Removal of JS/ScrInject.b ???


I have found this infection and I have all the symptoms described here:

hxxps://blog.yoocare.com/how-to-remove-jsscrinject-b-virus-step-by-step/

Nod32 cannot find it. I found it with WiperSoft.

How can I remove it?


  • Administrators

"JS/ScrInject.b virus is a highly dangerous virus." This must be a joke since it's rather the opposite. It's a very generic detection that may trigger false positives at times.

By the way: 

wipersoft_setup_1_1_1100.exe » INNO » {app}\wipersoft.exe - a variant of Win64/WiperSoft.A potentially unwanted application

The website in question is also blocked as scam and it indeed resembles tech support scams.

 


15 minutes ago, Marcos said:

"JS/ScrInject.b virus is a highly dangerous virus." This must be a joke since it's rather the opposite. It's a very generic detection that may trigger false positives at times.

By the way: 

wipersoft_setup_1_1_1100.exe » INNO » {app}\wipersoft.exe - a variant of Win64/WiperSoft.A potentially unwanted application

The website in question is also blocked as scam and it indeed resembles tech support scams.

 

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?


  • Most Valued Members
On 5/18/2019 at 12:05 PM, PERRYGOGAS said:

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?

Firstly I'd recommend a speed test to see what speed your net is. Might be just slow in general. You could also try reinstalling Chrome, clearing its cache, history etc.

If a dodgy AV has found an infection there's a high chance it could be a false positive. Many dodgy AVs will detect non-existent viruses to trick you into buying, with some even installing the virus to make you buy.


  • Most Valued Members
On 5/18/2019 at 2:05 PM, PERRYGOGAS said:

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?

Try to add uBlock Origin to your browser and most of these should be blocked by the adblocker (uBlock), because it would prevent them from loading in the first place.

If you are really paranoid about JavaScript in websites and want to prevent it from loading unless you instruct your browser to load it, then also add uMatrix.


19 hours ago, peteyt said:

Firstly I'd recommend a speed test to see what speed your net is. Might be just slow in general. You could also try reinstalling Chrome, clearing its cache, history etc.

If a dodgy AV has found an infection there's a high chance it could be a false positive. Many dodgy AVs will detect non-existent viruses to trick you into buying, with some even installing the virus to make you buy.

I run Superantispyware and the problem seems fixed for now.

We will see. Thanks for the info! Yes, I know about the dodgy antispyware applications.


19 hours ago, Rami said:

Try to add uBlock Origin to your browser and most of these should be blocked by the adblocker (uBlock), because it would prevent them from loading in the first place.

If you are really paranoid about JavaScript in websites and want to prevent it from loading unless you instruct your browser to load it, then also add uMatrix.

I have the "AdBlock" extension to Chrome. But I will try that too!

Thanks!


  • Most Valued Members
2 hours ago, PERRYGOGAS said:

I have the "AdBlock" extension to Chrome. But I will try that too!

Thanks!

uBlock Origin should be better and lighter than the AdBlock versions.

When you add uMatrix, a lot of things will stop working in websites or websites will start looking broken, like even in this forum; if you use it, all of the things that use JavaScript will be stopped unless you allow them.

It helps because if you visit a dodgy website it won't be able to throw all of the malicious JS at you.


53 minutes ago, Rami said:

uBlock Origin should be better and lighter than the AdBlock versions.

When you add uMatrix, a lot of things will stop working in websites or websites will start looking broken, like even in this forum; if you use it, all of the things that use JavaScript will be stopped unless you allow them.

It helps because if you visit a dodgy website it won't be able to throw all of the malicious JS at you.

Great! Thank you!


Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity.

It appears something was installed manually. It could have been standalone software. If it was, then one of the following was applicable:

1. The software was installed prior to Eset being installed.

2. Eset's PUA protection was/is not enabled.

3. Eset's PUA detection was ignored and the poster allowed the software installation.

Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the JavaScript code being detected.


  • Most Valued Members

But isn't that ScriptInject detection coming from a hijacked router/website/browser?


  • Administrators
5 minutes ago, Rami said:

But isn't that ScriptInject detection coming from a hijacked router/website/browser?

It can be virtually any HTML code. Sometimes it could even be an FP, so without further investigation it's impossible to tell. In case we're unable to reproduce the detection, we will be able to tell more only by checking files in the user's quarantine.


  • Most Valued Members

OK, I understand, thank you both, Marcos and itman.


2 hours ago, itman said:

Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity.

It appears something was installed manually. It could have been standalone software. If it was, then one of the following was applicable:

1. The software was installed prior to Eset being installed.

2. Eset's PUA protection was/is not enabled.

3. Eset's PUA detection was ignored and the poster allowed the software installation.

Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the JavaScript code being detected.

 

1 hour ago, Marcos said:

It can be virtually any HTML code. Sometimes it could even be an FP, so without further investigation it's impossible to tell. In case we're unable to reproduce the detection, we will be able to tell more only by checking files in the user's quarantine.

Running Superantispyware the problem is resolved.

I do not know what exactly it was, as it detected some 488 adware etc., but now Chrome runs smoothly and fast.

It is bad that Eset NOD32 could not detect it as I run a thorough in-depth scan...


  • Administrators

Please provide logs and quarantine from the mentioned app so that we can check what it detected.


On 5/18/2019 at 6:16 AM, PERRYGOGAS said:

I found it with WiperSoft.

As far as this software goes, it's a PUA:

Quote

What is WiperSoft?

The Malwarebytes research team has determined that WiperSoft is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

https://forums.malwarebytes.com/topic/240472-removal-instructions-for-wipersoft/


  • Administrators

It is very strange that running SAS made a difference since according to the logs it removed only 12 xml files under C:\USERS\P\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!001\MICROSOFTEDGE\USER\DEFAULT\DOMSTORE\ and 482 tracking cookies under C:\USERS\P\APPDATA\LOCAL\PACKAGES, C:\USERS\GUEST ON P...L\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!002 and in the Firefox SQLite db C:\USERS\P\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\95KO6UBP.DEFAULT\COOKIES.SQLITE. I.e., something that is not subject to detection primarily by AV products.
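
A triage sketch for the kind of log summary in the post above, added here as an example and not part of the original thread or any vendor's tooling: it buckets reported paths so that a large count of cookie and DOM-storage items can be separated from anything that can execute. The `name | path` log format, the detection names and `example_setup.exe` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in a made-up "name | path" format (NOT a real scanner's
# log layout). The first three paths mirror locations named in the post above;
# the file names and the last entry are invented.
SAMPLE_LOG = r"""
tracking-item | C:\USERS\P\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\95KO6UBP.DEFAULT\COOKIES.SQLITE
tracking-item | C:\USERS\P\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!002\cookie_a.txt
tracking-item | C:\USERS\P\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!001\MICROSOFTEDGE\USER\DEFAULT\DOMSTORE\example[1].xml
pua-item | C:\USERS\P\DOWNLOADS\example_setup.exe
"""

# Files that can run or load code are checked first, so one sitting inside a
# browser profile is never written off as harmless browser state.
RUNNABLE = re.compile(r"\.(exe|dll|sys|scr|msi|js|vbs|ps1|bat|cmd|lnk|crx)$", re.I)
BROWSER_STATE = [
    ("edge_dom_storage", re.compile(r"\\MICROSOFTEDGE\\USER\\DEFAULT\\DOMSTORE\\", re.I)),
    ("cookie_store", re.compile(r"\\COOKIES(\.SQLITE)?$", re.I)),
    ("edge_package_data",
     re.compile(r"\\PACKAGES\\MICROSOFT\.MICROSOFTEDGE_[^\\]+\\AC\\#!\d+\\", re.I)),
]

def classify(path):
    """Return a bucket name for one reported path."""
    if RUNNABLE.search(path):
        return "runnable_file"
    for label, pattern in BROWSER_STATE:
        if pattern.search(path):
            return label
    return "other"

def triage(log_text):
    """Count items per bucket and list the ones that need a closer look."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        if "|" not in line:
            continue
        name, path = (part.strip() for part in line.split("|", 1))
        label = classify(path)
        counts[label] += 1
        if label in ("runnable_file", "other"):
            review.append((name, path))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    for name, path in review:
        print("review:", name, path)
```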


57 minutes ago, Marcos said:

and in the Firefox SQLite db C:\USERS\P\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\95KO6UBP.DEFAULT\COOKIES.SQLITE. I.e., something that is not subject to detection primarily by AV products.

No problem accessing that file as limited admin in Win 10.


This topic is now closed to further replies.