Auctiva President Jeff Schlicht said the Trojan-Clicker pops up ads on Asian sites. He believes the malware remains resident in system memory and continuously or regularly attempts to connect to specific websites in order to inflate the visit counters for those specific pages.
He said Auctiva immediately took the infected servers out of rotation, wiped the Operating Software on those servers, and reloaded them and put them back online around 3 pm on Saturday. While the servers were offline, the site ran slower but is now back to normal speed.
Attempting to visit the site continues to result in a pop-up warning, "This web site at www.auctiva.com has been reported as an attack site and has been blocked based on your security preferences." Schlicht said while Google is quick to identify such problems, it's slow to remove the warning after the problem is resolved. "Hopefully we can get that taken care of soon," he said of the Google warnings.
He added, "The safest thing to do for users now is to make sure they have their virus detection turned on and updated to be safe. Of course they should be doing that anyway. We've fixed the issue and been going through every server, around 200, and running detection and haven't found anything."
The site StopBadware.org has resources on removing malware.
Update 2/23/09: The home page of Auctiva currently displays this message:
Our web site, auctiva.com, was infected by malware on 2/19/09. Since that time we have been working 24/7 to remove the malware from our servers.
During the most recent evaluation of the situation, we determined that the best course of action would be to temporarily take auctiva.com offline. Once we are confident that we have completely removed the malware, we will bring auctiva.com back online.
During this time your Auctiva Checkout, scheduled listings, and images, templates and scrolling gallery in listings on eBay will remain available. However, the supersize images function will not work.
Please visit our Community Forums for on-going updates http://community.auctiva.com/eve/forums/a/frm/f/1081020411.