OAD_Comscore_NoID2.js from secure-ds.serving-sys.com

Dear Experts,

I have a client whose 2 PCs got infected.

When they go to the Yahoo webpage in Singapore -> Finance -> Currency Converter, there is a pop-up at the bottom of the page.

Do you want to open or save OAD_Comscore_NoID2.js from secure-ds.serving-sys.com?

I went into Control Panel, Internet Add-Ons, Registry.

Malware scan also did detect it.

Any idea on how to stop this?
Anonymous KHIT Engineer Asked:

David Johnson, CD, MVP, Owner Commented:
SpyHunter can remove it for you.
Otherwise, start the computer in Safe Mode with Networking.
Any further reference to <random> means that the name will be a random value.

Start taskmgr.exe and stop all processes run as a user except for taskmgr.exe.
Start regedit.exe
and remove:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DS.SERVING-SYS.COM " = "%AppData%\<random>.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DS.SERVING-SYS.COM " = "%AppData%\<random>.exe"

Run Explorer, go to view settings and show hidden and protected files.
Then remove infected files:
%AppData%\<random>.exe
%CommonAppData%\<random>.exe
C:\Windows\Temp\<random>.exe
%temp%\<random>.exe
C:\Program Files\<random>
0
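An added example, not part of the thread: because `<random>` stands for an unpredictable file name, this PowerShell script filters by location instead of by name. It lists values in the two Run keys from the answer whose target sits in one of the folders the answer names, plus executables sitting directly in those folders. The helper names and the mapping of %CommonAppData% to `$env:ProgramData` are assumptions of this example.

```powershell
# Added example: triage autostart entries and loose executables by location.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# Folders named in the answer; %CommonAppData% is assumed to mean ProgramData.
$suspectDirs = @($env:APPDATA, $env:ProgramData, $env:TEMP, (Join-Path $env:windir 'Temp')) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique

function Get-CommandTarget {   # hypothetical helper: executable path from a Run command line
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }                     # quoted path
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($c -split '\s+')[0]
}

function Test-SuspectPath {    # hypothetical helper: is the path inside a listed folder?
    param([string]$Path)
    foreach ($dir in $suspectDirs) {
        if ($Path.StartsWith("$dir\", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Run-key values whose target lives in one of those folders, whatever its name.
$opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$runHits = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $raw = [string]$item.GetValue($name, $null, $opt)
        $target = Get-CommandTarget $raw
        if (Test-SuspectPath $target) {
            [pscustomobject]@{ Key = $key; Value = $name; Command = $raw; Target = $target }
        }
    }
}

# 2. Executables sitting directly in those folders, hidden ones included (-Force).
$looseExes = foreach ($dir in $suspectDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }
}

$runHits   | Format-List
$looseExes | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Run it in the affected user's session so that HKCU and %AppData% resolve to that user's profile. Entries it lists are candidates for review, since legitimate software also starts from these folders.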

Anonymous KHIT Engineer, Author Commented:
Hi! David,

I did the SpyHunter scan and it found nothing.
0
Anonymous KHIT Engineer, Author Commented:
In the registry, those that you mentioned are not found.
0
David Johnson, CD, MVP, Owner Commented:
OK, then try Sysinternals Autoruns and start hunting.
0
Anonymous KHIT Engineer, Author Commented:
Hi!

I tried Autoruns, and all looks normal.

Is there anything in particular I should look for or filter?

I typed DBS.serving and random in the filter but nothing is found.

SpyHunter needs to be paid for, but it is not finding anything that needs attention.
0
David Johnson, CD, MVP, Owner Commented:
As I said, <RANDOM> represents a random name and is not the name of the executable.
Download a trial of Hitman Pro https://www.hitmanpro.com/en-us/hmp.aspx and share the results.
0
Anonymous KHIT Engineer, Author Commented:
I used ESET Online Scanner; it also cannot find anything.
0
Anonymous KHIT Engineer, Author Commented:
Hi! David,

Is there any software where I can remotely scan the user's PC and input the results here? I do not want to disrupt the user by accessing the PC to do installation and scanning.
0
David Johnson, CD, MVP, Owner Commented:
The user is using a compromised computer. All of the tools require administrative access and must be run on the affected computer.
When you ran Autoruns, did you run it as an administrator AND did you also check the box to submit files to VirusTotal?
0
Anonymous KHIT Engineer, Author Commented:
Are you talking about under the Autorun Scan options, put a tick against Check VirusTotal.com and put a tick for Submit Unknown Images?
0
David Johnson, CD, MVP, Owner Commented:
Exactly
0