING(Online Banking Security and Privacy Guide - RBC Royal Bank)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#~(\s*)Santander(\s*)Online(\s*)Banking(\s*)~#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (~ Santander Online Banking ~)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Santander(\s*)e-Banking(\s*)?(\s*)Logon(\s*)page#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander e-Banking ? Logon page)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Santander(\s*)Online(\s*)Banking#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Santander Online Banking)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eBucks(\s*)>(\s*)Home#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (eBucks > Home)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Chase(\s*)Personal(\s*)Banking(\s*)Investments(\s*)Credit(\s*)Cards(\s*)Home(\s*)Auto(\s*)Commercial(\s*)Small(\s*)Business(\s*)Insurance#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Chase Personal Banking Investments Credit Cards Home Auto Commercial Small Business Insurance)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Yahoo!(\s*)Mail:(\s*)The(\s*)best(\s*)web-based(\s*)email!#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Yahoo! Mail: The best web-based email!)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Remax(\s*)ReZulT(\s*)By#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Remax ReZulT By)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#ErrorDocument(\s*)404(\s*)http#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 404 http)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#ErrorDocument(\s*)500(\s*)http#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (ErrorDocument 500 http)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#ErrorDocument(\s*)403(\s*)http#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ErrorDocument 403 http)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#%u0c0c%u0c0c#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (%u0c0c%u0c0c)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#String.fromCharCode(32)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (String.fromCharCode\(32\))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#HTTP_REFERER(.*)msn(.*)live#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER msn live)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#SnIpEr_SA#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (SnIpEr_SA)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#php_value(\s*)auto_append_file#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (php_value auto_append_file)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#AddType(\s*)application(\s*).jpg#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddType application .jpg)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#AddHandler(\s*)php5-script(\s*).jpg#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALWARE (AddHandler php5-script .jpg)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#HTTP_USER_AGENT(.*)google(.*)yahoo#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_USER_AGENT google yahoo)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#HTTP_REFERER(.*)\*search.yahoo\*#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED REDIRECT (HTTP_REFERER *search.yahoo*)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Card(.*)number:#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED PHISHING (Card number:)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-/*    elseif(preg_match('#Mass(.*)Mailer#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MAILER (Mass Mailer)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    } */
-    elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (base64 encoded shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\;if\(aa\.indexOf\(aaa\)\=\=\=0\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(;if(aa.indexOf(aaa)===0))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function\s*re\(s\,n\,r\,b\,e\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE (function re(s,n,r,b,e))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#var\s*foobar\s*\=\s*unescape\;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (var foobar = unescape;)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#auth\_pass\s*\=\s*\"(.*)\"\;\s*eval\(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted filesman)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\@copy\(\W\_FILES\[file\]\[tmp\_name\]\,\s*\W\_FILES\[file\]\[name\]\)\;\s*exit\;\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED DEFACE SCRIPT (filecopy)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\/\/(.*)\_\=\s*\/\/system\s*file\s*do\s*not\s*delete\'\'\;\s*\/\/system\s*file\s*do\s*not\s*delete\s*\W\_\_\s*\=\s*\"(.*)\"\;\W\_\_\_\s*\=\s*\"(.*)\"\;eval\(\W\_\_\_\(\W\_\_\)\)\;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#preg\_replace\(\"\/\.\+\/esi\"\,\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<script\s*language\=\"JavaScript\"\s*type\=\"text\/javascript\"><\!\-\-\s*var(.*)\;eval\(unescape\(\"(.*)\;document\.write\(u\)\;u\=\"\"\;\/\/\-\->\s*<\/script>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED JS MALWARE(eval/unescape)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*session\_start\(\)\;\s*\Wme\=\W\_SERVER\[\'PHP\_SELF\'\]\;\s*\WNameF\=\W\_REQUEST\[\'NameF\'\]\;\s*\Wnowaddress\=\'<input\s*type\=hidden\s*name\=address\s*value\=\"\'\.getcwd\(\)\.\'\">\'\;\s*\Wpass\_up\=#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\@set\_time\_limit\(0\)\;\s*\@error\_reporting\(NULL\)\;\s*\@ini\_set\(\'display\_errors\'\,0\)\;\s*\@ignore\_user\_abort\(TRUE\)\;\s*if\(md5\(md5\(\W\_REQUEST\[\'(.*)\'\]\)\)\=\=\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT(malicious)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?PHP\s*defined\(\'\_OLD\_JEXEC\_\'\)\s*or\s*die\(\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\)\;\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*if\(isset\(\W\_REQUEST\[\"(.*)\"\]\)\)\s*\{\s*eval\(base64\_decode\(\W\_REQUEST\[\"(.