How do I get rid of malware?
March 3, 2009 7:23 PM   Subscribe

How do you rid a web site of Malware?

People trying to google my website,, are getting a warning that the site "appears to contain malware." What do I do?
posted by tangyraspberry to Computers & Internet (8 answers total)
I'm not seeing that in Firefox 3 when I search for "".
posted by Inspector.Gadget at 7:26 PM on March 3, 2009

do you host or run your own box? if so, virus scan it. also, what kinda error message is this? is this message coming from google? if so, read this blog and start from there.
posted by Davaal at 7:26 PM on March 3, 2009

Hmm, Avast Antivirus says:

Trojan horse found
Malware Name: JS:Packed-AK[Trj]

"JS" leads me to believe that it's a Javascript file.
posted by nikkorizz at 7:29 PM on March 3, 2009

Or this.
posted by nikkorizz at 7:31 PM on March 3, 2009

Yep, they're right; there's a big hefty chunk of obfuscated javascript in your pages, right after the head tag. Your first step is to take that out; check every one of your .html files and remove that <script> tag and everything in it.

Beyond that my expertise runs out: personally I'd call it wipe-clean-and-reinstall time, but maybe others have less drastic suggestions.
posted by ook at 7:36 PM on March 3, 2009

Response by poster: The message is coming from Google and , while I did go to, I didn't see a remedy to my problem.
posted by tangyraspberry at 7:41 PM on March 3, 2009

Best answer: Your problem is this:

(body tag)(script)function c271f17f2ch49a69da7229a1(h49a69da7231a7){ return (parseInt(h49a69da7231a7,16));}function h49a69da724990(h49a69da72517f){ var h49a69da725976='';h49a69da727991=String.fromCharCode;for(h49a69da72617f=0;h49a69da72617f

Open your index.html/index.php/index.whatever file, and remove that Javascript.
posted by SirStan at 8:38 PM on March 3, 2009

It's probably worth pointing out that while removing that injected javascript will solve the problem for now, whatever security hole the bad guys used to put it there in the first place is presumably still open. Unless this was just a drive-by attack, you're going to wind up seeing this again.

Tracking down exactly where the hole is and fixing it is not going to be easy, especially for a novice. At the very least you should change your password and check any cgi scripts you're using for vulnerabilities, but if you're concerned that they might have left themselves a back door running on your server you might be best off having your hosting company wipe it clean so you can start fresh.
posted by ook at 10:12 AM on March 4, 2009

« Older can viruses - specifically the pe_virut variants -...   |   Vista 64 drops Internet connection? Newer »
This thread is closed to new comments.