Home

This Plugin was created to help WordPress admins clean infections off their site. It was inspired by my own need to to clean up one of my BlueHost accounts after a pretty bad hack (see How It All Started). It is still a little rough around the edges and I want to add many new and exciting features. It is currently being offered completely FREE of charge, though it did take quite a lot of time to develop, test, and make nice.

This project will continue to need my energy to keep it effectively getting rid of new threats and patching new vulnerabilities. That is why I am asking anyone who can, to please make a donation to keep it going.

Aloha and Mahalo,

Eli Scheetz

  • “The cost of the donation is well worth the product. People must remember, if people like Eli Scheets were not here, we would be paying far more for a product that expires frequently and costs many times more than your donation.


    Thanks Much Eli.


    James”

    -- James

179 Comments on "Home"

  • Graham
    On May 18, 2014 at 1:12 am, Graham said:

    Hi Eli,
    Been using your plugin on my sites for some time now, and have donated in the past. All my sites with Bluehost are currently down. I’ve been told it’s likely to be malware. Is there any way of using your plugin through cPanel as I don’t have access to wp-admin?

    Reply
    • Anti-Malware Admin
      On May 18, 2014 at 6:17 am, Anti-Malware Admin said:

      Unfortunately you will need at least one site on the server to have a working WP Admin so you can run my plugin. If you can get your main site working I can get my plugin to scan all the site at once. If you need help getting a site working you can email me directly with your cPanel login and I’ll see what I can do.

      Reply
  • Bastien
    On April 7, 2014 at 8:12 am, Bastien said:

    Great plugin which help me to save a lot of time ! Cheers from France.

    Reply
  • Ian R. Wilson
    On March 5, 2014 at 7:07 pm, Ian R. Wilson said:

    Fantastic plug-in! Spent hours trying to track down the malware on my customers site. stumbled across this tool. BAMB!!! All taken care of. Will donate soon! Thank you!!!!!

    Reply
  • Piotr Wilkin
    On February 2, 2014 at 12:59 pm, Piotr Wilkin said:

    Thought you might want to know – on a virtual server that I ran the plugin on it had problems scanning the root directory – probably due to an empty path after splitting on __file__. Adding

    if (empty($dir)) $dir = “/”;

    after line 583 fixed the problem for me.

    Reply
    • Anti-Malware Admin
      On February 3, 2014 at 1:59 am, Anti-Malware Admin said:

      Thanks for this bug report!

      I can see how your addition would quiet the error you were getting but I am more concerned with the circumstances that produce an empty $dir array. I don’t see how you could have my plugin installed in a lower directory the WordPress itself (even on a virtual server). How does __FILE__ resolve to a path that is less than 3 directories deep?

      I would love to gain a more thorough understanding of what factors produce this result on your server so that I can release a plugin update that comprehensively addresses this issue. Would you be willing to grant me WP Admin access to your site so that I can debug this issue first-hand?

      Please get back to me either way to let me know if you are willing to assist any further with this issue. Thanks :-)

      Reply
  • Mike H
    On January 21, 2014 at 9:32 am, Mike H said:

    This plugin is amazing and you have my thanks for creating it!

    I’ve done a couple of scans successfully, but ran into one issue. A quick scan keeps occurring when viewing the scan section. It keeps automatically scanning, therefore preventing me from doing a full scan. Not sure why. I even uninstalled it + reinstalled it to see if I could get it to stop, but it’s permanently scanning and failing (reports that it can’t complete because of lack of memory).

    Reply
    • Anti-Malware Admin
      On January 22, 2014 at 6:03 am, Anti-Malware Admin said:

      The Quick Scan is meant to run automatically when you choose it off the menu directly, but it’s only good for small selections of files on a server that has enough memory for a single PHP process to scan them all. If you want to run the Complete Scan you can do that from the Scan Settings page. There you can adjust all the scan settings and then choose which type of scan to run (Quick or Complete).

      If you still have trouble just let me how I can help.

      Reply
  • Joy
    On January 16, 2014 at 5:32 am, Joy said:

    Hi Eli:

    I am coming across a bug in one of my sites (in the header) that is not being caught via a scan:

    <?php
    #b8da75#
    if(empty($gcsf)) {
    $gcsf = "”;
    echo $gcsf;
    }

    #/b8da75#
    ?>

    Thought you would like to know.

    Aloha, Joy

    Reply
    • Anti-Malware Admin
      On January 16, 2014 at 7:31 am, Anti-Malware Admin said:

      The code you have here innocuous and will have no impact on your sites performance or security. I was likely part of a bug that my plugin removed and you should be able to remove without adverse side-effects but it’s not necessary.

      Reply
  • chris jones
    On January 9, 2014 at 2:51 pm, chris jones said:

    I cannot say how thankful I am to Eli and his plugin. Simply the best support I have ever received from any company. I posted a support question and he literally emailed me in 30 mins and helped me through the issue. Amazing !! We cleaned 2 entire sites with Malware and saved me a ton of $.

    I have since then implemented the plugin on a number of my sites.

    Reply
  • Flashpoint Miniatures
    On December 30, 2013 at 3:09 am, Flashpoint Miniatures said:

    Howdy , this is a great tool !

    I am having trouble with a trojan (Trojan.JS.Iframe) in the footer of my wordpress site/blog. I have the updated version of your program and have run the complete scan for wp-content AND for plugins , and am not finding the file being flagged that I think I should be finding. (ie; a woothemes file)

    I have also been running wordfence scans which give the all-clear.
    Sucuri is also giving me the all clear .

    ….. but http://support.clean-mx.de/clean-mx/viruses.php?response=alive&email=abuse@ozservers.com.au&limit=195
    ….still identifies the trojan as active.

    what to do next ?

    Thankyou in advance.
    Jimmi

    Reply
    • Anti-Malware Admin
      On December 30, 2013 at 3:33 am, Anti-Malware Admin said:

      It looks to me like your site is clean. Did you remove the iframe?

      I think that clean-mx site is checking email viruses that may still be circulating but not active on your site. Is there anything to indicate that your site is still showing these iframes?

      If you have reason to believe you still have an active malicious iframe embeded on your site then you can send me your WP Admin login and a will take a look at it for you.

      Aloha, Eli

      Reply
  • Will Chapman
    On December 2, 2013 at 9:29 pm, Will Chapman said:

    Eli

    I just upgraded to the latest version and on starting a complete scan I get the following:

    Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 524829 bytes) in /home/waterway/public_html/wp-content/plugins/gotmls/images/index.php on line 393

    CHeers

    Will

    Reply
    • Anti-Malware Admin
      On December 3, 2013 at 10:25 am, Anti-Malware Admin said:

      Hey, thanks for sending me your login credentials.

      The problem here is that you have a php.ini file in your wp-admin directory with the memory_limit directive set to “64M”. I tried overriding this setting with the ini_set function in PHP and by using “php_value memory_limit 256M” in your .htaccess file but neither method will work on your server. I cannot change the php.ini file directly because it is owned by “root”, but maybe you can gain write access to this file and raise the memory_limit directive to “256M”?

      Let me know if there is anything else I can do.

      Reply
  • Pete Lauder
    On October 6, 2013 at 12:46 am, Pete Lauder said:

    Hi Eli, I have been trying to login to my site for a few weeks now, and keep getting a loop on entry, leaving an error, although logged in, all dashboard access is denied.

    The site is up, and after attempting to access the dashboard, the live site shows the admin bar.

    I have noticed that one of my GOTMLS quarantined files is a php file that is full of login commands, and wonder if this has any bearing on my problem.

    I do not know how to manually restore the file, so perhaps you could take a look for me.

    On a side note, have you any plans to release a standalone version for html sites?

    Reply
    • Anti-Malware Admin
      On October 6, 2013 at 1:18 am, Anti-Malware Admin said:

      First, what is the error left by the looping when you try to login?

      Second, I am right in assuming that, after this attempt to login that will show the admin bar on the live site, that you can use the admin bar to access the dashboard successfully?

      Third, I’m not sure I understand what you mean by “a php file full of login commands” in the quarantine. can you send me this PHP file so I give you a better answer on that?

      If you want me to take a look at this you can send me a WP Admin login to your site and I’ll login later today to check it out.

      As for that side note, I do plan to write a wrapper for my plugin that would enable it to run without a WordPress install.

