Am I infected?

So my parents told me that every time they turned on the PC (it runs Windows 7) a black, empty command-line window would show for a few seconds on the desktop, and I tried to understand what could cause this.

So I went to msconfig and saw 2 strange programs: the second one is a .js file that I can't find in its path, the other one seems to be a PowerShell script (the bottom image shows the full script).

So from what I can understand, the first one is a script that downloads the .js file, while the second one runs it.
Obviously I disabled them from running on startup and the black command line is gone. Should I be worried? How can I check if I am infected by a virus or something?

I also tried checking the registry keys in the programs' path but couldn't find anything.


Yes you're infected because Windows is malware

gnu.org/proprietary/malware-microsoft.en.html

Solution: install Gentoo

Use Junkware Removal and Adware Cleaner. Scan with Malwarebytes and Hitman. Still can't clean it? Scan with Kaspersky removal.

>hostel in ramallah

Yup, I was pretty worried too when I saw it, I freaked out. I tried to connect to the website from an Ubuntu machine, but it says "file not found" when I connect to the URL in the script; the homepage works, though.

>ramallah
pajeet's out to get you

Idiot, use ComboFix or switch to Gentoo.

It's my parents' PC, I've been using Linux for a while now. Anyway, from 1 to 10, how screwed am I?

>second one is a js file that I can't find in its path
C:\Windows\System32 is the standard path
thank me later

No, I mean msconfig tells me the path where it should be, but it's not there; also nothing in C:\Windows\System32.

Same user as above. Do the following:
>look at how they got infected
>look through the Downloads folder
>look through the browser history
>lecture them (important!)
>tell them how to browse safely
>tell them which sites are safe to download from
>back up important files
>reinstall Windows
>configure Windows to use a guest account every time (pretty hardcore, but nice idea)
msconfig is a nice place to look for autostart entries, but you should look in the registry too.
I think it was something like:
local machine
or
local user
\Software\Microsoft\Windows\Current-blabla\Run
or RunOnce...

Dunno if this is the correct path, but I think so.

Do you know msconfig?

OK, I looked it up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

I was right (feelsniceman.jpg)

Thanks for the help man, the registry path is

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

But there are only 2 values: one is from the antispyware that I installed (Spybot Search & Destroy) and the other one is a default key with no value set; the type is REG_SZ.

Also sorry for my English

I mean this is the path that I find in msconfig for the 2 scripts.

Can I please see what the JS does?
I'm the same user, and I'm a wannabe hacker / security researcher.

Just post the code.

That's the point: I can't find the .js file in the path where the PowerShell script should save it, nor in the one that I can read in the msconfig menu.

I guess someone could try running the PowerShell script in the image I posted to see if it downloads the file, without running it.

Also I tried looking for the .js file name online and it seems like it's a trojan also known as JS.Dropper.KA.

Fucking install Linux on it so your parents won't botnet their PC in 2 seconds

I tested this right now.
The server does indeed respond with a 404, and the malicious script on this site got deleted.

The following happened:
>hostelinramallah.com/ was vulnerable
>hacker dildoswaggins69* found the vulnerability
>dildoswaggins69* uploaded a 'command and control' script to the website with the name l3.php
for reference: en.wikipedia.org/wiki/Command_and_control_(malware)
>hostelinramallah.com/l3.php
>he infected a large number of computers with a virus that requests a .js file from this PHP script
>in theory the JS script can command all infected computers to DDoS a specific service on the internet
for reference: en.wikipedia.org/wiki/Denial-of-service_attack
>your computer was a 'zombie' of a 'botnet'
for reference: en.wikipedia.org/wiki/Zombie_(computer_science)
>the provider that hosted hostelinramallah.com contacted the owner of the site about this
>the owner removed l3.php and the .js file
>fast forward some time
>you found the now useless msconfig entry
>you are asking this when it's way too late

Seems like I found it: the filename is the same and it's labeled as malicious.

malwr.com/analysis/ZjM5NzgzODlhYjNhNGNiZWExMTEwZmJhMmIwMzQ4OGQ/

Does anyone understand what it does?

>tripfagging from now on
The site states I need to log in to download the .js file, but I don't want to.
The text at the bottom of the page is not the .js file.

Says it takes personal information from the browser, which is a bit worrisome.

Remove it, confirm that it is removed, and then change all passwords (your parents' email, etc).

Then tell them to monitor their credit card spending and account balances, though I doubt it's that bad.

Good advice, but I would reinstall the entire Windows every time it got infected.
An infection is something that should never happen, and if it does, then very rarely.
And reinstalling Windows very rarely is not very demanding.

OK, I'm a securityfag, so my standards are maybe too high.

Yeah, also I am not even sure if it's the same file that I was infected with. So now I disabled both scripts from autostart and looked for the registry keys, but found nothing.

Should I use some anti-malware to scan everything and then call it a day? I don't know what else I could do to be sure I removed it.

Security experts and security wannabes (me) hate anti-malware software.
It's basically a placebo to make the user feel like "I don't need to bother about security, I have a nice antivirus".
Antivirus is snake oil.
theguardian.com/technology/2015/jul/27/security-experts-keep-safe-online-password-manager-seven-things
>However, antivirus software was vastly more favoured by non-experts than experts, and barely 60% of the experts actually used it. Users in the know said that “AV is simple to use, but less effective than installing updates,” and that the software “is good at detecting everyday/common malware. But nothing that’s slightly sophisticated”. In contrast, 70% of non-experts thought the advice to use AV software was likely to be “very effective”, and more than 80% of them had it installed.
>So, while you shouldn’t uninstall your AV software, don’t get lulled into a false sense of security about it. Oh, and like everything else, always install the updates.

security.googleblog.com/2015/07/new-research-comparing-how-security.html
>Meanwhile, 42% of non-experts vs. only 7% of experts said that running antivirus software was one of the top three things they do to stay safe online. Experts acknowledged the benefits of antivirus software, but expressed concern that it might give users a false sense of security since it's not a bulletproof solution.

And:
35% of experts and only 2% of non-experts said that installing software updates was one of their top security practices. Experts recognize the benefits of updates—“Patch, patch, patch,” said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates. A non-expert told us: “I don’t know if updating software is always safe. What [if] you download malicious software?” and “Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.”

Relax, you're only infected by the superiority of Windows.

Please:
>nuke the current Windows installation
if Windows 7:
>install Microsoft Security Essentials (antivirus software)

>tell your parents how to use Windows
>they should only download from specific sites
>they should not double-click email attachments from people they don't know
>they should always look at the sender address, e.g. paypall is not the same as paypal
>they should always update Windows and other software

>Should I use some anti-malware to scan everything and then call it a day?
Noooo

That's a virus. Don't bother with malwarebytes or whatever bullshit they'll have you install. Just reinstall the operating system.

>Should I use some anti-malware to scan everything and then call it a day
It's a place to start, but it won't find any bugs that aren't in the AV's library.

Also run a checksum on the file; it looks like it's in the directory C:\Users\Ulss22. Don't forget to make sure hidden files are visible, and then put that checksum into Google; it should find out exactly what virus it is. Looks like a botnet to me.

install gentoo

have a fun trip on balestine :^)

Sysadmin here.

As said, I'd install the OS again. Better yet, install Linux or get a Mac, if your family is retarded enough to get the PC infected.

Yes, your infection is called "Windows 7", a very common virus well known for stealing the user's data and using up significant amounts of resources. This should NOT be installed on anyone's computer.

One possible solution is to install the Linux distro of your choice; this will completely stop the virus.

Over 9000, I'd say.
Despair.