I just found another page that said that the attack happened in 2 places for them. The first was that there was an .htaccess page and an index.html that both had redirects located not in their web root, but in their secure web root folder (https.) This changes for every provider, but of all the sites I’ve found that were affected with these particular baddies they all seemed to be hosted by MZIMA.net:
http://www.google.com/safebrowsing/diagnostic?site=AS:25973

I’m assuming you have an https folder. Remove the index.html and .htaccess file and lock it down with an htusers file.