Author Topic: wscript.exe virus  (Read 12722 times)


endlasuresh

  • Guest
wscript.exe virus
« on: October 14, 2013, 02:18:42 PM »
My laptop and computer got infected from a friend's memory card, and even his PC got infected too. I tried several programs to remove this, but they were no help at all and the system runs very slowly. Please let me know how to remove this virus.

Regards
Suresh

true indian

  • Guest
Re: wscript.exe virus
« Reply #1 on: October 14, 2013, 02:23:42 PM »
This thing is so widespread these days... getting harder and harder to detect for most AV companies :o

Follow this guide and attach the logs here:
http://forum.avast.com/index.php?topic=53253.0

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe virus
« Reply #2 on: October 14, 2013, 04:09:48 PM »
Hi there, first run this programme before the other scans.

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #3 on: October 14, 2013, 05:17:07 PM »
hi
Thanks for your replies,
I don't have memory card box at the moment and I may get it by tomorrow morning, however I can check it on my laptop later.
here is the log file
Code:
>>> MCShield AllScans.txt <<<



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.7.4.23 / DB: 2013.10.11.1 / Windows XP <<<


10/21/2013 8:31:59 PM > Drive C: - scan started (no label ~20 GB, NTFS HDD )...



=> The drive is clean.


10/21/2013 8:31:59 PM > Drive D: - scan started (no label ~20 GB, NTFS HDD )...



=> The drive is clean.


10/21/2013 8:31:59 PM > Drive E: - scan started (no label ~35 GB, NTFS HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.7.4.23 / DB: 2013.10.11.1 / Windows XP <<<


10/21/2013 8:37:35 PM > Drive C: - scan started (no label ~20 GB, NTFS HDD )...



=> The drive is clean.


10/21/2013 8:37:37 PM > Drive D: - scan started (no label ~20 GB, NTFS HDD )...



=> The drive is clean.


10/21/2013 8:37:40 PM > Drive E: - scan started (no label ~35 GB, NTFS HDD )...



=> The drive is clean.



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe virus
« Reply #4 on: October 14, 2013, 07:34:21 PM »
OK could you now continue with the other scans please.  Keep McShield and it will protect you from USB/Memory card type viruses

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #5 on: October 15, 2013, 06:22:22 AM »
You mean to follow the link in second post of this thread?
I already ran RogueKiller and removed the files that were found, but the PC is still slow.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: wscript.exe virus
« Reply #6 on: October 15, 2013, 06:29:13 AM »
> You mean to follow the link in second post of this thread?
> I already run the roguekiller and removed the files that are found, but the pc c shows slow only.

Yes, follow the link in reply #1.  Attach your logs that result from running these programs:
  • AdwCleaner
  • Malwarebytes
  • OTL
  • aswMBR.exe
As essexboy has already joined, he is the malware expert who will assist you.   Once you have the attached logs in place, things will move along from there.
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #7 on: October 15, 2013, 07:56:03 PM »
Here is the OTL log from my laptop, and I am posting all the things that affected the laptop.

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #8 on: October 15, 2013, 07:57:38 PM »
Adwcleaner  report

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #9 on: October 15, 2013, 08:08:32 PM »
Mbam report

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe virus
« Reply #10 on: October 15, 2013, 08:34:38 PM »
Is this the one with the Wscript infection ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www2.delta-search.com/?babsrc=HP_ss&mntrId=EC72001C26EA880D&affID=120695&tsp=4989
IE - HKCU\..\URLSearchHook: {b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14} - C:\Program Files\BitTorrentControl_v12\prxtbBitT.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www2.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=EC72001C26EA880D&affID=120695&tsp=4989
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826&CUI=UN40950444531464179&UM=1
FF - prefs.js..extensions.enabledAddons: %7Bc2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294%7D:1.1
[2012/06/08 15:21:45 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O33 - MountPoints2\{29ce268c-7105-11e2-89f4-001b38070c5f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cmd.eXE /Q /C eXplORER.EXE . & Start /I /B "" jaVAW.EXE -classpath "RECYCLER\S-7-2-46-4022908439-4094827537-2065423204-9376\wow.ACA" a
O33 - MountPoints2\{d7c8e92b-96b3-11e1-a576-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[2013/10/01 23:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Application Data\PriceGong
[2013/09/29 23:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Local Settings\Application Data\CRE
[2013/09/29 23:11:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\suresh.BHAVANI\Local Settings\Application Data\Conduit
[C:\WINDOWS\$NtUninstallKB61682$] -> Error: Cannot create file handle -> Unknown point type

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
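
The two O33 lines in the fix above are cached AutoRun actions for removable volumes, and both launch a file from a RECYCLER folder whose name is not a valid SID (real SIDs start with S-1-). As an added example, not part of the original post and not OTL's own logic, this is one way to triage such lines in an OTL log; the function name, the launcher list and the third sample line are assumptions made for illustration.

```python
import re

# Layout of an O33 line as it appears in the fix above:
#   O33 - MountPoints2\{volume-guid}\Shell\<verb>\command - "" = <command line>
O33 = re.compile(r'^O33 - MountPoints2\\(?P<vol>[^\\]+)\\Shell\\(?P<verb>[^\\]+)'
                 r'\\command - "" = (?P<cmd>.+)$', re.I)
# XP Recycle Bin subfolders are named after a user SID, and real SIDs start "S-1-".
RECYCLER_DIR = re.compile(r'RECYCLER\\(S-\d+-[\d-]+)', re.I)
# Script hosts and loaders worth noting in an AutoRun command (assumed list).
LAUNCHERS = re.compile(r'\b(rundll32|cmd|wscript|cscript|javaw?)\.exe\b', re.I)

# The first two lines are copied from the fix above; the third is constructed.
SAMPLE = [
    r'O33 - MountPoints2\{29ce268c-7105-11e2-89f4-001b38070c5f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cmd.eXE /Q /C eXplORER.EXE . & Start /I /B "" jaVAW.EXE -classpath "RECYCLER\S-7-2-46-4022908439-4094827537-2065423204-9376\wow.ACA" a',
    r'O33 - MountPoints2\{d7c8e92b-96b3-11e1-a576-806d6172696f}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn',
    r'O33 - MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command - "" = E:\setup.exe',
]

def triage(line):
    """Return a finding dict for an O33 line, or None for any other line."""
    m = O33.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    reasons = []
    folder = RECYCLER_DIR.search(cmd)
    if folder:
        reasons.append('runs a file from RECYCLER')
        if not folder.group(1).upper().startswith('S-1-'):
            reasons.append('folder name is not a valid SID: ' + folder.group(1))
    launchers = sorted({name.lower() for name in LAUNCHERS.findall(cmd)})
    if launchers:
        reasons.append('launcher chain: ' + ', '.join(launchers))
    # Only the RECYCLER reference marks the entry; launchers are context.
    return {'volume': m.group('vol'), 'verb': m.group('verb'),
            'suspicious': folder is not None, 'reasons': reasons}

if __name__ == '__main__':
    for entry in SAMPLE:
        print(triage(entry))
```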

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #11 on: October 16, 2013, 04:35:39 AM »
Here is the log file of ComboFix.
While it was running, it asked me to install a Microsoft console update. However, it was done automatically with 2 clicks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe virus
« Reply #12 on: October 16, 2013, 03:45:45 PM »
I can see no sign of the wscript infection. How is the computer behaving?

Please download Junkware Removal Tool to your desktop.
  • Right-click JRT.exe and select "Run as Administrator". The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

endlasuresh

  • Guest
Re: wscript.exe virus
« Reply #13 on: October 17, 2013, 04:55:33 AM »
I tried to run as administrator, but there is no admin in user accounts. The one in my name is the only admin. Should I make an administrator account?
Here is the log file.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe virus
« Reply #14 on: October 17, 2013, 03:48:58 PM »
The admin part only relates to Vista and better.  How is the computer running now ?