      Reply
      • Pete Lauder
        On October 6, 2013 at 3:46 am, Pete Lauder said:

        The error on chrome is; Error code: ERR_TOO_MANY_REDIRECTS

        Secondly, no, although the admin bar is there, attempting to enter the dashboard results in a 404 error.

        I’m sending you the login, and the ftp access to take a look at the file, I’m no php coder, but the page does seem centered around logging in to WP, and may be from one of my security plugins.

        And that is really great news about writing the wrapper for the plugin, it is much needed.

        Reply
        • Anti-Malware Admin
          On October 6, 2013 at 9:02 pm, Anti-Malware Admin said:

          Thanks for getting me the FTP login info. I was able to figure out what was blocking you from your wp-admin pages. It wasn’t my plugin, or even any of the other plugins that was interfering with the wp-admin folder. There was actually a custom php.ini file in the wp-admin directory that was using directives like ‘magic_quotes_gpc’ and ‘allow_call_time_pass_reference’ which are no longer supported in the version of PHP you now have on your server. I just rem’d out those two lines and your wp-admin folder became accessible again.

          Let me know if there is anything else I can do for you. It would also be great to get a big fat donation from you for all that work ;-) and that would help me get to work on improvements for my plugin (like that non-WP wrapper you need).

          Reply
          • Pete
            On October 7, 2013 at 6:26 am, Pete said:

            Thats my second donation in as many day’s, Eli is such a gent, as you can see, he fixed my site when it was unrelated to GOTMLS.

            You really can’t beat that!

            I must now review the plugin on my plugin site, and see how to squeeze an extra star in for service.

            Thanks Eli

  • Will Chapman
    On October 4, 2013 at 4:43 pm, Will Chapman said:

    Eli

    I have run a scan and everything is clean except for a notation in the scan report that there were 15 read/write errors. What is the significance of this?

    Regards

    Will

    Reply
    • Anti-Malware Admin
      On October 6, 2013 at 1:00 am, Anti-Malware Admin said:

      Read/Write errors can be caused by abnormal file permission, zero byte file size, or files that are too big to match in a regular expression. It’s hard to say, without seeing the files, if they are a threat to you. Hackers are known to make their files non-readable so as to escape detection but there are always lots of benign reason for read errors too. You should first try to download the files via FTP and look at the file contents with a text editor to see if you can tell if they are safe. You can also use any good FTP client to check that the file permission right. Feel free to send me any files you are not sure of.

      Reply
  • John
    On September 29, 2013 at 9:27 pm, John said:

    Your software is no longer showing up on my wp….I try to reinstall and it fails because it says it’s already there…any suggestions?

    Reply
  • Dr. Shefali Dandekar
    On August 13, 2013 at 10:33 am, Dr. Shefali Dandekar said:

    my website does not contain any malware buy google chrome / firefox always shows warning :(

    Reply
    • Anti-Malware Admin
      On August 13, 2013 at 11:04 am, Anti-Malware Admin said:

      I don’t see any malware on there either but I see the warnings from Google. Do you have a Webmaster Tools account with Google? You should check for specific malware warnings in the health section of your Google Webmaster Tools account.

      Reply
      • Dr. Shefali Dandekar
        On August 13, 2013 at 9:50 pm, Dr. Shefali Dandekar said:

        yes i already send review my website request to google

        Reply
        • Anti-Malware Admin
          On August 14, 2013 at 5:19 am, Anti-Malware Admin said:

          To request a review is a good way to resolve this but if there are still “infected” URLs on your site Google will not lift the warnings. On that same Malware page in the Health section of your Webmaster Tools there should be a list of URLs on your site that Google found to contain malware and when it was detected. This may indicate that you have a conditional redirect or some malicious links that only show themselves to the search engine. If this is the case, and my plugin has not found this threat on your site, then you can give me your WP Admin login and I will track down the source of this infection for you.

          You can email login info directly to me: eli AT gotmls DOT net

          Reply
  • Dejo
    On August 9, 2013 at 5:01 am, Dejo said:

    I ran the scan and it found a few items which it quarantined. But when I add my web address in a Facebook post, I see spam in the description so there must be something still wrong. Can you check it out? There are a few potential threats also. Thanks!

    Reply
    • Anti-Malware Admin
      On September 19, 2013 at 9:52 pm, Anti-Malware Admin said:

      First let me say that I am really sorry fro not replying sooner. I completely missed the notification of your post.

      I am guessing that this was a cache issue and it just took a little while for the facebook post to refresh with your cleaned up content. If you are still having any issue though please contact me directly and I’ll see what I can do.

      Reply
  • Rosie
    On August 2, 2013 at 1:15 pm, Rosie said:

    Eli,
    I love your plugin. I’ve used it on another of sites. However, when I tried running it on this website, it does not run. Also, when I click on Eli’s Blog
    Anti-Malware, AVG blocks it and it says it found a virus JS/Phish. Do you have any suggestions on why it won’t run?

    Reply
    • Anti-Malware Admin
      On August 3, 2013 at 3:05 pm, Anti-Malware Admin said:

      It sounds like your site is infected and maybe it is embedding infections in the links too.

      I would be happy to check it out for you if you want to send me your WP Admin login.

      You can email you password directly to me if you want: eli AT gotmls DOT net

      Reply
  • Evan Huang
    On July 20, 2013 at 8:54 am, Evan Huang said:

    Hi, how does the “Plugin Updates for WP 3.5.2″ section in the top right corner of AM settings differ from normal wordpress plugin updating?

    The one on the settings screen just seems to keep searching for no reason, and I just installed this plugin today.

    Reply
    • Anti-Malware Admin
      On July 20, 2013 at 10:02 am, Anti-Malware Admin said:

      The Plugin Update section on the Anti-Malware Settings page checks the changelog on my site for updates. It displays the changes in those updates if any are available so you can see what’s in the next release. It displays this information independent of the WP repository or the WP Cron job that is supposed to let you know when any plugin updates are available.

      Reply
  • Gokhan Ayyildiz
    On June 23, 2013 at 8:24 am, Gokhan Ayyildiz said:

    Thanks

    Reply
  • Вячеслав Подварчан
    On June 21, 2013 at 5:55 pm, Вячеслав Подварчан said:

    Спасибо! Но не всё понятно.

    Reply
    • Anti-Malware Admin
      On June 21, 2013 at 6:29 pm, Anti-Malware Admin said:

      You’re welcome!

      What is not clear? Do you still have malicious code on your site?
      If you want to send me your WP Admin credentials for your site, you can email the login directly to: eli at gotmls dot net

      Sorry, I don’t speak Russian :(

      Reply
  • Will Chapman
    On May 29, 2013 at 3:07 pm, Will Chapman said:

    Eli

    I’ve been seeing examples of malware on all sorts of sites (even on big sites) that puts a doube-line under some words thus inbiting one to click (you can see examples on the front page of http://alrewascanalfestival.org) when one clicks you get taken to an innocuous-looking website that runs an ad or survey – clicking through may be a point of infection?

    Anyway looking at the code on my webpage it has been hacked to read apprenticeship. Is this one that GoMLS can repair?

    Regards

    Will

    Reply
    • Anti-Malware Admin
      On May 29, 2013 at 3:35 pm, Anti-Malware Admin said:

      You are seeing these link on various websites because your browser is infected not the sites themselves. If I look at the same sites I don’t see the infection but you will see these malicious site even on sites that are clean. It is an Add-On/Extension that is installed into your browser that is embedding these link that you see.

      Try running Malwarebytes or a good anti-virus on your computer. You could also try uninstalling the adware from the Programs in the Control Panel if you know what to look for.

      Reply
  • Will Chapman
    On May 25, 2013 at 6:37 am, Will Chapman said:

    Dear Eli

    I continue to be very impressed with your plugin and I thought the following minor cosmetic observations might be helpful:

    1. This doesn’t always happen but sometimes the start of a full scan 609 folders were found – about 60% through the scan, that increased to 899 folders. At the end of the scan 893 folders had been selected and 899 scanned.

