Author Topic: wscript.exe infected shortcut virus  (Read 64162 times)

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #15 on: December 08, 2013, 05:29:34 PM »
OTL Fix after reboot log

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #16 on: December 08, 2013, 05:35:41 PM »
# AdwCleaner v3.014 - Report created 08/12/2013 at 17:33:22
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Dragan - DRAGAN-PC
# Running from : C:\Users\Dragan\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files (x86)\OApps
Folder Deleted : C:\Program Files (x86)\SimilarSites
Folder Deleted : C:\Program Files (x86)\WebCake
Folder Deleted : C:\Users\Dragan\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Dragan\AppData\Roaming\ExpressFiles
Folder Deleted : C:\Users\Dragan\AppData\Roaming\SimilarSites
Folder Deleted : C:\Users\Dragan\AppData\Roaming\WebCake
File Deleted : C:\Users\Dragan\AppData\Local\funmoods.crx
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
File Deleted : C:\Windows\System32\Tasks\AmiUpdXp
File Deleted : C:\Windows\System32\Tasks\Express FilesUpdate

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WebCakeIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\a53dfd8b268b913
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{52DB1893-8A90-4192-AEDE-08E00B8F8484}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\ExpressFiles
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\ExpressFiles
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\SafetyNut
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\movies~1\safety~1\x64\safety~2.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-GB)

[ File : C:\Users\Dragan\AppData\Roaming\Mozilla\Firefox\Profiles\t40gefcs.default\prefs.js ]


-\\ Google Chrome v28.0.1500.72

[ File : C:\Users\Dragan\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [8077 octets] - [08/12/2013 17:31:08]
AdwCleaner[S0].txt - [7816 octets] - [08/12/2013 17:33:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7876 octets] ##########

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #17 on: December 08, 2013, 05:48:08 PM »
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Dragan on ned 08.12.2013 at 17:38:31,86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-743841737-3555611461-1389555401-1001\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskToolbarNRO_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskToolbarNRO_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskToolbarNRO_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskToolbarNRO_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{064C3A29-7861-42AB-89B9-C3A41CF96186}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{10FE5D7C-5717-482E-9FCE-F9C4AE4C22E8}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{2726A777-07EE-4CEF-8DAC-7C96B21FA7C8}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{503A87D1-361B-4312-8A6E-AC824C1ABD94}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{538E927D-770E-41C6-AE3E-0985FA5310AB}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5490B44A-6B52-428F-961E-FF02F8D884D3}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5D6E52A5-3796-484D-AF9A-B067FD63CABD}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{5F94030A-FFFB-4A27-AFAA-2E89EC15BB07}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{68A6926F-D625-434E-9BFC-067EE6B5ABE9}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7776E668-8D7B-443B-982F-11C2EAFF0012}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7B81DAC1-42BB-4E85-96AA-2FAF82B71489}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{7E15A2A1-ECC0-4A4B-85C8-9CC4F7F4A85B}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{8502ED0F-3269-48A6-A64E-FF648451B761}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{9064C9D1-8150-4100-B9E5-1208CB5D666C}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{9E9B8C2C-66C4-43EC-B874-93B0310BD138}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{DF22DE71-AB2D-4FB9-AAAF-23287821A219}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{E06C8CE5-1EBF-42BE-9AA6-6D65E83F7171}
Successfully deleted: [Empty Folder] C:\Users\Dragan\appdata\local\{EFB7ED80-750E-429A-8131-DF267FDE12B0}



~~~ FireFox

Emptied folder: C:\Users\Dragan\AppData\Roaming\mozilla\firefox\profiles\t40gefcs.default\minidumps [2 files]



~~~ Chrome

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Google [Blacklisted Policy]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on ned 08.12.2013 at 17:46:43,08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #18 on: December 08, 2013, 05:52:15 PM »
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.8.3.24 / DB: 2013.12.8.1 / Windows 7 <<<


8.12.2013 17:51:28 > Drive G: - scan started (DRUG DRAGAN ~15194 MB, NTFS flash drive )...


>>> G:\New folder.lnk - Malware > Deleted. (13.12.08. 17.51 New folder.lnk.904247; MD5: ce076b3044d654c85275a0beb31fba41)

>>> G:\New folder (2).lnk - Malware > Deleted. (13.12.08. 17.51 New folder (2).lnk.900016; MD5: f5446c6497a98fc3e36819e8d9274447)

>>> G:\WinUsbDriver.vbs - Malware > Deleted. (13.12.08. 17.51 WinUsbDriver.vbs.210912; MD5: 80e49685d1ac8a3623dd78779820ae5a)

> Resetting attributes: G:\New folder < Successful.

> Resetting attributes: G:\New folder (2) < Successful.


=> Malicious files   : 3/3 deleted.
=> Hidden folders    : 2/2 unhidden.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #19 on: December 08, 2013, 06:02:33 PM »
OTL Final log

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #20 on: December 08, 2013, 06:03:38 PM »
Waiting for next instructions ...  ;D

Machiavelli

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #21 on: December 08, 2013, 08:28:14 PM »
I have posted instructions to my instructor. But while he is looking at my beautiful fix you can answer me one question: How is your PC running? Any issues?

zrex030

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #22 on: December 08, 2013, 08:41:44 PM »
PC is running fine :), and no more shortcuts appearing on the flash drive :) ...

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: wscript.exe infected shortcut virus
« Reply #23 on: December 08, 2013, 08:51:09 PM »
Quote
As Mach is in Germany, It might be a while till he gets online. Please be patient
From where do you know that I'm from Germany?


Your profile. Unless you lied about that. Same way I know MOST removers are from the UK somewhere like Essex
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: wscript.exe infected shortcut virus
« Reply #24 on: December 08, 2013, 08:55:18 PM »
Not every remover is from the UK. Jeffce is from the United States, I think.

I'm from Germany too.

Machiavelli is monitored by essexboy and he gets the instructions from him so it can take a while till you get an answer. ;)
« Last Edit: December 08, 2013, 09:30:52 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: wscript.exe infected shortcut virus
« Reply #25 on: December 08, 2013, 09:05:24 PM »
Quote
Not every remover is from the UK. Argus is from the United States i think.
then you think very wrong   ;)


Machiavelli

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #26 on: December 08, 2013, 09:28:53 PM »
Quote
Your profile. Unless you lied about that. Same way I know MOST removers are from the UK somewhere like Essex
Oh - OK. Alan, I sent a PM on GeeksToGo - because I'm not able to do it here.

Quote
Machiavelli is monitored by essexboy and he gets the instructions from him so it can take a while till you get an answer.
Nope.  I give a proposed fix for the user to my teacher(s) and Essexboy/Dakeyras say "Post!" or "Not Post!"

---

OTL Fix

  • Run OTL.
  • Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


Code:
:Commands
[CreateRestorePoint]

:OTL
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-743841737-3555611461-1389555401-1001..\Run: [QuickDTV] C:\Program Files (x86)\Trident 5600 Device\6000RMT.exe File not found
O4 - HKU\S-1-5-21-743841737-3555611461-1389555401-1001..\Run: [WinUsbDriver] wscript.exe //B "C:\Users\Dragan\AppData\Local\Temp\WinUsbDriver.vbs" File not found

:Commands
[EMPTYTEMP]
  • Click the Run Fix button.
  • After your computer has rebooted, run OTL and click Quick Scan.
  • Copy and paste the contents of the log that it produces into your next post.
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

ESET Online Scanner

Please disable your AntiVirus before doing these steps!

  • If you have Win Vista / Win 7 / Win 8 please start IE as Administrator!
  • This will only work for Internet Explorer
  • Please download ESET Online Scanner from here
How to do this?

  • Visit this website here
  • You will see a screen like this:


  • Click Run ESET Online Scanner



  • A Window will open (see above) - please click on the link
  • A window will pop up - please download the file to your Desktop
  • When the download has finished please run the program (Win Vista / Win7 / Win 8 users: please run it as Administrator)


  • Tick the box next to YES, I accept the Terms of Use then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.


  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Then click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.



  • After the scan is finished please click on Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
  • I want you to uninstall the following programs (XP: Start > Control Panel > Add/Remove Programs | Vista / Win7 / Win8: Start > Control Panel > Uninstall a program):
    • ESET Online Scanner
Security Check

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Question

How is the PC running? Any issues?
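
As an added example (not code from the thread or from any of the tools named in it), a read-only PowerShell audit covering the pattern in zrex030's MCShield log (a decoy "New folder.lnk" next to a hidden "New folder", WinUsbDriver.vbs at the drive root) and the O4 Run value the OTL fix above removes (wscript.exe //B launching a .vbs from Temp). The drive letter G: is taken from the log; the function names and the report-only behaviour are our assumptions.

```powershell
# Added example (not code from the thread): read-only audit for the
# shortcut-worm pattern shown in the MCShield and OTL output above.
# Assumptions: drive letter G: (from the MCShield log); function names are ours.

function Find-ShortcutWormIndicators {
    param([string]$Root = 'G:\')   # removable drive root to inspect

    $findings = New-Object System.Collections.Generic.List[object]
    $shell    = New-Object -ComObject WScript.Shell   # parses .lnk files, does not run them
    $hidden   = [IO.FileAttributes]::Hidden

    # 1. Script files at the drive root (the worm dropped WinUsbDriver.vbs here).
    Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.vbs', '.vbe', '.js', '.jse', '.wsf' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'ScriptAtRoot'; Path = $_.FullName; Detail = "$($_.Length) bytes" })
        }

    # 2. Hidden folders with a same-named .lnk beside them ("New folder" / "New folder.lnk").
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $hidden) -eq $hidden } |
        ForEach-Object {
            $lnk = Join-Path -Path $Root -ChildPath ($_.Name + '.lnk')
            if (Test-Path -LiteralPath $lnk) {
                $findings.Add([pscustomobject]@{ Type = 'DecoyShortcut'; Path = $lnk; Detail = "stands in for hidden folder $($_.FullName)" })
            }
        }

    # 3. Root-level .lnk files whose target is a script host or whose arguments name a script.
    Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sc = $shell.CreateShortcut($_.FullName)
            if ($sc.TargetPath -match '\\(wscript|cscript|cmd|powershell)\.exe$' -or
                $sc.Arguments  -match '\.(vbs|vbe|js|jse|wsf)\b') {
                $findings.Add([pscustomobject]@{ Type = 'ScriptLaunchingLnk'; Path = $_.FullName; Detail = "$($sc.TargetPath) $($sc.Arguments)" })
            }
        }
    return $findings
}

function Find-ScriptHostRunEntries {
    # Mirrors the O4 line the OTL fix removes: a Run value launching wscript.exe //B on a .vbs in Temp.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(wscript|cscript)\.exe' } |
        ForEach-Object {
            # Pull the script path out of the command line and check whether it still exists;
            # OTL reported "File not found" because the .vbs was gone but the Run value remained.
            $script  = [regex]::Match([string]$_.Value, '"([^"]+\.(vbs|vbe|js|jse|wsf))"|\S+\.(vbs|vbe|js|jse|wsf)').Value.Trim('"')
            $present = $null
            if ($script) { $present = Test-Path -LiteralPath $script }
            [pscustomobject]@{ Type = 'ScriptHostRunValue'; Path = "$runKey\$($_.Name)"; Detail = $_.Value; ScriptPresent = $present }
        }
}

Find-ShortcutWormIndicators | Format-Table -AutoSize
Find-ScriptHostRunEntries   | Format-Table -AutoSize
```

A Run value whose ScriptPresent is False is the leftover state the OTL log showed; one whose script is still present means the dropper has not yet been cleaned from the machine.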

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: wscript.exe infected shortcut virus
« Reply #27 on: December 08, 2013, 09:32:30 PM »
Machiavelli is monitored by essexboy and he gets the instructions from him so it can take a while till you get an answer.
Nope.  I give a proposed fix for the user to my teacher(s) and Essexboy/Dakeyras say "Post!" or "Not Post!"


I cannot know that 'cause I'm not the student here. ;)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: wscript.exe infected shortcut virus
« Reply #28 on: December 09, 2013, 09:22:00 PM »
Machiavelli is monitored by essexboy and he gets the instructions from him so it can take a while till you get an answer.
Nope.  I give a proposed fix for the user to my teacher(s) and Essexboy/Dakeyras say "Post!" or "Not Post!"


I cannot know that 'cause I'm not the student here. ;)

Mach is a student at G2G (GeekU) actually.

Just felt the need to post that. Mach, can you PM here now?

Machiavelli

  • Guest
Re: wscript.exe infected shortcut virus
« Reply #29 on: December 11, 2013, 08:55:04 PM »
Any problems with the instructions above?