My pendrive got infected (all files and folders were converted into shortcuts) as well as my laptop. Since then, Avast is giving me pop-ups every 30 sec about blocking wscript.exe trying to contact a malicious webpage. I have performed an Avast scan and found nothing. I also did a Spybot scan, which was able to detect this wscript but not fix it. By reading on Google, I also tried MBAM but it didn’t find anything. Out of desperation, here are the steps I took:
1- formatted my pendrive (the virus should be gone)
2- turned off the wscript.exe process with task manager
3- unchecked wscript.exe in the startup tab using msconfig
4- deleted the registry desktop.vbs which was located in windows/currentversion/run
Since then, the popup is gone but my fear is that the virus is still there and will probably infect every usb hardware I will use in the future or create further damage on my laptop.
I’ve seen a lot of forum threads here of people having a similar problem, and the steps required for cleaning this mess seem quite complicated to perform without help. Thus…HELP!!!
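The autorun described in the post above (a desktop.vbs entry under CurrentVersion\Run that starts wscript.exe) can be checked for directly. The following is an added example, not part of the original thread: it parses the text output of `reg query` for the Run keys and flags values that launch a script host or a script file. The sample output, value names and paths are constructed.

```python
import re

# Constructed `reg query` output for the two Run keys (not from the thread's logs).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    desktop    REG_SZ    wscript.exe //B "C:\Users\example\AppData\Roaming\desktop.vbs"
    Chat Client    REG_SZ    "C:\Program Files\ExampleChat\chat.exe" /min

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\ui.exe"
    Updater    REG_EXPAND_SZ    %APPDATA%\upd.JSE
"""

# Assumed layout of a value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Windows Script Host binaries, with or without a path or the .exe suffix.
SCRIPT_HOST = re.compile(r"(?<![\w.-])[wc]script(\.exe)?(?![\w.-])", re.I)
# Script file types handled by Windows Script Host.
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf)(?=[\"'\s]|$)", re.I)


def suspicious_run_entries(reg_output):
    """Return (key, value name, data, reasons) for autoruns that start a script."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which Run key the next values belong to
            continue
        m = VALUE_LINE.match(line)
        if key is None or m is None:
            continue
        data = m.group("data")
        reasons = []
        if SCRIPT_HOST.search(data):
            reasons.append("script host")
        if SCRIPT_FILE.search(data):
            reasons.append("script file")
        if reasons:
            findings.append((key, m.group("name"), data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in suspicious_run_entries(SAMPLE):
        print(f"{key}\\{name}: {data}  [{', '.join(reasons)}]")
```

A flagged entry is a lead to review, not proof of infection, since legitimate software occasionally starts scripts from a Run key.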
Ok…Performed a scan with MCshield and found nothing (see log attached)
Also used OTL and attached the 2 logs.
Will wait for your comments/suggestions on how to proceed
Thanks
- Wait for initial scan to finish - if there is any query, click No;
- Click Scan button and wait until the full scan is complete;
- Click Save … - save the report to the Desktop (named Gmer);

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
How are things now, do you still get a warning?
As for the warning, as I mentioned in my first post, I was able to block them by blocking the startup of wscript using msconfig (see attached screenshot)…But I guess that if I check it back again, wscript will start again and I will get back the warning messages!
Checked the entry and restarted the cpu and everything seems perfect. I went to check the processes and no wscript running. The desktop.vbs registry entry did not appear and finally, the command line in msconfig disappeared. Thanks a lot, you did a wonderful job helping me.
As a last question, since I downloaded all these programs to check for viruses/malware, what should I keep installed according to you? Currently, I have Avast, Spybot, MBAM and MCShield.
About Avast, MBAM and MCShield, you can keep 'em all. Avast is your main realtime protection, MBAM can be used sometimes to scan for unwanted software, and MCShield for USB protection :). Three-layered defense.
Please download DelFix by “Xplode” to your Desktop.
Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt). Note: The report will also be stored at C:\DelFix.txt