I won’t duplicate information contained on other websites, but I will refer to them here instead.<\/p>\n
http:\/\/blog.unmaskparasites.com\/2009\/05\/07\/gumblar-cn-exploit-12-facts-about-this-injected-script\/<\/a> http:\/\/www.dynamicdrive.com\/forums\/showthread.php?p=194695<\/a><\/p>\n These were the symptoms that I noticed on my PC:<\/p>\n 1. My Visual Studio .NET 2005 was crashing a lot, and I could not get any work done using it. 1. I installed and scanned my PC with Malwarebytes’ Anti-Malware, which found the single file – in my case it was C:\\WINDOWS\\ukvvq.qnx – that was keeping the infection active. Manually deleting it, or letting Anti-Malware attempt to delete it, would delete it, but the file would reappear almost immediately. Don’t worry if Anti-Malware is unable to update its definitions online – this is another symptom of Gumblar – it still detects it, though as something else. That was it to remove it from my PC, voila! To protect my PC from re-infection, I disabled Adobe JavaScript according to http:\/\/www.pcauthority.com.au\/forums\/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx<\/a>.<\/p>\n Unfortunately, it seems that several people resorted to rebuilding their machines from scratch.<\/p>\n If you manage websites using an FTP program, there is a chance that your sites have become infected. The first thing you must do is change the ftp passwords after your machine has been cleaned.<\/p>\n As yet, I am unaware of any automated script which removes the infection from a website, so I wrote my own and applied it to 5 of the websites that I manage that were infected.<\/p>\n
\nhttp:\/\/blog.unmaskparasites.com\/2009\/05\/18\/martuz-cn-is-a-new-incarnation-of-gumblar-exploit\/<\/a>
\nhttp:\/\/www.pcauthority.com.au\/forums\/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx<\/a><\/p>\nHow to determine if your PC has the infection<\/h3>\n
\n2. In Firefox 3, each search result would initially redirect to a bogus ad page (I always open search results in a new tab), but clicking the search result once more would open the genuine page.
\n3. I could not start cmd from the XP Start\/Run menu item.<\/p>\nHow I removed this malware from my PC<\/h3>\n
\n2. I ran Hijackthis (I didn’t need a scan), chose “misc tools”, and chose “delete file on reboot” for this file (according to http:\/\/www.dynamicdrive.com\/forums\/showthread.php?p=194695<\/a>).
\n3. I ran regedit and deleted the registry entry (according to http:\/\/www.dynamicdrive.com\/forums\/showthread.php?p=194695<\/a>).<\/p>\nHow to remove the infection from a website<\/h3>\n