    2. Normally the original estimated time to complete the scan was several given as 1-2 hours. As the scan proceeded, this changed to about an hour. On one recent occasion midway through the scan time elapsed changed to 22824335 minutes and time remaing to 17700505 minutes. As the scan proceeded, I noticed that only the last two digits of time scanned were changing at appeared to be the accurate number of minutes whereas time remaining had no apparent pattern and changed wildly.
    At the completion (100%) of the scan time taken was 22824357 minutes versus an actual 57 minutes. Time remaining was -9139898 seconds and -6 folders remained.
    3. The list of possible infections seemed to be concentrated in wp-content (plugins and themes] and I wondered whether only active plugins and the current theme were scanned [to save time] and, as such whether it was worthwhile to delete inactive plugins (and themes).
    The other folder taking up a lot of time was wp-include and as most (if not all) of this WP core code would it be safe for us to exclude wp-include as a target for scanning?
    4. Another plugin I use – not as good as yours! – flags a couple of WP core files as not matching the current WP version and when I check them I notice that they contain GoMLS code. Would it be practical to place this code in a non-core file like theme/functions.php (which I understand can be used for bits of code that won’t be overwritten by theme & WP updates)?
    5. I have 6 websites all running from subfolders of a main domain. This creates a problem when I want to scan the main domain (waterwaywatch.org) because GoMLS offers three radio button options I have the choice of public_html (all subdomains which is tempting because it would check all domains but takes several hours) or wp-content (plugins & themes but not wp-admin or wp-includes?) or plugins (not much different to wp-content?) – could we have a multi-choice option of wp-admin, wp-content and wp-include?

    Best regards

    Will

    Reply
    • Anti-Malware Admin
      On May 26, 2013 at 9:12 pm, Anti-Malware Admin said:

      These are all great points. I will give you a reply to each numbered accordingly:
      1. This happens sometimes because of errors during the scan where folders were not read on the fist attempt are re-scanned, thereby increasing the overall scanned folders count. Some folders that are skipped or could not be read will sometimes throw off the total count.
      2. I have only seen this happen when a second scan is started before the first scan finishes, throwing off the start time and thus the calculated time to completion. This could also be due to a system time update during the scan process.
      3. Potential threats are a real gray area. I am working on improving the white-list, which will take care of most of these. It is extremely important to scan all files, not only active plugins and the current theme, because the threats are sometimes included or linked elsewhere and are therefore still active even if the plugin is deactivated. However it would be worthwhile to delete inactive plugins and themes, and un-needed backups (and any other un-necesary files) to save time when scanning. It is also just as important to scan wp-include and all WP core files because it is very common for these files to be infected. Therefore it would not be safe to exclude any directory from the scan.
      4. If it is the wp-login.php file that is flagged as not matching the current WP version then yes, it should contain GOTMLS code. It would not be practical to place this code in any other file because it has to load before the WP bootstrap to prevent DOS for brute-force attacks on the login page.
      5. As well as the three radio button options you also do have the multi-choice option of scanning only the wp-admin, wp-content and wp-include under public_html. Just click the linked “public_html” and select only the folder you want to scan.

      I hope this helps. Please feel free to write me back with any more questions.

      Reply
  • Jeff Rafael
    On May 24, 2013 at 7:52 am, Jeff Rafael said:

    Hello,

    I’m using the latest definitions, I run quick scan it goes to about 61% and stops. It says there are 2 backdoor scripts. I run fix, it says its cleaned but it doesn’t remove them when i scan again, nor does it quarantine them. I also run a complete scan and it gets stuck at 99%, tries to re-scan but nothing happens. Below are the scripts it finds over and over again and does not remove them. Please help! Thank you.

    /home/biotcoup/public_html/wp-content/cache/object/000000/3ca/c4f/3cac4fcbc57b63046e84988bf6ccfede.php
    /home/biotcoup/public_html/wp-content/cache/object/000000/5de/1b3/5de1b35463eb632e87a806c4d9def5bb.php

    Reply
    • Anti-Malware Admin
      On May 24, 2013 at 9:52 am, Anti-Malware Admin said:

      Thanks for give me the login to your site. It looks like it actually is cleaning those files and putting them in the Quarantine. But because those are cache files, they are just being re-written by the w3-total-cache plugin. The folder it keeps getting stock in is /public_html/wp-content/cache/object/000000/b14, which is the directory that w3-total-cache is writing all the files to.

      I would strongly advise disabling all caching and deleting any stored cache files (at least while you try to scan and clean up your site). Caching is a direct hindrance to removing malware because the cache can preserve the malicious content even after the threat has been removed. You also need to look at changing your .htaccess file to completely disable caching.

      Please let me know if I can be of any further assistance.

      Reply
  • namor
    On May 22, 2013 at 7:53 pm, namor said:

    dear eli

    i get a exploit message with a freshly from wordpress uploaded wp-login.php. is this possible. what can i do?

    Found 1 WP-Login Exploit…

    greatings, namor

    Reply
    • Anti-Malware Admin
      On May 22, 2013 at 8:08 pm, Anti-Malware Admin said:

      I have received other inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and the login page is exploitable. It has been clearly demonstrated through the recent widespread attacks on WordPress login pages around the world that it is not only vulnerable to password cracks via brute-force but it has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server’s resources are not tied up telling hackers if they guessed the right password or not.

      So basically, if my plugin finds that the first line of code in the wp-login.php file is loading the wp-load.php file without my protection before it then it flags it as a vulnerability. Applying my patch before this first line of code filters out this plague of attack so that they don’t even load WordPress and your server is free to serve the pages that your legitimate visitors are requesting.

      I hope this helps answer your questions about this new threat and my approach to solving it.

      Reply
  • Damir Kropf
    On May 17, 2013 at 9:10 am, Damir Kropf said:

    I’m receiving alerts from Norton: “Web Attack: Mass Injection Website 5″

    I run complete Anti Malware (ver. 1.3.05.14) scan on my site and it didn’t find anything?

    Regards,
    Damir

    Reply
    • Anti-Malware Admin
      On May 17, 2013 at 10:20 am, Anti-Malware Admin said:

      This is a new threat that has not been added to my Definition Update yet. I can see the malicious iframes in the footer of your site. If you can send me the footer.php file from your theme then I will add this threat to my Definition Update so that it can be removed automatically.

      Reply
  • Rolando G
    On May 15, 2013 at 3:40 pm, Rolando G said:

    Eli I have been dealing with malware for the last 2 weeks I have been flagged by google and now found your plugin! I have begun to scan and i ve found threats can you personally take a look at it! I will be more than happy to make a donation..I have 2 sites I think they have the same malware!!! THANKS

    Reply
    • Anti-Malware Admin
      On May 15, 2013 at 4:45 pm, Anti-Malware Admin said:

      Send me your WP Admin login and I’ll take a look.

      Reply
      • Rolando G
        On May 16, 2013 at 8:52 am, Rolando G said:

        hello Eli any updates on my websites..Thanks and have a great day!

        Reply
        • Anti-Malware Admin
          On May 16, 2013 at 9:18 am, Anti-Malware Admin said:

          Sorry for the delay, it took a long time to scan one of the sites. I had to reset some of the scan setting and start the scan over, but both sites are clean and it looks like they are not even blacklisted any more (Google must have updated their cache already).

          Reply
  • Okoro David Osato
    On May 13, 2013 at 10:27 pm, Okoro David Osato said:

    hi, i just want to say thanks a lot to you guys. the slideshow at the top of this website gave me the tips i needed and i found the fr**king malware on my client’s website and deleted it. will download the plugin all the same and install it for (hopefully not) future use.

    Os@o.

    Reply
    • Anti-Malware Admin
      On May 14, 2013 at 11:35 am, Anti-Malware Admin said:

      When you install the plugin you should register it, download the current Definition Update, and run a Complete Scan to make sure there are no other threats, back-doors, or other vulnerabilities (and you should patch the wp-login.php file to protect against brute-force attacks).

      Reply
  • Elizabeth
    On May 3, 2013 at 3:00 pm, Elizabeth said:

    Hi,
    My client’s website seems to have been hacked. I have run the plugin, but I am not sure if I am doing it right as the malware seems to still be there. Please advise and I will donate money for your time and effort in a few. Thanks!

    Reply
    • Anti-Malware Admin
      On May 3, 2013 at 3:31 pm, Anti-Malware Admin said:

      I see there is an iframe still in the header. If you want to give me you WP Admin login I will remove that for you and add it to me definition updates.

      Reply
    • Anti-Malware Admin
      On May 3, 2013 at 5:30 pm, Anti-Malware Admin said:

      Thanks for sending me your login. I found and removed the iframes from the header and footer of your theme and your site is clean now. I also added this new variant to my definition updates so it can be automatically removed in the future.

