Hi Pondus,

So the attack code is typically flagged for portal.php → htxp://www.cyberarmy.in/2011/01/portal-hacking-dnn-website-hacking.html
& “%3e%3c/script%3e” is being used in tracking code.
avast! Webshield detects JS;ScriptXE-inf[Trj] in the browser executable.

pol