Skip to main content

Identifying And Removing HTML / JavaScript / XML Based Malware From Your Blog

Occasionally, in the recently discovered social engineering blog attacks that involve shiny blog accessories, we've seen reports of aggressively protected malware, that's being installed on some blogs.

When a misbehaving HTML gadget is the source of the problem, it's sometimes possible to click on the "Quick Edit" icon for the gadget, and click "Remove". Alternatively, go to "Page Elements", and click on the "Edit" link for the gadget in question. This does not always work so simply, however.

If you can't remove a recently installed gadget, because you get redirected when trying to use the "Layout" button from the dashboard, or the "Remove" button from the "Page Elements" wizard, you may have to be imaginative.
  • Use a well protected browser - minimally, one which blocks scripts from any non Blogger / Google domain, to clean your blog. This is the simplest possibility here.
  • Use an HTTP text proxy, to examine the blog code.
  • Remove the code manually.
    1. Use a protected browser or proxy server to access the blog, and "View Source".
    2. Look in the source, and find the offending gadget / module. If it was installed as an "HTML / JavaScript" or Blogger "Add a Gadget" (XML) gadget, look at the code carefully, and look for "Gadgetnn" and "HTMLnn", where "nn" will be the sequential number for that HTML / XML gadget. This is important.
    3. Manually access the Layout "Edit HTML" wizard for the blog.
    4. Do not check "Expand widget templates" - just "Edit HTML".
    5. Look in the code, carefully, for each "Gadgetnn" or "HTMLnn" entry.
      <div class='widget Gadget' id='Gadget1' />
      <div class='widget HTML' id='HTML1' />
    6. Remove that line of code.
    7. Save.
  • As always, please backup the template before and after you do this cleanup!

If you cannot find an obvious culprit from a quick "View Source", then start removing all "HTML / JavaScript" gadgets, and all XML gadgets (possibly including some installed from the Blogger "Add a Gadget" wizard), installed most recently ("recently", in some cases, being 2 - 3 months back).
  1. Remove a gadget.
  2. Clear browser cache.
  3. Test.
  4. If no improvement, repeat.
Alternatively, just remove all accessories and gadgets - then re install and test everything, one by one.
  1. Add a gadget back.
  2. Clear browser cache.
  3. Test.
  4. If a problem is seen, remove that gadget and identify it.
  5. Repeat.
It's your blog, and your decision which way to go. Barring any obvious suspects, I think I'd try the latter.

If you do put some accessories back, or add anything more, keep an eye on what you add, and check your blog frequently. A lot of the complaints this week appears to involve hacks that may have been installed 2 or 3 months ago. Watch out for smart code, that doesn't activate (reactivate) the hacking immediately when installed.

It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find removing any Blogger gadgets to provide you any relief, please report your findings in my article Some Hijack Malware Is Being Claimed To Be Blogger Provided. Your details, provided there, would be greatly appreciated.


Thank you for helping me get to the code. Once I saw the evil meanies, I cut them out of there! THANK YOU for keeping me calm enough to snoop around.
Sai Lealea said…
Many thanks for your advice. I was successful in getting rid of the suspect gadgets which had subverted by blog. Much appreciated.
cik bella said…
yess.i did it! thanks soo much!finally i can view my blog without the warning that my blog contain malware!!yeaaa!!!!thanks yaaaa
Allegretto said…
Thanks for your advice. I'm preparing to have a go at it.
Thanks... hate it when jerks pull stuff like that.
zana said…
thanks for helping.

Popular posts from this blog

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.

Help! I Can't See My Blog!

I just posted to my blog, so I know that it's there. I can tell others are looking at it. But I can't see it.

Well, the good news is you don't have a blog hijack or other calamity. Your blog is not gone.

Apparently, some ISPs are blocking *, or maybe have network configuration or infrastructure problems. You can access or you can access, but you can't access, or

You can't access them directly, that is. If you can access any free, anonymous proxy servers, though, you may be able to access your blog.

Note: You can use PKBlogs with the URL pre packaged. Here is the address of this post (with gratuitous line breaks to prevent the old post sidebar alignment problem):

And an additional URL, to provide to those suffering from this problem, would be the WordPress version of this post: