wscript.exe problem

I found a similar topic : https://forum.avast.com/index.php?topic=142075.0
But solving the problem is different in every case…?
I would appreciate it if someone helped me. :cry:

I plugged in my usb drive and I first noticed my pc slowed down suddenly. Then I realized all my files had a few kilobytes, some of the word documents had an ‘application’ icon instead of a MS Office one. The second time I plugged in the usb drive both the original files AND the shortcuts appeared. For example:

My pdf appears as if it is an image:
http://puu.sh/aMJ1N/58c2351639.png
http://puu.sh/aMIWH/c2d01c275b.png
But also as a PDF document… (but the icon is transparent…?)
http://puu.sh/aMIZz/909c75e423.png
And what the hell is this? ???
http://puu.sh/aMJ6B/6353eede82.png

https://forum.avast.com/index.php?topic=53253.0

Hello! Well, I scanned with Malwarebytes Anti-Malware and everything is ok according to them.
I started scanning with Farbar but I’ve been seeing “Application errors: 14039” for an hour. The scan doesn’t seem to stop. The ‘x’ button does nothing. I think I’m going to force close it soon…

I don’t see any way of attaching those text files… must be because I’m new here.

logs so far:

I don't see any way of attaching those text files... must be because I'm new here.
below the box you write in ..... [b]Attachments and other options[/b]

Oh, thank you, Pondus! edits

Hi there, the USB is probably infected.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
HKU\S-1-5-21-2117982335-1953125690-2862676845-1000\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe ()
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe
C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe
BHO: Visual Bookmarks -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File
BHO-x32: Visual Bookmarks -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7ccseq2u.default\user.js
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
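The fixlist entries earlier in this post show one persistence pattern: a Run key and a Startup-folder item that launch an encoded script through wscript.exe from user-writable folders. The following is an added example, not part of the original thread and not FRST's own code; it assumes the FRST-style line layout seen above, and the last two sample lines are constructed negative cases.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT_RE = re.compile(r"\.(vbe|vbs|jse|js|wsf)\b")
# User-writable locations that appear in the thread's log.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\start menu\\programs\\startup\\")
# Assumed layout of an FRST Run-key line: <hive>\...\Run: [name] => command
RUN_RE = re.compile(r"^(?P<hive>HK\S+)\\\.\.\.\\Run: \[(?P<name>.+?)\] => (?P<cmd>.+)$")

# First three lines are copied from the thread; the last two are constructed
# (a benign autorun and a non-autorun entry) to act as negative cases.
SAMPLE = [
    r'HKLM\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION',
    r'HKU\S-1-5-21-2117982335-1953125690-2862676845-1000\...\Run: [39740771_2 (scrambled)] => wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\39740771_2 (scrambled).vbe" <===== ATTENTION',
    r'Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\39740771_2 (scrambled).vbe ()',
    r'HKLM\...\Run: [ExampleUpdater] => "C:\Program Files\Example\updater.exe" /background',
    r'BHO: Visual Bookmarks -> {D5FEC983-01DB-414a-9456-AF95AC9ED7B5} -> No File',
]

def classify(line):
    """Return (kind, reasons) for an autorun line, or None for other lines."""
    text = line.split("<=====")[0].strip()  # drop the ATTENTION marker
    m = RUN_RE.match(text)
    if m:
        kind, target = "run-key", m.group("cmd").lower()
    elif text.startswith("Startup: "):
        kind, target = "startup-folder", text[len("Startup: "):].lower()
    else:
        return None
    reasons = []
    if any(host in target for host in SCRIPT_HOSTS):
        reasons.append("script host")
    if "//b" in target:
        reasons.append("batch mode (no prompts or error dialogs)")
    if SCRIPT_EXT_RE.search(target):
        reasons.append("script file")
    if any(path in target for path in USER_WRITABLE):
        reasons.append("user-writable path")
    return kind, reasons

def suspicious_autoruns(lines):
    """Keep autoruns that start a script file; other reasons add context."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and "script file" in r[1]]

if __name__ == "__main__":
    for kind, reasons in suspicious_autoruns(SAMPLE):
        print(kind, "->", ", ".join(reasons))
```
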

Hello there! I applied the FRST fix.
But right after the fix a file opened: 39740771_2(scrambled).vbe

Continue with MCShield and AdwCleaner please, then produce a fresh FRST scan

MCShield solved the problem I guess.
Problem is: that vbe file opens after every restart.

Could you now run a fresh FRST scan so that I can locate the vbe start point

I scanned with FRST but it freezes at “Application errors: 14039”. The log is overwritten? It’s the same FRST.txt? Do I need to post that?

Let's try this first and then run FRST after that

Download Anti VBS/VBE to your desktop

[*]Download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[*]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

Log says the vbe got deleted parties hard
I’ll run FRST soon.

EDIT: Same freezing as before… force closed again…
EDIT 2: I’m now trying to run it with antivirus disabled, maybe it works… ?

OK big boy time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I disabled my antivirus but Combofix still says it is open… How to exit?

I’ll just uninstall it to be sure :-\

You can ignore that and accept the warning if you have disabled it

This Combofix thingy added IE to my desktop and made it a default browser… :stuck_out_tongue: meh
I added the log :3 Thank you for the help so far!

No weird vbe anymore.

Looks like antivbs killed it properly :slight_smile: Any further problems?

Nope. Everything’s fine I think. Thank you very much! :3