Please help me! wscript.exe

Hello there!
Can you help me to fix wscript.exe?

http://i.imgur.com/sTp7SH3.png

I can’t access “Start Task Manager”. :‘( :’(

http://i.imgur.com/HxY3yID.png

You see in the picture. the black rectangle.

  • pagefile.sys = VIRUS
  • hiberfil.sys = VIRUS
  • $RECYCLE.BIN = VIRUS

I put my friend’s usb to my computer then my pc got slow.

Please help me! :((

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Here FRST.txt

The FRST scan is only partial, could you re-run it

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

THEN

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

FRST.txt
Addition.txt

MCShield-AllScans.txt

I still need the main FRST log as I am getting just fragments

Where? :o

You should have and FRST,txt file on the desktop attach that

Here.

Let me know what problems remain after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [iFunBox Price Watch] => C:\Program Files (x86)\iFunbox 2013\iFunBox2013.exe /tray HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [AdobeBridge] => [X] HKU\S-1-5-21-32617649-587432352-3770057819-1001\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\richard\Documents\df5srvc.bfe" HKU\S-1-5-21-32617649-587432352-3770057819-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\richard\Documents\df5srvc.bfe" Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Refresh.lnk ShortcutTarget: Refresh.lnk -> C:\Windows\Mango Skin Pack\Tools\Refresh.cmd (No File) HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Before = http://tuvaro.com/ws/?source=4c3f95e5&tbp=homepage&toolbarid=base&u=742a4636000000000000002511c2a5ab URLSearchHook: HKLM-x32 - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15} URLSearchHook: HKCU - Default Value = {74198672-5F7D-4FE9-A611-4AC1D5A66A15} SearchScopes: HKCU - ÛŸÆîZ§’2¹Þpv¨IÍá*X(Ž2s(ÛÎÀJºÔÓµ± vË°!×—(ä¼48иpatm6êo^Mp`Ëõ÷_i£w˜¾!„Áû†x¢8€ÙjÀÿþ ´Ñ;áa´[¦†8 º~RÙxœòÜ8'£-)x­ä­ URL = BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> H:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll No File BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> H:\Program Files (x86)\Internet Download Manager\IDMIECC.dll No File FF Plugin HKCU: xyzgl-plugin@xyz-soft.com -> C:\Program Files (x86)\Alfheim\npxyzgl.dll No File CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 17\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-05-31] CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 18\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-06-01] CHR Extension: (Funmoods) - C:\Users\richard\AppData\Local\Google\Chrome\User Data\Profile 26\Extensions\bbjciahceamgodcoidkjpchnokgfpphh [2013-07-14] S3 X6va017; \??\C:\Windows\SysWOW64\Drivers\X6va017 [X] S3 xhunter1; \??\C:\Windows\xhunter1.sys [X] U3 aswMBR; \??\C:\Users\richard\AppData\Local\Temp\aswMBR.sys [X] 2014-10-19 00:29 - 2014-10-19 00:29 - 00007247 _____ () C:\Windows\system32\rad67BD5.tmp 2014-10-18 23:51 - 2014-10-18 23:51 - 00007247 _____ () C:\Windows\system32\radAF845.tmp 2014-10-18 23:04 - 2014-10-18 23:04 - 00007247 _____ () C:\Windows\system32\rad6455F.tmp 2014-10-18 22:55 - 2014-10-18 22:55 - 00007247 _____ () C:\Windows\system32\rad8E652.tmp 2014-10-18 21:57 - 2014-10-18 21:57 - 00007247 _____ () C:\Windows\system32\rad19FD4.tmp 2014-10-18 20:45 - 2014-10-18 20:45 - 00007247 _____ () C:\Windows\system32\rad63DC5.tmp 2014-10-18 20:44 - 2014-10-18 20:44 - 00007247 _____ () C:\Windows\system32\radEC9D3.tmp 2014-10-18 20:44 - 2014-10-18 20:44 - 00007247 _____ () C:\Windows\system32\radD4EC4.tmp 2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radDED51.tmp 2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC6CA3.tmp 2014-10-18 20:44 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC4B8B.tmp 2014-10-18 20:43 - 2014-10-18 20:43 - 00000744 _____ () C:\Windows\SysWOW64\AdvancedInstallers.lnk 2014-10-18 20:43 - 2014-10-18 20:43 - 00000734 _____ () C:\Windows\SysWOW64\AI_RecycleBin.lnk 2014-10-18 20:43 - 2014-10-18 20:43 - 00000724 _____ () C:\Windows\system32\AdvancedInstallers.lnk 2014-10-18 20:43 - 2014-10-18 20:43 - 00000716 _____ () C:\Windows\SysWOW64\0409.lnk 2014-10-18 20:43 - 2014-10-18 20:43 - 00000696 _____ () C:\Windows\system32\0409.lnk 2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\Tasks\dekstop.ini 2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\SysWOW64\dekstop.ini 2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\dekstop.ini 2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system\dekstop.ini 2014-10-18 20:43 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\Minidump\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\richard\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Default\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\ale\dekstop.ini 2014-10-18 20:42 - 2006-02-04 19:30 - 00011330 __RSH () C:\ProgramData\Microsoft\Windows\Start Menu\dekstop.ini 2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\Documents\dekstop.ini 2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\Public\Desktop\dekstop.ini 2014-10-18 20:41 - 2006-02-04 19:30 - 00011330 __RSH () C:\ProgramData\dekstop.ini 2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 _RSHC () C:\Program Files\dekstop.ini 2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\dekstop.ini 2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Program Files\Common Files\dekstop.ini 2014-10-18 20:40 - 2006-02-04 19:30 - 00011330 __RSH () C:\Program Files (x86)\dekstop.ini 2014-10-18 20:35 - 2014-10-19 00:29 - 00000000 _____ () C:\Windows\system32\Serv60d.dll 2014-10-18 20:35 - 2014-10-18 20:35 - 00007247 _____ () C:\Windows\system32\radFF515.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radFBC28.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radE8DED.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radC1B4E.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radAAE3D.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\radA3B79.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\rad94B75.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Windows\system32\rad556F0.tmp 2014-10-18 20:35 - 2006-02-04 19:30 - 00011330 __RSH () C:\Users\richard\Documents\df5srvc.bfe 2014-10-18 20:41 - 2013-03-03 00:13 - 00000000 ____D () C:\ProgramData\boost_interprocess C:\Users\richard\Documents\df5srvc.bfe EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

I don’t know which one is. Sorry T^T

FRST: Fixlog.txt
I’m going to sleep now.

Let me know of any problems when you wake :slight_smile:

Im here now. My problem is i can’t access “Start Task Manager” and my pc got slow.
the virus is trojan horse/cantix/jenxcus.

I go to folder options > view > advance settings. and i tick “Show hidden files, folder, and drives”
“Desktop.ini” file is virus.

http://i.imgur.com/8KqFgLv.png

http://i.imgur.com/Rf1U8jR.png

I can’t access folder :o

Desktop.ini is legitimate, but the ones I deleted dektop.ini were malware

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

ComboFix

Are you able to access those folders now ?

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File:: c:\windows\system32\radA73DA.tmp c:\windows\system32\rad679E4.tmp c:\windows\system32\rad9592B.tmp c:\windows\system32\rad574C5.tmp c:\windows\system32\Serv60d.dll c:\windows\system32\radB0DD6.tmp c:\windows\system32\rad04A58.tmp

Folder::
c:\programdata\TweakBit
c:\program files (x86)\TweakBit

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.