      Reply
  • agadir aeroport
    On April 29, 2013 at 7:27 am, agadir aeroport said:

    Hi Eli,
    In loving with ur plugin, i’d like if possible it detect the iframes in or out the HTML tag, like this :

    thanks a lot

    Reply
    • Anti-Malware Admin
      On April 29, 2013 at 7:49 am, Anti-Malware Admin said:

      The iframe example you tried to post did not come through. If you want to send me your WP Admin credentials I will login and find that malicious iframe for you and add it to me definition update so that it can be automatically removed.

      Reply
  • Wayne Dibble
    On April 26, 2013 at 4:36 pm, Wayne Dibble said:

    HI,
    As soon as I registered the plugin to download the latest threats my site is off line? Forced to deactivate to get my site back up – whats the issue, does anybody know?
    Wayne…

    Reply
    • Anti-Malware Admin
      On April 26, 2013 at 5:32 pm, Anti-Malware Admin said:

      I would like to help you troubleshoot this issue. These are strange symptoms you are describing. Can you confirm that your site goes off-line just by having my plugin enabled?

      Could you please also tell me what you see when your site is “off-line” (error message, blank white page, etc.)?

      Reply
  • Michele
    On April 26, 2013 at 3:58 am, Michele said:

    hi and thank you for your plugin.

    I was wondering if you could give us a roadmap to the possibility to schedule an automatic-scan function. I read you are planning to add it in a future version?

    I would be more than happy to make a donation or pay for a “pro” version in order to have such a function in anti-malware.

    Thanks!

    Michele From Italy

    Reply
    • Anti-Malware Admin
      On April 26, 2013 at 7:18 am, Anti-Malware Admin said:

      Thanks for your interest. This feature is in the design stages now. There is one major update slated for next month, which is Automated Updates to the Definition. Then I will start testing the implementation of Scheduled Scans :D

      It’s just me on this project and I donate my to making it better and helping people with infections. Donations to me help me justify the time I spend making this plugin better, so fee free to donate ;-)

      I don’t think I’ll ever charge a fixed fee for this plugin, it has helped many people around the world that cannot pay, and I could never cut them off just because they don’t have the means to pay. I know this leaves the door open for a lot of people who could pay to not pay … but that’s their karma :P

      Reply
  • RJ
    On April 23, 2013 at 4:55 am, RJ said:

    I made a donation so I could use your repair function, but I’m not sure how to make it repair the malware it found. It still keeps asking for a donation.

    Please help!

    Thanks,

    RJ

    Reply
    • Anti-Malware Admin
      On April 23, 2013 at 6:50 am, Anti-Malware Admin said:

      I got your donation, Thank you! It should reflect your donation amount in the sidebar and not pester you to donate any more (of course you’re always welcome to donate more whenever you want to ;-)

      Reply
  • Johnathan Hurwitz
    On April 23, 2013 at 12:15 am, Johnathan Hurwitz said:

    I like this plug in. Is there a way to see what your auto fix actually changed so we can learn what to look for.

    I was getting hit by these and my comments are set to members only. Your system found one issue in the WP-Login.PhP is that how such fools were able to comment on my site without actually joining. Have no posts with such garbage only a few comments.

    louis vuitton bags sale (IP: 223.246.175.120 , 223.246.175.120)
    retro jordans (IP: 123.156.198.240 , 123.156.198.240)

    bEavWIHB (IP: 113.231.232.108 , 113.231.232.108)

    Thanks for your help

    Reply
    • Anti-Malware Admin
      On April 24, 2013 at 2:22 pm, Anti-Malware Admin said:

      Sorry for not replying right away. I have been swampted with this new wp-login.php vulnerability that has resently been exploited by a wide-spread brute-force attack. I have just finished fine-tuning my security patch for the WordPress login file and I am just now able to breath again and catch up on the regular stuff.

      If you click on the linked filename for any file that has been found to contain threats, you can see the contents of that file with a list of links at the top for each match found in that file. clicking on those links at the top will usually highlight the malicious/suspicious code.

      After you run the Automatic Repair you can click the linked file again and, if the file still exists, you will see the new contents (which should not have any malicious code).

      FYI – Comments are stored in the database and not yet scanned by this file scanner. You should look into comment security/spam plugins and maybe tighter database security to prevent this kind of thing.

      Reply
      • Johnathan Hurwitz
        On April 24, 2013 at 2:54 pm, Johnathan Hurwitz said:

        Thanks for the reply. I understand your hard effort the wp-login.php has come up twice for me. I’m relatively new to WP and when I found comments with spam even though there was no new member I was really surprised

        I also learned when one is spammed in WP you need to move the file to the spam folder so the anti spam will learn and then block. I was deleting them all together and banning the IP of which is a near useless process. I have two spam plugins now, one for comments and the other for registrations.

        Keep up the great work and this attack is indeed an interesting one.

        Reply
  • debbie marconi
    On April 22, 2013 at 12:40 pm, debbie marconi said:

    Just spent the last half hour reading your comments Eli. You are heaven sent and plan to be a regular donor as well. Maybe sometime you can also look into the guts of my blog and see if we have all of our bases covered. Thanks again!

    Reply
  • debbie marconi
    On April 22, 2013 at 9:14 am, debbie marconi said:

    After running the scan, two of my files were quarantined and now I cannot log back into my site. I need help….NOW! I cannot find any place to contact you on this site other than here. Did I donate to a legit business?

    Reply
    • debbie marconi
      On April 22, 2013 at 12:25 pm, debbie marconi said:

      I had my problem resolved by Eli and in a most professional and timely manner! At this point, I highly recommend this plug-in. I wish Eli lived next door but he actually handled this problem like he was a neighbor already. Thanks Eli, you rock!

      Reply
  • Christy
    On April 19, 2013 at 1:37 pm, Christy said:

    Hi! Thank you so much for your plugin! My site was recently hacked with malware. It seems that only Chrome is blocking access to my website. I tried to run the scan a few times, and it did not find anything. There was a long list of suspicious files, but I have no idea how to go about checking them. With the most recent update, I was able to find and delete a Login Exploit, but I’m not sure if that removed the malware.

    I’m also getting this message “Another Plugin or Theme is using ‘wpfbogp_callback’ to hadle output buffers.
    This prevents actively outputing the buffer on-the-fly and will severely degrade the performance of this (and many other) Plugins.
    Consider disabling caching and compression plugins (at least during the scanning process).” and I’m not sure which plugins are interfering.

    Is there any way you can help? It would be much appreciated, and I’d be happy to donate to your plugin. Thank you!

    Reply
    • Anti-Malware Admin
      On April 19, 2013 at 2:21 pm, Anti-Malware Admin said:

      You can find out why Google has blocked your site in the Health section of your Google Webmaster Tools account.
      You can also request a review there to clear that warning if the site is now clean.

      If you want me to check your site first and make sure it’s clean, I will need you to send me your WP Admin login. I can also check that wpfbogp_callback to see what plugin is doing that and why.

      Reply
    • Anti-Malware Admin
      On April 25, 2013 at 9:09 am, Anti-Malware Admin said:

      Are you still getting a warning in Chrome?

      I was able to run a Complete Scan and found that wpfbogp_callback in the wp-facebook-open-graph-protocol plugin. That is why the Quick Scan is not running so well.

      I don’t see any malware and Google says you’re clean too so maybe it’s just your browser cache.

      Reply
      • Christy
        On April 25, 2013 at 9:50 am, Christy said:

        Thank you so much for your help, Eli. I’m not getting the warnings anymore, but I’ll have to check if other people still are. I’ll just assure my Facebook fans that my site is clean.

        Thank you,
        Christy

        Reply
  • Mrugesh
    On April 17, 2013 at 8:45 pm, Mrugesh said:

    I have several clients who’s WordPress CMS sites gets unwanted hits and hence increased bandwidth. Some of the frequent hits for files which doesn’t exist on the site. like.. images/view.php, images/wow.php etc.

    What is the solution to reduce the bandwidth and unwanted hits for the WordPress site.

    Thanks in advance.

    Reply
    • Anti-Malware Admin
      On April 18, 2013 at 10:19 am, Anti-Malware Admin said:

      That is a great question. You cannot stop these malicious bots from probing your site but there are ways to minimize their impact on you servers proformance and bandwidth usage. Perhaps the best way is by using mod_rewrite in your .htaccess file to redirect these requests. Here is an example of a rewrite rule you could use:

      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_URI} ^.*(images/wow\.php|images/view\.php).* [NC]
      RewriteRule ^(.*)$ – [F,L]
      </IfModule>

      Here is a great article about lots of other ways to do it

      Reply
  • Jeff Rafael
    On April 5, 2013 at 9:52 am, Jeff Rafael said:

    I ran the full scan after registering (I had not donated yet), it identified several threats and I clicked to repair… It said all was clean, but I checked with webmaster tools and it said I was still infected. What do I do now? Feel free to contact me to discuss further. thanks!

