Hi,
Thank you for reaching out and for providing detailed information about the incident. We understand the urgency of the situation and apologize for the inconvenience this has caused.
If you have a clean and verified backup from before the compromise, we recommend restoring that backup first. After confirming the website is clean, update both the System - Helix3 Framework and Helix3 - Ajax plugins to the latest version (v3.1.2). This is the safest and most reliable recovery approach.
If you do not have a clean backup available, please follow these steps:
- Go to Site Template Styles → Your Template → Template Options → Custom Code → Custom JavaScript.
- Check the Custom JavaScript field for any suspicious or unknown JavaScript code. If you find any injected code, remove it and save the changes. This should remove the malicious message if it was injected through the template settings.
- Update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to the latest version (v3.1.2).
If the update is not available through your Joomla Update Manager, you can download the latest Helix3 package from the following page and install it manually via Extensions → Install:
https://www.joomshaper.com/joomla-templates/helix3
Please note that when updating Helix3, some template settings—such as the logo, Custom CSS, and other template configuration options—may need to be reconfigured manually afterward. We recommend taking screenshots or exporting your current template settings, if possible, before performing the update.
If the website has been compromised beyond the injected JavaScript, we also recommend performing a full security audit of the Joomla installation, including checking core files, third-party extensions, administrator accounts, and the hosting environment to ensure no additional malicious files or backdoors remain.
Best regards