*)\"\]\)\)\;\s*exit\;\s*\}\s*else\s*\{\s*die\(\"404\s*Not\s*Found\"\)\;\s*\}\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function\_exists\(\'date\_default\_timezone\'\)\s*\?\s*date\_default\_timezone\_set\(\'America\/Los\_Angeles\'\)\s*\:\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?PHP\s*define\(\'REAL\_SERVER\_ROOT\'\,\s*\'SERVER\'\)\;\s*\/\/DIR(.*)define\(\'SYSTEM\_SKEL\_DIR\'\,\s*\'skel\'\)\s*\?\s*\@eval\(base64\_decode\(\W\_REQUEST\[\'(.*)\'\]\)\)\s*\:(.*)define\(\'WORKGROUPS\_META\_SETTINGS\_FILENAME\'\,\s*\'settings.xml\'\)\;\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS SCRIPT</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?\s*if\(\@\W\_POST\[\'(.*)\'\]\)\{eval\(base64\_decode\(\W\_POST\[\'(.*)\'\]\)\)\;\s*exit\(\)\;\}\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED base64 injection script</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*echo\s*\'<b>Sw\s*Bilgi<br><br>\'\.php\_uname\(\)\.\'<br><\/b>\'\;(.*)else\s*\{\s*echo\s*\'<b>Basarisiz<\/b><br><br>\'\;\s*\}\s*\}\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#GIF89\;<br><br>\s*<Hmei7>\s*<\?php\s*if\s*\(\s*isset\(\W\\[\'versi\'\]\)\s*\)\'s*\{\s*vers\(\)\;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GIF infection)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*if\(\!empty\(\W\_FILES\[\'message\'\]\[\'name\'\]\)\s*AND\s*\(md5\(\W\_POST\[\'nick\'\]\)\s*\=\=#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (POST backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\Wis\_bot\s*\=\s*FALSE\s*;\s*\Wuser\_agent\_to\_filter\s*\=\s*array\(\s*\'\#fileuploads\#\'\)\s*\;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED UPLOAD SCRIPT</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#auth_pass(.*)eval\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\/\*\s*Plugin\s*Name\:\s*GSM#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED MALICIOUS PLUGIN</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\?php\s*\W(.*)array\(\"(.*)\"\)\;eval\(\"(.*)x3B\"\)\;\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED SHELL</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#base=base64_encode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base=base64_encode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#.rand\(100000000,9999999999\).#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.rand(100000000,9999999999).)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#__++\)\)\].=#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (__++))].=)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Fredrik N. Almroth - h.ackack.net#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fredrik N. Almroth - h.ackack.net)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#The Sword Config Fuck Script#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (The Sword Config Fuck Script)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (4297f44b13955235245b2497399d7a93)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<\!-- provided by.\/katAK -->#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<!-- provided by./katAK -->)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#user_agent_to_filter#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (user_agent_to_filter)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\@unserialize\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@unserialize(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#file_put_contents\(__FILE__,base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (file_put_contents(__FILE__,base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#echo eval\(urldecode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo eval(urldecode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#echo @eval\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo @eval(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#xml_str = base64_decode#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xml_str = base64_decode)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#X-Mailer: Microsoft Office Outlook#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (X-Mailer: Microsoft Office Outlook)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#mode=show>Commands Run#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mode=show>Commands Run)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#_SAPE_USER#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (_SAPE_USER)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#.gzuncompress\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.gzuncompress(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\);preg_replace\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ();preg_replace()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\),base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (),base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eVAl\( base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eVAl( base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED ((gzinflate(str_rot13(base64_decode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#body=stripslashes\(urldecode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (body=stripslashes(urldecode()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#REQUEST = array_merge\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (REQUEST = array_merge()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#;eval\(\(\(strlen\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (;eval(((strlen()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#viagra#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (viagra)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#levitra#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (levitra)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#male enhancement#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (male