Infection Logs, please help - wscript.exe

Hello Avast team,

I read your thread about the wscript virus (http://forum.avast.com/index.php?topic=53253.0) and have included my logs for your perusal. If I could get some assistance it would be greatly appreciated! I’ve attached all the necessary logs with this post.

Cheers,

knicknack

Hi,

I've notified someone for you. Thanks

thank you!

Hi,

Do not use USB memory devices while cleaning is in progress. We shall use the MCShield tool to remove all malware from USB, but only once the host machine is clean.


Malware Fix


Please download Anti-VBSVBE and save it to your desktop.

Note: There are two versions, 32-bit and 64-bit. You need to run the version compatible with your system.

- Double click to run the tool and wait until it finishes.
- It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.


FRST Scan


Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi, thanks for the quick reply.

I’ve attached the latest logs as requested. Let me know if you need anything else.

  • Knicknack

Hi,

Please download the fresh Anti-VBS/VBE tool (64-bit version), re-run the tool and post the logfile here.

Then, re-run FRST, just hit the Scan button and post me fresh FRST.txt logreport.

PS: do not use USB memory devices yet …

Hi there,

Avast alerts have ceased. Let me know if all is well!

-knicknack

Hi, you have more user accounts, therefore malware is active there as well.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
(Microsoft Corporation) C:\Windows\System32\wscript.exe
C:\Program Files\IB Updater
C:\Users\ASTOSM~1\AppData\Local\Temp\roof.vbs
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\Run: [roof] - wscript.exe //B "C:\Users\ASTOSM~1\AppData\Local\Temp\roof.vbs" <===== ATTENTION
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {64eab9b6-5e58-11e3-a3d4-7845c40e50ca} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {64eab9b7-5e58-11e3-a3d4-7845c40e50ca} - G:\TL-Bootstrap.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {9a3b58a5-c998-11e2-82eb-7845c40e50ca} - F:\LaunchU3.exe -a
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {b91fa839-7e32-11e2-9e49-7845c40e50ca} - F:\HPLauncher.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {cb27cd91-d6d4-11e2-8f12-7845c40e50ca} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {fff6308f-1b9a-11e3-9a60-7845c40e50ca} - F:\Handset_USB_Driver.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?publisher=VertiTechnologyYB&dpid=VertiTechnologyYB&co=GB&userid=c86387f9-37ff-131d-da67-c1f4e9428428&searchtype=ds&q={searchTerms}&installDate=18/10/2013
SearchScopes: HKLM-x32 - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?publisher=VertiTechnologyYB&dpid=VertiTechnologyYB&co=GB&userid=c86387f9-37ff-131d-da67-c1f4e9428428&searchtype=ds&q={searchTerms}&installDate=18/10/2013
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/?a=6PQR03IkR6&loc=skw&search={searchTerms}
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\IB Updater\source.crx [2013-09-10]
CHR HKLM-x32\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\IB Updater\source.crx [2013-09-10]
U3 aswMBR; \??\C:\Users\ASTOSM~1\AppData\Local\Temp\aswMBR.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:D1B5B4F1
CMD: DEL %TEMP%\*.* /F /S /Q
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


FRST’s Scan


Re-run FRST, just hit the Scan button and post me fresh FRST.txt logreport.
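As an added illustration, not part of the thread and not FRST's or MCShield's own code, here is a read-only PowerShell check for the two per-user persistence spots the fixlist above touches: a Run value that launches a script host from a Temp folder (the roof.vbs entry) and the MountPoints2 autorun commands remembered for removable drives. It walks every loaded user hive, since the helper notes the other user accounts are affected too; it assumes an elevated prompt, and the cscript/mshta names and the regex are my own extension of the wscript.exe pattern shown in the fixlist.

```powershell
# Added example: report (never delete) suspicious per-user autostart entries.
# Run from an elevated PowerShell so every loaded user hive under HKEY_USERS is readable.

# HKU is not exposed as a PSDrive by default; map it for the duration of the session.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Loaded user hives only (S-1-5-21-... SIDs), skipping the *_Classes hives.
$hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $hives) {
    $sid = $hive.PSChildName

    # 1. Run key: flag a script host (wscript/cscript/mshta, my assumption beyond the
    #    wscript.exe case in the fixlist) launching a script out of a Temp directory,
    #    e.g.  wscript.exe //B "C:\Users\<user>\AppData\Local\Temp\roof.vbs"
    $runKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)\b(wscript|cscript|mshta)\.exe' -and
                $cmd -match '(?i)\\Temp\\.*\.(vbs|vbe|js|jse|wsf|hta)\b') {
                [pscustomobject]@{ SID = $sid; Key = 'Run'; Name = $p.Name; Value = $cmd; Flag = 'SCRIPT-HOST-FROM-TEMP' }
            }
        }
    }

    # 2. MountPoints2: Explorer caches each removable volume's autorun command under
    #    {GUID}\shell\AutoRun\command. List them so the referenced F:\ / G:\ executables
    #    can be reviewed before any USB device is reconnected.
    $mpKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (Test-Path $mpKey) {
        foreach ($vol in Get-ChildItem $mpKey) {
            $cmdKey = Join-Path $vol.PSPath 'shell\AutoRun\command'
            if (Test-Path $cmdKey) {
                $auto = (Get-ItemProperty -Path $cmdKey).'(default)'
                [pscustomobject]@{ SID = $sid; Key = 'MountPoints2'; Name = $vol.PSChildName; Value = $auto; Flag = 'REMOVABLE-AUTORUN' }
            }
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a record; an empty result after the fix is the expected outcome for the Run check.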

ignore this comment …

Here you go

Cool. Now post me fresh FRST.txt logreport. :slight_smile:

Ah ;D reading comprehension is not my strong suit.

Hi,

This looks good. Now we shall check your USB devices in an attempt to clean malware from all of them.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {64eab9b6-5e58-11e3-a3d4-7845c40e50ca} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {64eab9b7-5e58-11e3-a3d4-7845c40e50ca} - G:\TL-Bootstrap.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {9a3b58a5-c998-11e2-82eb-7845c40e50ca} - F:\LaunchU3.exe -a
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {b91fa839-7e32-11e2-9e49-7845c40e50ca} - F:\HPLauncher.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {cb27cd91-d6d4-11e2-8f12-7845c40e50ca} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-56981888-196162964-2650871854-1000\...\MountPoints2: {fff6308f-1b9a-11e3-9a60-7845c40e50ca} - F:\Handset_USB_Driver.exe
CMD: ipconfig /flushdns
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


MCShield’s Scan


Please download MCShield from one of the following links:

MCShield -Official download link

- Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
- Wait a few seconds for MCShield to finish its initial HDD scan…
- Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
- When all scanning is done, you need to post the logreport that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post here AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Tell me how things are going now? 8)