Removal and Prevention of Gumblar.cn Infections

bleuken — Wed, 06 May 2009 02:27:03 +0000

Gumblar.cn is a website is listed to be suspicious and contains several exploit scripts and trojans that might harm and infect computers. Google marked it as not safe for browsing. I first encountered on a website that I am working on and seen how and where it infects the website. What the trojan did on the site is it embeds its encrypted scripts on .HTML, .JS and .PHP files. You can find the Javascript of the trojan on .HTML files prior to the tag while it embeds itself on .JS files at the bottom most of the said script file. On .PHP files, it usually infects INDEX.PHP files and embeds itself either at the top or bottom of the file. I also found some infections on common .PHP files that are usually INCLUDEd as a constant file of the site. The current anti-virus that detects the said virus was AVAST Home Edition with Web Shield and Networking Shield ON.

Here’s what you will see if you will try to surf a site on Google Chrome that is infected by the trojan coming from the said site:

Now, how to remove it from your website? Well I found no reference on the net to remove it instantly so what I did is I removed the trojan scripts on each file (.JS, .HTML, INDEX.PHP) that I suspected for infection using Filezilla (FTP client program). For the WordPress infection, what I only did was I re-updated / upgraded the site to the latest version which causes the process to override existing files then remove the script from the WP-CONFIG.PHP file. This is the only file that is not overwritten by the said process that’s why I need to remove the trojan scripts manually.

As always, prevention is better than cure to avoid the pain of fixing the problems it cause to the site and to the owner. Here are some of my suggestions and recommendations I found from different web hosting sites regarding avoidance of hacking and malware infections on your site:

Change the file attributes of the files that doesn’t require writing permissions. I usually set my files to 755 attributes (MOD 755)
Update your antivirus virus database and enable or use network + web shield features at all times. Usually infection of websites starts from the local PC that uses to upload new files.
Read this PHP Security fixes recommended by a web hosting company. It contains comprehensive tips on how to avoid PHP exploits and hacks. Read it carefully and apply it if it is possible.

If you have any better solutions out there or any recommendations on dealing on this kind of exploits/hacks, feel free to leave it here. I am sure that a lot of people will really highly appreciated the help that you can provide.

Removal and Prevention of Gumblar.cn Infections is a post from: Bleuken.com

No related posts.

Free Tools for Virus, Worm, Malware & Spyware Prevention & Removal

bleuken — Thu, 20 Nov 2008 15:18:48 +0000

Whenever you are online, it seems that you just can’t avoid different forms of malicious codes to invade your system. It seems that these annoying bugs are everywhere. Of course dealing with them is not really easy and it will really cost you both money and time to avoid and remove it. Now, I have listed here some free tools that you can use to prevent and remove common virus, worms, spywares or malwares. These are some of the tools that I personally used to avoid and fix these kind of “infections.”

1. Malwarebytes’ Anti-Malware. This a free downloadable freeware tool that allows you to scan and clean your PC from different kind of malware infections. It is freely available online at Malwarebytes.org and compatible with Windows 2000, XP and Vista. Its simple interface and light use of computer resources make it to scan the computer very fast.

2. NOOB.Killer.Leerz. I think this free virus and world removal tool was made by a Filipino basing on its homepage which is located at ~~http://leerz25.sitesled.com/~~(the site is not existing anymore but I found an archive of the tool and you can download NOOB.Killer.Leers here.) It targets virus and worms such as IMGKulot.VBS (this is a VBScript worm that uses autorun.inf to spread itself), Funny UST Scandal virus or also known as YahLover virus, Krag, KAVO and many other. Actually this was recommended to me by a friend technician who use this to fix problems of his clients. I’ve tried this one to remove the KAVO and Funny UST Scandal virus on our school’s PC and I found it very effective.

3. TrendMicro HijackThis. This free tool is for those who knows how to read the registry. It is use to list all the running process currently executing on the background of the PC and all the programs that ran during start-up. Actually this is the tool that I recommend to my readers who asked for advice about their problems on their PC. This program produces a .LOG file that shows all the said information and I asked them to send it to me via email so I could analyze the .LOG file.

4. SmitFraudFix. A freeware tool from S!Ri which is created to remove rogue anti-spyware applications that uses Trojans to issue fake taskbar, security alerts or that change your background in order to scare you into purchasing the full commercial version of their software. I used this program to remove the infection of SpySheriff / Winstall.exe and Antivirus 2009 infection. You can download and read information about this tool from BleepingComputer.com.

5. AVAST, AVG, Avira. These are the three free anti-virus that I’ve been using for several years. What I like with AVAST (avast.com) is its feature that you can schedule a virus scan at boot-time which I found very effective for removing viruses that hooks themselves on the start-up of windows. AVG (free.avg.com) and AVIRA (avira.com) are the two anti-virus replacements I used when AVAST fails.

Free Tools for Virus, Worm, Malware & Spyware Prevention & Removal is a post from: Bleuken.com

Bleuken.com » Search Results » trojans

Removal and Prevention of Gumblar.cn Infections

Free Tools for Virus, Worm, Malware & Spyware Prevention & Removal