2 clients (call them Client R and Client B) reported users of their websites complaining about their anti-viruses detecting a trojan called: CoinHive.js. This seem to be a bitcoin mining malware, that starts threads when a user accesses the website to use processing power and generate bit coin.
After a lot of analysis, and after MalwareBytes (and other anti-malware software) scan returned no virus/trojan hits, we ended up downloading the published websites locally and scanning them with Autopsy.
Client R's website returned various hits. Some were false positives, others were straight and plain, the injected coin mining script. What fixed the issue was manually removing the scripts from the files, and deleting the server cache: C:\Windows\Temp
Client B's website returned no hits. But when entering the website and inspecting element, the bit coin mining script still seems to appear at the bottom of the html markup and our Mcaffee still detects it (for some reason it detects it in Internet explorer but not Chrome???).
We also scanned all other websites on the same server and no other website seems to contain the script: we thought perhaps the fact that Client B's website is infected was due to another website injecting the script into it.
I found 2 tools: Anti Web Miner and No Coin but they both seem to have to do with the client users accessing the website and nothing to do with the hosting server.
Where could the script be injected from? What can we try? Is there some kind of executable or anything else we can look for manually?