enhancement)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#propceia#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (propceia)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#xViewState\(\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (xViewState)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Fonksiyonlar#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Fonksiyonlar)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<vuln> <dork>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<vuln> <dork>)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-     elseif(preg_match('#Sh3llBoT#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Sh3llBoT)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Upload Your Fav Shell#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload Your Fav Shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Is cURL installed\? \(nst\) which curl#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Is cURL installed\? \(nst\) which curl)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Magic Include Shell ver#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Magic Include Shell ver)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#irc.securitychat.org#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (irc.securitychat.org)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function printLogin\(\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function printLogin\(\))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#function GetMama\(\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function GetMama\(\))</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#runcommand#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (AJAX runcommand)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#my @nickname = #i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (my @nickname = )</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#dosyaPath = mid\(mpat,InStrRev\(mpat#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (ASP Shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#coded by z0mbie#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (coded by z0mbie)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Php Bypass - www.shellci.biz#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Php Bypass - www.shellci.biz)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#fistik=PHVayv;#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fistik=PHVayv;)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Dark Shell#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Dark Shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#CTT SHELL#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CTT SHELL)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\/etc\/passwd#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (/etc/passwd)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cShell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#fonk_kap = get_cfg_var#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fonk_kap = get_cfg_var)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#PHPSHELL_VERSION#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHPSHELL_VERSION)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Root-Access Shell#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Root-Access Shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#s101 Interamente creata da Sora101#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (s101 Interamente creata da Sora101)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#SimAttacker - Vrsion#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (SimAttacker - Vrsion)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#Shell Dizini:#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Shell Dizini:)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#\/etc\/syslog.conf#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/syslog.conf)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#die\(PHP_OS.chr\(49\).chr\(48\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED die\(PHP_OS.chr\(49\).chr\(48\)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#stCurlLink = base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (stCurlLink = base64_decode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#cookey =#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookey =)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#cxyyt = array\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cxyyt = array\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#.str_pad\(strtoupper\(dechex\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (.str_pad\(strtoupper\(dechex\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#veb65c0b0 = array_keys\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (veb65c0b0 = array_keys\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#=Array\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (=Array(base64_decode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#edoced_46esab#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (edoced_46esab)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\*\/base64_decode\/\*#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\*\/base64_decode\/\*)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(stripslashes\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(stripslashes\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(\@gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(\@gzinflate\(base64_decode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eva1fYlbakBcVSir#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eva1fYlbakBcVSir)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#preg_replace\(\"\/\.\*\/e\"\,\"\\x65#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (preg_replace\(\"\/\.