IP Logger VBScript Detected by Malwarebytes (help needed)


  1. Posts : 3
    Windows 10
       #1

    IP Logger VBScript Detected by Malwarebytes (help needed)


    Hi everyone, so basically my antivirus started detecting a vbscript in my temp folder as malware (more specifically as an IP Logger). Strange thing is that every day a new vbscript showed up at the exact same hour. Today I opened the file with notepad in order to at least see what it was and it contained the following lines of code. I'd like to know what I'm dealing with and try to root out the problem. Here's the code it had written: Imgur: The magic of the Internet
    Last edited by kyb3878; 24 Nov 2021 at 21:13.


  2. Posts : 16,950
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #2

    How to Upload and Post Screenshots and Files - TenForumsTutorials

    Denis



    Welcome to TenForums.

    It's really worth making time to browse through the Tutorial index - there's a shortcut to it at the top of every page.
    - At the foot of the Tutorial index is a shortcut to download it as a spreadsheet.
    - I download a new copy each month.
    - By downloading it as a spreadsheet I can benefit from Excel's excellent filtering capabilities when I search for topics of interest.
    - Tutorials are also listed by category at Tutorials - there's also a shortcut to that at the top of every page.
    - Both tutorial lists are searchable.
    - You can also search for TenForumsTutorials in many general search engines, such as Google, by adding site:tenforums.com/tutorials after your search term. For example,
    taskbar toolbars site:tenforums.com/tutorials

    You can search TenForums using the search box in the top-right corner of all TenForums webpages or using Advanced Search - TenForums
    - You can also search TenForums threads in many general search engines, such as Google, by adding site:tenforums.com after your search term. For example,
    Search for drivers by HardwareID site:tenforums.com
    - [This is what the search box in the top-right corner of TenForums webpages does automatically]


  3. Posts : 745
    Windows 10/11
       #3

    Hi kyb3878, welcome to TenForums.

    I would try to determine how that script is run. Try searching the registry for that filename. Also see what Autoruns shows: https://docs.microsoft.com/en-us/sys...loads/autoruns

    It could be called by another script or Exe, so a search of the disk for other recently added scripts or exes could be useful.

    With enough determination it will be possible to reveal its secrets, but if you just want to get rid of it, a Windows reset would be in order. The reset option that keeps your files should be safe, as it doesn't keep programs. The "cloud install" option is usually the most efficient.

    But if you prefer to sleuth it out, we'll be here to help.


  4. Posts : 3
    Windows 10
    Thread Starter
       #4

    Thank you for the advice LesFerch. A couple of hours ago I ran RogueKiller in case this was part of a rootkit and found some malicious files that could be related to my problem. Quarantined them. In 10 hours or so I'll know if it solved the problem, and I'll give your methods a try if it didn't.
    Also a friend of mine recommended TronScript to me, any opinions on that one?


  5. Posts : 2,800
    Windows 7 Pro
       #5

    Hi,

    You can additionally set up ProcMon to monitor disk I/O in your Temp folder. If it comes back in time, you may get the culprit then.

    Code:
    Run procmon.exe
    
    Click the "magnifying glass" button on toolbar or disable "Capture Events" from the File menu (Ctrl-E).
    
    Click the "Clear" toolbar button or "Clear Display" from the Edit menu (Ctrl-X).
    
    To narrow the types of events to be captured... On the right of the toolbar buttons... Select only the file cabinet so Process Monitor will only show file system activity. 
    
    From "Filter" menu, Select "Filter..." 
    
    Press the "Reset" button if it is enabled.
    
    In the filter fields, select "Path" "is" and then type into the entry field the local disk you want to monitor. e.g. "c:\Windows\Temp" 
    
    Select "Include".
    
    Click "Add".
    
    Click "Apply".
    
    Click "OK".
    
    Click the "magnifying glass" button on toolbar or enable "Capture Events" from the File menu (Ctrl-E). 
    
    Wait until the script gets created in the specified directory and find in the log window the executable that wrote it.
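As an added example (not part of any post in this thread), a PowerShell script that lists the usual autostart locations referencing a .vbs file or a script host, complementing the Autoruns and ProcMon suggestions above; the function name and the search pattern are my own choices.

```powershell
# Added example, not from the thread: list autostart locations that launch a VBScript
# or a script host. A .vbs that reappears in Temp at the same hour each day is usually
# re-dropped by a scheduled task or logon entry; run in an elevated PowerShell.
function Find-ScriptPersistence {
    $pattern = '\.vbs|wscript|cscript|mshta'   # extension and script hosts to flag
    # 1. Scheduled tasks whose action (program or arguments) matches the pattern
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                $info = $t | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($t.TaskPath)$($t.TaskName)"
                    Command = $cmd
                    LastRun = $info.LastRunTime    # compare with the daily drop time
                    NextRun = $info.NextRunTime
                }
            }
        }
    }
    # 2. Classic Run / RunOnce autostart keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath etc. provider metadata
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Source='RegistryRun'; Name="$key\$($p.Name)"; Command=$p.Value; LastRun=$null; NextRun=$null }
            }
        }
    }
    # 3. Startup folders: any script placed here runs at logon
    $startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Source='StartupFolder'; Name=$_.FullName; Command=$_.FullName; LastRun=$_.LastWriteTime; NextRun=$null } }
}
Find-ScriptPersistence | Format-Table -AutoSize
```

A task whose LastRun or NextRun lines up with the hour the script appears is the first thing to open in Task Scheduler; the process ProcMon names as the writer should match that task's action.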


  6. Posts : 745
    Windows 10/11
       #6

    kyb3878 said:
    Also a friend of mine recommended TronScript to me, any opinions on that one?
    I've never run Tron, but I'm impressed with the thorough documentation and it appears to have a good user community. However, I think it's still best to use specific tools, such as Autoruns and Procmon (thanks @MaloK) to try to determine what's going on. If you run out of time or patience to investigate the issue, then at that point, running Tron could be useful or, at least, an interesting exercise, as long as you follow the recommendations in the documentation (i.e. back up any critical data).

    However, IMO, once a machine has been compromised, the only practical cure is a Windows reset. In the past, this was understandably avoided as a complete, up-to-date install of Windows 7 could take pretty much a whole day (much babysitting of countless updates with MANY reboots). Today a reset of Windows 10, complete and up to date, takes less than an hour. As mentioned earlier, choose the option to keep your files and choose the cloud install option, which will use the latest source files, so you don't have to wait for a bunch of updates. If the system isn't clean after that, you can choose the reset option where you don't keep your user files.

    How much backup you need to do, before doing any of these steps, depends on how much local data you have that's not in the cloud. If you have all your important data in the cloud, then you're in a nice position to do a Windows reset any time without worrying about backups.


  7. Posts : 3
    Windows 10
    Thread Starter
       #7

    RogueKiller did the job everyone, thanks for the advice!


  8. Posts : 745
    Windows 10/11
       #8

    kyb3878 said:
    RogueKiller did the job everyone, thanks for the advice!
    Glad to hear that worked! Consider a full Windows reset if you have any doubts about the security of your computer. It would also be a good time to change your online passwords (strong auto-generated passwords are a good idea).


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
Windows 10 Forums