wscript.exe virus

My laptop and computer got infected from a friend's memory card, and his PC got infected too. I tried several programs to remove this, but no help at all, and the system goes very slow. Please let me know how to remove this virus.

Regards
Suresh

This thing is so widespread these days… getting harder and harder to detect for most AV companies :o

Follow this guide and attach the logs here:
http://forum.avast.com/index.php?topic=53253.0

Hi there, first run this programme before the other scans.

Download McShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick "Unhide items on flash drives":

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan.

Then get the log, which will be here:

Start > All Programs > MCShield > Logs > All Scans

And post that.

Hi,
Thanks for your replies.
I don't have the memory card box at the moment and I may get it by tomorrow morning; however, I can check it on my laptop later.
Here is the log file:


>>> MCShield AllScans.txt <<<

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 2.7.4.23 / DB: 2013.10.11.1 / Windows XP <<<

10/21/2013 8:31:59 PM > Drive C: - scan started (no label ~20 GB, NTFS HDD )...
=> The drive is clean.

10/21/2013 8:31:59 PM > Drive D: - scan started (no label ~20 GB, NTFS HDD )...
=> The drive is clean.

10/21/2013 8:31:59 PM > Drive E: - scan started (no label ~35 GB, NTFS HDD )...
=> The drive is clean.


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 2.7.4.23 / DB: 2013.10.11.1 / Windows XP <<<

10/21/2013 8:37:35 PM > Drive C: - scan started (no label ~20 GB, NTFS HDD )...
=> The drive is clean.

10/21/2013 8:37:37 PM > Drive D: - scan started (no label ~20 GB, NTFS HDD )...
=> The drive is clean.

10/21/2013 8:37:40 PM > Drive E: - scan started (no label ~35 GB, NTFS HDD )...
=> The drive is clean.


OK, could you now continue with the other scans please? Keep McShield; it will protect you from USB/memory card type viruses.

You mean to follow the link in the second post of this thread?
I already ran RogueKiller and removed the files that were found, but the PC is still slow.

Yes, follow the link in reply #1. Attach your logs that result from running these programs:

  • AdwCleaner
  • Malwarebytes
  • OTL
  • aswMBR.exe

As essexboy has already joined, he is the malware expert who will assist you. Once you have the attached logs in place, things will move along from there.

Here is my OTL log of the laptop, and I am posting all the things that affected the laptop.

Adwcleaner report

Mbam report

Is this the one with the Wscript infection?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www2.delta-search.com/?babsrc=HP_ss&mntrId=EC72001C26EA880D&affID=120695&tsp=4989
IE - HKCU\..\URLSearchHook: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files\BitTorrentControl_v12\prxtbBitT.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www2.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=EC72001C26EA880D&affID=120695&tsp=4989
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826&CUI=UN40950444531464179&UM=1
FF - prefs.js..extensions.enabledAddons: %7Bc2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294%7D:1.1
[2012/06/08 15:21:45 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O33 - MountPoints2\{29ce268c-7105-11e2-89f4-001b38070c5f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cmd.eXE /Q /C eXplORER.EXE . & Start /I /B "" jaVAW.EXE -classpath "RECYCLER\S-7-2-46-4022908439-4094827537-2065423204-9376\wow.ACA" a
O33 - MountPoints2\{d7c8e92b-96b3-11e1-a576-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[2013/10/01 23:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Application Data\PriceGong
[2013/09/29 23:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Local Settings\Application Data\CRE
[2013/09/29 23:11:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Local Settings\Application Data\Conduit
[C:\WINDOWS\$NtUninstallKB61682$] -> Error: Cannot create file handle -> Unknown point type

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here is the log file of ComboFix.
While it was running it asked me to install the Microsoft console update; however, it was done automatically with 2 clicks.

I can see no sign of the wscript infection. How is the computer behaving?

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select "Run as Administrator"; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system's specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

I tried to run it as administrator, but there is no admin in the user accounts. The one in my name is the only admin. Should I create an administrator account?
Here is the log file.

The admin part only relates to Vista and better. How is the computer running now?

That was the laptop, and it is running well, but when I refresh the desktop the icons flash.
My PC has gone very slow, and tomorrow I will post the log files of my PC.

Here are some log files of my PC.
The DNS values keep changing when killing them with RogueKiller.

So this is the desktop? And the other was the laptop.

I will need an OTL log for the desktop.

Here are my desktop OTL files.

No sign of it there either… although you have used an infected USB at some stage.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O33 - MountPoints2\{819bb0c2-2e93-11e3-a719-00e04c681114}\Shell\AutoRun\command - "" = G:\RECYCLER\autorun.exe
O33 - MountPoints2\{819bb0c2-2e93-11e3-a719-00e04c681114}\Shell\Explore\command - "" = G:\RECYCLER\autorun.exe

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
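As an added example (my own code, not essexboy's tooling and nothing from OTL itself), the following Python triages the O33 MountPoints2 lines quoted in the laptop fix and the desktop fix above: it parses each line, groups entries by the drive's mount-point GUID, and flags the launcher patterns visible in those commands (payload under a fake RECYCLER folder, rundll32 ShellExec_RunDLL, a cmd /C chain, javaw -classpath). The indicator list is an assumption drawn only from these two logs, and the line layout assumed is the one OTL printed here; a post-fix Quick Scan log fed through it should produce an empty report.

```python
import re
from collections import defaultdict

# Constructed sample: the "O33 - MountPoints2" lines quoted in this thread's two
# OTL fixes (laptop first, desktop last). Each is the AutoRun/Explore verb that
# Windows cached for a removable drive, keyed by the drive's mount-point GUID.
SAMPLE_O33_LINES = [
    r'O33 - MountPoints2\{29ce268c-7105-11e2-89f4-001b38070c5f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cmd.eXE /Q /C eXplORER.EXE . & Start /I /B "" jaVAW.EXE -classpath "RECYCLER\S-7-2-46-4022908439-4094827537-2065423204-9376\wow.ACA" a',
    r'O33 - MountPoints2\{d7c8e92b-96b3-11e1-a576-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn',
    r'O33 - MountPoints2\{819bb0c2-2e93-11e3-a719-00e04c681114}\Shell\AutoRun\command - "" = G:\RECYCLER\autorun.exe',
    r'O33 - MountPoints2\{819bb0c2-2e93-11e3-a719-00e04c681114}\Shell\Explore\command - "" = G:\RECYCLER\autorun.exe',
]

O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.*)$'
)

def parse_o33(line):
    """Split one O33 line into guid/verb/cmd; None for any other OTL line."""
    m = O33_RE.match(line.strip())
    return m.groupdict() if m else None

def indicators(cmd):
    """Heuristic autorun-abuse markers (assumed, drawn from the patterns in these logs)."""
    c = cmd.lower()
    found = []
    if "recycler\\" in c:                        # payload hidden in a fake RECYCLER dir
        found.append("payload under RECYCLER folder")
    if "shellexec_rundll" in c:                 # rundll32 used as an indirect launcher
        found.append("rundll32 ShellExec_RunDLL launcher")
    if "cmd.exe" in c and " /c " in c:          # cmd /C chain that also opens Explorer
        found.append("cmd.exe /C chained launcher")
    if "javaw.exe" in c and "-classpath" in c:  # Java payload with a disguised extension
        found.append("javaw -classpath payload")
    return found

def triage(lines):
    """Group flagged O33 entries by drive GUID so each suspect drive is one record."""
    report = defaultdict(lambda: {"verbs": set(), "indicators": set(), "commands": []})
    for line in lines:
        rec = parse_o33(line)
        hits = indicators(rec["cmd"]) if rec else []
        if not hits:
            continue
        entry = report[rec["guid"].lower()]
        entry["verbs"].add(rec["verb"])
        entry["indicators"].update(hits)
        entry["commands"].append(rec["cmd"])
    return dict(report)
```

Calling `triage(SAMPLE_O33_LINES)` yields three records, one per drive GUID; the desktop's G: drive shows both its AutoRun and Explore verbs pointing at the same RECYCLER payload.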