Skip to main content

Identifying And Removing HTML / JavaScript / XML Based Malware From Your Blog

Occasionally, in the recently discovered social engineering blog attacks that involve shiny blog accessories, we've seen reports of aggressively protected malware, that's being installed on some blogs.

When a misbehaving HTML gadget is the source of the problem, it's sometimes possible to click on the "Quick Edit" icon for the gadget, and click "Remove". Alternatively, go to "Page Elements", and click on the "Edit" link for the gadget in question. This does not always work so simply, however.

If you can't remove a recently installed gadget, because you get redirected when trying to use the "Layout" button from the dashboard, or the "Remove" button from the "Page Elements" wizard, you may have to be imaginative.
  • Use a well protected browser - minimally, one which blocks scripts from any non Blogger / Google domain, to clean your blog. This is the simplest possibility here.
  • Use an HTTP text proxy, to examine the blog code.
  • Remove the code manually.
    1. Use a protected browser or proxy server to access the blog, and "View Source".
    2. Look in the source, and find the offending gadget / module. If it was installed as an "HTML / JavaScript" or Blogger "Add a Gadget" (XML) gadget, look at the code carefully, and look for "Gadgetnn" and "HTMLnn", where "nn" will be the sequential number for that HTML / XML gadget. This is important.
    3. Manually access the Layout "Edit HTML" wizard for the blog.
    4. Do not check "Expand widget templates" - just "Edit HTML".
    5. Look in the code, carefully, for each "Gadgetnn" or "HTMLnn" entry.
      <div class='widget Gadget' id='Gadget1' />
      <div class='widget HTML' id='HTML1' />
    6. Remove that line of code.
    7. Save.
  • As always, please backup the template before and after you do this cleanup!

If you cannot find an obvious culprit from a quick "View Source", then start removing all "HTML / JavaScript" gadgets, and all XML gadgets (possibly including some installed from the Blogger "Add a Gadget" wizard), installed most recently ("recently", in some cases, being 2 - 3 months back).
  1. Remove a gadget.
  2. Clear browser cache.
  3. Test.
  4. If no improvement, repeat.
Alternatively, just remove all accessories and gadgets - then re install and test everything, one by one.
  1. Add a gadget back.
  2. Clear browser cache.
  3. Test.
  4. If a problem is seen, remove that gadget and identify it.
  5. Repeat.
It's your blog, and your decision which way to go. Barring any obvious suspects, I think I'd try the latter.

If you do put some accessories back, or add anything more, keep an eye on what you add, and check your blog frequently. A lot of the complaints this week appears to involve hacks that may have been installed 2 or 3 months ago. Watch out for smart code, that doesn't activate (reactivate) the hacking immediately when installed.

It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find removing any Blogger gadgets to provide you any relief, please report your findings in my article Some Hijack Malware Is Being Claimed To Be Blogger Provided. Your details, provided there, would be greatly appreciated.


Thank you for helping me get to the code. Once I saw the evil meanies, I cut them out of there! THANK YOU for keeping me calm enough to snoop around.
Sai Lealea said…
Many thanks for your advice. I was successful in getting rid of the suspect gadgets which had subverted by blog. Much appreciated.
cik bella said…
yess.i did it! thanks soo much!finally i can view my blog without the warning that my blog contain malware!!yeaaa!!!!thanks yaaaa
Allegretto said…
Thanks for your advice. I'm preparing to have a go at it.
Thanks... hate it when jerks pull stuff like that.
zana said…
thanks for helping.

Popular posts from this blog

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.

Free Domain Registration By "UNONIC" Is Fraudulent

Blogger blog owners, like everybody else, like to save money.

Some blog owners prefer to save money when registering a custom domain, for their blogs. We've seen several free domain registration services, providing what is claimed to be a two level Top Level Domain "co.xx" (where "xx" == various country codes).

The latest in this ongoing story appears to be "" - and 13 other "top level domains".There is also an additional free service offering third-level .tf domains, under the name United Names Organisation. They occupy 14 second-level domains, including,,, and They are run by the same company as, and are given away as URL redirections.