    Reply
    • Anti-Malware Admin
      On April 5, 2013 at 10:02 am, Anti-Malware Admin said:

      Did you request a review in Webmaster Tools?

      If Google still says you are infected after a review then what are the details of the infection?

      If you need more direct help you can email me your WP Admin login and I’ll look into it.

      Reply
  • Steve Navazio
    On March 31, 2013 at 6:11 am, Steve Navazio said:

    Hey Eli,

    Thanks for a great plugin,

    Can you tell me how to use your plugin to check all of the WP installs on my server?

    Thanks in advance.

    Best Wishes,
    Steve Navazio

    Reply
    • Anti-Malware Admin
      On April 1, 2013 at 11:12 am, Anti-Malware Admin said:

      You can send me the login info for your main site and I will upgrade it to be able to scan the whole server.

      Reply
    • Eli Scheetz
      On April 18, 2013 at 10:30 am, Eli Scheetz said:

      Just following up. How did the scanning go on all those sites? I looked like it would take quite a while to scan all those files but did it work ok?

      Thanks for the donation too.

      Reply
  • Susan
    On March 31, 2013 at 4:11 am, Susan said:

    I cannot find my key in the settings tab of WordPress. I see your plug in as “activated” but cannot find the key to register.
    thanks in advance for the assistance.

    Reply
    • Anti-Malware Admin
      On March 31, 2013 at 10:24 am, Anti-Malware Admin said:

      Just register from the form on the right hand side of the Anti-Malware Settings page in your admin.

      yoursite.com/wp-admin/admin.php?page=GOTMLS-settings

      Your key is already entered on that page. Just submit it, then go back to your admin and refresh the Anti-Malware Settings page and you can then download the definition updates.

      Reply
  • Roger H.
    On March 28, 2013 at 1:56 pm, Roger H. said:

    Great plugin and it takes care of most of my issues but I’m still getting the malware alert on http://sitecheck.sucuri.net after running your plugin and cleaning everything it finds up.

    any help would be appreciated..

    Roger

    Reply
    • Anti-Malware Admin
      On March 30, 2013 at 4:31 pm, Anti-Malware Admin said:

      I think you are actually clean. If you look at the details of that “malware” that sucuri is finding on cheflou.com you will see that it is just an iframe in the footer that is supposed to load some content from your site (hawksviralmarketing.com). Is that not something you have engineered? (It doesn’t show anything anyway).

      I’m guessing this is just a false positive from sucuri.net

      If you do need to remove it, the code is in the Theme’s footer.php file, and the iframe content is loaded from the wp_options with the option_name of either ‘revchurch_abcode’ or ‘revchurch_subtit’.

      Reply
  • Xochi
    On March 25, 2013 at 12:52 pm, Xochi said:

    Greetings Eli,

    I have reinstalled WP to the latest version. Gotten rid of all plugins, and then fresh installed only one that I use. Anti-malware says there are not problems but when I asked for review from Google, I still get a message that there is a script embedded.
    URLs Type Last checked
    http://www.dobbinsfamily.net/?cat=4 Code Injection 3/25/13
    http://www.dobbinsfamily.net/?cat=5 Code Injection 3/5/13
    Please advise.
    Xochi

    Reply
    • Anti-Malware Admin
      On March 25, 2013 at 1:11 pm, Anti-Malware Admin said:

      I just look at that URL and saw that there is actually still some malware in the header. I have added this threat to my definition so that it can also be automatically repaired.

      Please try and download the new definitions and run the scan again. It should then be able to remove this new threat. After that you can request another review of your site in Webmaster Tools.

      Reply
  • Rolf Joho
    On March 21, 2013 at 9:33 pm, Rolf Joho said:

    Hi Eli,

    I like your plugin, but I have one question: How can I find out which “Another Plugin or Theme is using ‘nxs_ogtgCallback’ to hadle output buffers” so I can it disabling?

    Thanks for you help.
    Rolf

    Reply
  • Cameron
    On March 19, 2013 at 7:19 am, Cameron said:

    Hey, I have a nasty bit of malware which Sucuri defines as MW:SPAM:SEO. I found an old post where you resolve this issue for a user and I’m just wondering if your scanner can get rid of it yet?

    If not, would you like to take a look inside my website to see what wonders you can find?

    I would like to give you a donation if you can help me out.

    Reply
  • Patrik Fältström
    On March 15, 2013 at 9:40 pm, Patrik Fältström said:

    I have three questions that I can not find answers for on your site…maybe my click skills fails me…

    1. Do the plugin scan the content of the database?

    2. Do the plugin handle multisite setup (where for example each blog have one wp_post table each)?

    3. I see in the comments you have noticed a person that have issues with things similar to pharma drive by issues where for example google bots get different results (with the scam) while others do not. Have you included checks for such things (yet)?

    Regards, Patrik

    Reply
    • Anti-Malware Admin
      On March 16, 2013 at 9:23 am, Anti-Malware Admin said:

      My plugin does not scan the database yet but it could be made to do so. It specialises in finding and removing malicious CODE from the files on the server (single site, multisite, even non-WordPress sites). Because my plugin scans UN-compiled code from the back-end it does not need to detect the user-agent specific code designed for crawlers like googlebot. I have seen my plugin detect malicious code when other scanners (like sucuri) fail to detect anything on the front-end of the site. I can also detect back-doors and security holes that cannot be found by crawling the indexed pages of the site from the outside.

      Of course nothing is going to protect you 100% from any attack. My plugin takes an approach unlike other security plugins and it has proven to be a very useful tool for getting/staying clean. I will continue to support it and improve it to keep it up to speed with the newest threats and security holes as they are discovered.

      Reply
  • Stefaan Pauwels
    On March 3, 2013 at 11:15 pm, Stefaan Pauwels said:

    Just donated, plugin works amazingly well: got rid of all the malware when other plugins and my own attempts only weeded out a portion of the problems. Got unblocked by Google within 48 hours of running the scan and automated fixes.

    Annoyingly, Google keeps giving the old (malware-infected) results, though: as you can see here: http://knotoryus.com/knot.png. Any idea of this goes away by itself or do I need to take further action?

    Thanks again for all the help!

    Stefaan
    KNOTORYUS.com

    Reply
    • Anti-Malware Admin
      On March 4, 2013 at 8:36 am, Anti-Malware Admin said:

      Thanks for praise but it looks like you still have a nasty script in there that my plugin didn’t catch yet. It generates that “work from home” content if the REFERER of USER_AGENT is Google. I would like to find this threat and add it to my definitions update.

      If you are willing to give me access to your WP Admin I will find it and remove it for you. You can send your credentials directly to me: eli at gotmls dot net

      Reply
  • Jack Yan
    On February 25, 2013 at 8:43 am, Jack Yan said:

    Hello Eli,

    It looks like a very nice and neet tool, but when I tried to have it automatically repair, it came back and reported as Failed. I scanned again and the list came up again. Here is the message:

    fixing /home/tnt/public_html/wp-content/themes/custom-community/header.php … Failed!
    fixing /home/tnt/public_html/wp-content/themes/mammoth/header.php … Failed!
    fixing /home/tnt/public_html/wp-content/themes/mantra/header.php … Failed!
    fixing /home/tnt/public_html/wp-content/themes/redbel/header.php … Failed!
    fixing /home/tnt/public_html/wp-content/themes/twentyeleven/header.php … Failed!
    fixing /home/tnt/public_html/wp-content/themes/twentytwelve/header.php … Failed!

    Can you help, please?

    Thank you!

    Jack

    Reply
    • Anti-Malware Admin
      On February 25, 2013 at 12:11 pm, Anti-Malware Admin said:

      That error means that your webserver (apache) does not have write permission on those files. You should be able to set the permissions on those files with an FTP client like Filezilla.

      If you need my help with this I could do it for you but you would need to send your FTP login info to me: eli at gotmls dot net

      Reply
  • Lauren J.
    On February 20, 2013 at 8:30 am, Lauren J. said:

    Eli, Thank you! I am astonished at your expertise. Incredible. This is better help than I could have ever imagined. I will be donating again soon!