\*\/e\"\,\"\\x65)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#cg2bW3yV4NSpnvKX2cFAvjczD7#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cg2bW3yV4NSpnvKX2cFAvjczD7)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (fcgr2boWm3yVC4NShpnvaKrXC2ocFAdvjcezD7)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Macro Hack#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Macro Hack)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1Mzs)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#XERATUTA#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (XERATUTA)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#unserialize\(string_cpt\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unserialize\(string_cpt\(base64_decode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#data.dat.gz#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (data.dat.gz)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Scam Redirector#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Scam Redirector)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\/images\/config.db#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/images\/config.db)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\/temp\/links.db#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/temp\/links.db)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#LS0tLS0tLS0tLS0tLS0t#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (LS0tLS0tLS0tLS0tLS0t)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#BlackMail#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (BlackMail)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\{ hauguen priv\@ spammer \}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\{ hauguen priv\@ spammer \})</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#echo \'Shell Ok \';#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (echo \'Shell Ok \';)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Da Slake PHP MAILER#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Da Slake PHP MAILER)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#: :   M A I L E R   : :   \$ d o m a i n   -   I n s i d e T e a m   v#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (: :   M A I L E R   : :   \$ d o m a i n   -   I n s i d e T e a m   v)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\/etc\/valiases/#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/valiases/)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#numemails#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (numemails)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#PHP Mailer#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (PHP Mailer)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\/etc\/named.conf#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\/etc\/named.conf)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#set_index .= base64_encode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (set_index .= base64_encode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval\(gzinflate\(base64_decode\(strrev\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#system file do not delete#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (system file do not delete)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#nslookup -type=MX#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (nslookup -type=MX)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\$copyto = explode\(\'wp-content\'\,#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (copyto = explode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED FilesMan Shell</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\<\?php for\(\$o=0,\$e=#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\<\?php for\(\$o=0,\$e=)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\$felp = explode\(\$kaka#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (\$felp = explode\(\$kaka)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#getdata = base64_decode\(\$datacheck\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (getdata = base64_decode\(\$datacheck\);)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#array_map\(strrev\(\"ed\".\"oced_\".\"46esab\"\),array\(str_replace\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#if \(md5\(md5\(\$\_REQUEST\[\'hhh\'\]\)\) ==#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Upload GAGAL#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Upload GAGAL)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#Config Grabber#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Config Grabber)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#@symlink\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (@symlink\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#OOO000000=urldecode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (OOO000000=urldecode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval \(gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (eval \(gzinflate\(base64_decode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#return rawurlencode\(rawurlencode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (return rawurlencode\(rawurlencode\()</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#d.=sprintf\(\(substr\(urlencode\(print_r\(array\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(str_rot13\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzuncompress\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzuncompress\(str_rot13\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzuncompress\(base64_decode\(str_rot13\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(str_rot13\(gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(str_rot13\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(strrev\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#eval\(gzinflate\(base64_decode\(str_rot13\(strrev\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#echo\(gzinflate\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#^<\?php\s*\\\$md5\s*=\s*[\"|\']\w+[\"|\'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED Shell (encrypted)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#libworker.so#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (libworker.so)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#by.\/katAK#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (by.