I downloaded the entire website to my local hard drive and it did pick up one virus located in skin1/index2.php which I have deleted. No other viruses on there.
I also searched all of the file's contents for reference to some of the code left behind (I searched for the string "rkjswrf23lhsf2") where the code was left behind on the hacked pages and found them in the following files. :
aatig\1.php
aatig\xle.php
I'm no expert in SQL, but looking into those files, they seem to make references to the actual SQL database:
$ot1 = array("<js1ey3452nbds>", "<rkjswrf23lhsf2>", "<pwfcwdfesvf>", "<efskert3sewrt>", "<adsttnmq1>");
$ot2 = array("<aoe4dell231rr>", "<ysgksf02hk91ls>", "<lqwrssbvodf>", "<dsfdl456khwwe>", "<sdioyslkjs2>");
$mpt = "";
$drs = "";
Anyone know what this aatig folder is?? I dont believe this is part of X-Cart?? Renaming the folder did nothing and the unwanted code still shows up..do I need to go into the SQL database to remove it manually?