    Reply
  • Linda
    On February 12, 2013 at 9:12 pm, Linda said:

    Hi There, Happily donated! Need your help please as we have a virus on our wordpress blog and I’m not sure what to do…. It says Infection: HTML:Script-inf
    thanks,
    Linda

    Reply
    • Anti-Malware Admin
      On February 13, 2013 at 7:02 am, Anti-Malware Admin said:

      Thanks for your donation. I would be happy to help you. I can see there is some external javascript being loaded on your site. I will need to login to your WP Admin to find the source of the injection. You can send login credentials directly to me: eli at gotmls dot net

      Reply
  • Janet Robinson
    On February 11, 2013 at 11:37 am, Janet Robinson said:

    Hi, donated hoping you can give me a hand. Found 2 non-wp files that were eval base 64 ridden and trashed them. Hosting had a problem a while back and I think that’s when it happened. Your scan is showing quite a few others that are warnings but I don’t know if they’re legitimate or not. Do you think you could take a look? I’ve been blocking IP addresses for days. Thank you for your plugin – I donated!

    Reply
    • Anti-Malware Admin
      On February 11, 2013 at 11:45 am, Anti-Malware Admin said:

      Thanks for your donation. I’d be happy to look at it for you.

      You can send me your WP Admin login credentials: eli at gotmls dot net

      or you can just send me an screenshot and I’ll tell you what I can if you don’t want to give out your credentials.

      Reply
  • Marcio Soares
    On February 9, 2013 at 2:37 pm, Marcio Soares said:

    Hello Eli
    Excellent Plugin.
    I did a scan and it occurred to me: http://pastebin.com/WXiaEfX6
    Should I be concerned?
    I do not know how to proceed.
    What should I do?
    Thank you.

    Reply
    • Anti-Malware Admin
      On February 9, 2013 at 4:58 pm, Anti-Malware Admin said:

      Most of that looks ok and your site does not seem to be infected. The only files in that list that I don’t know about are the one in “phplist”.

      I wouldn’t be concerned unless you have any specific symptoms.

      Reply
  • kunal pandey
    On February 9, 2013 at 9:18 am, kunal pandey said:

    Hello I do want to use your plugin.
    But the problem is my client site is not running at all it is not even allow me to open the admin panel in this case can you please let me know how can i cleaned up my client site i need to done it asap.

    Please send me suggestion.

    Thanks

    Reply
    • Anti-Malware Admin
      On February 9, 2013 at 9:51 am, Anti-Malware Admin said:

      I can see that your server is sending a 500 error on every page. I can help you get your site working again and install and run my Anti-Malware plugin but I will need to start by fixing the login page.

      I need FTP access to to get started and I may need cpanel access to view the log files too.

      You can email me directly: eli at gotmls dot net

      Reply
  • Warren
    On February 4, 2013 at 8:00 am, Warren said:

    Hi Eli
    So we updated the definitions and your plugin found the problems and cleared them immediately. Our exchange rate is a bit of a bastard, but you had better believe I will be back at the end of the month to donate. This is the single most useful plugin I’ve come across. Really lovely. Thanks so much.

    Warren

    Reply
  • Steven H
    On January 21, 2013 at 11:48 am, Steven H said:

    I am constantly amazed at the level of customer service that Eli provides for his plug-in. I have used his product on (3) separate wordpress sites, and cannot recommend it enough. Many thanks, Eli, for always being there to shrink my headaches away! Just made a donation – please keep it up!

    Reply
  • CW
    On January 18, 2013 at 8:04 am, CW said:

    Hello AMA

    I waited an hour for email to arrive but no joy? So tried to re-register but got “already registered” error message. Still nothing arrived. Shall i start from scratch?

    (no not in spam – yes – email address correct)

    Thanks

    Reply
    • Anti-Malware Admin
      On January 18, 2013 at 8:12 am, Anti-Malware Admin said:

      I’m not sure why you didn’t get it, it was in my Sent Folder. I just forwarded it to you again. Let me know if you still don’t get it.

      Reply
  • Greg Roth
    On January 14, 2013 at 3:26 pm, Greg Roth said:

    This plug in is outstanding. FIVE STARS! I made a small donation and will make more in the future. It is well worth the cost. In the 4 years that I have used WP, this may be one of the most valuable and essential plugins that I have installed.

    My site is a music news e-zine that is recognized on Google and Bing News. We cover local, national and global artists. We have readers all over the globe. If our site is down because of malware it damages our brand and reputation. In addition it denies fans coverage of some very talented music artists who work very hard practicing their craft.

    Nice to know that those of us that have had Malware issues have an ally and support in this area! Thank you, Thank you! Thank you Eli!

    I will share the link to your plug in with some of my peers!

    Greg Roth
    Founder / Chief Contributor – Seattlemusicinsider.com

    Reply
  • Steven H
    On January 5, 2013 at 8:59 am, Steven H said:

    Thank you so much Eli for not only creating this plugin….but also your diligence to go beyond the call of duty to find a new hidden definition. I’ll definitely be adding this to other wordpress sites and checking in regularly.

    Reply
  • Jeff
    On November 10, 2012 at 6:03 am, Jeff said:

    Hey Eli, just dropped by to make my monthly donation. Your plugin is so valuable to me on a month in / month out basis that it seemed only fair to make monthly donations for covering my back.

    Can’t wait for this plugin to run automatically.

    Mahalo

    Jeff

    Reply
    • Anti-Malware Admin
      On November 10, 2012 at 7:13 am, Anti-Malware Admin said:

      Thanks again!

      I have Cron Jobs on my ToDo list. First I need to get it to run independent of WordPress, so it can scan even when WordPress is not working.

      I should have that automatic scan feature ready for testing by the end of the month. Would you be interested in BETA testing?

      Reply
  • Tommi
    On November 2, 2012 at 2:05 pm, Tommi said:

    Eli, Get these Fresh Comments on Top, We just made another $50.00 Donation and will make another $50.00 donation in 3 – 5 days.

    This expanded protection is critical, and you have been a blessing.

    I hope people realize the time and effort you have put in and learn to appreciate its value with contributions

    Reply
  • Edward
    On October 21, 2012 at 5:48 am, Edward said:

    Great work Eli,

    This is now a standard plugin for all sites, wouldn’t be without it.
    We look forward to your continued malware protection, detection and removal advancements. Keep it up!

    Reply
  • Tony
    On October 19, 2012 at 1:14 am, Tony said:

    Hi, i’m infected with Pharma Hack… Just got into a lot of blogs and howtos…. Here is the thing: I was infected using wordpress 3.4.1… Just updated to 3.4.2 and all things got right again…… I’m kinda reinfected… But i can’t find any infected file using find|grep|etc… I can’t find anything in the database tables too… It’s just affecting my rss, rss2, atom feeds…. Don’t know what to do anymore…

    I try to use your plugin to see if it could help me find anything, but, no….

    Do you have any idea what could i do??? without having to reinstall all the site… because my site is kinda heavy modified by hand in various files…

    If you want to see my files and database, send me an email….

    Thanks

    Reply
    • Anti-Malware Admin
      On October 19, 2012 at 7:24 am, Anti-Malware Admin said:

      I’m happy to help you with this infection and I’m sure we can get it cleaned up.

      The first thing I see is that it doesn’t appear that you have registered my plugin on your site yet. You should do this first and then download the latest Definition Update from the Scan Setting page in your WP Admin.

      Then you can run a Complete Scan to see if it finds any “Known Threats”. If you need any help with any of this just let me know what I can do.

      Reply
  • Tessa Tuates
    On October 17, 2012 at 6:53 am, Tessa Tuates said:

    Found 20 Potential Threats. How will I remove this threats?

    Reply
  • Edward
    On October 15, 2012 at 1:32 pm, Edward said:

    why is the scan omitting the htaccess files

    Found 0 .htaccess Threats 250 Skipped Files

    Reply
    • Anti-Malware Admin
      On October 15, 2012 at 1:43 pm, Anti-Malware Admin said:

      My guess is that the files it skipped were not .htaccess files at all. If you click on “250 Skipped Files” it will show you a list of the files that were skipped.

      If you have any more questions please don’t hesitate to ask. It might help to send me a screenshot too.

      Reply
  • Archie Lopez
    On October 13, 2012 at 3:39 am, Archie Lopez said:

    how to remove / repair the “eval” potential threats? at JS

    thank you!

