One thing to do is to see what Google has to say about your site. Enter this URL with your site in place of example.com:

[google.com...]

is it possible for a virus to exist on a web page iteself?

It is possible for javaScript to automatically download one from the page (or attempt to).

Things to look for might be some javaScript or an iframe inserted in the page.

If you have checked the page's source HTML and nothing has been changed then your guess about the user having a scareware problem may well be correct.

But check very carefully.

...

Yes I did notice that the main indez.html page was last updated on May 5 2009 and I know I havent updated it - I downloaded the file and there was a script at the bottom of the page with a bunch of text in it - I deleted it and re-uploaded file - now I just have to figure out how it got there

now I just have to figure out how it got there

Your site has been compromised.

At the very least you should:

Check your computer for viruses and malware
Change your site access passwords
Check any scripts on the site for vulnerabiities
Check for any hidden files
Check for any other external modifications
Restore a clean copy of the site
Monitor carefully

If someone has write access to your site you have a serious problem.

...

[edited by: Samizdata at 6:56 pm (utc) on May 13, 2009]

You probably have other files on there as well that have been compromised and with a VPS the stakes go up, it will most likely happen again unless you find out where they got in.

Look up all the scripts you use at [secunia.com...] .

Regardless of what you find at Secunia, also upgrade all your scripts to their latest versions.

Get the timestamp from the defaced file and examine your access logs to see what requests were being made to your site at exactly that time. That can show you which page they attacked and what method they used to get in.

Also check FTP logs for unauthorized activity.

[edited by: SteveWh at 7:51 pm (utc) on May 14, 2009]

It is also possible that a .jpg image has embedded files in them that can get executed.

Do you allow people to post images in a forum or in ads?

I have the same problem as the OP. I had a line of javascript inserted into every page on my website which, apparently then downloads a trojan onto that person's computer. I reposted my pages (on my local computer the source code is not affected) and changed my ftp password as my hosting company suggested. I did that but the code has returned. I am now flagged by google as a site with malware. I am a real novice at this and am not sure whether there is something I can do/should have done or whether it is the hosting company with perhaps out of date servers. If I change hosts, is the problem likely to continue? Any help very gratefully received.

this WebmasterWorld thread might have some useful tips:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]

Virus on a webpage is possible. You need to scan the file and re-upload in your server.

Check all your logs to see how access was gained then take measures to close that access. Server configuration apparently not secure. Also check for script and database vulnerabilities. If you allow user input sanitize it! Accept nothing except EXPECTED input, deny everything else.

Thanks for the input everyone - I did determine it to be the main index page that had an unidentified line of scripting at the bottom. I have since replaced, changed the ftp password - removed the saved password from my ftp program. Also I run a VPS and updated the config file as a recoomendation from my hosting company and so far all is well