\/katAK)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (crawler filter)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-    elseif(preg_match('#<span>Make dir:<\/span>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#\}eval\(x0r\("#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#function x0r\(\$h3ll0s\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-    elseif(preg_match('#<\?php\s*preg_replace\(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-     elseif(preg_match('#\$security_code = \(empty\(\$_POST\[\'security_code\'\]\)\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\.ucwords\(str_replace\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\)\);array_multisort\(array_map\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\.rawurlencode\(strtolower\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\?php\s*eval \( base64_decode \(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#eval\(stripslashes\(\$_POST\[codee\]\)\);"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#eval\(pet\(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\?php \$g___g_=\'base\'.\(32*2\).\'_de\'.\'code\';\$g___g_=\$g___g_\(str_replace\(\"\n\", \'\', \'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#eval\((.*)\(base64_decode\((.*)1234567890\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\$opt\(\"\/292\/e\",\$au,292\); die\(\);\}\}\}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\$MailTo = base64_decode\(\$_POST\[\"mailto\"\]\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#email_polucha#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#if\(isset\(\$_REQUEST\[\'(.*)eval\((.*)\); exit\(\); \} if\(isset\(\$_REQUEST\[\'(.*)exit\(\); \}\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#.::\[ Phproxy \]::.#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#teksasli=unescape\(teks\);document.write\(teksasli\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#eval\(base64_decode\(\$jembot\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#eval\(base64_decode\(\$_REQUEST\[\'p64\'\]\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#die\(\"Restricted accoss\"\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-/*        elseif(preg_match('#F(.*)i(.*)l(.*)e(.*)s(.*)m(.*)a(.*)n#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }      */
-        elseif(preg_match('#<\?php\s*eval\(gzinflate\(str_rot13\(base64_decode\(\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#phpRemoteView#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#if \(isset\(\$_POST\[\'_\'\]\) \&\& \(sha1\(base64_decode\(\$_POST\[\'_\'\]\)\^\$str\) ==#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#x47FzcyA9ICI#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#mkdir\(\'Indishell\',0777\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#Superfast Zone-H submitter#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#if\(stripos\((.*)=base64_decode\((.*)=create_function\(\"\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#Done ==> \$userfile_name#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#preg_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#WEB(.*)Shell#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#index.php replaced successufuly\!#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#sloboz#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\$URI = str_replace\(\"sync.php\", \$filename, \$URI\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\? eval\(gzuncompress\(base64_decode\(\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#WPcheckInstall#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#echo \"Already writed\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#if \(move_uploaded_file \(\$_FILES\[\"update\"\]\[\"tmp_name\"\], __FILE__\)\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#FilesMan#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\?php(.*)= array\(\'(.*)= array\(\'(.*)= array\(\'(.*)\";if \(\!function_exists\(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\{eval\(base64_decode\(\$_POST\[\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\$uid = strtoupper\(md5\(uniqid\(time\(\)\)\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#Created By Spaghy#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#= strrev\(\'ed\'.\'oc\'.\'ed_4\'.\'6e\'.\'sab\'\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#= strrev\(\'eca\'.\'lper\'.\'_ge\'.\'rp\'\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\?php\s*if \(\!function_exists\(\"(.*)\"\)\)\s*\{\s*function(.*)= base64_decode\((.*)= strlen\((.*)= file_get_contents\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#Mestre eCoLoGy#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#PHP eMailer#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#= \"p\".\"r\".\"e\".\"g\".\"_\".\"r\".\"e\".\"p\".\"l\".\"a\".\"c\".\"e\";#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#The Devil made me do it :\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#echo \"Can\'t upload file:#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#<\?\/\/BREACK\/\/\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#Bypass SuHosin#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-        elseif(preg_match('#\$_FILE\(stripslashes\(\$_REQUEST\[\'HOST\'\]\)\);\}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#atualizar_flash_player_ver#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#Made By mr.hosam#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<script>document.getElementById\(\'a22\'+\'222\'\).style.display=\'no\'+\'ne\'<\/script><\!-- InstanceEnd -->#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\$auth_pass = \"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php\s*\/\*(.*)*\/\s*eval \( base64_decode \(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\/usr\/bin\/host#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php preg_replace\(\"\/.\*\/e\",\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\]\}=__FUNCTION__;return\@is_object\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#eval\(\"\?>\".gzuncompress\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\$headers = \"Alibaba:#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php \@array_diff_ukey\(\@array\(\(string\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\$auth = \$filter\(\@\$_COOKIE\[\'p1\'\]\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php\s*if \(isset\(\$_REQUEST\[\'p1\'\]\)\) \{\s*eval\(stripslashes\(\$_REQUEST\[\'p1\'\]\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php function(.