>>Usually, scripts that are dropped on to sites like yours redirect to other, malicious sites. These malicious sites may try to entice unsuspecting users to install trojans, spyware etc. or may attempt "drive-by" installation of such software by probing several known vulnerabilities in various Web browsers, that users may not have patched. In other words, just by visiting your site, your visitors' computers get turned into zombies or spambots. This will not do wonders for your reputation, so you need to address it RFN. A warning from Google like you had can easily be the kiss of death for a site - this is not an exaggeration.
>>
>>It could be that your account password(s) have been compromised - if so, change them, and make them strong passwords. If you use what could be a compromised password in other places you'd better change those as well.
>>
>>Also, you'll need to check all software used to build your site, from the bottom up - Windows, IIS, .Net/ASP.Net, and any 3rd-party libraries you're using (e.g. DotNetNuke). Make sure you're fully patched against security vulnerabilities with all these products.
>>
>>You might want to hire someone who is an expert in locking down a public website like yours, to make sure your attack surface is minimized and that best practices are in place.
>
>You are correct that the script that was dropped on my site was to redirect people to malicious sites. I use only one application to build my site: VS 2005. So if I am the culprit, I need to do a thoroughly check my PC for virus. Which I will do. I will probably buy a copy of SpyBoot and run it along with Avast.

If you have antivirus in place on your PC (i.e. Avast), and it was already catching the script, it's very unlikely that the source of the problem was your computer. Almost certainly it's either an external hacker or a bot/botnet that either cracked your site password(s) or that exploited a vulnerability in the software stack that makes up your site.

>
>I don't know of anybody who does what you are describing as 'expert in locking down a public website'. So I will have to deal with it myself. I applied to Google for reconsideration; hopefully they will read my message and do something soon. Because you are correct, it does great harm to my business.

Either you, or a security expert you hire, will need to audit the software stack your site uses and update/patch/reconfigure as required. Ask your host/ISP for a recommended expert. They may have one or more on-site; it's also in their best interest to help keep your site secure, as your host doesn't want to get a reputation as one that hosts malware. At the very least, if they don't have experts on-site they should be able to recommend someone.

>
>One question I have, what do you mean by "strong" password?

A password that is fairly long and can't be cracked by knowing things about you (e.g. wife/child/dog name) or via a dictionary attack (i.e. a password that's an English word in a dictionary).

Currently, Microsoft's minimum recommendation for a "strong" password is:

- password is at least 7 characters long
- at least one of those characters is a lower case letter e.g. abc
- at least one of those characters is an upper case letter e.g. ABC
- at least one of those characters is a digit e.g. 0 through 9
- at least one of those characters is a non-alpha, non-digit character such as @#%~!

These are the keys to your business! Make them strong!