wscript.exe - Shortcut virus

Pretty much the same as in this thread:

http://forum.avast.com/index.php?topic=142075.0

My brother was careless and plugged in the USB flash drive that was previously used at a university computer which was infected with the “shortcut” virus as well as autorun.inf (which I believe I have sorted/solved).

We need logs from Malwarebytes / OTL / aswMBR: http://forum.avast.com/index.php?topic=53253.0

Then follow the instructions from argus.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Under Optional Scan, ensure “Driver MD5” is ticked.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

.

USB not touch.

Took me a while but here’s all five reports (one more in the next reply, only four can fit per reply).

Cheers

And here’s the last one.

Hi AnthonyAT33

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


```
HKLM\...\Run: [WinUsbDriver] - C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs [172340 2013-12-02] () <===== ATTENTION
HKCU\...\Run: [WinUsbDriver] - C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs [172340 2013-12-02] () <===== ATTENTION
MountPoints2: {1e9da82c-627f-11e3-b8ee-00116706af20} - H:\NokiaPCIA_Autorun.exe
URLSearchHook: HKCU - (No Name) - {08d6b0b4-c132-470d-a8e2-aa2e9c3851c9} -  No File
SearchScopes: HKLM - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031607
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031607
SearchScopes: HKLM - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchboxes.info/?l=1&q={searchTerms}&pid=625&r=2013/07/27&hid=2155573400&lg=EN&cc=RS&unqvl=28
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031607
Toolbar: HKCU - No Name - {08D6B0B4-C132-470D-A8E2-AA2E9C3851C9} -  No File
Toolbar: HKCU - No Name - {56CF4856-ECB4-4E46-A897-A378821F97B9} -  No File
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF Keyword.URL: hxxp://websearch.searchboxes.info/?pid=625&r=2013/07/27&hid=2155573400&lg=EN&cc=RS&unqvl=28&l=1&q=
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Antonic\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF SearchPlugin: C:\Users\Antonic\AppData\Roaming\Mozilla\Firefox\Profiles\0n7kqvcq.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Users\Antonic\AppData\Roaming\Mozilla\Firefox\Profiles\0n7kqvcq.default\searchplugins\WebSearch.xml
CHR DefaultSearchKeyword: websearch
CHR DefaultSearchProvider: WebSearch
CHR DefaultSearchURL: http://websearch.searchboxes.info/?l=1&q={searchTerms}&pid=625&r=2013/07/27&hid=2155573400&lg=EN&cc=RS&unqvl=28
CHR Plugin: (Unity Player) - C:\Users\Antonic\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Extension: (Skype Click to Call) - C:\Users\Antonic\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.10.0.9560_0
C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs
C:\Users\Antonic\jagex_cl_runescape_LIVE.dat
C:\Users\Antonic\random.dat
```

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers.
[*]Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this Instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

```
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;;
```

[*]Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

.

Remove AutorunRemover not necessary.
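
A triage sketch for the Run-key lines flagged in the fixlist above (an added example, not part of the original thread and not FRST's own code): it parses lines in the FRST log format shown in this thread and flags autorun values that launch a script-host file or run from a Temp folder. The `triage` helper, the extension list and the third sample line are assumptions made for illustration.

```python
import re
from ntpath import splitext  # Windows path rules on any OS

# Run-key line format as it appears in this thread's FRST output:
#   HIVE\...\Run: [ValueName] - Path [size yyyy-mm-dd] (Company)
RUN_LINE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] - (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>.*?)\)"
)
# Assumed list of Windows Script Host extensions (illustrative, not exhaustive).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# First two lines are quoted from the thread; the third is constructed.
SAMPLE = r"""
HKLM\...\Run: [WinUsbDriver] - C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs [172340 2013-12-02] () <===== ATTENTION
HKCU\...\Run: [WinUsbDriver] - C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs [172340 2013-12-02] () <===== ATTENTION
HKLM\...\Run: [ExampleUpdater] - C:\Program Files\Example\updater.exe [204800 2013-11-01] (Example Corp)
""".strip().splitlines()

def triage(lines):
    """Return (hive, value name, path, reasons) for suspicious Run entries."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a Run-key line in the expected format
        path = m["path"]
        reasons = []
        if splitext(path)[1].lower() in SCRIPT_EXTS:
            reasons.append("script-host file")
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("runs from Temp")
        if reasons and not m["company"]:
            reasons.append("no company name")
        if reasons:
            findings.append((m["hive"], m["name"], path, reasons))
    return findings

if __name__ == "__main__":
    for hive, name, path, reasons in triage(SAMPLE):
        print(f"{hive} [{name}] {path}: {', '.join(reasons)}")
```
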

Note: I had to disable Avast! in order to run the FRST fix.

How do I clean up my USB flash without it infecting my PC again? Will MC2Shield do the trick?

Thank you for the help so far.

Here’s both logs.

[*]Close any open browsers.
[*]Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this Instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

```
B C:\Users\Antonic\AppData\Local\Temp\WinUsbDriver.vbs;f
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"WinUsbDriver"=*;r
C:\Users\Antonic\AppData\Local\Temp;fs
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run];r
"WinUsbDriver"=-;r
[HKEY_USERS\S-1-5-21-3890698553-2694546652-243682274-1000\Software\Microsoft\Windows\CurrentVersion\Run];r
"WinUsbDriver"=-;r
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
```

[*]Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

I had it run three times because I never got the log file to pop up indicating that it finished the first two times, so here’s three logs.

Order of logs goes as:

  1. zoek-results2013-12-17-131748
  2. zoek-results2013-12-17-154901
  3. zoek-results

Cheers

Rerun FRST.

Here’s the FRST log.

Cheers

It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Here’s the FRST Fixlog.txt

Cheers

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*]Double click MCShield-Setup to install the application.
[*]Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*]Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Here is the log of all the scans.

Cheers

OK, rerun FRST and attach the log here.

Here it is.

Your system is clean 8)

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

Thank you very much for all your help. :)

Hello,

I found this thread researching the exact same issue. I have the wscript.exe shortcuts everywhere on my PC…I don’t know how I got it as I’m extremely careful, this would be my first virus in 14+ years of using a PC. Anyway, I followed this post’s instructions and hopefully you’re still around to help. Here are the two logs from FRST64. I don’t know how to attach files so these are my dropbox links

FRST.txt
Addition.txt