Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Can't find source of this javascript malware


  • Please log in to reply
3 replies to this topic

#1 mud329

mud329

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 02 December 2017 - 07:29 AM

Hello, I'm running Windows 7 and found that I could not load the front end for a Raspberry PI I use in the home. All other computers here can access it, I'm only having a problem on this one machine. It gets to a "connecting" screen and just hangs.

 

I used the developer console in Chrome and found a couple of suspicious javascript calls that happen when I try to access the PI, these calls don't show up when I look at the console on any other clean/working machine. Here is an example:

https://cdn.optitc.com/jquery.min.js?u=default&f=2&s=500,400,50,50

That domain is not one I recognize at all so I believe it could be related to malware. Things I've tried:

 

- searched the registry for that domain and can't find it (may be encoded?)

- Malwarebytes, TDSSkiller, and HitmanPro trial do not find any infection.

- Cleared cache, cookies, history

- Tried Chrome in safe mode or incognito (in case it was an extension), still get the javascript calls

- Uninstall and reinstall Chrome

 

I have no idea why these javascript calls are only happening on 1 machine and can't find where they are coming from.

 

Edit to clarify: the javascript calls to this suspicious domain happen with other sites too, I just happened to notice them when I could no longer access the UI on my raspberry PI.


Edited by mud329, 02 December 2017 - 07:46 AM.


BC AdBot (Login to Remove)

 


#2 mud329

mud329
  • Topic Starter

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 02 December 2017 - 11:55 AM

This now appears to be solved. For future readers with similar issues, this is what did it for me:

 

1. I found some info online about people with javascript malware who had inaccessible folders in c:\windows\users\[user]\AppData\Local. Sure enough, I had a strangely named folder created a couple days ago when I started having my problems, and had no permission to access it and couldn't take ownership of it. So booted to a USB with linux and deleted the folder.

 

2. Found a strangely named lhfsdf.sys file in c:\windows\System32\drivers. It was also created around the same time as the folder above. Deleted the file. Searched that name in regedit and deleted two keys that referenced it.

 

3. Rebooted the computer, cleared cache and all seems well now.


Edited by mud329, 02 December 2017 - 03:53 PM.


#3 anealkhimani

anealkhimani

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 05 July 2018 - 09:33 AM

It seems I've caught the same bug as you have.

I've run tons of adware/malware apps to try to quash it but cannot seem to get my browser(s) back to not grabbing the same optitc.com javascript.

I too found strange folders in my AppData/Local folder.  I did the same as you by booting from a linux usb drive and deleting the folders.  When I returned to Windows, they came back.

I eventually was able to kill that using some app and at least that is gone now.  Unfortunately, I don't see a lhfsdf.sys file on my system.  The calls to optitc.com still show up in all my browsers (Chrome, Edge, IE 11).

 

Where did you find the info online that lead you to find the fix?  I'm coming up blank for searches for optitc.com (except for this thread actually)

 

Thanks for any help.



#4 mud329

mud329
  • Topic Starter

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 07 July 2018 - 09:26 PM

Hi, the key for me was finding that .sys file in my drivers folder that was date stamped similarly to the rogue folder I couldn't delete. So while you couldn't find a file with the exact same name as mine, I'm betting there is a file in your drivers folder (or some other system folder) that is creating the calls to optitc.com. Look for strangely named files that don't seem to have any legitimate purpose when you google the name. Worst case, rename the file from its current name so you can rename it back if it ends up being a valid file.

 

Getting rid of that strange .sys file and the registry keys that went along with it helped kill the bad behavior on my machine. Good luck!






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users