Wscript.exe virus detected

Hi… Yesterday I took my USB flash drive to school and today I started getting virus messages on my PC (yes, I use my flash drive a lot). They all accuse the file Wscript.exe… It happens nonstop when I enter my desktop… I tried several online antiviruses and read about fixes on the avast forum… Nothing helped so far… I don’t know what to do anymore :cry:

Follow this guide and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0

For USB viruses I can recommend MCShield: mcshield.net

I’m sorry about the long response times… my internet connection is only 100 kb download speed… but I will be posting at least 3 times a day… I already tried using MCShield and it didn’t work… my flash drive is clean (I don’t know how) but my PC is still infected… I’m updating antiviruses right now and I will upload the Malwarebytes Anti-Malware log file as soon as I finish the update

More than 1 AV is not recommended. It will slow your computer down.

Also, please attach OTL, MCShield & Malwarebytes. Sometimes we can see what you don’t. Thanks!

Malwarebytes just blocked the virus when I restarted… then the virus came back, disabled malware and destroyed explorer.exe and my whole PC stopped working… now I have to use Task Manager to delete the virus as soon as I start and enter the desktop… anyway, here are the log files from Malwarebytes and MCShield

EDIT: Just scanned using OTL… it stopped working while scanning Firefox files… now I just found out that my Firefox is not working… apparently whenever OTL scans its files I get a BSOD…

Try running OTL from safe mode…

Try this programme instead

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Here are the 2 logs from Farbar Recovery Scan Tool. Also, OTL doesn’t work even in safe mode… and I checked my Firefox: it freezes whenever I try to open any website (I will delete it using Revo Uninstaller), but I’m using Google Chrome so it’s not a big deal…

By the way, my sister managed to use this PC while I was asleep… I think the other PC is starting to get some random wscript in Task Manager (2 of them) but avast or MCShield just scanned and nothing appeared…

I found it :slight_smile:

Surprised that MCShield didn’t though

Firefox is corrupt so do a full uninstall of that

Download the attached Fixlist.txt to the same location as FRST
Run FRST and press Fix
On completion a log will be generated please post that

Just uninstalled Firefox using Revo… I cleaned even the registry leftovers

and here is your log 8)

How is the computer behaving now?

Just restarted the cpu… same thing… Windows opens… MCShield and avast block the virus… and then the whole PC freezes in the process… the only way to make it work again is restarting the cpu… I’m trying not to use any passwords or codes from emails, Facebook, Steam, Hotmail and other things… :-\

OK me use da big boy :slight_smile:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

OK, so the ComboFix program did its work until it restarted the system… after that it froze on the “finishing report, please don’t open or use any program while ComboFix is doing its work” thing… I waited like 15 mins and the cpu use was only 2%… I rebooted my cpu and now it’s back to normal… and it didn’t save any log

OK could you now run OTL as it should work with firefox gone

OK, here is the OTL log

Edit: I just noticed that the last time I restarted my cpu the two wscript processes were gone, just gone… and avast or MCShield didn’t accuse any viruses… my PC did not stop working… maybe it’s fixed? That ComboFix program deleted a few files from C:\, maybe it deleted the virus?

Nope parts of it are still there, fingers crossed this will kill all elements of it

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-872251298-2058480501-4578285-1000..\Run: [fce] C:\Users\Dino Vieira\AppData\Roaming\eaf7\fce.js ()
O4 - Startup: C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js ()
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\Program Files\f5ff
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\eb40
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\Users\Dino Vieira\AppData\Roaming\eaf7
[2014/03/24 18:00:58 | 000,048,226 | ---- | C] () -- C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js
[2014/03/24 18:00:58 | 000,048,226 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js

:Files
C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Dino Vieira\AppData\Roaming\eaf7

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
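
Added example (not part of the original post and not OTL's own code): a small Python triage pass over log lines of the two kinds listed in the fix above, flagging autorun entries that point at Windows Script Host files and folders marked hidden+system. The rule names and the sample lines are constructed for illustration, and reading the attribute column as R/H/S/D flags is an assumption.

```python
import re

# File types that Windows Script Host (wscript.exe / cscript.exe) executes.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# "O4 - <location>: [<value name>] <path> (<company>)"; Startup items have no name.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?"
                   r"(?P<path>[A-Za-z]:\\.+?)(?: \([^()]*\))?$")
# "[<date time> | <size> | <attrs> | <C or M>] (<company>) -- <path>"
FILE_RE = re.compile(r"^\[[^|\]]+ \| [\d,]+ \| (?P<attrs>[-A-Z]{4}) \| [A-Z]\] "
                     r"(?:\([^()]*\) )?-- (?P<path>.+)$")
STARTUP = "\\start menu\\programs\\startup\\"

def is_script(path):
    return path.lower().endswith(SCRIPT_EXTS)

def triage(lines):
    """Return (rule, path) findings for script autoruns and hidden+system folders."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Run-key value or Startup item that launches a script instead of a program.
            if is_script(m["path"]):
                findings.append(("autorun-script", m["path"]))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        if {"H", "S", "D"} <= set(m["attrs"]):  # assumed: Hidden, System, Directory
            findings.append(("hidden-system-dir", m["path"]))
        elif is_script(m["path"]) and STARTUP in m["path"].lower():
            findings.append(("startup-script", m["path"]))
    return findings

# Constructed sample lines in the layout of the entries above (not from a real log).
SAMPLE = [
    r"O4 - HKLM..\Run: [AvUI] C:\Program Files (x86)\ExampleAV\ui.exe (Example Corp)",
    r"O4 - HKU\S-1-5-21-0-0-0-1000..\Run: [abc] C:\Users\user1\AppData\Roaming\ab12\abc.js ()",
    r"O4 - Startup: C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x1.js ()",
    r"[2014/01/01 10:00:00 | 000,000,000 | -HSD | C] -- C:\Users\user1\AppData\Roaming\ab12",
    r"[2014/01/01 10:05:00 | 000,048,226 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\x1.js",
    r"[2014/01/01 09:00:00 | 000,000,000 | ---D | C] -- C:\Users\user1\Documents\Homework",
]

if __name__ == "__main__":
    for rule, path in triage(SAMPLE):
        print(f"{rule:18} {path}")
```
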

There you go (again restarted the cpu: no virus alerts, no shortcuts on my pendrive, and MCShield says it’s clean)

OK, how is it behaving now?

No more random virus alerts… the processes called Wscript are gone (I’m using Task Manager to check), no more shortcuts… I think that’s it…

By the way, in case I have to use that school cpu again and my flash drive gets the virus, what should I do?

If the virus is on the flash drive, how can I clean it without it passing to my cpu?