PERRYGOGAS

Removal of JS/ScrInject.b ???


I have found this infection and I have all the symptoms described here:

hxxps://blog.yoocare.com/how-to-remove-jsscrinject-b-virus-step-by-step/

Nod32 cannot find it. I found it with WiperSoft.

How can I remove it?


"JS/ScrInject.b virus is a highly dangerous virus." This must be a joke since it's rather the opposite. It's a very generic detection that may trigger false positives at times.

By the way: 

wipersoft_setup_1_1_1100.exe » INNO » {app}\wipersoft.exe - a variant of Win64/WiperSoft.A potentially unwanted application

The website in question is also blocked as a scam and it indeed resembles tech support scams.

 

15 minutes ago, Marcos said:

"JS/ScrInject.b virus is a highly dangerous virus." This must be a joke since it's rather the opposite. It's a very generic detection that may trigger false positives at times.

By the way: 

wipersoft_setup_1_1_1100.exe » INNO » {app}\wipersoft.exe - a variant of Win64/WiperSoft.A potentially unwanted application

The website in question is also blocked as a scam and it indeed resembles tech support scams.

 

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?

On 5/18/2019 at 12:05 PM, PERRYGOGAS said:

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?

Firstly, I'd recommend a speed test to see what speed your net is. Might be just slow in general. You could also try reinstalling Chrome, clearing its cache, history, etc.

If a dodgy AV has found an infection, there's a high chance it could be a false positive. Many dodgy AVs will detect non-existent viruses to trick you into buying, with some even installing the virus to make you buy.

On 5/18/2019 at 2:05 PM, PERRYGOGAS said:

 I have all these symptoms: slow internet, very slow Chrome, Facebook running very slow...

 

What can I do?

Try to add uBlock Origin to your browser and most of these should be blocked by the adblocker (uBlock) because it would prevent them from loading in the first place.

If you are really paranoid about JavaScript in websites and want to prevent it from loading unless you instruct your browser to load it, then also add uMatrix.

19 hours ago, peteyt said:

Firstly, I'd recommend a speed test to see what speed your net is. Might be just slow in general. You could also try reinstalling Chrome, clearing its cache, history, etc.

If a dodgy AV has found an infection, there's a high chance it could be a false positive. Many dodgy AVs will detect non-existent viruses to trick you into buying, with some even installing the virus to make you buy.

I ran Superantispyware and the problem seems fixed for now.

We will see. Thanks for the info! Yes, I know about the dodgy antispyware applications.

19 hours ago, Rami said:

Try to add uBlock Origin to your browser and most of these should be blocked by the adblocker (uBlock) because it would prevent them from loading in the first place.

If you are really paranoid about JavaScript in websites and want to prevent it from loading unless you instruct your browser to load it, then also add uMatrix.

I have the "AdBlock" extension for Chrome. But I will try that too!

Thanks!

2 hours ago, PERRYGOGAS said:

I have the "AdBlock" extension for Chrome. But I will try that too!

Thanks!

uBlock Origin should be better and run lighter, better than the AdBlock versions.

When you add uMatrix, a lot of things will stop working in websites, or websites will start looking broken, like even in this forum; if you use it, all of the things that do use JavaScript will be stopped unless you allow them.

It helps because if you visit a dodgy website it won't be able to throw all of the malicious JS at you.

53 minutes ago, Rami said:

uBlock Origin should be better and run lighter, better than the AdBlock versions.

When you add uMatrix, a lot of things will stop working in websites, or websites will start looking broken, like even in this forum; if you use it, all of the things that do use JavaScript will be stopped unless you allow them.

It helps because if you visit a dodgy website it won't be able to throw all of the malicious JS at you.

Great! Thank you!


Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity.

It appears something was installed manually. It could have been standalone software. If it was, then the following were applicable:

1. The software was installed prior to Eset being installed.

2. Eset's PUA protection was/is not enabled.

3. Eset's PUA detection was ignored and the poster allowed the software installation.

Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the JavaScript code being detected.


But isn't that detection, the ScriptInject, coming from a hijacked router/website/browser?

5 minutes ago, Rami said:

But isn't that detection, the ScriptInject, coming from a hijacked router/website/browser?

It can be virtually any HTML code. Sometimes it could even be an FP, so without further investigation it's impossible to tell. In case we're unable to reproduce the detection, we will be able to tell more only by checking files in the user's quarantine.


OK, I understand, thank you both, Marcos and ITman.

2 hours ago, itman said:

Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity.

It appears something was installed manually. It could have been standalone software. If it was, then the following were applicable:

1. The software was installed prior to Eset being installed.

2. Eset's PUA protection was/is not enabled.

3. Eset's PUA detection was ignored and the poster allowed the software installation.

Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the JavaScript code being detected.

 

1 hour ago, Marcos said:

It can be virtually any HTML code. Sometimes it could even be an FP, so without further investigation it's impossible to tell. In case we're unable to reproduce the detection, we will be able to tell more only by checking files in the user's quarantine.

Running Superantispyware, the problem is resolved.

I do not know what exactly it was, as it detected some 488 adware etc., but now Chrome runs smoothly and fast.

It is bad that Eset NOD32 could not detect it, as I ran a thorough in-depth scan...


Please provide logs and quarantine from the mentioned app so that we can check what it detected.

On 5/18/2019 at 6:16 AM, PERRYGOGAS said:

I found it with WiperSoft.

As far as this software goes, it's a PUA:

Quote

What is WiperSoft?

The Malwarebytes research team has determined that WiperSoft is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

https://forums.malwarebytes.com/topic/240472-removal-instructions-for-wipersoft/


It is very strange that running SAS made a difference, since according to the logs it removed only 12 xml files under C:\USERS\P\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!001\MICROSOFTEDGE\USER\DEFAULT\DOMSTORE\ and 482 tracking cookies under C:\USERS\P\APPDATA\LOCAL\PACKAGES, C:\USERS\GUEST ON P...L\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES\MICROSOFT.MICROSOFTEDGE_8WEKYB3D8BBWE\AC\#!002 and in the Firefox SQLite db C:\USERS\P\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\95KO6UBP.DEFAULT\COOKIES.SQLITE. I.e., something that is not subject to detection primarily by AV products.

57 minutes ago, Marcos said:

and in the Firefox SQLite db C:\USERS\P\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\95KO6UBP.DEFAULT\COOKIES.SQLITE. I.e., something that is not subject to detection primarily by AV products.

No problem accessing that file as limited admin in Win 10.
