
Am I infected?


Thread replies: 38
Thread images: 2

File: scripts.png (15KB, 1408x87px)
So my parents told me that every time they turned on the PC (it runs Windows 7) a black empty command line would show for a few seconds on the desktop, and I tried to understand what could cause this.

So I went to msconfig and saw 2 strange programs: the second one is a .js file that I can't find in its path, the other one seems to be a PowerShell script (the bottom image shows the full script).

So from what I can understand, the first one is a script that downloads the js file, while the second one runs it.
Obviously I disabled them from running on startup and the black command line is gone. Should I be worried? How can I check if I am infected by a virus or something?

I also tried checking the registry keys in the programs' path but couldn't find anything
>>
Yes you're infected because Windows is malware

https://www.gnu.org/proprietary/malware-microsoft.en.html

Solution: install Gentoo
>>
use Junkware Removal Tool and AdwCleaner. scan with Malwarebytes and HitmanPro. still can't clean it? scan with Kaspersky removal tool.
>>
File: 43.jpg (58KB, 387x300px)
>>62056404
>hostel in ramallah
>>
>>62056533
Yup, I was pretty worried too when I saw it, I freaked out. I tried to connect to the website from an Ubuntu machine, but it says file not found when I open the URL in the script, though the homepage works.
>>
>ramallah
pajeet's out to get you
>>
>>62056404
Dumbass, use ComboFix or switch to Gentoo
>>
>>62056620
It's my parents' PC, I've been using Linux for a while now; anyway, from 1 to 10, how screwed am I?
>>
>>62056404
>second one is a js file that I can't find in its path
C:\Windows\System32 is the standard path
thank me later
>>
>>62056668
No I mean msconfig tells me the path where it should be but it's not there, also nothing in C:\Windows\System32
>>
>>62056404
same anon as >>62056668
do the following:
>look how they got infected
>look up the Downloads folder
>look up browser history
>lecture them (important!)
>tell them how to browse safely
>tell them what sites are safe to download from
>back up important files
>reinstall Windows
>configure Windows to use a guest account every time (pretty hardcore, but nice idea)
>>62056700
msconfig is a nice place to look for autostart but you should look up the registry too
i think it was like:
local machine
or
local user
\Software\Microsoft\Windows\Current-blabla\Run
or RunOnce ..

dunno if this is the correct path, but i think so
>>
>>62056752
>>62056700
do you know msconfig?
>>
>>62056768
>>62056752
>>62056700
ok i looked it up
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

i was right (feelsniceman.jpg)
>>
>>62056752
Thanks for the help man, the registry path is

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

But there are only 2 values: one is from the antispyware that I installed (Spybot Search and Destroy) and the other one is a default key with an unset value; the type is REG_SZ.

Also sorry for my English
>>
>>62056793
>>62056831
I mean this is the path that I find in the msconfig relative to the 2 scripts
>>
>>62056840
can i please see what the js does ?
I'm the same anon, and I'm a wannabe hacker / security researcher
>>
>>62056840
>>62056878
just post the code
>>
>>62056886
>>62056878
That's the point: I can't find the .js file in the path where the PowerShell script should save it, neither in the one that I can read in the msconfig menu

I guess someone could try running the powershell script in the image I posted to see if it downloads the file without running it
>>
>>62056878
Also I tried looking for the .js file name online and it seems like it's a trojan also known as JS.Dropper.KA
>>
Fucking install Linux on it so your parents won't botnet their PC in 2 seconds
>>
>>62056918
>>62056975
i tested this right now.
the server does indeed respond with a 404 and the malicious script on this site got deleted.

the following happened:
>http://hostelinramallah.com/ was vulnerable
>hacker dildoswaggins69* found the vulnerability
>dildoswaggins69* uploaded a 'command and control' script on the website with the name l3.php
for reference: https://en.wikipedia.org/wiki/Command_and_control_%28malware%29
>http://hostelinramallah.com/l3.php
>he infected a high amount of computers with a virus that requests a js file from this php script
>in theory the js script can command all infected computers to ddos a specific service on the internet
for reference: https://en.wikipedia.org/wiki/Denial-of-service_attack
>your computer was a 'zombie' of a 'botnet'
for reference: https://en.wikipedia.org/wiki/Zombie_(computer_science)
>the provider that hosted http://hostelinramallah.com contacted the owner of the site about this
>the owner removed l3.php and the js file
>fast forward sometime
>you found the now useless msconfig entry
>you are asking this when it's way too late
>>
>>62056878
>>62056886
Seems like I found it, the filename is the same and it's labeled as malicious

https://malwr.com/analysis/ZjM5NzgzODlhYjNhNGNiZWExMTEwZmJhMmIwMzQ4OGQ/

Does anyone understand what it does?
>>
>>62057047
>tripfagging from now on
the site states I need to log in to download the .js file, but I don't want to
the text at the bottom of the page is not the .js file
>>
>>62057047
Says it takes personal information from the browser, which is a bit worrisome.

Remove it, confirm that it is removed, and then change all passwords (your parents' email, etc).

Then tell them to monitor their credit card spending and account balances, though I doubt it's that bad.
>>
>>62057099
good advice, but I would reinstall the entire Windows every time it got infected.
an infection is something that should never happen, and if it does then very rarely.
And reinstalling Windows very rarely is not very demanding
>>
>>62057099
>>62057129
ok I'm a securityfag, so my standards are maybe too high
>>
>>62057090
Yeah also I am not even sure if it's the same file that I was infected with, so now I disabled both scripts from autostart, looked for the registry keys but found nothing.

Should I use some anti-malware to scan everything and then call it a day? I don't know what else could I do to be sure to remove it
>>
>>62057155
security experts and security wannabes (me) hate anti-malware software.
It's basically placebo to make the user feel like "I don't need to bother about security, I have a nice antivirus".
antivirus is snake oil
https://www.theguardian.com/technology/2015/jul/27/security-experts-keep-safe-online-password-manager-seven-things
>However, antivirus software was vastly more favoured by non-experts than experts, and barely 60% of the experts actually used it. Users in the know said that “AV is simple to use, but less effective than installing updates,” and that the software “is good at detecting everyday/common malware. But nothing that’s slightly sophisticated”. In contrast, 70% of non-experts thought the advice to use AV software was likely to be “very effective”, and more than 80% of them had it installed.
>So, while you shouldn’t uninstall your AV software, don’t get lulled into a false sense of security about it. Oh, and like everything else, always install the updates.

https://security.googleblog.com/2015/07/new-research-comparing-how-security.html
>Meanwhile, 42% of non-experts vs. only 7% of experts said that running antivirus software was one of the top three three things they do to stay safe online. Experts acknowledged the benefits of antivirus software, but expressed concern that it might give users a false sense of security since it’s not a bulletproof solution.

And :
35% of experts and only 2% of non-experts said that installing software updates was one of their top security practices. Experts recognize the benefits of updates—“Patch, patch, patch,” said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates. A non-expert told us: “I don’t know if updating software is always safe. What [if] you download malicious software?” and “Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.”
>>
>>62056404
Relax, you're only infected by the superiority of Windows.
>>
>>62057299
please:
>nuke the current windows installation
if windows 7:
>install Microsoft security essentials (Antivirus Software)

>tell your parents how to use windows
>they should only download from specific sites
>they should not double-click email attachments from people they don't know
>they should always look at the sender address, e.g. paypall is not the same as paypal
>they should always update windows, and other software
>>
>>62057155
>Should I use some anti-malware to scan everything and then call it a day?
Noooo
>>
>>62056404
That's a virus. Don't bother with malwarebytes or whatever bullshit they'll have you install. Just reinstall the operating system.
>>
>>62057155
>Should I use some anti-malware to scan everything and then call it a day
It's a place to start, but it won't find any bugs that aren't in the AV's library.

Also run a checksum on the file; it looks like it's in the directory C:\Users\Ulss22. Don't forget to make sure hidden files are visible, and then put that checksum into Google, it should find out exactly what virus it is. Looks like a botnet to me.
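As an added example (not code posted in the thread), the registry check from the earlier post and the checksum step from this one, combined into one PowerShell script: it lists every Run/RunOnce entry under HKLM and HKCU, flags entries that invoke a script host or a download command the way the OP's dropper did, and prints the SHA256 of any file an entry points at so the hash can be looked up. It assumes PowerShell 4 or later is installed on the Windows 7 machine (stock 2.0 lacks Get-FileHash; `certutil -hashfile <path> SHA256` is the fallback).

```powershell
# Added example: audit autostart Run/RunOnce keys and hash the files they reference.
# Assumes PowerShell 4+ (Get-FileHash). Read-only: nothing is deleted or changed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Traits of a script-based dropper like the one in the thread: a script host
# (powershell/wscript/cscript/mshta), a .js/.vbs file, or a download primitive.
$suspicious = 'powershell|wscript|cscript|mshta|\.js\b|\.vbs\b|DownloadFile|DownloadString|-enc'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $cmd  = [string]$p.Value
        $flag = if ($cmd -match $suspicious) { 'SUSPICIOUS' } else { 'ok' }
        Write-Output ('[{0}] {1}\{2} = {3}' -f $flag, $key, $p.Name, $cmd)

        # Pull the program/script path out of the command line: a quoted path
        # if present, otherwise the first token. Expand %VARS% before testing.
        $quoted = [regex]::Match($cmd, '"([^"]+)"')
        $path = if ($quoted.Success) { $quoted.Groups[1].Value } else { ($cmd -split ' ')[0] }
        $path = [Environment]::ExpandEnvironmentVariables($path)

        # Test-Path sees hidden files too, so no need to toggle Explorer settings.
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Output ('        file:   {0}' -f $path)
            Write-Output ('        sha256: {0}   (look this value up in a sandbox/AV database)' -f $hash)
        } elseif ($flag -eq 'SUSPICIOUS') {
            # Matches the OP's situation: entry still present, payload already gone.
            Write-Output ("        referenced file not found at '{0}'" -f $path)
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a SUSPICIOUS entry whose file is missing is still worth recording, since the dropper's own command line (the part msconfig shows) is what identifies the campaign.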
>>
>>62056404
install gentoo
>>
>>62056404
have a fun trip on balestine :^)
>>
>>62056404
sysadmin here

like >>62057472 said, I'd install the os again. Better yet, install linux or get a mac, if your family is retarded to get the pc infected.
>>
>>62056404
Yes, your infection is called "Windows 7", a very common virus well known for stealing the user's data and using up significant amounts of resources. This should NOT be installed on anyone's computer.

One possible solution is to install the Linux distro of your choice, this will completely stop the virus.
>>
>>62056640
Over 9000, I'd say
Give up hope