Infected wscript.exe, I think!

Hi, anybody that can help!! I recently caught a virus through my thumb drive at a printing shop and I am not sure if my computer is infected with it. AVG detected it as autorun.inf in the thumb drive and I have used Panda USB Vaccine to vaccinate it. The software recreates another autorun file such that the virus cannot recreate itself. I have been researching how to solve this problem and I thought that my computer might not be clean, such that the virus keeps replicating itself even after I delete it. I have installed Malwarebytes and did a full scan. The program has found a few threats, mainly PUP.Optional.OpenCandy, and I cleaned it using the program. But now I am afraid that my computer is still infected with a virus because when I tried opening Malwarebytes, it did not open. I tried opening regedit too. It did open but closes immediately. I cannot access msconfig either, but I am able to access Control Panel and cmd. Only when I end wscript.exe from Processes in Task Manager can I open Malwarebytes, regedit, etc…

I'll be attaching the 2 logs, one of which is the quick scan and the other the full scan.

help would be greatly appreciated :D!!

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

* Double click MCShield-Setup to install the application.
* Wait a few seconds for MCShield to finish its initial scan.
  Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
* Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.

Hi, I have done an OTL scan and the scan you asked me to do. Here are the logs. Thanks for the time!

Start and DDS scan.

Hi, I'm sorry for the separate replies. I can only reply to you by Friday … sorry, I'm in the army and I can't bring electronic devices in. Appreciate your help, will be back.

Here are the files from the scan :smiley:

Re-run OTL.exe.

* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2971372773-117361708-1786041707-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2971372773-117361708-1786041707-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2971372773-117361708-1786041707-1001\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-2971372773-117361708-1786041707-1001\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O4 - HKLM..\Run: [SessionLogon] C:\ExpressGateUtil\SessionLogon.exe File not found
O4 - HKU\S-1-5-21-2971372773-117361708-1786041707-1001..\Run: [72e6] C:\Users\Grace Po\AppData\Roaming\64f06\72e6.js ()
O4 - Startup: C:\Users\Grace Po\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.js ()


:files
C:\Users\Grace Po\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.js
C:\Users\Grace Po\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Grace Po\AppData\Roaming\64f06
C:\656b

:commands
[CREATERESTOREPOINT]
[EMPTYJAVA]
[emptytemp]

* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
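
An added example, not part of the original thread or of OTL itself: the fix above removes Run-key and Startup-folder entries that launch .js files from AppData, which Windows Script Host (wscript.exe) runs by default. The Python below triages OTL-style O4 lines for that pattern; the line grammar is inferred from the lines quoted in this thread, and the sample log, extension list and verdict names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed list of Windows Script Host file types (not from the thread).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\start menu\\programs\\startup\\", "\\temp\\")

O4_RE = re.compile(r"^O4(?::64bit:)?\s*-\s*"
                   r"(?P<location>Startup|\S+\\Run(?:Once)?):\s*"
                   r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<rest>.+)$")
# Trailing annotation after the path: "File not found" or "(Company)".
TRAILER_RE = re.compile(r"\s+(?:File not found|\([^()]*\))\s*$")

class Autorun(NamedTuple):
    location: str
    name: Optional[str]
    path: str
    missing: bool

def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one O4 (autorun) line; return None for any other line."""
    line = re.sub(r"\[/?b\]", "", line.strip())  # drop forum BBCode bold tags
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").rstrip()
    path = TRAILER_RE.sub("", rest).strip()
    return Autorun(m.group("location"), m.group("name"), path,
                   rest.endswith("File not found"))

def triage(entry: Autorun) -> str:
    """Verdict: suspicious / review / orphan / ok (constructed labels)."""
    p = entry.path.lower()
    if p.endswith(SCRIPT_EXTS):
        return "suspicious" if any(d in p for d in USER_WRITABLE) else "review"
    return "orphan" if entry.missing else "ok"

def scan(log_text: str) -> List[Tuple[str, Autorun]]:
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [(triage(e), e) for e in entries if e]

# Constructed sample in the same shape as the O4 lines quoted in the fix.
SAMPLE_LOG = r"""
O4:64bit: - HKLM..\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
O4 - HKU\S-1-5-21-1111111111-2222222222-3333333333-1001..\Run: [ab12] C:\Users\Example User\AppData\Roaming\cd34\ab12.js ()
O4 - Startup: C:\Users\Example User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.js ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
"""

if __name__ == "__main__":
    for verdict, entry in scan(SAMPLE_LOG):
        print(f"{verdict:10} {entry.location:12} {entry.path}")
```

A "suspicious" verdict only marks an entry for manual review; a legitimate logon script can match the same pattern.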

Hi Argus. Here is the log for the fix. And does it matter if I killed the wscript process before doing all the scans?

OK, how’s your computer behaving now?

Re-run DDS and attach DDS.txt.

Flash drive looks clean.

Argus, my computer is doing fine now. I can open Malwarebytes as usual, and MCShield would not auto close during startup. Everything is back to normal.
Thanks a lot for your help, Argus!!! Is there a way to see if my computer is really clean? 'Cause I'm quite scared that there are other viruses in my computer…
And how can I clean up the files I have used for this whole cleaning up process?

is there a way to see if my computer is really clean?

Worm:VBS/Dunihi.A → It is an infection that you had; the system is clean now.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

* Remove disinfection tools
* Create registry backup
* Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

Thanks a lot, Argus, for your help!

Cheers :wink: