Instead of having a ton of quoted posts I will just number them based on the order of the post count.
Post #1
First, your index files cannot get a virus, impossible, but your website could have been hacked to have a virus or malware get installed. Of course, it would have been nice to have screenshots of all this and of course a link to the website to get a better idea of what's going on.
As for breaking in, SQL injection, insecure scripts either from bad programming or improper CHMODing of them. XSS attacks could be another possibility or the fact your passwords were easy to guess.
Post #2
Xisto wouldn't do anything of the sort, and so odds are your site got hacked and was used as a portal for someone to upload malware, trojans and virus files. Then when a person visits that site or clicks on a link in that site, the attack will commence. As for the origin, odds are your site got hacked somehow from one of the various methods and I doubt a keylogger would have been necessary if the website used a common enough script or coding that can be easily cracked.
Post #3
No, you cannot transmit a virus from your computer to your hosting account as the coding to infect PCs and hosting accounts is quite different in terms of setting it up. Even if you are infected with a virus/trojan/spyware, your security software should have picked it up if it is current or you actually use such security software.
Besides, reinstalling your computer because of a virus would be a last resort if your security software can get rid of it, and even then it would have to be a brand new virus to get that far.
Password managers wouldn't matter with a keylogger as a keylogger is used to record your keystrokes and so it wouldn't even matter that you have that password manager encrypted with a password.
Since you detected a trojan on your computer I can reassure you that it wouldn't transmit to your site, it would be kind of pointless to do so.
Post #4
The first thing you want to do is clean up your computer of any viruses, but the best removal method is to go into safe mode and have your System Restore points turned off before cleaning, as some like to hide in there and even though you cleaned it out it could show up again.
As for the website itself, usually a backup is a good idea, however, depending on when you made that backup you're not really solving the problem. However, since I don't know what your website looks like it is hard to say what would be best to properly secure your website.
Post #5
If you did have the Conficker virus, it would be next to impossible to clean your computer because of what Conficker does. You wouldn't be able to patch your system because Windows Update would be disabled and your security software wouldn't work. So I highly doubt you have the Conficker worm on your computer and even then it wouldn't get uploaded to your website because that is not how the worm works.
As for your hosting, that would be tricky to say, of course the first thing I would suggest is not to use password generators. They may be useful, however, it is best to make your own password from scratch for better security. Also, if you're using databases, you want to use a very strong and separate password as well and that will add another level of security. The reason for that is you don't want to use the same password over and over again because if they find out that is the only password you use, your hosting is screwed.
Post #7
Well, odds are it was an XSS, SQL injection or a script kiddie who knows those specific scripts well. Again, a computer virus will not affect your hosting account, it would be the other way around.
Post #8
Heck, you should have reported the problem to Xisto support right away and hopefully you did that during this 21 post bonanza, as they need to know this to help better protect their servers and of course block that IP and even report it as well.
Post #11
Odds are they used that site to cover their tracks as they hack your site and booby trap it with malware/spyware/trojans and stuff like that.
Post #12
You need to change your passwords ASAP and also remove the scripts that you're using. My suggestion would be to start your website over, and not use whatever scripts you're using or find better scripts that are better secured. Of course, the best thing to do is to keep on changing your passwords until the attacks stop and by changing passwords I mean not using generators as odds are they might know what generator you're using.
Post #14
It all depends on the scripts that you're using, and if you're using databases along with those scripts as well, and the only sure way to prevent SQL injections is strong passwords and making your scripts unreadable to outside sources, and CHMODing everything properly.
Post #16
Of course they wouldn't be known, but odds are the designers of FluxBB have created a lot of places to get into the software and mess everything up. SQL injections are possible just because of the lack of security the designers put into their software or that there are too many security holes in the coding itself. Now that I know what is causing all the problems, my suggestion would be to drop that forum and go with something more secure like phpBB or SMF or AEF and a lot of your problems will go away.
Post #20
#1 correct
#2 unlikely, but even then running an exe through a hosting account is quite tricky
#3 impossible, they would have to hack the FluxBB website, then upload their own version of the infected forum for that to be possible. Most computer viruses do not work like that and it would be kind of stupid to do so if they wanted to infect the computer with their goodies.
#4 a possibility
Post #21
#3 the point of running an infected website is for the owner not to detect that anything is wrong, and so while the site could have been running normally for you, odds are your computer was compromised with a silent download through the website, i.e. that trojan you have. As for Google, it would take more than a day to have them block your website, however, depending on what browser you're using it could be difficult to tell if your site was compromised, as not all browsers use the same lists to block potential bad sites.
#4 the designers are ignorant because regardless of whether it's current, most of the time they won't spot their own programmers' errors until someone tells them. So odds are they have not found either the SQL injection leak or not making sure to properly CHMOD the forum software.
As for the image you posted, instead of typing it out for you, here is a link to the reference for all the keystrokes and stuff. However, since I am not a big security expert I can't really tell you what it is doing, for all I know it picks those to be logged and stuff.
Post #22-23
Yeah it would have been good to have a link to this site and that way we could have had a better time trying to figure out what is/was wrong with your website and offer a better solution.