Hi,
Including Avast, I've tried three different anti-virus programs and each one has either deleted or quarantined the infected web pages.
If I restore the infected files with clean ones from my desktop, they work fine, sometimes for over a week, then the JavaScript is injected.
Avast only picks them up during my weekly scan.
To remove the code, I download my entire website directory and do a "find all" in Dreamweaver for the code "<script>var t="
That will find all the infected files, which are index, default and login webpages.
Each time an injection is made, it loads from a different website (you can see a "loading data from xxxxxx.com" in the browser).
I'm quite good with JavaScript and have been able to pick it apart and see the webpage it is loading. The webpage it loads displays a 404 not found error, but within the source code it's clearly a fake 404 page full of very complex JavaScript which I haven't even attempted to pick apart.
What I find strange is that when I remove the JavaScript (which is always placed at the very bottom of the page, outside of any tags or code) it doesn't instantly come back when I run the site.
But also, I'm not storing my websites in the inetpub folder. They're in a completely different folder. So something must be interacting with IIS7 or my computer is being scanned for specific webpages with different extensions (I've had ASP, ASPX, HTM and HTML webpages infected).
I said before that I remote desktop on from work to browse. I was using Firefox for a long time. And after I discovered this I removed Firefox and all its settings and preferences. I now only have Chrome and IE installed (IE asks you to verify every webpage, which is annoying so I don't use it).
I also occasionally used it for USENET, and would scan any download for viruses and scan any keygens with both Avast and STOPzilla. If no viruses were found I would run it (I was looking at different types of rtmp streaming software). I used newzbin.com to find the software.
I've since uninstalled anything I've downloaded, removed the USENET client (newsbin 64bit, which I have a legitimate license for, as I do for everything else except the rtmp streaming software I was experimenting with).
I've removed all software from the server except VMware Workstation (which is legit), the anti-virus software, Chrome, PowerISO (official trial version just used for mounting), FileZilla Server (freeware) and FlashFXP (again a legit install/license).
I still have Malwarebytes running and the log for blocking the IP 95.168.190.200 is now into the thousands!
Windows Firewall is obviously enabled, but I've removed all inbound/outbound records from software I've removed. IIS is disabled and has been for a while. I will search how to clear the Java cache (DONE) and leave a clean copy of an aspx file in my websites directory (still offline) and see if it gets injected.
But of course any more help would be greatly appreciated!
Thank you again.
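
Added example, not part of the original post: a scripted version of the "find all" check described above, which walks a site directory and reports ASP, ASPX, HTM and HTML pages where the `<script>var t=` marker sits after the closing `</html>` tag. The function names and the sample site are constructed for illustration; only the marker string and the file extensions come from the post.

```python
import os
import re
import tempfile

MARKER = "<script>var t="                        # signature quoted in the post
EXTENSIONS = (".asp", ".aspx", ".htm", ".html")  # page types the post reports as hit
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

def trailing_injection(text, marker=MARKER):
    """Return the offset of `marker` if it sits after the last </html>, else None.

    Pages with no </html> at all (includes, fragments) are checked whole.
    """
    closes = list(CLOSE_HTML.finditer(text))
    start = closes[-1].end() if closes else 0
    pos = text.find(marker, start)
    return pos if pos != -1 else None

def scan_tree(root, extensions=EXTENSIONS, marker=MARKER):
    """Walk `root` and return sorted relative paths of pages carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if trailing_injection(fh.read(), marker) is not None:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample: two pages with the marker appended, one clean, one non-page."""
    clean = "<html><body>ok</body></html>\n"
    pages = {
        "index.html": clean + MARKER + '"x";</script>',    # constructed payload stub
        "login.aspx": clean.upper() + "\n" + MARKER + '"y";</script>',
        "about.htm": clean,
        "notes.txt": MARKER,                                # wrong extension, skipped
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for page in scan_tree(site):
            print("injected:", page)
```

Run on a schedule against the live directory, a check like this reports a new injection much sooner than a weekly anti-virus scan.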