*)=gzinflate\(base64_decode\((.*)\)\); for\(\$i=0;\$i<strlen\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#\'\]=Array\(base64_decode\(\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php \(\$_=\@\$_GET\[2\]\).\@\$_\(\$_POST\[1\]\)\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#return stripslashes\(ltrim\(rtrim\(\$string\)\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#4297f44b13955235245b2497399d7a93#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php \$a=\'bas\'.\'e6\'.\'4_d\'.\'ecode\';eval\(\$a\(\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#l = \"http:\/\/(.*)\" + r + \"&r=\" + document.referrer;\s*document.write\(\"<img src=\'\" + l + \"\'>\"\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#<title>(.*)PORN(.*)</title>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                elseif(preg_match('#Login your email address below to view the document#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Google Docs Phishing)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#symlink\(\'\/home#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#local-root-exploit#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#my \$fakeproc\s*= \"\/usr\/sbin\/httpd\";#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#Server Scanner#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?\$x\d\d=\"(.*)\"; \$GLOBALS\[\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'(.*)\',\'\',(.*)\);(.*)=\s*\'(.*)\';(.*)=\s*str_replace\(\'#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#function\s*xViewState\(\)#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (function xViewState())</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\!\-\-start\-add\-div\-content\-\->#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (<!--start-add-div-content-->)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#<\?php\s*if\(\W_GET\[\"(.*)\"\]==\"(.*)value=\"ok\"><\/form><\?php\s*\}\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#function\s*research_plugin\(\)(.*)eval\(base64_decode\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious WP plugin)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#<chr\(ord\(\Wn\)\-1\);\}\s*\@error_reporting#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#Exploit\s*failed#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root exploit)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                 elseif(preg_match('#for\s*i\s*in\s*\"uname\s*-a\"\s*\"mount\"\s*\"df\s*-h\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-              elseif(preg_match('#<\?php\s*\Wdomain\s*=\s*"(.*)header\(\"Location:\s*\Wurl\"\);\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-            elseif(preg_match('#move_uploaded_file\(\W_FILES\[\"file\"\]\[\"tmp_name\"\],\Wz\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                 elseif(preg_match('#str_replace\(\"w\",\"\",\"wstrw_wrewpwlwawcwe\"\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-            elseif(preg_match('#echo\s*\'\[vuln\]\';#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (exploit)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                elseif(preg_match('#echo"<font\s*color=\#FFFFFF>\[uname\]\".php_uname\(\).#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (server info grabber)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#if\(\Wresult\)\s*\{\s*echo\s*\'good\';\s*\}\s*else\s*\{\s*\'error\s*:\s*\'.\Wresult;\s*\}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-               elseif(preg_match('#<\?php\s*\Wandroid\s*=\s*strpos\(\W_SERVER\[\'HTTP_USER_AGENT\'\],\"Android\"\);\s*\Wandroid_urls\s*=\s*array\s*\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious redirect)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                elseif(preg_match('#last\s*root\s*\(nst\)\s*last\s*root#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                 elseif(preg_match('#online\s*encode\s*by\s*cha88.cn\!#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#ZnZGZnZGZnZGZn#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#else\{\s*echo\s*\"sorry\s*file\s*didn\'t\s*chmoded\";\s*\}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#\"\];exit\(\);\}error_404\(\);function\s*is_good_ip\(#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#\@system\(\"killall\s*-9\s*\".basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#<\?php\s*\/\/\#\#\#==\#\#\#(.*)\/\/\#\#\#==\#\#\#\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#<\?php\s*\$r76=\"F\[<PAlDf\|\]\}#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                        elseif(preg_match('#<\?php\s*include\(\'(.*)\.png\'\);\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CryptoPHP)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (GLOBALS backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#\$qV=\"stop_\"#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (qV stop backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Wordpress malicious plugin)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                        elseif(preg_match('#<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#\#\!\/usr\/bin\/perl(.*)\#\s*Do\s*login\s*authentication\s*subroutine(.*)\#EOF#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Proxy opener)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                        elseif(preg_match('#<\?php\s*\$(.*);eval\(base64_decode\(gzuncompress\(base64_decode\(\$(.*)\)\)\)\);\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                     elseif(preg_match('#<\?php(.*)\$EmailTemporario\s*=\s*\$email\[\$i\];(.*)Safe\s*Mode:\s*<\?php\s*echo\s*\$safe_mode\s*=\s*\@ini_get\(\'safe_mode\'\);\s*\?>(.*)<\/form>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (info mailer)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#<\?php\s*\@ignore_user_abort\(true\);(.*)\@eval\(\$(.*)\@realpath\(\"\"\)\.DIRECTORY_SEPARATOR(.*)404\s*Not\s*Found(.