    Reply
    • Anti-Malware Admin
      On October 13, 2012 at 7:20 am, Anti-Malware Admin said:

      “Potential Threats” are usually ok and should not be removed. They are there just to help you find possible exploits when you cannot get your site completely clean. When I find new Threats I add them to my definitions of “Known Threats”.

      See my FAQs

      Reply
  • lee bennett
    On October 10, 2012 at 12:41 am, lee bennett said:

    Ive been running your plugin for a few months now and its cleaned up lots of my site’s.
    this morning a couple of my sites have been blacklisted by google for a malware .
    the plugin says its clean .the infected files are all java script exploits ,because im on shared hosting its infected about 12 sites.
    I dont know if your plugin could be updated to include this but it would be great if it could .
    here are the details:
    http://labs.sucuri.net/db/malware/mwjs-iframe-injected515?v4

    Reply
    • Anti-Malware Admin
      On October 10, 2012 at 7:00 am, Anti-Malware Admin said:

      If you want to send WordPress Admin credentials to my email (wordpress at ieonly dot com) then I can get my plugin on that site to scan all the site at once. I will also look Through the “Potential Threats” to see if there are any malicious scripts that are not being identified correctly.

      Reply
  • Jeff
    On October 7, 2012 at 1:51 am, Jeff said:

    Eli, I just love the “quick scan” feature.

    Thank you for your continue efforts. You are a rare breed.

    Jeff

    Reply
    • Anti-Malware Admin
      On October 7, 2012 at 9:09 am, Anti-Malware Admin said:

      Thanks, There’s more to come. I’m working on a white-list feature now that should be ready by the end of the month. This will eliminate a lot of the benign scripts from coming up in the “Potential Treats” section.

      Reply
  • Review Crew
    On September 21, 2012 at 8:38 am, Review Crew said:

    Just wanted to stop by and let people know Eli is the real deal. I own and operate Reviewboard Magazine (Reviewboard.com) and we are in a weird spot in the food chain when it comes to product reviews. Because we do reviews on just about everything consumer related we fall into the mainstream consumer publication category of which we are actually the 2nd most popular in the United States. Go figure. We ended up getting a web STD and google crippled our website by putting up the malware stop page and listing our website as a malware site. Our advertising was stopped (Adsense) and things came to a crashing halt.

    NO ONE knew how to fix this situation properly and we tried. I posted here and ELI responded within a few hours. I trusted him and gave him admin access to our website and he did not disappoint. This man is a saint. He fixed the issue I was having with his plugin, he removed all the malware issues, and we were able to submit a request for review with google… it was successful and we are now back in action.

    Without Eli we would have had to rebuild our web server VMs, our database VMs and cut, copy and paste every article we had to make sure we didn’t have any malware. This would have taken a month and hurt us badly. I can’t tell you how grateful I am to Eli and his plugin. We are forever in his debt. If you haven’t donated for this plugin, you should really go do that now. His time is worth every cent, and we will be donating regularly to help his efforts here.

    Reply
    • Anti-Malware Admin
      On September 21, 2012 at 8:55 am, Anti-Malware Admin said:

      Wow, what a great review, thanks a lot!

      Donations feed my family but this stuff feeds my soul (or maybe my ego) ;-) but it really feels good to know how much I am helping people, Thanks!

      Reply
  • Kamal
    On September 20, 2012 at 9:32 pm, Kamal said:

    Can you explain what is this?
    Your great plugin found this as a critical issue(vulnerability) I am just a basic WP user, so i have no idea what these codes are. I automatically fixed the issue using your plugin but these codes are same in look as it was before Using your plugin. I am using a Theme where i found this issue

    here is the path /public_html/wp-content/themes/nobeliumful/library/prelude.php
    please advice!

    Here is the codes

    Reply
    • Anti-Malware Admin
      On September 20, 2012 at 9:41 pm, Anti-Malware Admin said:

      The codes you are trying to post will not come through on a comment.

      The easiest way for me to help you is if you can send me admin credentials for you WordPress site to my email address.

      It may take 10-12 hours for me to get to it at this point.

      Reply
      • Kamal
        On September 20, 2012 at 9:54 pm, Kamal said:

        Thank You so much for a quick reply.
        I have jus uploaded a snapshot of the codes there.

        The image is not in its best resolution but it is enough for you to understand the problem/issue

        I really appreciate your help and support. Millions of Thanks

        here is the link
        http://ifovr.com/wp-content/uploads/2012/09/knownissue1.gif

        Reply
        • Anti-Malware Admin
          On September 21, 2012 at 7:32 am, Anti-Malware Admin said:

          I see this is a file that has already been cleaned by my plugin. Although this line of code is very cryptic and was, no doubt, a setup for malicious injection, it is missing the eval() statement at the end that would have executed this code, so it is now harmless. It’s like a bee without it’s stinger or a gun without bullets.

          I wrote this plugin to automatically remove the threats from any file without damaging the remaining code in that file. Sometimes this leads to leftover garbage in the code that is not pretty but, by itself, is not dangerous. Since there is nothing left, in this particular file of any worth, you can delete the files if you want to.

          Please let me know if you have any other question or any other files you want me to look at.

          Reply
  • Vanessa Roberts
    On September 19, 2012 at 7:23 am, Vanessa Roberts said:

    I have never, in all my experience on the internet, found a developer so dedicated and so helpful as Eli Scheetz.

    The service that accompanies the use of this plug in is unparalleled.

    I literally can not recommend his plug in enough.

    More than worthy of any donation you can make.

    My highest praise

    Reply
  • Jeff
    On September 14, 2012 at 11:02 am, Jeff said:

    Cleaned up a bunch of my sites and Eli goes well past the extra mile.

    More than glad to donate

    Reply
  • SB Beauty
    On September 11, 2012 at 5:13 pm, SB Beauty said:

    Hello

    After scanning I do not have any option to remove the malware.
    I already made my Donation.

    Thanks

    Reply
    • Anti-Malware Admin
      On September 11, 2012 at 5:25 pm, Anti-Malware Admin said:

      Thanks for the donation.

      I hope you have already read the FAQ about “Potential Threats”. If so, and you have some “Known Threats” (in red), then you could send me a screenshot of the scan results or an admin login to your site and I’ll take a look at it for you.

      Reply
  • Jeff
    On September 9, 2012 at 4:05 am, Jeff said:

    This plugin is a lifesaver for me….glad to donate. The donation is far less than the time and money I would spend to deal with malware myself.

    Thanks much

    Reply
  • Kamal
    On August 28, 2012 at 12:41 pm, Kamal said:

    Hello there. I need your help

    When I tried to run your plugin on my wp 3.4.1 multisite

    i got this error while scanning all plugins folders

    Warning: preg_match_all() [function.preg-match-all]: Compilation failed: missing ) at offset 66 in /home/mydominname/public_html/wp-content/plugins/gotmls/index.php on line 78

    Please help!

    Its not Network Activated

    Your plugin is activated on the main(root) site

    Thanks in advance

    Reply
    • Anti-Malware Admin
      On August 28, 2012 at 2:32 pm, Anti-Malware Admin said:

      Thank you for reporting this bug. I have released a new definition update that fixes this issue. Just click the “Download new definitions!” button in the admin and it should work correctly after that.

      Reply
  • Gianfranco
    On August 17, 2012 at 2:15 pm, Gianfranco said:

    H! guys I just wanted say thank you so much for this amazing plugin. I was opening all my files and doing a search and replace… That worked sometimes but other times will totally destroy the site and template. I like that you added the option to revert the changes. This plug just gets better by the day. I just wanted to drop by and tell you that I will donate as soon as I get all my websites back and running. I will add all my websites and give you a good donation.

    I also made a video for those who have issues login in the admin because of malware. This will help you access the admin and also help you get all your files back up and running.

    If you go to YouTube and type Google Malware warning you will find my 4 part video on how to. https://www.youtube.com/watch?v=GMABgT2Dnas

    Again thank you for the effort and time put into the plugin. Its well appreciated.

    Reply
  • Howard Berry
    On August 12, 2012 at 6:16 am, Howard Berry said:

    Hi, have been using your plugin to clear the problem but it just returns within minutes so trying to find the back door. base64 decode is stated to be a problem but this is in your plugin. Should it be or do i need to delete this,

    Reply
    • Anti-Malware Admin
      On August 17, 2012 at 8:18 am, Anti-Malware Admin said:

      I updated definitions and expanded the search range on the site you gave me access to. It now searches starting in the public_html directory and finds the new threats that were previously undetected. I took the liberty of removing all the threats that were found within all sites in the public_html folder. Please let me know if your infection returns again. I am happy to continue working on this until you are completely clean.

