Forum Moderators: phranque


Anyone Else Seeing .htaccess hacks of clients?

visitors to sites redirected to virus scanning site

         

DXL

12:01 am on Jul 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Last week, a client sent me an email because Google blocked access to their site, deeming it unsafe for visitors. I noticed that the .htaccess file had been updated, plus a file named .htaccess.mal was added to the root folder and every subfolder of their site. It seems everyone who visited the sites or surfed in via Google was redirected to a Windows Virus Scanner website.

Another client contacted me today with the same problem (also hosted with the same company). I'm going to check my other client sites; I'm wondering if anyone else is seeing this.

mas1484

5:34 pm on Jul 25, 2008 (gmt 0)

10+ Year Member



I had the same problem, and I think I just fixed it. I deleted all of the .htaccess and .htaccess.mal files on my site. Somehow they wormed their way into every folder. They were redirecting broken links from the standard 404-error page to the home of the "Antivirus 2009" pop-up. Now that I deleted each and every one of the .htaccess and .htaccess.mal files, the problem seems to have disappeared.

[edited by: phranque at 9:59 pm (utc) on July 25, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

mas1484

11:16 pm on Jul 25, 2008 (gmt 0)

10+ Year Member



I thought that it had disappeared, but I needed to contact my host server to have them clean my entire site. I will let you know if this works.

[edited by: phranque at 11:33 pm (utc) on July 25, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

BeSeeingYou

1:59 am on Jul 26, 2008 (gmt 0)

10+ Year Member



I encountered this as well this week, the search results for my site redirecting to the same "Antivirus 2009" page. My host said that it was a known problem and that they would take care of it. They did not, however, remove the .htaccess.mal files, and the redirect was persisting; the tech support at the host seemed to think it was Google's problem. So I'm really grateful to DXL and mas1484 for writing about their experiences.

Besides dropping redirect files for search engines in every directory, this virus also created a number of porn-keyworded files and directories under a subdomain "ckjoj", i.e. "ckjoj.[mydomain].com/domination/domination_0.html". I think my host may have cleaned these up as I can't find them myself.

So again, thanks.

DXL

9:12 am on Jul 28, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I cleaned it up for one client, and then a few days later the .htaccess files were back. I was starting to wonder if someone had gotten into that host's servers, because I'm only seeing this problem for clients hosted with one particular company.

MagykZan

7:50 pm on Aug 5, 2008 (gmt 0)

10+ Year Member



This happened on one of my personal websites. It's a site I hadn't updated in months. I had phpBB2 running on there, but it was getting flooded with bogus bot signups, and I hadn't gotten around to adding CAPTCHA to it.

I wonder if that might have something to do with how it happened, but yeah, definitely, the site was completely broken. Hardly any of the links would work. What raised an alarm for me was when I got a password reset request email.

I went in and added a security question, changed the password to one I've never used before, and deleted everything off the site. I needed to redo it anyhow.

[edited by: phranque at 12:09 am (utc) on Aug. 7, 2008]
[edit reason] hosting specifics [/edit]

DXL

12:12 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I noticed the other day that [my host] also did a manual reset for the passwords of any site that they deemed to have a relatively weak one. So it could be that someone had targeted their servers specifically; the number of sites that I've had to go in and fix has been on the rise as they are slowly reported to me by clients.

[edited by: phranque at 12:13 am (utc) on Aug. 7, 2008]
[edit reason] hosting specifics [/edit]

rocknbil

7:01 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Most importantly, have you considered how those .htaccess files got in your domains? You can change your passwords and tighten up your site completely, but if someone has compromised that server, it will be back. It can be coming from another domain on that box that's hacked, or <shudder> someone has rooted the box.

My advice is to run away, find a new home for your sites, but that's just what I would do . . .

[edited by: phranque at 12:14 am (utc) on Aug. 7, 2008]
[edit reason] hosting discussion [/edit]
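
A read-only check for the cleanup described in this thread, as an added example that is not from any of the posters: it walks a web root, lists every .htaccess and .htaccess.mal, and flags ErrorDocument or referrer-conditional RewriteRule lines that point at an external URL. The matching rules are assumptions based on the symptoms reported here, and the sample tree and `scanner.example.invalid` are constructed.

```python
import os
import re
import tempfile

# Heuristics taken from the symptoms reported in this thread (assumptions, not signatures)
ERRORDOC_EXT = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def inspect_htaccess(text):
    """List the reasons this .htaccess content looks like an injected redirect."""
    reasons, referer_cond = [], False
    for n, line in enumerate(text.splitlines(), 1):
        rule = REWRITE_RULE.match(line)
        if ERRORDOC_EXT.match(line):
            reasons.append(f"line {n}: ErrorDocument sends errors to an external URL")
        elif REFERER_COND.match(line):
            referer_cond = True  # a RewriteCond applies to the next RewriteRule
        elif rule:
            if referer_cond and rule.group(1).lower().startswith(("http://", "https://")):
                reasons.append(f"line {n}: referrer-conditional redirect to an external URL")
            referer_cond = False
    return reasons

def scan(root):
    """Map each .htaccess / .htaccess.mal under root (relative path) to its findings."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in {".htaccess", ".htaccess.mal"}.intersection(files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = inspect_htaccess(fh.read())
            if name == ".htaccess.mal":
                reasons.insert(0, "unexpected file name .htaccess.mal")
            found[os.path.relpath(path, root)] = reasons
    return found

def demo():
    """Scan a constructed web root: one ordinary .htaccess, two injected files."""
    injected = ("ErrorDocument 404 http://scanner.example.invalid/\nRewriteEngine On\n"
                "RewriteCond %{HTTP_REFERER} google [NC]\n"
                "RewriteRule .* http://scanner.example.invalid/ [R,L]\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel in (".htaccess", "images/.htaccess", "images/.htaccess.mal"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("Options -Indexes\n" if rel == ".htaccess" else injected)
        return scan(root)
```

Call `scan()` on the real document root and compare the result between runs; an empty findings list only means none of these heuristics matched, not that the file is trustworthy.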