*)\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#\#\!\/usr\/bin\/perl\s*\-w\s*\'\'\=\~\(\'\(\?\{\'\.\(\'(.*)\'\)\.\'\$\/\}\)\'\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (CGI shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#<\?php\s*\/\*\*(.*)\$https_in\s*=\s*\"(.*)\"\);\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#<html>\s*<head>(.*)if\(is_uploaded_file(.*)move_uploaded_file(.*)\?>\s*<\/body>\s*<\/html>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell uploader)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                    elseif(preg_match('#DK\s*Shell\s*\-#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DK Shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                         elseif(preg_match('#<\?php\s*\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\]\.\$(.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\"\.chr\((.*)\,\"(.*)\"\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                    elseif(preg_match('#<\?php\s*\@ini_set\(\'max_execution_time\'\,0\);(.*)\}\}echo\s*\'rahui\#\'\,\$maxlen\,\'\#rahui\';\s*\?>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                         elseif(preg_match('#randomId(.*)Access\s*Denied(.*)wproPreviewHTML#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#md5\(IMAILpassword\)(.*)base64_decode#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown shell)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#value=\'Ввойти\'><br><\/form><br>вы\s*не\s*авторизованы\s*<\/center>#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#ping(.*)ping_host(.*)browser_strings#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (proxy)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                       elseif(preg_match('#Help(.*)support(.*)=base64_decode\(\$create_function\(\'\$#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (unknown backdoor)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-                      elseif(preg_match('#if\(isset\(\$_COOKIE\[\'google\'\]\)\)(.*)if\(strtolower\(substr\(PHP_OS\,0\,3\)\)==\'win\'\)\s*\$#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam script)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-
-                       elseif(preg_match('#class\s*RSSInitEx(.*)getCMS\(\)(.*)new\s*RSSInitEx\(\);#i', $tmp))
-    {
-        if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-        if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-        $counter_infected++;
-        if($print_infected || $print_all) print "\n";
-        continue;
-    }
-/* added July 2015 */
-elseif(preg_match('#\$this\-\>headers\s*\.=\s*\"Errors\-To\:\s*\{\$this\-\>from\}#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#PRIV8#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#for\s*i\s*in\s*\"uname\s*\-a\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#Exploit\s*failed#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (local root)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#Suicide\(\'Windows\s*\-\s*Suicide\'\)\;\}#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (Suicide shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#=\s*str\_replace\(\"w\"\,\"\"\,\"wstrw\_wrewpwlwawcwe\"\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious string replace)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\(\"x\"\,\s*\"\"\,\s*\"xbxasxex6x4x_xdexcoxde\"\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated base64 strings)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\(\"s\"\,\"\"\,\"scsrsesatses_fsusnscstsisosn\"\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated function create)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$i=strrev\(\"uoy yb dekcah\"\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (reversed string deface)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<font\s*color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$result\s*=\s*mail\(stripslashes\(\$to\)\,\s*stripslashes\(\$subject\)\,\s*stripslashes\(\$message\)\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious mailer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$android\s*=\s*strpos\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\,\"Android\"\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (mobile redirect)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#last\s*\(all\s*users\)\s*\(nst\)\s*last\s*all#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#online\s*encode\s*by\s*cha88\.cn\!#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious encoder)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<title>Solutions\s*en\s*ligne\s*\-\s*AccèsD<\/title>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (phishing)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<title>SERVER\s*INFO<\/title>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$OUT=alfa\(\$OUT\);eval\(\$OOO0000O0\(\$OUT\)\);return;#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicous script)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$sys\s*=\s*strrev\(base64_decode\(\"bWV0U3lT\"\)\);\/\/system#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\}=\@unserialize\(base64_decode\(\$_POST\[\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\@system\(\"killall\s*\-9\s*\"\.basename\(\"\/usr\/bin\/host\"\)\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP bruteforcer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\@system\(\"\(crontab\s*\-l\|grep\s*\-v\s*crontab;echo;echo\s*\'\*\s*\*\s*\*\s*\*\s*\*\s*\"\.\$SCP\.\"\/1\.sh\'\)\|crontab\"\,\s*\$ret\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cron injection)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#function\s*GetWPFooterFNs\(\)#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$tmp\s*=\s*\@fread\s*\(\$a\,\s*sprintf\s*\(\"\%u\"\,\s*\@filesize\s*\(\$a\)\)\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (config stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\(\"e\"\.\"va\"\.