      Reply
  • Kamal
    On August 3, 2012 at 1:47 pm, Kamal said:

    I just sirted it . I just saw an option there to scan only the THEME folder. Thanks once again.

    Reply
    • Anti-Malware Admin
      On August 4, 2012 at 6:39 am, Anti-Malware Admin said:

      Thanks, I’m glad you found it. I’m posting this answer here anyway so that others can find it too if they have the same questions.

      To scan just the Theme folder just click on the linked option “wp-content” under “Scan What:” and check the box by “themes”. This specialized scan setting does not save, so after the scan is performed it returns to the option to scan the whole wp-content folder.

      Also, I would be interested to hear why you would want to scan only the themes folder. If you want to tell me more you can email me directly at registrations at gotmls dot net.

      Reply
  • Kamal
    On August 3, 2012 at 1:40 pm, Kamal said:

    What a great plugin.!!

    I just want a help. Is there any way to SCAN only the THEME folder in /wp-content/themes ??

    Please advice.

    Regards

    Reply
  • daniel preece
    On August 1, 2012 at 10:31 pm, daniel preece said:

    will donate tomorrow

    thxs danny

    Reply
  • TrinityCross
    On August 1, 2012 at 10:43 am, TrinityCross said:

    Hello there,

    Your plugin is a fantastic piece of work and really saves me alot of time trying to locate all these viruses people like to put on your website. While your plugin works well and keeps fixing the problem. The hacker keeps being able to change a line in the /wp-config.php file.

    Could I suggest that that you potentially make the plugin fix problems automatically without having to keep pressing auto repair. Because it consumes alot of your time when you keep getting the same problem every other day and then having to sign in to do the same process over and over again.

    Maybe allowing users to have the plugin (option) to fix the problem automatically without having to constantly approve it. If a potential problem arises, you can do the same as you currently do with the plugin which is revert to the previous settings.

    Reply
    • Anti-Malware Admin
      On August 1, 2012 at 11:08 am, Anti-Malware Admin said:

      Thanks you for the complement and the suggestion. I have that idea already on my To-Do-List. I am wanting to add some kind of cron job to run automated scans and email the results to the admin. Right now I am working on making the scan process more robust. If I have enough time and some good donations I should be able to work that feature in by the end of the month though.

      However, a better answer to your problem would be to stop the attacks. If you are removing all the threats and they are coming back the next day I would suspect that we have overlooked a vulnerability on your site. I would love have the opportunity to investigate why you continue to get re-hacked. If you want me to look at it for you just email directly (I will need your WP admin credentials and FTP access would help to).

      Reply
    • marfu
      On September 22, 2013 at 7:09 am, marfu said:

      the scan can’t run completely, stuck in 33% and the the scree send error message like this
      Content Encoding Error

      The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

      Reply
      • Anti-Malware Admin
        On September 22, 2013 at 8:52 am, Anti-Malware Admin said:

        Have you tried the Complete Scan or just the Quick Scan?

        If you still can’t get it to work you can give me you WP Admin login and I’ll get in there and figure out what’s causing that error.

        Reply
  • Rich
    On July 24, 2012 at 7:20 am, Rich said:

    Great Plugin… Been using it for a little bit and will donate in a few.. The only problem is I get the wordpress sites clean, however days or sometimes hours later they are re-infected.. What else can I do to get them clean and prevent re-infection?

    Thanks!

    Reply
    • Anti-Malware Admin
      On July 24, 2012 at 10:15 am, Anti-Malware Admin said:

      It sounds like my plugin is doing a good job of removing the malicous scripts that it finds :-) but it doesn’t seem to be finding the vulnerability in your WordPress site that is allowing you to get hacked :-(

      I would love to take a closer look at it for you. If I can track down the source of the infection then I can add it to my definition file so that everyone who uses my plugin will benefit.

      Reply
  • Admin Lotto
    On July 23, 2012 at 5:05 pm, Admin Lotto said:

    Hi there, i give it a try on my infected website, it is work good, even when i try to hide it, this plugin still found it. now my question is, if i want to register multiple website with one account, how much the donation should be, and is it once registration and lifetime update? please advise. thank you

    Reply
    • Anti-Malware Admin
      On July 23, 2012 at 6:32 pm, Anti-Malware Admin said:

      Thanks for the complement. I am glad to hear that it worked well for you. As for how much to donate, I have not firmed that up yet, but my general thinking at this time is $10 per site (depending on your ability to pay and the number of sites you have). This is of course still completely up to you how much you give but thanks for asking.

      Reply
  • Rodrigo Muniz
    On July 16, 2012 at 12:06 pm, Rodrigo Muniz said:

    Hope you down aprove this comment, at least not until you can fix the XSS hole. The plugin has a security hole, see details:

    At index.php find the occurrence of “$_SERVER['REQUEST_URI']”
    This XSS vulnerability is exploitable, because input is not checked for html characters. To fix it we need to replace it with
    htmlspecialchars( $_SERVER['REQUEST_URI'] , ENT_QUOTES )

    Cheers from Brazil

    Reply
    • Anti-Malware Admin
      On July 20, 2012 at 10:57 am, Anti-Malware Admin said:

      This “hole” is fixed in my latest release. It was only exploitable by an WP Admin level user anyway, but I fixed it so that it would not show up as a vulnerability.

      Thanks for the heads-up!

      Reply
  • Fall Interacom
    On June 7, 2012 at 9:04 pm, Fall Interacom said:

    Great plugin. and have made a donation. this plugin can be a premium plugin with some costs because solves a lot of hacker attacks issues.

    Reply
    • Anti-Malware Admin
      On June 7, 2012 at 10:39 pm, Anti-Malware Admin said:

      Thanks. The more donations I get, the more time I spend making this plugin even better. I know I could make more money if I charge for this but then I wouldn’t help as many people. I always feel good when someone voluntarily pays like you did. Thanks for your support and tell your friends.

      Reply
  • T T
    On May 30, 2012 at 4:06 am, twintea said:

    Hello ,

    Just installed your Plugin and it did a thorough scan ..lots of yellows ; am sure most of them are legit files , no problem but the bottom line is felt relieved! Now I have a scan to alert real threats and it’s really simple to use yet compact and essential ! Thanks a lot for your hard work !

    Reply
  • mariusz wroblewski
    On April 18, 2012 at 2:17 pm, mariusz wroblewski said:

    hello, the scanner is working but I can not see anywhere the “Repair”

    Reply
    • Anti-Malware Admin
      On April 20, 2012 at 2:25 am, Anti-Malware Admin said:

      Thanks. You can only Repair “Known Threats” highlighted in RED. The “Potential Threats” in YELLOW are usually not malicious but you should still check them and if you can identify any malicious code you can send it to me and I’ll add it to the definitions as a “Known Threats”.

      Reply
      • Flash Buddy
        On January 30, 2013 at 3:13 am, Flash Buddy said:

        Those ‘Yellow’ threats are for the large part javascript files. Suggest:

        Scanned to determine if iframe or reditects are in the header of footer.
        Compare file size with known good copy.

        Reply
  • Vjatsheslav
    On April 13, 2012 at 3:53 am, Vjatsheslav said:

    Hey,

    There should be possibility to register multiple sites with one e-mail address. I have many websites, and I don’t want to open that many e-mail addresses. I got the same malware again, someone removed the plugin and installed the script again. Does it mean the virus is on a server, or it’s simply someone hacked my password?

    Thanks.

    Reply
    • Anti-Malware Admin
      On April 20, 2012 at 2:45 am, Anti-Malware Admin said:

      Thanks for the suggestion. I am working on the feature now to allow multiple keys to be registered under one email account and user.

      If you are getting re-infected it may be that your site still has a vulnerability that continues to be exploited or, if you are on a shared host, it could be another site on the same server is infecting your site.

      I can upgrade your registration to include a higher level directory. This may allow you to scan multiple sites on your server from one admin account. If you would like to try this please email your request to registrations at gotmls.net

      Reply
  • caporuscio tommaso
    On April 12, 2012 at 2:56 am, caporuscio tommaso said:

    Grazie per il vostro supporto prodotto ottimo.

    Reply
  • John Pentony
    On April 3, 2012 at 8:28 am, John Pentony said:

    Just donated moments ago. Great tool. Got my server compromised weeks ago, and heard this program can prevent much of that.

    Thanks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>