wscript.exe : Files on flashdrives become shortcut when plugged in laptop

Last week, my friend plugged in her flash drive in my laptop and all the flash drive’s files became shortcut. The same happened to my flash drive the next day I used it in my laptop. The files were not actually missing, the shortcuts still direct to the flash drive’s file but it opens in another window. I’ve tried scanning for any viruses but it did not detect anything. I tried the system restore option of Windows but it didn’t work, too. What can I do? I can’t afford to lose the files so, as much as possible, I do not want to reformat my laptop. :-[

Thanks! :slight_smile:

and now the flash drive is infected and so is both computers…

to help you, we need some logs. instructions here. http://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes / OTL / aswMBR logs

Here are the logs. :slight_smile:

dont use any USB device before computer is cleaned…

malware experts are notified, it may take some hours before they are online so be patient

when computer is cleaned you should send your friend here to do the same with her computer :wink:

Hi,

As Pondus said, unplug USB and do not use it until I tell you so. We’ll clean it later…

Step 1.

Please download Anti-VBSVBE and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double click to run the tool and wait until it finishes.
[*]It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.

============================================================

Step 2.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Here are the logs from the two tools. but no addition.txt was created. I think some error happened.

FRST didn’t complete the scan…

Re-run it again, check Addition.txt and press scan. Attach both reports…

This appears when I run it.

Did you try to disable antivirus and to run FRST after…

Yes, but it still doesn’t work.

Forget FRST, we will continue with other tool…

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.


  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.

Here is the log.

You’ve run ComboFix two times. Go to C:\Qoobox folder and attach all ComboFix reports (.txt files)

Good day Sir!
Here are all the text files I have found in the said folder. :slight_smile:

Ok, can you now download fresh FRST and try to scan. Delete all previous copies and download fresh new version on your Desktop…

It still doesn’t work. The same AutoIt error happens.

Can you attach the screen shot of FRST file you’re starting?

Here it is.

Is the name of executable exactly FRST64.exe when you run it?

Yes. I’ve tried it several times but it still didn’t work. What could be the problem?