Wscript.exe virus

Hi guys!
Same problem as other users. An infected pendrive with the wscript.exe virus (?) passed through our 3 PCs.
We quickly deleted the process from the task manager.
Now: on my PC (Win 8) apparently nothing happened, but 2 new unknown applications appeared in my service start list (“ce8” and “93c2”); on the PC with XP, the control panel disappeared and clicking on it the PC says “Operation canceled. On the computer some restrictions are activated. Contact the system administrator” and ADWcleaner can’t run because the AV recognizes it as a virus and the PC says, “Impossible to access the file. Probably you do not have the necessary permissions”; on the last PC (Win 7) some folders disappeared in the program folder and ADWcleaner can’t run because of the same problem as on the XP one.

We downloaded the suggested programs, ran them and the logs are attached.

Last, can I do something for my pendrive?

I know it’s a lot of things but please…help us!

Thanks in advance and excuse my poor English…

PS: in this post I attach just the three Win 8 logs. I’ll attach the other logs in another post.

I attach the Win 7 logs.

I attach 2 logs of Win XP. On XP OTL freezes while “scanning firefox settings”…

Thanks again.

Hi kartenzi,

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

* Double click MCShield-Setup to install the application.
* Wait a few seconds for MCShield to finish its initial scan.
  Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
* Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Install MCShield on both computers

→ Next

→ For Win8 fix

Re-run OTL.exe.

* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1416104784-3735682885-2125862280-1001\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
O4 - HKLM..\Run: [bywifi] C:\Program Files (x86)\Bywifi\bywifi.exe (bywifi.com)
O4 - HKU\S-1-5-21-1416104784-3735682885-2125862280-1001..\Run: [ce8] C:\Users\G6-2234SL\AppData\Roaming\d8\ce8.js ()
O4 - Startup: C:\Users\G6-2234SL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93c2.js ()
O9 - Extra Button: Bywifi: Video Downloader - {09E90109-A9AA-4980-BCEF-76F8D924E902} - C:\Program Files\Bywifi\bywifici.exe File not found
O9 - Extra 'Tools' menuitem : Bywifi: Video Downloader - {09E90109-A9AA-4980-BCEF-76F8D924E902} - C:\Program Files\Bywifi\bywifici.exe File not found
O33 - MountPoints2\{a70adf0b-a6d1-11e2-be78-28924a47c64f}\Shell - "" = AutoRun
O33 - MountPoints2\{a70adf0b-a6d1-11e2-be78-28924a47c64f}\Shell\AutoRun\command - "" = "G:\autorun.exe" 

:files
C:\Users\G6-2234SL\AppData\Roaming\d8
C:\d981
C:\Users\G6-2234SL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93c2.js
C:\Users\G6-2234SL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:commands
[CREATERESTOREPOINT]
[emptytemp]


* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

→ For Starter OTL fix

:OTL
O4 - HKLM..\Run: [bywifi] C:\Program Files\Bywifi\bywifi.exe (bywifi.com)
O4 - HKU\S-1-5-21-896558980-977426591-2796425657-1000..\Run: [07570] C:\Users\Betty\AppData\Roaming\11411\07570.js ()
O4 - HKU\S-1-5-21-896558980-977426591-2796425657-1000..\Run: [bywifi] C:\Program Files\Bywifi\bywifi.exe (bywifi.com)
O4 - Startup: C:\Users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\511.js ()
O4 - Startup: C:\Users\Elena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\511.js ()
O9 - Extra Button: Bywifi: Video Downloader - {09E90109-A9AA-4980-BCEF-76F8D924E902} - C:\Program Files\Bywifi\bywifici.exe (TODO: <Company name>)
O9 - Extra 'Tools' menuitem : Bywifi: Video Downloader - {09E90109-A9AA-4980-BCEF-76F8D924E902} - C:\Program Files\Bywifi\bywifici.exe (TODO: <Company name>)

:files
C:\Users\Betty\AppData\Roaming\11411
C:\109f6
C:\Users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\511.js
C:\Users\Betty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js


:commands
[CREATERESTOREPOINT]
[emptytemp]

Thank you for the immediate reply!
Pendrive log attached.
Now we’ll follow your instructions for the two PCs. We’ll let you know.
I’m waiting for instructions for the XP PC.

Win 8 pc & Win 7 apparently fixed.
How do we know if the virus has gone?
Thanks again Argus!

I attach the Win 8 final log.

Win 7 log attached.
Thanks!

E:\autorun.inf.vir – > Remove this file from the flash drive, right click delete

On both computers do the following:

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.

I’m waiting for instructions for the XP PC.

Also run the DDS program.

Win 8 DDS logs attached.

Win 7 DDS logs attached. Thanks!

Win XP DDS logs attached.
I deleted the autorun file on the pendrive but it still looks infected…

Here is the missing DDS Win 7 log.

Win8 is clean.

Windows7 fix

Please download OTM and save it to your desktop.

* Double click on OTM.exe to launch the tool;
* Paste the following code under the “Paste Instructions for Items to be Moved” line;



:files
c:\program files\bywifi
c:\users\betty\appdata\roaming\11411
c:\users\betty\appdata\roaming\microsoft\windows\start menu\programs\startup\5b155.js
C:\109f6

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{C4743D3E-20D7-4B52-84F2-5E4E277B2D82}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"07570"=-

:commands
[emptytemp]


* Click on the MoveIt! button;
  OTM may ask to reboot the machine. Please do so if asked.

* Copy/Paste the contents under the Results line here in your next reply.

Note: It will also create a log in C:\_OTM\MovedFiles
- open the newest .log file present, and copy/paste the contents of that document back here in your next post.

OTM fix for XP

:files
c:\programmi\bywifi\bywifi.exe
c:\documents and settings\enzi\dati applicazioni\c59

:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"bywifi"=-
"d38"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bywifi"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{09E90109-A9AA-4980-BCEF-76F8D924E902}]

:commands
[emptytemp]


Please rerun DDS for XP and Starter

OTM log win 7

Win xp: OTM & DDS log attached.

Again for XP


:files
c:\documents and settings\enzi\dati applicazioni\c59
c:\documents and settings\enzi\dati applicazioni\c59\*.js
C:\c4a
c:\programmi\da9

:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d38"=-

:commands
[Reboot]

DDS logs win 7

Win7 is OK.

Win XP logs attached