Author Topic: Wscript.exe virus detected  (Read 10080 times)


LGVD

  • Guest
Re: Wscript.exe virus detected
« Reply #15 on: March 24, 2014, 10:34:32 PM »
ok here is the OTL log

edit: i just noticed that the last time i restarted my cpu the two wscript processes were gone, just gone... and the avast or the mcshield didn't accuse any viruses... my pc did not stop working... maybe it's fixed? that combofix program deleted a few files from C:\ maybe it deleted the virus?
« Last Edit: March 24, 2014, 10:46:32 PM by LGVD »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Wscript.exe virus detected
« Reply #16 on: March 24, 2014, 10:57:11 PM »
Nope, parts of it are still there. Fingers crossed this will kill all elements of it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-872251298-2058480501-4578285-1000..\Run: [fce] C:\Users\Dino Vieira\AppData\Roaming\eaf7\fce.js ()
O4 - Startup: C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js ()
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\Program Files\f5ff
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\eb40
[2014/03/24 17:31:19 | 000,000,000 | -HSD | C] -- C:\Users\Dino Vieira\AppData\Roaming\eaf7
[2014/03/24 18:00:58 | 000,048,226 | ---- | C] () -- C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js
[2014/03/24 18:00:58 | 000,048,226 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\a1a.js

:Files
C:\Users\Dino Vieira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Dino Vieira\AppData\Roaming\eaf7

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
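The fix in the post above targets three things visible in the OTL log: script files registered as autoruns, hidden+system directories with short hex names, and .js files dropped in Startup folders. The sketch below is an added example, not part of the original post and not an OTL feature; it flags the same pattern in log text, and the regexes assume the line shapes quoted in the fix, with sample lines that are constructed.

```python
import re

# Extensions that Windows Script Host (wscript.exe / cscript.exe) will run.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Short hex folder names such as the ones listed in the fix (assumed heuristic).
HEX_NAME = re.compile(r"[0-9a-f]{3,8}")
# Autorun line: "O4 - <location>: [name] <path> (<vendor>)"; [name] is optional.
O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \((?P<vendor>.*)\)$")
# File line: "[timestamp | size | attrs | C] (vendor) -- <path>"; (vendor) is optional.
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] "
    r"(?:\(.*?\) )?-- (?P<path>.+)$")

# Constructed sample lines in the same shape as the log excerpt (not real data).
SAMPLE = r"""O4 - HKLM..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe (Example Vendor)
O4 - HKU\S-1-5-21-0-0-0-1000..\Run: [abc] C:\Users\user\AppData\Roaming\12ab\abc.js ()
O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4d.js ()
[2014/01/01 10:00:00 | 000,000,000 | -HSD | C] -- C:\Users\user\AppData\Roaming\12ab
[2014/01/01 10:00:00 | 000,000,000 | ---D | C] -- C:\Users\user\Documents\Reports
[2014/01/01 10:05:00 | 000,048,000 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\d4d.js
"""

def triage(log_text):
    """Return (reason, path) pairs for lines matching the persistence pattern."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            # An autorun that points at a script file runs under wscript.exe at logon.
            if m["path"].lower().endswith(SCRIPT_EXT):
                hits.append(("script-autorun", m["path"]))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attrs = m["path"], m["attrs"]
        leaf = path.rsplit("\\", 1)[-1].lower()
        if {"H", "S", "D"} <= set(attrs) and HEX_NAME.fullmatch(leaf):
            hits.append(("hidden-system-hex-dir", path))
        elif leaf.endswith(SCRIPT_EXT) and "\\startup\\" in path.lower():
            hits.append(("script-in-startup", path))
    return hits

if __name__ == "__main__":
    for reason, path in triage(SAMPLE):
        print(f"{reason:24} {path}")
```

A hit is a prompt for manual review of that entry, not a verdict; legitimate logon scripts match the first rule too.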

LGVD

  • Guest
Re: Wscript.exe virus detected
« Reply #17 on: March 24, 2014, 11:04:34 PM »
there you go (again restarted the cpu, no virus alerts, no shortcuts on my pendrive and mcshield says it's clean)



Offline essexboy

Re: Wscript.exe virus detected
« Reply #18 on: March 24, 2014, 11:06:32 PM »
OK how is it behaving now ?

LGVD

  • Guest
Re: Wscript.exe virus detected
« Reply #19 on: March 24, 2014, 11:16:18 PM »
no more random virus alerts... the processes called Wscript are gone (i'm using taskmanager to check), no more shortcuts... i think that's it...


by the way, in case i have to use that school cpu again and my flashdrive gets the virus, what should i do?

if the virus is on the flashdrive how can i clean it without it passing to my cpu?

Offline essexboy

Re: Wscript.exe virus detected
« Reply #20 on: March 24, 2014, 11:20:37 PM »
I have passed the data on to the author of MCShield so he will probably make some adjustments to the programme

Keep MCShield installed and running (it is very, very lightweight) and as long as you have autoupdates set it should protect you against any USB malware 

I would also get the school to clean that computer up, who knows how many it has infected.. 

If all is still well tomorrow let me know and I will tidy up my rubbish :)

LGVD

  • Guest
Re: Wscript.exe virus detected
« Reply #21 on: March 25, 2014, 04:20:24 PM »
2nd and still nothing... no virus warnings, no strange background .exe files being executed while i'm on desktop... looks like it's gone for good... thank you man, you really saved me here  ;D

Offline essexboy

Re: Wscript.exe virus detected
« Reply #22 on: March 25, 2014, 04:25:29 PM »
In that case methinks I will send you on your merry way :)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices. Keep safe  :wave:

LGVD

  • Guest
Re: Wscript.exe virus detected
« Reply #23 on: March 29, 2014, 10:31:40 AM »
looks like it's finally over... it's been a long time since i had any virus alerts... everything is back to normal and even my restore point is not fully working

thank you man, you're probably getting paid to do this job but still... you're doing it the right way  8)

Offline essexboy

Re: Wscript.exe virus detected
« Reply #24 on: March 29, 2014, 01:24:23 PM »
Nope 'tis all voluntary :)  Enjoy