\"l\(\'#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (base64 obfuscation)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#title=\"Remote\s*Shell\">#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\/\/Obfuscation\s*provided\s*by\s*FOPO\s*-\s*Free\s*Online\s*PHP\s*Obfuscator\s*v1\.2\:#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscated - maybe malicious)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*\@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]\=\>1\)#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$file=\@\$_COOKIE\[\'Jlma3\'\];#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$fc64=strip_tags\(str_replace\(\"\s*\"\,\"\"\,trim\(\$_GET\[\'fc\'\]\)\)\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<li><a\s*href=http\:\/\/(.*)<\/a><\/li>\s*<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/(.*)<\/a><\/li>(.*)<li><a\s*href=http\:\/\/#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#echo\s*base64_encode\(\'error\s*\:\s*\'\.\$result\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$i59\[#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$x74\[#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#if\s*\(get_magic_quotes_gpc\(\)\)\s*\{\s*\$wp=stripslashes\(\$wp\);\s*\}#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#my\s*\@dangercalls=qw\(#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (malicious Perl)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*extract\(\$_COOKIE\);\s*\@\$F\&\&\@\$F\(\$A\,\$B\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (cookie stealer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#copy\(\$_FILES\[\"upfile\"\]\[\"tmp_name\"\]\,\s*\$_FILES\[\"upfile\"\]\[\"name\"\]\)#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$back_connect=\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#add_action\(\'after_setup_theme\'\,\s*\'research_plugin\'\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (WP backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#document\.getElementById\(\'HideMeBetter\'\)#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam JS)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*\/\*\s*copyright\s*\*\/(.*)\/\*\s*copyright\s*\*\/ ?>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#elseif\(strstr\(\$_0\,_203519383#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<div\s*style=\"position\:absolute;\s*left\:\-(.*)px;\s*top\:\-(.*)px;\"><a\s*href=\"http\:\/\/#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam links)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*eval\(\"\?>\"\.base64_decode\(\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$workdir\s*=\s*preg_replace\(\"\/\^www\W\.\/\"\,\s*\"\"\,\s*\$_SERVER\[\"HTTP_HOST\"\]\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (spam redirect)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*echo\s*eval\(base64_decode\(str_replace\(\'\*\'\,\'a\'\,str_replace\(\'\%\'\,\'B\'\,str_replace\(\'\~\'\,\'F\'\,str_replace\(\'\_\'\,\'z\'\,str_replace\(\'\$\'\,\'x\'\,str_replace\(\'\@\'\,\'d\'\,str_replace\(\'\^\'\,\'3\'\,str_rot13\(#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (obfuscator)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*if\(\@\$_COOKIE\[\'ft\'\]\)\{\$xww=\$_COOKIE\[\'ft\'\]\(\"\"\,\@\$_COOKIE\[\'st\'\]\(\@\$_COOKIE\[\'nk\'\]\)\);\$xww\(\);\}\?>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#function\s*Decode\(\)\{var#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (JS malware)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*function\s*hex2str\(\$hex\)\s*\{\s*return\s*pack\(\'H\*\'\,\s*\$hex\);\s*\}\s*if\(\$_GET\[\'xhelp\'\]\)\s*\{\s*echo\s*\"<pre>\";\s*eval\(\$_GET\[\'xhelp\'\]\);\s*\}\s*if\(\$_GET\[\'hex\'\]\)\s*\{\s*\$payload=hex2str\(\$_GET\[\'hex\'\]\);\s*echo\s*\"<pre>\";\s*system\(\$payload\);\s*\}\s*\?>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$z=get_option\(\"_site_transient_browser_(.*)\)\"\);\s*\$z=base64_decode\(str_rot13\(\$z\)\);\s*if\(strpos\(\$z\,\"C20F58DE\"\)\!\=\=false\)\{\s*\$_z=create_function\(\"\"\,\$z\);\s*\@\$_z\(\);\s*\}#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#Copyright7_20_127\(\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#eval\(\"\W\$x=gzin\"\.\"flate\(base\"\.\"64_de\"\.\"code\(\W\"#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$userAgents\s*=\s*array\(\"Google\"\,\s*\"Slurp\"\,\s*\"MSNBot\"\,\s*\"ia_archiver\"\,\s*\"Yandex\"\,\s*\"Rambler\"\)#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (uploader)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#for\(\$i=0;\s*\$i\s*<\s*strlen\(\$x\);\s*\$i\+\+\)\{\$(.*)=\"base64_decode\";return\s*\$#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#Upload Complete\!#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (insecure uploader)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\$query\s*=\s*base64_decode\(str_replace\(\'\s*\'\,\s*\'\+\'\,\s*\$_POST\[\'query\'\]\)\);#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (web proxy)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\("#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (shell)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\#Coded\s*By\s*Pejvaknuse\s*Socket;#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (DDoSer)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (backdoor)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
-elseif(preg_match('#\.\"<html><head><title>404\s*Not\s*Found<\/title><\/head><body>#i', $tmp))
-{
-if($print_infected) print "{$finfo['path']}{$finfo['fname']}";
-if($print_infected || $print_all) print "<font color='#FF0000'>...SUSPECTED (hide behind 404 error)</font>";
-$counter_infected++;
-if($print_infected || $print_all) print "\n";
-continue;
-}
-
     elseif($print_all) print "...OK\n";
     unset($tmp);
 }
@@ -3396,9 +537,7 @@ echo "\n";
 print "Files checked: ".count($tree)."\n";
 print "Files suspected: ".$counter_suspected."\n";
 print "Files infected: ".$counter_infected."\n";
-    //print "Files cleaned: ".$counter_cleaned."\n";
-    //print "Clean errors: ".$counter_error."\n";
-    //print "Clean warnings: ".$counter_warning."\n\n";
+
 if($counter_suspected) print "NOTE: SUSPECTED DOESN'T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. \n\n";
 print "</pre>";
 unlink(__FILE__);