Due to the nature of what was found, I doubt you have it all. This malware is usually well hidden.
You should install and also have your client install at least one anti-malware program and run it to scan your and her computer(s).
These two are good ones and won't interfere with any installed anti-virus program. They also do not interfere with each other. I would do full scanns with scan with both as nothing can find or catch every malware program.
Once your and your clients computers are clean or scan clean, then follow what is below to properly clean and remove traces of the malware and repair the clients site.
It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.You must state what version of Joomla you were using when when the site became hacked. This can make a difference as to how we approach your individual situation.
[ ] Run the Forum Post Assistant / FPA
Instructions available here
and are also included in the download package.
[ ] Ensure you have the latest version of Joomla
. Delete all files in your Joomla installation, saving a copy of the configuration.php file.
Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories
More detail can be found in the security Checklist 7 link below.
[ ] Review Vulnerable Extensions List
[ ] Review and action Security Checklist 7
to make sure you've gone through all of the steps.
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.
[ ] Use proper permissions on files and directories. They should never be 777
, ideal is 644 and 755 and 444 for the configuration.php file.
[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
[ ] Ensure you do not have anonymous ftp enabledNote: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.