When you find malicious code in your site it is often a line of javascript inserted into the bottom of almost every .js file on the account that used character code escapes to make it harder to detect. It is most often also embedded in many of the otherwise blank index.html pages within the subdirectories of your Joomla install. It is often difficult to pinpoint the reason either a Joomla exploit (iframe) or if the violators had the account password.

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!
2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1
3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmasters/bin/answer.py?answer=45432
4. Read the information provided below about this type of viral infection and how to further prevent it.

What are malicious iframes and what causes them?

! Over the years hackers found it hard to trick people into visiting suspicious sites so they're now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account's password is obtained through key logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these trojans, your bank account, email accounts, and FTP accounts may no longer be secure.

What to do if you find malicious iframes on your PC?

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanning/online/?task=load
2. Download antivirus and fully scan your PC for malcious files. Here are some free online scanners:
   * http://housecall.trendmicro.com
   * http://www.bitdefender.com/scan8/ie.html
   * http://www.kaspersky.com/virusscanner
   * http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones (see above)
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

Prevention measurements

• Ensure you use the latest browser version
• Disable javascript if possible
• Use Firefox with addon "noscript" (!)
• Download and install some free antivirus software, make sure it stays updated
• Use http://www.avg.com.au/index.cfm?section=avg&action=onlinescan to test suspicious links you are given in emails or find online.

Others

BACKUP & DOWNLOAD (!) your site and database! Use either your cPanel features or use Joomlapack (http://www.joomlapack.net)....whatever you use: BACKUP!