Skip to main content

Identifying And Removing HTML / JavaScript / XML Based Malware From Your Blog

Occasionally, in the recently discovered social engineering blog attacks that involve shiny blog accessories, we've seen reports of aggressively protected malware, that's being installed on some blogs.

When a misbehaving HTML gadget is the source of the problem, it's sometimes possible to click on the "Quick Edit" icon for the gadget, and click "Remove". Alternatively, go to "Page Elements", and click on the "Edit" link for the gadget in question. This does not always work so simply, however.

If you can't remove a recently installed gadget, because you get redirected when trying to use the "Layout" button from the dashboard, or the "Remove" button from the "Page Elements" wizard, you may have to be imaginative.
  • Use a well protected browser - minimally, one which blocks scripts from any non Blogger / Google domain, to clean your blog. This is the simplest possibility here.
  • Use an HTTP text proxy, to examine the blog code.
  • Remove the code manually.
    1. Use a protected browser or proxy server to access the blog, and "View Source".
    2. Look in the source, and find the offending gadget / module. If it was installed as an "HTML / JavaScript" or Blogger "Add a Gadget" (XML) gadget, look at the code carefully, and look for "Gadgetnn" and "HTMLnn", where "nn" will be the sequential number for that HTML / XML gadget. This is important.
    3. Manually access the Layout "Edit HTML" wizard for the blog.
    4. Do not check "Expand widget templates" - just "Edit HTML".
    5. Look in the code, carefully, for each "Gadgetnn" or "HTMLnn" entry.
      <div class='widget Gadget' id='Gadget1' />
      <div class='widget HTML' id='HTML1' />
    6. Remove that line of code.
    7. Save.
  • As always, please backup the template before and after you do this cleanup!

If you cannot find an obvious culprit from a quick "View Source", then start removing all "HTML / JavaScript" gadgets, and all XML gadgets (possibly including some installed from the Blogger "Add a Gadget" wizard), installed most recently ("recently", in some cases, being 2 - 3 months back).
  1. Remove a gadget.
  2. Clear browser cache.
  3. Test.
  4. If no improvement, repeat.
Alternatively, just remove all accessories and gadgets - then re install and test everything, one by one.
  1. Add a gadget back.
  2. Clear browser cache.
  3. Test.
  4. If a problem is seen, remove that gadget and identify it.
  5. Repeat.
It's your blog, and your decision which way to go. Barring any obvious suspects, I think I'd try the latter.

If you do put some accessories back, or add anything more, keep an eye on what you add, and check your blog frequently. A lot of the complaints this week appears to involve hacks that may have been installed 2 or 3 months ago. Watch out for smart code, that doesn't activate (reactivate) the hacking immediately when installed.

It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find removing any Blogger gadgets to provide you any relief, please report your findings in my article Some Hijack Malware Is Being Claimed To Be Blogger Provided. Your details, provided there, would be greatly appreciated.


Thank you for helping me get to the code. Once I saw the evil meanies, I cut them out of there! THANK YOU for keeping me calm enough to snoop around.
Sai Lealea said…
Many thanks for your advice. I was successful in getting rid of the suspect gadgets which had subverted by blog. Much appreciated.
cik bella said…
yess.i did it! thanks soo much!finally i can view my blog without the warning that my blog contain malware!!yeaaa!!!!thanks yaaaa
Allegretto said…
Thanks for your advice. I'm preparing to have a go at it.
Thanks... hate it when jerks pull stuff like that.

Popular posts from this blog

Adding A Link To Your Blog Post

Occasionally, you see a very odd, cryptic complaint I just added a link in my blog, but the link vanished! No, it wasn't your imagination.

What's The URL Of My Blog?

We see the plea for help, periodically I need the URL of my blog, so I can give it to my friends. Help! Who's buried in Grant's Tomb, after all? No Chuck, be polite. OK, OK. The title of this blog is "The Real Blogger Status", and the title of this post is "What's The URL Of My Blog?".

Embedded Comments And Main Page View

The option to display comments, embedded below the post, was made a blog option relatively recently. This was a long requested feature - and many bloggers added it to their blogs, as soon as the option was presented to us. Some blog owners like this feature so much, that they request it to be visible when the blog is opened, in main page view. I would like all comments, and the comment form, to be shown underneath the relevant post, automatically, for everyone to read without clicking on the number of comments link. And this is not how embedded comments work.