OAD_Comscore_NoID2.js from secure-ds.serving-sys.com

Dear Experts,

I have a client whose 2 PCs got infected.

When they go to the Yahoo webpage in Singapore -> Finance -> Currency Converter, there is a pop-up at the bottom of the page.

Do you want to open or save OAD_Comscore_NoID2.js from secure-ds.serving-sys.com?

I went into Control Panel, Internet Add-Ons, Registry.

Malware scan also did detect it.

Any idea on how to stop this?
Anonymous KHIT Engineer Asked:
 
David Johnson, CD, MVP (Owner) Commented:
SpyHunter can remove it for you.
Otherwise, start the computer in safe mode with networking.
Any further reference to <random> means that the name will be a random value.

Start taskmgr.exe and stop all processes running as a user except for taskmgr.exe.
Start regedit.exe
and remove:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DS.SERVING-SYS.COM " = "%AppData%\<random>.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DS.SERVING-SYS.COM " = "%AppData%\<random>.exe"

Run Explorer, go to the view settings, and show hidden and protected files.
Then remove the infected files:
%AppData%\<random>.exe
%CommonAppData%\<random>.exe
C:\Windows\Temp\<random>.exe
%temp%\<random>.exe
C:\Program Files\<random>
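A read-only way to run the checks from the reply above, as an added example that is not part of the thread or any participant's post. It lists the two Run keys and flags values that start from the folders named in the reply, then lists top-level .exe files in those folders; mapping %CommonAppData% to `$env:ProgramData` and the function names are assumptions.

```powershell
# Added example: read-only check of the Run keys and folders named in the reply above.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Folders the reply lists as drop locations for <random>.exe.
$watchDirs = @(
    $env:APPDATA                     # %AppData%
    $env:ProgramData                 # %CommonAppData% (assumed to map to ProgramData)
    $env:TEMP                        # %temp%
    (Join-Path $env:windir 'Temp')   # C:\Windows\Temp
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-RunKeyAudit {
    foreach ($key in $runKeys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            # Read the stored data unexpanded, then expand it ourselves for comparison.
            $raw    = [string]$k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $target = [Environment]::ExpandEnvironmentVariables($raw).TrimStart([char[]]' "')
            $hit    = $watchDirs | Where-Object {
                $target.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
            }
            [pscustomobject]@{
                Key     = $key
                Name    = "[$name]"   # brackets make a trailing space in the name visible
                Command = $raw
                Flagged = [bool]$hit  # true when the target sits in a watched folder
            }
        }
    }
}

function Get-ExeCandidates {
    foreach ($dir in $watchDirs) {
        # -Force includes hidden and system files; top level only, as in the reply's paths.
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
    }
}

Get-RunKeyAudit   | Sort-Object Flagged -Descending  | Format-Table -AutoSize -Wrap
Get-ExeCandidates | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

HKCU and the per-user folders belong to whichever account runs the script, so run it in the affected user's session (elevated, to read C:\Windows\Temp).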
 
Anonymous KHIT Engineer (Author) Commented:
Hi! David,

I did the SpyHunter scan and it found nothing.
 
Anonymous KHIT Engineer (Author) Commented:
In the registry, those that you mentioned are not found.
 
David Johnson, CD, MVP (Owner) Commented:
OK, then try Sysinternals Autoruns and start hunting.
 
Anonymous KHIT Engineer (Author) Commented:
Hi!

I tried Autoruns, and all looks normal.

Is there anything in particular I should look for or filter?

I typed DBS.serving and random in the filter, but nothing is found.

SpyHunter needs to be paid for, but it is not finding anything that needs attention.
 
David Johnson, CD, MVP (Owner) Commented:
As I said, <RANDOM> represents a random name and is not the name of the executable.
Download a trial of Hitman Pro https://www.hitmanpro.com/en-us/hmp.aspx and share the results.
 
Anonymous KHIT Engineer (Author) Commented:
I used the ESET online scanner; it also cannot find anything.
 
Anonymous KHIT Engineer (Author) Commented:
Hi! David,

Is there any software where I can remotely scan the user's PC and input the results here? I do not want to disrupt the user by accessing the PC to do installation and scanning.
 
David Johnson, CD, MVP (Owner) Commented:
The user is using a compromised computer. All of the tools require administrative access and must be run on the affected computer.
When you ran Autoruns, did you run it as an administrator AND did you also check the box to submit files to VirusTotal?
 
Anonymous KHIT Engineer (Author) Commented:
Are you talking about, under the Autoruns Scan Options, putting a tick against Check VirusTotal.com and putting a tick for Submit Unknown Images?
 
David Johnson, CD, MVP (Owner) Commented:
Exactly
Question has a verified solution.
