WScript virus

Can anyone please help me remove the wscript virus? i’ve followed the instructions as given in http://forum.avast.com/index.php?topic=53253.0
Not sure if the virus has been removed completely. I’ve attached the log files.

I’m on it …

@abarmecha

Is that the latest Malwarebytes log? Post me the first Malwarebytes log, as I need to see what MBAM has been addressed. Use Logs tab in MBAM GUI Windows to find the first MBAM.txt log. Post it here.

As for OTL log …I’ll have to look at it from the different side.

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Yes, that was the latest MBAM Log. I’m attaching the first one along with FRST Logs.
Really grateful for the prompt reply. Thank you very much.

Hi,

C:\Windows\system\SYS.VBS (Worm.AutoRun) -> Quarantined and deleted successfully. C:\Windows\system\SYST.VBS (Trojan.Downloader) -> Quarantined and deleted successfully.

Ah, I shall need sample of that. Please find Quarantine from Malwarebytes.

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

%AppData%\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine

[*] then click OK (or press Enter ).

There, in Quarantine folder you should find the SYS.VBS and SYST.VBS files.
Files in Quarantine are random named (eg. 0696849701.data or 0696849701.guar ). These files are inactive and they can not be run by double-clicking.

Pack it for me the Quarantine folder or just its contents please and upload it here:
http://www.wikisend.com

Paste me download link here. I’ll need these files for some future testing, I would appreciate it.

Malwarebytes has done practically important part of the his job. FRST doesn’t show active malware.
But FRST shows some inactive remnants. We shall clean that via FRSTScript lines using FixList and we will additionaly clean all temp files using TFC.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
C:\ProgramData\Downloader.exe
C:\Users\ACER\AppData\Local\Temp\*.exe
CMD: ipconfig /flushdns
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

And then …

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

PS: Do not attach your USB memory devices until I tell you so.

Hi,
I’ve followed all the steps as you’ve asked me to.
I’m attaching the fixlog.txt file.

Thank You.

Looking good. Thank you for samples. I have them. You may edit your post if you will to remove download link.

The nature of this worm is spread via USB devices. It’s time to check them now when host system is clean.

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Hi,
I’ve attached the MCShield log report.
Thank You.

You are malware free. Posted logs are now appear cleans and show no signs of active infection.

Good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.


To help AntiVirus to protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t AntiVirus and it can NOT replace it.

  2. Keep MCShield Anti-Malware, the tool will be updated regularly and perform auto-checking for malware to each attached USB memory device.
    MCShield, has been designed as a lightweight scanner that’s smart enough to catch even new worms and work in fully automatic removal mode.

  3. It’s recommended to delete Temporary Files every once in a while. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.
    Temp File Cleaner aka TFC by OldTimer
    TFC is small & usefull utility that shall clean up temp files from all userprofiles and system folders.

Hi,
That’s great. All credit goes to you . Really grateful for all your help.
Thank You and keep up the good work! :slight_smile: