I think that your problem is on a module. The most popular modules that use this code are:
-
Autson Skitter Slideshow (mod_AutsonSlideShow)The malicious code is located in the "tmpl" folder, in the php file(s).
-
Share This for Joomla! (mod_JoomlaShare This)The malicious code is located in
mod_JoomlaShare This.php.
-
VirtueMart Advanced Search (mod_virtuemart_advsearch)The malicious code is located in
mod_virtuemart_advsearch.php.
-
AddThis For Joomla (mod_AddThisForJoomla)The malicious code is located in
mod_AddThisForJoomla.php.
-
Plimun Nivo Slider (mod_PlimunNivoSlider)The malicious code is located in the "tmpl" folder, in the php file(s).
Using Autson as an example, go to your file explorer and enter this path: /modules/
mod_AutsonSlideShow/tmpl/
default.php Edit the .php file (the name of this file is shown above, near the name module in this post )and look for this javascript tag and you should see this amount of code:
<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>Delete this code. If you don't feel confident to do it you can create a copy of the original file in case in goes wrong.
Normally, at last line, is the link to the developer website and antivirus detect it like unwanted Pub. Know, go to the last line of the file and delete this tag:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>in autsonImageSlider module example. Proceed the same way to the other modules.
Save it, and enjoy.
Hope it was usefull.