Author Topic: WSCRIPT/WINLOGON.exe virus please help :(  (Read 6268 times)


REDACTED

  • Guest
WSCRIPT/WINLOGON.exe virus please help :(
« on: September 21, 2014, 02:35:21 PM »
Hi all,

I need your help...

First, all files on my USB drive became shortcuts, and I double-clicked it. At that moment I only had a local antivirus named Smadav. It said it cleaned them, but yeah.... I think my laptop is still infected.

Then I downloaded Avast, and it kept saying there was a virus; the process was ".........../wscript.exe" (sorry, I forgot where the "........." was).
I've tried:
a. Downloading many antiviruses, scanning my laptop and my USB (the virus on the USB could not be deleted), formatting my USB drive, copying some files to the USB drive, unplugging it and plugging it in again; after a while the files became shortcuts again.

b. Opening Task Manager and ending the wscript.exe process, then finding wscript.exe; I couldn't delete it because I'm not TrustedInstaller, so I changed the ownership to Administrator and still couldn't delete it.

Then I kept downloading antiviruses and scanning my laptop, and found your thread.
After I scanned my laptop with MBAM, FRST, and aswMBR, my internet connection became really, really slow and couldn't connect me to any website at all.
Before it couldn't connect me to any websites on any browser (I tried Chrome, IE and Firefox), I used the LAN connection to become a WiFi router via Connectify Hotspot and connected to the WiFi from my phone,
and when it couldn't connect me to any websites on any browser, my phone was still connected and I could browse with my phone nicely.
.... I tried data tethering from my phone's mobile connection, and my laptop still couldn't connect to any website at all.....

After that I checked my Task Manager, and also found some processes whose username and description columns were blank; the screenshots are attached (in my next post).

Then I full-scanned with Avast again; it just found viruses on my hard disk E:/, which were not wscript/vbs etc..
Boot-time scanned with Avast again, and the result was still the same....

Re-installed Google Chrome and suddenly the internet connects again,
but I'm still afraid the viruses are still there on my laptop..


Please please help me :(
I attached the latest logs (scanned just now).. Thank you so much!
« Last Edit: September 21, 2014, 06:42:07 PM by glimmeringsunflower »

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #1 on: September 21, 2014, 02:36:43 PM »
Quote
After that I checked my Task Manager, and also found some processes whose username and description columns were blank; the screenshots are attached (in my next post).

Here are the screenshots..


Again, thank you so much!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #2 on: September 21, 2014, 05:06:48 PM »
You have at least 3 and maybe 4 antiviruses on your system; you must uninstall them until only one remains.

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Code:
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\Run: [AdobeBridge] => [X] 
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: G - G:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: K - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: L - L:\Setup.exe /Auto
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {0df029d3-3890-11e3-a546-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {0df029de-3890-11e3-a546-dc85de3cf568} - L:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {1555d196-6ed2-11e3-9f37-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {1ffc4e04-b64a-11e2-9cd2-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {25b61ec6-7302-11e3-b686-001e101f9843} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {47bc133f-49e1-11e3-9dae-dc85de3cf568} - K:\Startme.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {69120bd4-cac1-11e3-8751-dc85de3cf568} - L:\LaunchU3.exe -a
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {8fd3a5ef-7ac1-11e3-8733-dc85de3cf568} - L:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {9478c96c-e09c-11e2-b967-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {97a5ca53-6f92-11e3-80e7-806e6f6e6963} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {97a5caa8-6f92-11e3-80e7-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {97a5caaf-6f92-11e3-80e7-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {9e69c120-84e9-11e3-943c-dc85de3cf568} - L:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {b0724b1e-7a77-11e3-9759-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {b24cf136-3425-11e3-b3e7-dc85de3cf568} - K:\Setup.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {b95c8383-4534-11e2-932d-dc85de3cf568} - I:\Autorun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {b9ef1f1e-7e8c-11e3-9d76-001e101f63cf} - L:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {b9ef1f2e-7e8c-11e3-9d76-001e101f63cf} - M:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {bcabbe18-4aa4-11e2-8e27-dc85de3cf568} - G:\Setup.exe /Auto
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {c557e580-76ef-11e3-bd6f-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {d90e41c8-3714-11e2-9677-806e6f6e6963} - F:\InstAll.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1000\...\MountPoints2: {fccaa1f7-b63b-11e2-ae94-dc85de3cf568} - K:\AutoRun.exe
HKU\S-1-5-21-3356007612-1831039974-1725718383-1001\...\MountPoints2: {d90e41c8-3714-11e2-9677-806e6f6e6963} - F:\InstAll.exe
SearchScopes: HKCU - {CBE0FB39-3E29-46E9-AF1B-ED116FE4FD3C} URL = http://searchou.com/?q={searchTerms}&id=52337020000000000000fe85de3b6ec8&r=375
FF DefaultSearchEngine: user_pref("browser.search.defaultenginename", "");
FF SearchEngineOrder.1: qvo6
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF Plugin HKCU: @catalinahub.com/CatalinaGroup Update;version=3 -> C:\Users\Astrid\AppData\Local\CatalinaGroup\Update\1.3.25.203\npCatalinaUpdate3.dll (Catalina Group Ltd.)
FF Plugin HKCU: @catalinahub.com/CatalinaGroup Update;version=9 -> C:\Users\Astrid\AppData\Local\CatalinaGroup\Update\1.3.25.203\npCatalinaUpdate3.dll (Catalina Group Ltd.)
FF user.js: detected! => C:\Users\Astrid\AppData\Roaming\Mozilla\Firefox\Profiles\r9zn0o68.default-1366835723783\user.js
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-09-20 22:04 - 2014-09-20 22:05 - 15568184 _____ (Elex do Brasil Participações Ltda) C:\Users\Astrid\Desktop\yet_another_cleaner_sk.exe
2014-09-09 01:51 - 2014-09-09 01:51 - 00000000 ____D () C:\Program Files (x86)\ExstraCCoUpoN
2014-09-09 01:39 - 2014-09-09 01:39 - 00003226 _____ () C:\Windows\System32\Tasks\{48A38042-562C-4FC2-B7C4-12DDB01B18CD}
2014-09-09 01:39 - 2014-09-09 01:39 - 00000000 ____D () C:\Program Files (x86)\DigIICouupon
2014-09-09 01:26 - 2014-09-09 01:43 - 00000000 ____D () C:\ProgramData\NoExtCoup
2014-09-09 01:26 - 2014-09-09 01:39 - 00000000 ____D () C:\Program Files (x86)\NoExtCoup
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\RooboSaveru
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\RegularDDeals
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\FFuNN2Suave
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\EnnjooYCoupon
2014-09-08 18:53 - 2014-09-08 18:53 - 00000000 ____D () C:\ProgramData\pinilaikhollbigoilojijhojbmmdfed
2014-09-07 19:48 - 2014-09-09 01:28 - 00000000 ____D () C:\ProgramData\RegularDDeals
2014-09-05 19:12 - 2014-09-20 18:31 - 00000000 ____D () C:\ProgramData\Trusted Publisher
2014-09-17 19:40 - 2013-09-26 03:49 - 00000000 ____D () C:\ProgramData\DoWnload kkeePer
2014-09-09 15:42 - 2014-06-12 21:00 - 00000000 ____D () C:\ProgramData\ExstraCCoUpoN
2014-09-09 01:51 - 2014-09-09 01:51 - 00000000 ____D () C:\Program Files (x86)\ExstraCCoUpoN
2014-09-09 01:51 - 2014-03-07 02:45 - 00000000 ____D () C:\ProgramData\80de2c568919b49e
2014-09-09 01:43 - 2014-09-09 01:26 - 00000000 ____D () C:\ProgramData\NoExtCoup
2014-09-09 01:43 - 2014-06-11 23:05 - 00000000 ____D () C:\ProgramData\DigIICouupon
2014-09-09 01:39 - 2014-09-09 01:39 - 00003226 _____ () C:\Windows\System32\Tasks\{48A38042-562C-4FC2-B7C4-12DDB01B18CD}
2014-09-09 01:39 - 2014-09-09 01:39 - 00000000 ____D () C:\Program Files (x86)\DigIICouupon
2014-09-09 01:39 - 2014-09-09 01:26 - 00000000 ____D () C:\Program Files (x86)\NoExtCoup
2014-09-09 01:28 - 2014-09-07 19:48 - 00000000 ____D () C:\ProgramData\RegularDDeals
2014-09-09 01:28 - 2014-08-09 01:31 - 00000000 ____D () C:\ProgramData\EnnjooYCoupon
2014-09-09 01:28 - 2014-07-05 11:48 - 00000000 ____D () C:\ProgramData\RooboSaveru
2014-09-09 01:28 - 2014-07-05 11:48 - 00000000 ____D () C:\ProgramData\FFuNN2Suave
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\RooboSaveru
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\RegularDDeals
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\FFuNN2Suave
2014-09-09 01:23 - 2014-09-09 01:23 - 00000000 ____D () C:\Program Files (x86)\EnnjooYCoupon
Task: {4201255A-6B2E-4E16-AA95-D7ECDC57B3C4} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION
Task: {AE63A146-4660-4BF3-A22B-1E90222AF0CE} - \Express FilesUpdate No Task File <==== ATTENTION
Task: {B4E78D45-AFDF-4D81-A747-23E16DD4D3DE} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline No Task File <==== ATTENTION
Task: {DF4DD2F4-72BD-4F66-8FB4-4307E754EC9B} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask No Task File <==== ATTENTION
Task: {F6248B98-51D3-4EA2-9765-638E5D2C8973} - \Driver Booster Update No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Microsoft:AeRiLlzIZ7DLwgomYHQqW
AlternateDataStreams: C:\ProgramData\Microsoft:hKXOomHS07VEgsclHoxFkPVN
AlternateDataStreams: C:\ProgramData\Temp:1CE11B51
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\ProgramData\Temp:A1EDB939
AlternateDataStreams: C:\Users\Astrid\Local Settings:jpjZ95FMb9SFlbuIT3jUjSg3er
AlternateDataStreams: C:\Users\Astrid\Local Settings:QhbGDCkr4jvTSiUiJM
AlternateDataStreams: C:\Users\Astrid\Desktop\aswmbr.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Desktop\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Desktop\googledrivesync.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Desktop\mbam-setup-2.0.2.1012.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Desktop\MCShield-Setup.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Desktop\yet_another_cleaner_sk.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Downloads\avira_en_av___ws.exe:BDU
AlternateDataStreams: C:\Users\Astrid\Downloads\HitmanPro_x64.exe:BDU
AlternateDataStreams: C:\Users\Astrid\AppData\Local:jpjZ95FMb9SFlbuIT3jUjSg3er
AlternateDataStreams: C:\Users\Astrid\AppData\Local:QhbGDCkr4jvTSiUiJM
AlternateDataStreams: C:\Users\Astrid\AppData\Local\2KJtFPuRedVrRP:KQe0ecU4tkuzd6nvuQ
AlternateDataStreams: C:\Users\Astrid\AppData\Local\Application Data:jpjZ95FMb9SFlbuIT3jUjSg3er
AlternateDataStreams: C:\Users\Astrid\AppData\Local\Application Data:QhbGDCkr4jvTSiUiJM
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #3 on: September 21, 2014, 06:05:44 PM »
Hi,

By 'uninstall antivirus until only one remains', did you mean I should uninstall MBAM, FRST and aswMBR too?

thanks!

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #4 on: September 21, 2014, 08:16:53 PM »
Hi,

Here are the logs..

thank you!

Offline essexboy

Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #5 on: September 21, 2014, 09:00:20 PM »
Bitdefender Antivirus Plus 2015
avast! Free Antivirus
Smadav
IObit
These are antiviruses.

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
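As an added illustration of what the two fixlists in this thread contain (the MountPoints2, task, alternate-data-stream and command entries in Reply #2, and the Winsock catalog entries in Reply #5), here is a small parser for the FRST fixlist line formats used in them. It is example code written for this page, not FRST's or the forum's own code; the sample lines are constructed from the formats shown above with a placeholder SID, and the record field names are my own. It separates the autorun commands that removable volumes left cached under MountPoints2, orphaned scheduled tasks, alternate data streams, and the Winsock catalog entries whose LibraryPath FRST restores, which is what a triager wants to see before approving such a fix.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the FRST fixlist format used in this thread (the SID is a placeholder).
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-PLACEHOLDER-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-PLACEHOLDER-1000\...\MountPoints2: G - G:\AutoRun.exe
HKU\S-1-5-21-PLACEHOLDER-1000\...\MountPoints2: L - L:\Setup.exe /Auto
HKU\S-1-5-21-PLACEHOLDER-1000\...\MountPoints2: {0df029d3-3890-11e3-a546-dc85de3cf568} - K:\AutoRun.exe
Task: {4201255A-6B2E-4E16-AA95-D7ECDC57B3C4} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION
Task: {F6248B98-51D3-4EA2-9765-638E5D2C8973} - \Driver Booster Update No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:1CE11B51
AlternateDataStreams: C:\Users\Astrid\Desktop\FRST64.exe:BDU
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

MOUNTPOINT_RE = re.compile(r"^HKU\\(?P<sid>[^\\]+)\\\.\.\.\\MountPoints2: (?P<key>\S+) - (?P<command>.+)$")
RUN_RE = re.compile(r"^HKU\\(?P<sid>[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.+)$")
TASK_RE = re.compile(r"^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+?)(?: <==== ATTENTION)?$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\]+)$")
WINSOCK_RE = re.compile(
    r'^Winsock: (?P<catalog>\S+) (?P<index>\d+) (?P<dll>\S+) File Not found \(\) '
    r'ATTENTION: The LibraryPath should be "(?P<expected>[^"]+)"$'
)


@dataclass
class Entry:
    kind: str            # mountpoints2 | run | task | ads | winsock | cmd | directive | other
    raw: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Entry:
    """Classify one fixlist line and pull out the parts a triage needs."""
    line = line.strip()
    if m := MOUNTPOINT_RE.match(line):
        # MountPoints2 caches the autorun command a removable volume advertised;
        # the key is either the drive letter or the volume GUID.
        drive, sep, rest = m["command"].partition(":\\")
        if not sep:
            drive, rest = "", m["command"]
        program = rest.split()[0] if rest else ""
        return Entry("mountpoints2", line,
                     {"sid": m["sid"], "key": m["key"], "drive": drive, "program": program})
    if m := RUN_RE.match(line):
        # "[X]" is FRST's marker for a Run value whose target file no longer exists.
        return Entry("run", line,
                     {"name": m["name"], "target": m["target"], "missing": m["target"] == "[X]"})
    if m := TASK_RE.match(line):
        rest = m["rest"]
        orphan = rest.endswith("No Task File")     # task registered but its XML file is gone
        name, _, target = (rest[: -len(" No Task File")] if orphan else rest).partition(" => ")
        return Entry("task", line, {"guid": m["guid"], "name": name, "target": target, "orphan": orphan})
    if m := ADS_RE.match(line):
        return Entry("ads", line, {"path": m["path"], "stream": m["stream"]})
    if m := WINSOCK_RE.match(line):
        return Entry("winsock", line,
                     {"catalog": m["catalog"], "index": int(m["index"]), "expected": m["expected"]})
    if line.startswith("CMD: "):
        return Entry("cmd", line, {"command": line[len("CMD: "):]})
    if line.endswith(":") and " " not in line:
        return Entry("directive", line, {"name": line[:-1]})
    return Entry("other", line, {"prefix": line.split(":", 1)[0]})


def parse_fixlist(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries) -> dict:
    """Count entries per kind so the size of each fix category is visible at a glance."""
    return dict(Counter(e.kind for e in entries))


def autorun_programs(entries) -> list:
    """Distinct programs that removable volumes registered for autorun (sorted)."""
    return sorted({e.fields["program"] for e in entries if e.kind == "mountpoints2"})


def winsock_repairs(entries) -> list:
    """(catalog, index, expected LibraryPath) for each catalog entry FRST wants restored."""
    return [(e.fields["catalog"], e.fields["index"], e.fields["expected"])
            for e in entries if e.kind == "winsock"]


if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    print(summarize(parsed))
    print("autorun programs:", autorun_programs(parsed))
    for cat, idx, path in winsock_repairs(parsed):
        print(f"Winsock {cat} #{idx:02d} -> {path}")
```

Run it on a saved fixlist by passing the file contents to parse_fixlist; unknown line types are kept as kind "other" rather than dropped, so nothing in the list is silently ignored.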

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #6 on: September 21, 2014, 10:12:01 PM »
Oh, I see.. I've uninstalled them just now; now there's only one antivirus on my laptop.

Here's the log..

thanks a bunch!

Offline essexboy

Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #7 on: September 21, 2014, 10:35:51 PM »
Any further problems ?

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #8 on: September 22, 2014, 11:30:28 AM »
Sorry sir.. may I ask you some questions?

1. Does that mean my computer is now virus-free? wscript.exe etc.?
Because I'm going to copy some data from my external HDD and I'm afraid to do it because of the virus.. there's so much important data there..

2. Are the programs I screenshotted yesterday not harmful? Because they're still there in the Task Manager..

3. Am I only allowed to have 1 antivirus on my laptop?

Thank you so much! :)
« Last Edit: September 22, 2014, 11:32:47 AM by glimmeringsunflower »

Offline essexboy

Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #9 on: September 22, 2014, 03:24:31 PM »

1. Does that mean my computer is now virus-free? wscript.exe etc.? Because I'm going to copy some data from my external HDD and I'm afraid to do it because of the virus.. there's so much important data there..
It looks good to me

2. Are the programs I screenshotted yesterday not harmful? Because they're still there in the Task Manager..
They are all legitimate

3. Am I only allowed to have 1 antivirus on my laptop?
Multiple antiviruses will fight over analysing files and will cause unusual behaviour

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so.. The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave:

REDACTED

  • Guest
Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #10 on: September 22, 2014, 04:59:19 PM »
thank you SO MUCH!
may God bless you sir :')
have a nice day!

Offline essexboy

Re: WSCRIPT/WINLOGON.exe virus please help :(
« Reply #11 on: September 22, 2014, 05:17:57 PM »
My pleasure :)