Malware/Spyware Removal

How do I get rid of scrinject.b.gen?
Who is Participating?
chongbenkeeAuthor Commented:
I will live with the problem for now. Thanks all for trying.
Try this guide:

Out of curiosity, how did you know you had it and what A-V are you using?
chongbenkeeAuthor Commented:
I have view the particular log. Did not follow thru because I need to clean ("delete?") some system files. I did start the chat.... but the support personnel requested direct access to my web server. A bit worry on that.... especially it is our 1 and only Corporate Web and Application server. Cannot afford to "damage"it.

It actually added "hyperlink script" in a text field in my MS SQL Server database.

It was detected by ESET NOD 32. For some unknown reasons, only ESET is "more" aware of this malware.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

malwarebytes in safemode
@masteripper - I think this is a question about a server based situation. If true, no one should be using ComboFix on it (workstation OS only).

@chongbenkee - Please give us some more details about the platform OS and what steps you have taken. Until we know more about your situation, we can only make guesses about what steps you should take.
chongbenkeeAuthor Commented:
I have asked around and search for solution in the net. Couldn't find a specific "removal tool" yet. Personally, the "acceptable" options are by teesupport and cleanpc, but.... teesupport need to access my Web server whilst cleanpc system do not support Win2000.

I have installed Malwarebytes in both my Web and Database servers. The malware was not detected in both Win 2K servers.

Additional clarification :
- Only detected by ESET.  No issue for non-ESET users.
- Once detected, user access to our in-house system (develop in VB+Asp+C++) terminated.
- The only "infection" detected thus far is that a commom script ".......<script..................." is inserted at the end of all the contents in some of the fields in one of our table. Our temporary solution is to use sql command to periodically detect the changes and automatically removed the inserted ".......<script...................". It works well thus far. I will try to get the exact script inserted and post it asap.
- Install Malwarebytes in both Web and Database servers because we are not sure which server is infected.

It is still manageable becos we only have a few ESET users, and the "detected" infection thus far is only the insertion of the script into a few "non-critical" fields.

Hope someone out there can help to sort this out sooner than later. Thanks in advance.
this sql insertion could mean there is an infected machine somewhere on your network - or sql ports are open to the outside world
Download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install.
When the installation begins, follow the prompts and do not change the default settings.
When installation has finished leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found to install. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download the updates and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.
Post your log file when done.

Thanks to Bleeping for the detailed instructions on how to install Malwarebytes
Sudeep SharmaTechnical DesignerCommented:
>>>> it is our 1 and only Corporate Web and Application server

Is the Server/Web Site published to be accessed from outside????

If it is then it might be a possibility that the hackers have gained access through the website and might have exploited the server through SQL Injection, then uploaded the shell, then uploaded files and lastly executed the files (malware/virus ...etc) to insert the text.

Further could you post the logs or screenshot of logs from the ESET as well?
chongbenkeeAuthor Commented:
The problem is temporary managed using the SQL command, eg. the "addtional" script appended to the data is automatically detected and deleted. No harm done thus far.

Meanwhile, still dreaming of a "fast and easy" solution to kill scrinject.b.gen!!

Also, Mozilla, Chrome, Safari, etc will prompt a similar warning message (attachment), but not I.E. Still trying to "remove" our url from Google "Safe Browsing" security list.
Sudeep SharmaTechnical DesignerCommented:
Also, Mozilla, Chrome, Safari, etc will prompt a similar warning message (attachment), but not I.E. Still trying to "remove" our url from Google "Safe Browsing" security list.

Is there any website which is publicly available which we can analyze?

chongbenkeeAuthor Commented:
The script detected by Google Webmaster :
<script src="" target="_blank" onmouseover="'red'" onmouseout="'#A24015'" style="text-decoration: none; color: #A24015; FONT-SIZE: 11px; FONT-FAMILY: 'arial'">

However, the "script" is currently automatically detected and deleted via our sql command (stored procedure), set to run hourly. In other words, Google Webmaster will not find the script anymore unless the crawling was done during the hourly gap.  

The "attack" seems to "slow down"......... the previous attack was on 1 Sept 2012.
chongbenkeeAuthor Commented:
No cure form now. Been too long. Will re-look into this only if necessary.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.