Final Update.
EditPlus came in very handy.
Logged in as Administrator, did the same search, dragged html, asp, aspx, & js files onto EditPlus a hundred or so at a time, did Search->Replace for the iframe string.
Did Replace All with the All Files option selected, then File -> Close All.
Worked first time in most cases. Some wouldn't save as they reported as read-only. Most cases I just had to remove the read-only attribute, a couple I had to change permissions on.
What's scary is that the virus can chuck text into files that are read-only. owned by the system, with just read & execute permissions for everyone else (if that).
I would have assumed that if the virus kicked off because of something I ran, it would have run with my effective permissions.
So despite the NTFS permissions system, Vista's UAC (which gets in MY way all the time), Windows Defender, Windows Firewall, AVG, & several other things the OS is supposed to do to protect OS files, this virus ran through the system doing whatever it liked at whatever elevation it liked.
We're doomed.... Doooomed I tell y'...
Paul
