There is a virus which can be picked up by visiting infected sites which searches your computer for your website's ftp settings. If found, it adds a script called 'gifimg.php' into your image folder and also adds code to all your php and html pages.

The result is that loading your website will also load lots of 'invisible' links as well as attempting to load a copy of the virus onto the visitors computer. It can also alter your browser settings so that clicking on links after a Google search will take you to one of the hacker's websites, rather than the site you intended.

There are various versions of the script going my the names of gumblar.cn, martuz.cn and a latest incarnation links to thailocal.sru.ac.th.

If your site has already been indexed by Google and found to have infectious webpages, you can use Google search to find out which pages Google has found malscripts on by typing the following into the search bar:

site:yoursitehere.com

The Search Engine Results Pages (SERPs) will show you each page from your site and any pages that Google thinks has malscripts on them will display their warning “This site may harm your computer”.

To resolve this problem you will need to:

1. Delete all instances of gifimg.php which have been uploaded to your server

2. Upload clean copies of your webpages, or search through all your webpages to locate and delete the added code.

Typically a 'function' script has been added above the <HEAD> tags in your index.php/html pages containing the text 'base64_decode'

A link is added above the <body> tag to load a hidden script such as http://thailocal.sru.ac.th/Doc/app/edi8m/S9SD5F7D.php

Further hidden links to products may be added to the bottom of the page

3. Change your ftp password/s

If you find that your website has been infected and would like help to resolve the matter please do not hesitate to contact us.