If your website has been attacked and you see malicious code being injected into the script, this article will help you find and get rid of the trojan/spyware responsible.
IFrame code injection by Virus/Trojan, What's the solution?
Who is compromised? Your computer is compromised; don't blame your hosting company for this.
How does it work? When you open a website (most probably in IE) that is infected with malicious code, your browser downloads the malicious code (a trojan/spyware) from the URL specified in the iframe tag (sometimes your browser also opens Acrobat Reader). Most antivirus programs don't detect this trojan; some only give a warning but don't block it. Once your computer is infected, the trojan residing on it steals your FTP passwords when you type them into your FTP program. Using these FTP accounts, the trojan scans all the directories on your FTP server and finds files having any of the following words in their name
Are you also infected? To check whether your computer is infected, you can download HijackThis, the free utility from TrendSecure's website: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
HijackThis is a utility that quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan. After you have downloaded it and performed a scan, locate the highlighted entry shown in the image below.
There could be other suspicious entries indicated by HijackThis, but the above entry is definitely the trojan that is infecting your websites.
How to remove this trojan? Fix all the suspicious entries indicated by HijackThis. If you find an entry ending with AcroIEHelper.dll, then your computer is definitely infected with the trojan. Fix this with HijackThis and also remove AcroIEHelper.dll from your computer. This file will be located in the Acrobat Reader directory. After deleting this file, restart your computer and scan again with HijackThis. If you find this entry again and are unable to remove it, you should install a fresh copy of Windows.
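To check the site's own files for the injected iframe described above, this added example (not part of the original article) scans a local copy of the site for iframe tags that load from a host other than your own. The allowed host `www.example.com`, the file extensions, and the sample page with its `injected.example` URL are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
WEB_EXTENSIONS = (".html", ".htm", ".php", ".asp", ".aspx", ".js", ".tpl")  # assumed types

# Constructed sample page; injected.example is a placeholder host.
SAMPLE_PAGE = """<html><body>
<iframe src="/banner.html"></iframe>
</body></html>
<iframe src="http://injected.example/in.php" width=0 height=0></iframe>
"""


def find_foreign_iframes(text, allowed_hosts):
    """Return (line_number, src) for every iframe whose src host is not allowed."""
    hits = []
    for tag in IFRAME_RE.finditer(text):
        found = SRC_RE.search(tag.group(1))
        if not found:
            continue
        # Take whichever quoting style matched; drop escaping left by script strings.
        src = next(g for g in found.groups() if g is not None).strip("\\\"'")
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host: they load from the site itself.
        if host and host not in allowed_hosts:
            hits.append((text.count("\n", 0, tag.start()) + 1, src))
    return hits


def scan_tree(root, allowed_hosts):
    """Walk a local copy of the site; map each affected file to its hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = find_foreign_iframes(handle.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for line_no, src in find_foreign_iframes(SAMPLE_PAGE, {"www.example.com"}):
        print(f"line {line_no}: iframe src={src}")
```

Run `scan_tree` against a downloaded copy of the site with your own hostnames in the allowed set, and review each reported file before cleaning it and changing the FTP password from a machine you know is clean.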