
I'm unable to remove a Trojan from my computer (and also that of a colleague). I think it came from a compromised Drupal website which had 5 malicious PHP scripts (now removed).

I have run several anti-virus scans on my computer (Panda, AVG, Malwarebytes, HijackThis, and RKill), emptied my IE cache completely, installed all of the important Windows 8.1 updates, and run "sfc /scannow" to check my Windows system files.

However, when I open the previously compromised website in Internet Explorer, it returns a garbled set of characters that is much longer than this example:

```html
<div id="mozxnfsbmtzz" style="position: absolute; top: -1333px; left: -1818px">bccfbh dwbzahc. (and so on) </div>
```

If I open this website in Safe Mode, I don't have a problem.

AVG has found a JS-Redir trojan (often txt files in the AppData../InetCookies directory); however, after removing it, it keeps coming back.

I've repeatedly checked the various Windows processes that are running, and also reviewed the Pandora Process Monitor to see what websites are being opened, and found nothing suspicious.

I'm running Windows 8.1 in Administrator Mode.

I'm pretty sure there is a malicious service that is running which keeps reintroducing the virus into my computer, but I haven't been able to detect it.

I'm wondering what I can do, short of reinstalling Windows?

I am considering some kind of plan where I start off booting with the bare minimum of Windows services, and keep adding services until the virus comes back.

  • Reinstall Windows after formatting the drive. – Deer Hunter Feb 25 '16 at 02:11
  • No, I think this belongs on [Superuser](https://www.superuser.com). – Mark Buffalo Feb 25 '16 at 03:36
  • We have a standard question this will get closed as a dupe of. I'd suggest though, maybe the site is still somewhat compromised. – Journeyman Geek Feb 25 '16 at 03:39
  • Ok. So maybe this is on the wrong website. I'm checking out the Sysinternals set of tools for analyzing Windows processes. Even if I fix it for myself by formatting the hard drive, I need a general fix for other people that is easier to apply. So I really want to identify the malicious service(s). http://www.howtogeek.com/school/sysinternals-pro/lesson6/all/ – Aaron Kreider Feb 25 '16 at 04:30
  • @AaronKreider - reinstalling is the easiest fix, all others are potentially snake oil. – Deer Hunter Feb 26 '16 at 14:08
  • It turns out that the virus was very new, so only a couple of anti-virus companies had added it to their scans in the past week (and most hadn't added it at all). Since then, I've been able to identify it, and I also found an additional source of infection that was stopped. Using websites like virustotal.com is useful to test a file or URL against many virus checkers. – Aaron Kreider Mar 03 '16 at 00:12
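One way to check whether the website itself is still serving a cloaked block like the one quoted in the question (an added example, not code from the question or its comments): parse the page with the standard-library HTMLParser and flag any element whose inline style positions it far off-screen. The sample page, the element id and text, and the 500px threshold are constructed assumptions for the demonstration.

```python
"""Flag HTML elements styled to sit far off the visible page (cloaked injected content)."""
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from the real site): one normal div, one
# hidden injected div modelled on the question's snippet, one off-screen span.
SAMPLE_HTML = """<html><body>
<div id="content" style="position: relative; top: 10px">Welcome to our site.</div>
<div id="mozxnfsbmtzz" style="position: absolute; top: -1333px; left: -1818px">bccfbh dwbzahc qpwlem</div>
<span style="position:absolute;left:-9999px">hidden span</span>
</body></html>"""

OFFSCREEN_PX = 500  # assumed threshold: offsets at least this far off the canvas are suspicious
_OFFSET_RE = re.compile(r"(?:top|left|right|bottom)\s*:\s*(-?\d+(?:\.\d+)?)px", re.I)


def is_offscreen(style: str, threshold: int = OFFSCREEN_PX) -> bool:
    """True when an inline style absolutely/fixed-positions its element far off-screen."""
    s = style.replace(" ", "").lower()
    if "position:absolute" not in s and "position:fixed" not in s:
        return False
    return any(abs(float(px)) >= threshold for px in _OFFSET_RE.findall(style))


class OffscreenFinder(HTMLParser):
    """Collect tag, id, style and text of elements that is_offscreen() flags."""
    def __init__(self):
        super().__init__()
        self.findings = []  # one dict per flagged element
        self._open = []     # stack of (tag, finding) for flagged elements still open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if is_offscreen(a.get("style") or ""):
            finding = {"tag": tag, "id": a.get("id"), "style": a["style"], "text": ""}
            self.findings.append(finding)
            self._open.append((tag, finding))

    def handle_data(self, data):
        if self._open:  # text inside a flagged element is what the visitor never sees
            self._open[-1][1]["text"] += data.strip()

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            self._open.pop()


def find_offscreen_elements(html: str) -> list:
    parser = OffscreenFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

This only inspects inline styles; content hidden through stylesheet classes, display:none, or script-generated nodes needs a rendered-DOM check instead.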

0 Answers