Repair ZieF.pl IFrame Injection
Having had my server taken down by a particularly nasty piece of malware that resulted in my having to reformat and reinstall from scratch, I discovered that the said malware had also edited all my webpages. Basically it had added:
{iframe src="http://ZieF.pl/rc/" width=1 height=1 style="border:0"> (modified slightly of course so as to render it harmless)
- to the bottom of every webpage. Fortunately my site was only up for five minutes before my realising this (I noticed my web-browser - which fortunately is Firefox with the NoScript (http://noscript.net/) plugin - connecting to the ominous website), so I was able to take it down before any unsuspecting visitors got hijacked.
So... My choices were to restore from backup, or come up with another solution. I avoided the backup as my previous backup was a couple of days old, and I'd actually done a few bits of work that I didn't want to have to do again. So I wrote the simple script attached that will go through a whole filesystem (from the point you specify) and search all web files (htm, php, html, asp) for the offending code. If found, it is removed and normality restored.
I don't know if the malware affects other files; I don't have aspx or similar, and it didn't seem to affect any Perl files that I could see. The script can easily be modified to take into account more file types, though.
The script creates a log of all affected files it finds; you just need to set two variables in the file (the log file and the start folder). It will confirm both these options when it runs.
Important Note
I have just been informed that at least one AV product identifies my script as a virus. I can only presume that this is because my script contains the zief.pl iframe injection code in order to search and remove it. The script certainly is not a virus, and full source is of course viewable (it is vbs, not vbe) so anyone can check it to reassure themselves.
Please also note that there is no point in running the script if your system is still infected. If the virus is still present on the system, then it will simply reinject the code as soon as my script has modified the files. In fact, the reason I realised my system was still infected was because this was happening - at which point I reinstalled from scratch.
' Script written by David Barrett
' Copyright 2009
' http://www.cedit.biz/
' This script is licensed under the Creative Commons
' Attribution 2.5 Licence
' http://creativecommons.org/licenses/by/2.5/
'
' You are free to use it for both personal and
' commercial purposes, so long as full attribution
' is given to the author (David Barrett).
'
' This notice must not be removed
'
'
' Fix ZieF.pl injection
force_cscript
dim strSourceFolder, strLogFile, strSearchText
' Set these two values before running: the start folder and the log file
strSourceFolder="f:\"
strLogFile="d:\log.txt"
' The injected tag to search for, built up in pieces
strSearchText="<" & "iframe src=""http://Zi"
strSearchText=strSearchText & "eF.pl/rc/"" width=1 height=1 style=""border:0"">"
arrExtensions=Array("htm","php", "asp", "html")
strConfirm= "About to check and repair files starting from:" & vbCrLf & strSourceFolder
strConfirm=strConfirm & vbCrLf & "Log file: " & strLogFile
strConfirm=strConfirm & vbCrLf & vbCrLf & "Continue?"
' 4 = Yes/No buttons, 6 = Yes was clicked
if msgbox(strConfirm,4,"Confirm")<>6 then wscript.quit
dim objFSO, objF, objLog, objShell,dicExtensions
set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
set dicExtensions = CreateObject("Scripting.Dictionary")
dim i
for i=0 to UBound(arrExtensions)
    dicExtensions.Add arrExtensions(i),arrExtensions(i)
next
set objLog=objFSO.CreateTextFile(strLogFile,1)
set objF=objFSO.GetFolder(strSourceFolder)
RecursiveScan objF
objLog.Close
set objLog=Nothing
set objF=Nothing
set objFSO=Nothing
set objShell=Nothing

sub RecursiveScan(objFolder)
    ' Checks every web file in the folder, then descends into its subfolders
    dim objFile, objSubFolder
    dim strRunCmd, objExecObject
    dim objTS, strFile, strExt, strFileName
    on error resume next
    For each objFile in objFolder.Files
        ' Lower-case the extension so that .HTM, .Php etc. are also checked
        strExt=LCase(Mid(objFile.Name, InStrRev(objFile.Name, ".")+1))
        if dicExtensions.Exists(strExt) then
            ' This is a file to check
            ' Clear any error left over from the previous file
            Err.Clear
            set objTS=objFile.OpenAsTextStream(1)
            strFile=objTS.ReadAll
            objTS.Close
            if err.number=0 then
                if InStr(1,strFile,strSearchText)>0 then
                    ' Doctored file... remove every copy of the text
                    strFile=Replace(strFile, strSearchText, "")
                    strFileName=objFile.Path
                    objLog.WriteLine "Contaminated file: " & strFileName
                    wscript.echo "Contaminated file: " & strFileName
                    objFile.Delete true
                    set objTS=objFSO.CreateTextFile(strFileName,true)
                    objTS.Write strFile
                    objTS.Close
                end if
            else
                ' File could not be read (locked, empty, ...): skip it
                Err.Clear
            end if
        end if
    next
    for each objSubFolder in objFolder.SubFolders
        RecursiveScan objSubFolder
    next
end sub

sub force_cscript
    ' Relaunches the script under cscript.exe if it was started with wscript.exe
    dim args : args=""
    dim i, wshshell
    If right(lCase(wscript.fullname),11)= "wscript.exe" then
        for i=0 to wscript.arguments.count-1
            args = args & wscript.arguments(i) & " "
        next
        set wshshell=createobject("wscript.shell")
        ' Note the space between the quoted script path and the arguments
        wshshell.run wshshell.ExpandEnvironmentStrings("%comspec%") & _
            " /c cscript.exe //nologo """ & wscript.scriptfullname & """ " & args
        set wshshell=nothing
        wscript.quit
    end if
end sub
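
A read-only check to run some time after the cleanup, to see whether the tag has come back (the sign of a still-infected system described in the note above). This is an added example in Python, not part of David Barrett's script; the function names and the placeholder host `injected.example` are assumptions, and the sample files are constructed. It goes beyond the script's exact-string search: the tag is matched in any letter case or quoting, and every copy in a file is counted.

```python
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp"}  # same file types the script checks

def injected_iframe_pattern(host):
    """Regex for an <iframe> whose src points at `host`, in any case or quoting."""
    return re.compile(
        rb"<iframe\b[^>]*\bsrc\s*=\s*[\"']?https?://" + re.escape(host.encode())
        + rb"[^>]*>(?:\s*</iframe>)?",
        re.IGNORECASE,
    )

def audit_tree(root, host):
    """Read-only pass: return {path: occurrence_count} for files carrying the tag."""
    pattern = injected_iframe_pattern(host)
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:  # bytes: no encoding guesswork
                    hits = len(pattern.findall(handle.read()))
            except OSError:
                continue  # unreadable file: skip it and carry on
            if hits:
                findings[path] = hits
    return findings

def demo():
    """Build a constructed sample tree and audit it; returns {filename: count}."""
    # Constructed sample tag using a placeholder host, not the real one
    tag = b'<IFRAME src="http://injected.example/rc/" width=1 height=1 style="border:0">'
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.HTML": b"<html><body>hi</body></html>" + tag + tag,  # injected twice
            "clean.php": b"<?php echo 'ok'; ?>",
            "notes.txt": tag,  # not a web file, so it is ignored
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        found = audit_tree(root, "injected.example")
        return {os.path.basename(p): n for p, n in found.items()}

if __name__ == "__main__":
    print(demo())
```

Because nothing is written, the check can be repeated on a schedule; a count that rises between two runs means files are still being modified.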
