We keep getting an alert about a Trojan when we click on one link on our website…
File name: C:\Documents and Settings\myname\Local Settings\Temporary Internet Files\Content.IE5\HS2HR24F\specialty_list[2].htm
Malware name: HTML:IFrame-CG [trj]
Malware type: Trojan Horse
VPS version: 090407-0, 04/07/2009
On the Server that delivers this we have removed this file, changed the domain name and changed the filename. I confirm in the logs that the correct file is now being delivered. We have deleted all temporary files from IE.
This message still occurs. The IP of the server remains the same.
And the link is?
Change the http on the URL to hXXp so the suspect link isn’t active, avoiding accidental exposure.
What is the site about, e.g. if a forum or PHP driven, etc. then there is a possibility that the version of the software used to manage content may be vulnerable and exploited to inject code into the page.
Actually, looking at the page there is a very suspicious onload specified in the body tag. I removed the link from the previous post until I get that taken out - don’t want anybody clicking on it…
See e.g. below in how to modify your post, changing the http to hXXp to avoid accidental exposure, thanks.
I have got the alert clicking the speciality list link from the home page and I can’t see anything obvious, not an iframe in sight, nor can I see any script tag that might use obfuscation to hide something like an iframe tag.
Though the onload within the body tag would be suspect if you didn’t place it there.
I have uploaded the temp file that avast alerts on as a possible false positive.
The idea of changing the url path is so it isn’t active, clickable so none can click it accidentally and be exposed.
e.g. hXXp://accleads.quickcreative.net/specialty_lists.htm note it isn’t displayed as a clickable url but a human can change the XX back to tt to investigate the suspect link.
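The manual inspection described in this thread (looking for iframe tags, script tags that might hide one through obfuscation, and an onload on the body tag), as an added Python example that is not part of the original posts. The sample page, `loadExtra` and the example.invalid URL are constructed, and the obfuscation markers are a heuristic assumption, not avast's detection logic.

```python
import re
from html.parser import HTMLParser

# Calls often used to build markup at runtime (heuristic markers, not a verdict).
OBFUSCATION = re.compile(r"unescape\s*\(|eval\s*\(|fromCharCode|document\.write", re.I)

class InjectionAudit(HTMLParser):
    """Collects the elements the thread inspects by hand, with line numbers."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []          # (line, kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.findings.append((line, "iframe-hidden" if hidden else "iframe", a.get("src", "")))
        elif tag == "body" and "onload" in a:
            self.findings.append((line, "body-onload", a["onload"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings.append((line, "script-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append((self.getpos()[0], "script-obfuscation", data.strip()[:60]))

def audit(html_text):
    parser = InjectionAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page, not the file from the thread.
SAMPLE = """<html><head><title>Specialty list</title>
<script>document.write(unescape("%3Cb%3Econstructed%3C/b%3E"));</script>
</head>
<body onload="loadExtra()">
<p>Listing</p>
<iframe src="http://example.invalid/frame" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Every finding is something to compare against what the site owner knowingly put in the page; an unexpected entry is the part to investigate on the server.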