My friend called me this morning and said that she went to publish a post and was given a screen in her WP Admin area that "looked like a wordpress page" telling her she needed to update in order to continue. The page had a "click here" link on it which she clicked.
After clicking on the link it showed a screen saying update complete. However, now when people visit her blog they are given the option to download a file (which through testing we've confirmed to be a trojan horse). The file name is xpl.wmf and in the download window it says that it comes from proffy209 DOT com (PLEASE do not visit that domain, we have not tested it for neutrality yet).
For your safety I'd rather not post the link to her blog; however, has anyone seen anything like this before, and if so, how did you fix it?
She's running WP 2.0, if you need more info please just ask as any help would be great. Thanks!