I got a virus from an infected Drupal website. I have Windows 8.1 in Administrator Mode.
The major sign of the virus is that if I open the website in question (which has now been disinfected) with Internet Explorer, I see a bunch of random characters and the source code includes some divs with obfuscated javascript.
I’ve run several anti-virus scans (Avast, AVG, Panda), HijackThis, CCleaner, Malwarebytes, and Security Task Manager.
The only major thing they found was some InetCookies that were malicious and deleted. Since then, I’ve repeatedly emptied the Internet Explorer cache, run multiple scans (in safe mode, at bootup, in regular mode), and whenever I return to opening the website in IE it gives me the malicious code.
Eventually I ran tests with (Sysinternals) Process Monitor and was lucky to catch iexplore.exe writing some malicious registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
There are two standard keys: HRZR_PGYFRFFVBA and HRZR_PGYPHNPbhag:pgbe
(And if you do an internet search for them you will find other references to viruses).
And there are multiple random keys like
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count
P:\Hfref\Nqzvavfgengbe\NccQngn\Ybpny\Grzc\Cebpzba64.rkr
or
Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybt
A smaller number of the keys are .yax files.
Now I can delete the keys, but when I reopen that website in IE, even if I am in Safe Mode (with Networking), they are created again.
I suspect a rootkit infection, but am unable to identify the cause.
I’ve spent a lot of time on this and would greatly appreciate any help.
I could post some logs - though I’m not sure if they are really useful.
My goal is to find the cause of this without having to reinstall Windows, as I want a solution that can be used by others who were infected that is easier than reinstalling.
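The value names quoted in the post are stored ROT13-obfuscated, which is how Windows writes every UserAssist entry; decoding them is the first thing to do before deciding what they are. The following Python script is an added example, not code from the post or from any tool named in it: it decodes such names and parses the binary Count record that accompanies each one. The sample names are the ones quoted above; the 72-byte record layout (session id, run count, focus count, focus time, last-execution FILETIME at offset 60) is the one assumed for Windows 7 and later, and the timestamp in the sample record is constructed.

```python
"""Decode UserAssist value names and Count records (added example)."""
import codecs
import struct
import sys
from datetime import datetime, timedelta, timezone

USERASSIST_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample input: the value names quoted in the post above.
SAMPLE_NAMES = [
    "HRZR_PGYFRFFVBA",
    "HRZR_PGYPHNPbhag:pgbe",
    r"P:\Hfref\Nqzvavfgengbe\NccQngn\Ybpny\Grzc\Cebpzba64.rkr",
    "Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybt",
]
# Constructed timestamp used only to build a sample Count record.
SAMPLE_LAST_RUN = datetime(2014, 3, 1, 12, 30, 15, tzinfo=timezone.utc)


def decode_userassist_name(name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-obfuscated.
    Only ASCII letters rotate; digits, backslashes, ':' and braces pass through."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Exact inverse of filetime_to_datetime (integer arithmetic, no float rounding)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_count_record(blob: bytes) -> dict:
    """Parse a 72-byte Count record (assumed Windows 7+ layout: session id,
    run count, focus count, focus time in ms, ten floats, last-execution
    FILETIME at offset 60, four trailing bytes)."""
    if len(blob) != 72:
        raise ValueError(f"expected 72-byte record, got {len(blob)}")
    session, runs, focus_count, focus_ms = struct.unpack_from("<IIII", blob, 0)
    (last_ft,) = struct.unpack_from("<Q", blob, 60)
    return {
        "session": session,
        "run_count": runs,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_count_record(run_count: int, last_run: datetime, session: int = 0) -> bytes:
    """Inverse of parse_count_record; used here only to construct sample data."""
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, session, run_count, 0, 0)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return bytes(blob)


def decode_all(names):
    """Pair each obfuscated name with its decoded form."""
    return [(n, decode_userassist_name(n)) for n in names]


def dump_live_userassist():
    """On Windows, walk HKCU UserAssist and return (guid, decoded name, record) tuples.
    Returns an empty list elsewhere so the script stays runnable offline."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USERASSIST_PATH) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                count = winreg.OpenKey(root, guid + r"\Count")
            except OSError:
                continue
            with count:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(count, j)
                    except OSError:
                        break
                    j += 1
                    rec = parse_count_record(data) if isinstance(data, bytes) and len(data) == 72 else None
                    results.append((guid, decode_userassist_name(name), rec))
    return results


if __name__ == "__main__":
    for raw, clear in decode_all(SAMPLE_NAMES):
        print(f"{raw:60} -> {clear}")
    for guid, name, rec in dump_live_userassist():
        print(guid, name, rec)
```

Run on any platform it prints the decoded forms of the four quoted names (for instance the path decodes to C:\Users\Administrator\AppData\Local\Temp\Procmon64.exe, and the two "standard keys" to UEME_CTLSESSION and UEME_CTLCUACount:ctor); on the affected Windows machine it additionally lists every live entry with its run count and last-execution time, which is what to compare against the times the website was opened in IE.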