sanmarco

I guess its a programm on the computer. It is a programm downloaded when it links and open to this apartment-mall website. I try two pc in a internetcafe, both time it downloaded a so calling “load.exe” from aparment-mall.cn onto the destop. This happened in the background during the browser try to open my website. At the third pc than I avoided to open my infected website. It was working sucessful when i deleted the files with my ftp programm. I used a ftp programm working from a memory stick. But also I deleted all the wordpress tables in my database to make sure there is nothing stored too. Because i was not sure. They went useless anyway as i use now textpattern.
My guess is that this load.exe “knows” when you enter per ftp into your webspace. As soon you delete or rewrite the files it rewrites it again.
I was also not able to delete this load.exe from the desktop or drag it into the recycle bin. Therefore my theorie that its the programm ON the computer. Hope this info can help you guys.

Sanmarco

hi, I had the same problem, the hack by apartment-mall. Its only affecting all php and all html files. I delete them one time than they got rewritten! The safe way to do it. Dont ope your website where the hack messed everything up because it will put an load.exe on your desktop. If you than try to delete all php and html files this application rewrite it. I had this problem. Went to another pc, use the ftp programm to delete the php and html files or just overwrite them with the clean ones from my back up. Now its ok. Make sure you check all your directories!! Also may check your chmod status, if it is on 777 so thats may the loophole where the hack goes in and mess everything up. My chmod was on 777.

Yes its alwys only writing the i-frame thing below in the last row!
sanmarco