wscript.exe CMD:Downloader-A[Trj]

Avast keeps popping up with “We’ve moved wscript.exe to your Virus Chest because it was infected with CMD:Downloader-A[Trj]”. However, when I go to open the Virus Chest it is not there. Upon doing some research it appears that wscript.exe just executes scripts and that it may not actually be the culprit, but that some script hidden somewhere is. Is there a way to find and fix the problem? It is very annoying because every once in a while Avast keeps popping up with the same message.

Attach your basic diagnostic logs (MBAM and FRST).
Instructions: https://forum.avast.com/index.php?topic=194892

Same issue here. Only one of 70 PCs has this problem. wscript.exe is not moved to the virus chest. When manually scanning the file: everything is OK.

Post a screenshot of the messages given by Avast.

Upload and test the detected file here: www.virustotal.com
Post a link to the scan result here.

Same problem, but not with Avast; with AVG.
Maybe it has something to do with the latest Win10 update?

https://www.virustotal.com/#/file/1405f3fd5668c5357e374a918abd21e8d8408b2eda99af9ce593a702da1cc2aa/details


Hi,

Download Autoruns from here https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and go to the tasks page. Look for a task which spawns wscript. It may have a name starting with Yahoo.

Delete that task and you will get rid of this.

Regards,
PDI
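The task hunt described above can also be done from an elevated PowerShell prompt. This is an added example, not code from the thread or from Autoruns; it assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and writes its findings to a CSV on the Desktop so the evidence survives before anything is deleted.

```powershell
# Added triage example: list every scheduled task whose action launches the
# Windows Script Host (wscript.exe / cscript.exe), so the script behind a
# recurring "wscript.exe" detection can be located before deleting the task.
# Assumes an elevated shell on Windows 8+/Server 2012+.

# Match the executable name at the end of the path, with or without ".exe".
$hostPattern = '(^|\\)(wscript|cscript)(\.exe)?$'

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only ExecAction objects carry Execute; COM-handler actions are skipped.
        if (-not $action.Execute) { continue }
        # Expand %SystemRoot%-style variables and strip quotes before matching.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if ($exe -match $hostPattern) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $exe
                Arguments = $action.Arguments   # normally holds the .vbs/.js path
            }
        }
    }
}

if (-not $hits) {
    'No scheduled task launches wscript/cscript.'
} else {
    $hits | Format-List
    # Keep a record of the task and the script path it points at; the script
    # file itself is what should be scanned or uploaded, not wscript.exe.
    $hits | Export-Csv -Path "$env:USERPROFILE\Desktop\wsh_tasks.csv" -NoTypeInformation
    # Once a task is confirmed malicious it can be removed with, e.g.:
    #   Unregister-ScheduledTask -TaskPath $hit.TaskPath -TaskName $hit.TaskName -Confirm:$false
}

# Legacy .job files under C:\Windows\Tasks (as in the FRST log in this thread)
# are not returned by Get-ScheduledTask, so list them separately with timestamps.
Get-ChildItem "$env:SystemRoot\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length
```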

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
HKU\S-1-5-21-190997800-793472769-704079342-1001\...\Run: [Chromium] => c:\users\james h\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-190997800-793472769-704079342-1001\...\Run: [GoogleChromeAutoLaunch_56BF14DC357D46019116C6AEB12514A3] => C:\Users\James H\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141008683\...\Run: [Chromium] => c:\users\james h\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141008683\...\Run: [GoogleChromeAutoLaunch_56BF14DC357D46019116C6AEB12514A3] => C:\Users\James H\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141011547\...\Run: [Chromium] => c:\users\james h\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141011547\...\Run: [GoogleChromeAutoLaunch_56BF14DC357D46019116C6AEB12514A3] => C:\Users\James H\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms
CHR HKU\S-1-5-21-190997800-793472769-704079342-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141008683\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-190997800-793472769-704079342-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-03082018141011547\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
2018-02-23 19:49 - 2018-02-23 19:49 - 000000000 ____D C:\Users\James H\AppData\Local\Tempzxpsignc9f8f84924cf4c3f
2018-02-23 19:49 - 2018-02-23 19:49 - 000000000 ____D C:\Users\James H\AppData\Local\Tempzxpsigna26cdefbbce2620d
2018-02-23 19:37 - 2018-02-23 19:37 - 000000000 ____D C:\Users\James H\AppData\Local\Tempzxpsign2a4029801a85d14a
2018-02-23 19:36 - 2018-02-23 19:36 - 000000000 ____D C:\Users\James H\AppData\Local\Tempzxpsign883d8fe3d2a64569
VirusTotal: C:\PROGRA~2\COMMON~1\5AD405~1\updane.exe
C:\Windows\Tasks\{3EE428BA-73C5-4799-B10D-B638BA77CBF3}.job
Task: {7447D0E5-4C55-4450-A83E-347F6CD7CAC7} - \Yahoo! Powered mitoc -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\{3EE428BA-73C5-4799-B10D-B638BA77CBF3}.job => C:\PROGRA~2\COMMON~1\5AD405~1\updane.exe
Task: {E41588E2-6916-44F1-94CF-3CF751EFFB4E} - System32\Tasks\{3EE428BA-73C5-4799-B10D-B638BA77CBF3} => C:\PROGRA~2\COMMON~1\5AD405~1\updane.exe
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0]
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.