
Hi guys,

I recently booted Windows and I saw Windows Update running.

Since I have it controlled (no automatic updates), I thought this was strange.

I thought that it might be some forced update from MS or something, so I went to the Control Panel in order to check what was installed.

It says Silverlight.

But I know that I do not have Silverlight on my computer, so why would it update something it does not have?

So I ran ESET (Swedish version).

I found this:


Logg
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم  مجلد اختار  اي  اسم  لا  يهم\windowsupdate.vbs - VBS/Kryptik.ET trojan - rensad genom borttagning [1]
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم  مجلد اختار  اي  اسم  لا  يهم\ccsetup500.exe = NSIS = PF-Toolbar-W78.exe - är OK

I manually removed Piriform Ltd and subdirectories after that.

I used Google Translate in order to translate "اسم مجلد اختار اي اسم لا يهم" and it turns out that it is "Chose any folder name does not matter \ name".

So my suspicion is that a script kid used a tool for the infection. Somebody in a rush, since they did not name the folder either.

How can this have been transmitted? I have never seen anything like it. Have you?

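The two ESET log lines quoted above follow a simple layout: the scanned object, the signature name if one matched, and the action taken, with "= NSIS =" marking an object found inside an installer archive. The script below is an added example written for this thread (it is not ESET's code and not something the poster ran): it parses log lines in that layout and applies a few defender-side triage heuristics to each record. The sample lines are constructed from the ones in the post plus one clean line, and the flag names and the heuristics (a script file under a shared profile directory such as All Users, a non-ASCII path component, a file name that mimics Windows Update) are my own choices, not ESET behaviour.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample log, modelled on the Swedish ESET output quoted in the post.
# Log text (detection names, actions) is kept as ESET would write it.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم  مجلد اختار  اي  اسم  لا  يهم\windowsupdate.vbs - VBS/Kryptik.ET trojan - rensad genom borttagning [1]
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم  مجلد اختار  اي  اسم  لا  يهم\ccsetup500.exe = NSIS = PF-Toolbar-W78.exe - är OK
C:\Users\alice\Documents\report.docx - är OK
"""

# Heuristic inputs (assumptions for this example, not an ESET setting).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".bat", ".cmd", ".hta"}
SHARED_PROFILE_DIRS = {"all users", "programdata", "public"}  # writable by every local account


@dataclass
class LogEntry:
    raw: str
    path: str                            # object on disk that ESET scanned
    archive_type: Optional[str] = None   # e.g. "NSIS" when ESET looked inside an installer
    inner_name: Optional[str] = None     # object inside that archive
    detection: Optional[str] = None      # signature name; None when the object was clean
    action: Optional[str] = None         # what ESET reported doing, verbatim from the log
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one ESET log line into object / detection / action fields."""
    line = line.strip()
    if not line:
        return None
    line = re.sub(r"\s*\[\d+\]$", "", line)  # drop the trailing "[1]" hit counter
    fields = line.split(" - ")
    if len(fields) == 3:
        obj, detection, action = fields
    elif len(fields) == 2:                   # clean object: no detection field
        obj, action = fields
        detection = None
    else:
        return None                          # unknown layout: do not guess
    archive_type = inner_name = None
    obj_parts = obj.split(" = ")             # "container = TYPE = inner"
    if len(obj_parts) == 3:
        obj, archive_type, inner_name = obj_parts
    return LogEntry(raw=line, path=obj, archive_type=archive_type,
                    inner_name=inner_name, detection=detection, action=action)


def triage(entry: LogEntry) -> LogEntry:
    """Attach triage flags a defender would want to see next to each record."""
    p = PureWindowsPath(entry.path)
    parts_lower = [part.lower() for part in p.parts]
    # The thing that would execute: the inner object if this was an archive hit.
    target = PureWindowsPath(entry.inner_name) if entry.inner_name else p

    if entry.detection:
        entry.flags.append("signature_detection")
    in_shared = any(part in SHARED_PROFILE_DIRS for part in parts_lower)
    if in_shared and target.suffix.lower() in SCRIPT_EXTENSIONS:
        entry.flags.append("script_in_shared_profile")
    if any(ord(ch) > 127 for part in p.parts for ch in part):
        entry.flags.append("non_ascii_path_component")  # not malicious by itself; worth a look
    if "windowsupdate" in target.stem.lower().replace(" ", "").replace("_", ""):
        entry.flags.append("name_mimics_windows_update")
    return entry


def triage_log(text: str) -> List[LogEntry]:
    """Parse and triage every non-empty line of an ESET log dump."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        name = entry.inner_name or PureWindowsPath(entry.path).name
        print(f"{name:24} detection={entry.detection!r:28} flags={entry.flags}")
```

Only the first record carries a signature hit, which matches the reply below that ESET stopped the .vbs on creation; the second record shows why the installer was reported as clean (the NSIS inner object matched nothing) while still sitting in a folder worth inspecting.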

Here's one write-up on it: hxxp://www.cookingsystems.net/completely-remove-update_windows-vbs-vbskryptik-bk/ . It can also be spread via an infected USB drive.


To be safe, I would run an Eset "in-depth" scan on your boot drive. Run the scan as administrator. Also recommended is a like scan on any USB drive you have recently used on the PC.


I have run a deep scan now and it seems to be cleaned. I also searched in the places in regedit. Should I assume that it is cleaned and can continue using the computer?


Should I assume that it is cleaned and can continue using the computer?

Appears so. From what you posted, Eset caught the .vbs malware upon file creation by signature detection. So the malware was not allowed to run and create further infection.


The question is how access to C:\Documents and Settings\All Users\ directory was allowed. In Win 10, access to C:\Documents and Settings is locked down. Check your UAC settings and make sure they are set to default recommended levels. Or as I recommend, set UAC to its highest level. Yes, you will receive more prompts but the added security is worth the minor inconvenience.  

