Topic: wscript.exe infected?

REDACTED

  • Guest
wscript.exe infected?
« on: January 13, 2015, 02:53:25 AM »
Can someone please help me.  Avast tells me that it has blocked a harmful webpage or file (hxxp://openvpnn.ddns.net:49273/is-ready).

Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37599
  • Not a avast user
Re: wscript.exe infected?
« Reply #1 on: January 13, 2015, 03:31:43 PM »
Did it just happen one time when surfing?
Does it happen multiple times when surfing .... or when not doing anything?


REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #2 on: January 13, 2015, 04:11:03 PM »
Sorry if I wasn't clear.  It happens constantly, even when not doing anything.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: wscript.exe infected?
« Reply #3 on: January 13, 2015, 04:22:08 PM »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #4 on: January 13, 2015, 05:15:16 PM »
Ok. I will download the additional software and post the requested logs tonight.

Thank you.

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #5 on: January 14, 2015, 02:24:28 AM »
3 of the 4 log files are attached.

I'm still waiting for ASWMBR to finish scanning.  It appears to have stalled on "scanning: c:\users\Cory\Appdata\Local\Microsoft\Skydrive\Skydrive.exe"

It has been stuck there for 15 minutes.  Is that normal? How long should I let it run? Or should I stop the scan and save the log where it is?

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #6 on: January 14, 2015, 03:11:55 AM »
After running for almost an hour I clicked "Save Log".  The aswMBR log is attached.

Thanks again!

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #7 on: January 14, 2015, 12:14:07 PM »
My problem still hasn't gone away :(  Can anyone help me? Do you need more information?


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: wscript.exe infected?
« Reply #8 on: January 14, 2015, 01:12:43 PM »
No, just haven't had time to check....

The programs you ran (aswMBR, FRST etc) aren't fixit programs. They require programming to do that. I will notify an expert.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #9 on: January 14, 2015, 04:30:04 PM »
First you must uninstall Chrome; you can re-install it when we have finished.

Also, do you use flash drives?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Startup: C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsshell.vbs ()
SearchScopes: HKU\S-1-5-21-2661723367-4171544803-1169632980-1000 -> DefaultScope {6A1806CD-94D4-4689 URL =
2015-01-12 09:00 - 2015-01-12 09:00 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieUserList
2015-01-12 09:00 - 2015-01-12 09:00 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieSiteList
Task: {DB35A6B7-DB72-4E50-A1DF-EF2D9AB7FA76} - System32\Tasks\{21A20981-2497-4820-8CF0-837A48F98FB6} => I:\Install\setup32.exe <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.
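Why those two entries end up in the fixlist can be made mechanical. What follows is an added example, not code from this thread or from the FRST author: a small Python triage pass over FRST-style `Startup:` and `Task:` lines that flags the persistence patterns seen here, a script file in a user's Startup folder (run by wscript.exe at every logon), an entry with no publisher, a scheduled task named only by a GUID, and a task whose target sits on a drive other than C: (assumed here to be the system drive, as the paths quoted above suggest), which is what a flash-drive worm's persistence looks like. The first two sample lines are the ones quoted in the fixlist; the other two are constructed, benign-looking entries for contrast. The line formats are assumed from the entries quoted above.

```python
"""Triage FRST-style 'Startup:' and 'Task:' lines for the persistence patterns
seen in this thread. Added example; not FRST's own code and not from the thread."""
import ntpath
import re
from dataclasses import dataclass

# Extensions the Windows Script Host or cmd.exe runs directly at logon.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1"}
# Assumption: the system drive is C:, as in the paths quoted in the fixlist.
SYSTEM_DRIVE = "C"

# Sample input. Lines 1 and 2 are the entries quoted in the fixlist above;
# lines 3 and 4 are constructed, benign-looking entries for contrast.
SAMPLE_LINES = [
    r"Startup: C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsshell.vbs ()",
    r"Task: {DB35A6B7-DB72-4E50-A1DF-EF2D9AB7FA76} - System32\Tasks\{21A20981-2497-4820-8CF0-837A48F98FB6} => I:\Install\setup32.exe <==== ATTENTION",
    r"Startup: C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk (Microsoft Corporation)",
    r"Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-01-02] (Google Inc.)",
]

# Assumed line shapes: "Startup: <path> (<publisher>)" and
# "Task: {<id>} - <name> => <target> [<date>] (<publisher>) <==== ATTENTION"
# where the date, publisher and ATTENTION parts are optional.
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \((?P<publisher>[^)]*)\)\s*$")
TASK_RE = re.compile(
    r"^Task: \{(?P<task_id>[0-9A-Fa-f-]+)\} - (?P<name>.+?) => (?P<target>.+?)"
    r"(?: \[[^\]]*\])?(?: \((?P<publisher>[^)]*)\))?(?P<attention> <==== ATTENTION)?\s*$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the input lines
    rule: str
    detail: str


def _drive_letter(path):
    """Return the upper-case drive letter of a Windows path, or None."""
    m = re.match(r"([A-Za-z]):\\", path)
    return m.group(1).upper() if m else None


def _is_bare_guid(name):
    """True when a task is named by nothing but a {GUID}, a common malware habit."""
    return re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", name) is not None


def triage(lines):
    """Return a list of Finding objects for a sequence of FRST-style log lines."""
    findings = []
    for idx, raw in enumerate(lines, start=1):
        line = raw.strip()
        if "<==== ATTENTION" in line:
            findings.append(Finding(idx, "frst-attention", "line already marked by FRST"))
        m = STARTUP_RE.match(line)
        if m:
            path, publisher = m.group("path"), m.group("publisher")
            if ntpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append(Finding(idx, "startup-script",
                                        f"{ntpath.basename(path)} runs at logon via the script host"))
            if not publisher:
                findings.append(Finding(idx, "no-publisher", ntpath.basename(path)))
            continue
        m = TASK_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            short_name = name.rsplit("\\", 1)[-1]
            if _is_bare_guid(short_name):
                findings.append(Finding(idx, "task-guid-name", short_name))
            drive = _drive_letter(target)
            if drive and drive != SYSTEM_DRIVE:
                findings.append(Finding(idx, "task-nonsystem-drive", f"{target} (drive {drive}:)"))
            if not m.group("publisher"):
                findings.append(Finding(idx, "no-publisher", target))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The rules are deliberately coarse: an unsigned shortcut in Startup or a vendor task installed on D: will be flagged too. That is the right trade-off for a triage pass whose output a person then reviews, which is what the helper did here before writing the fixlist.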

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #10 on: January 15, 2015, 02:50:00 AM »
Google Chrome has been uninstalled.

I ran FRST with the provided script.  Fixlog.txt is attached.

This is a family computer shared by 5 people.  Yes, flash drives are occasionally used.

I will wait for your further instructions.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #11 on: January 15, 2015, 03:45:59 PM »
OK, protection time... A question: how is the computer behaving?

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick "unhide items on flash drives".

Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the Logs tab on the main page.

And post that.

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #12 on: January 15, 2015, 04:36:51 PM »
I actually didn't see any Avast "threat has been detected" warnings in the past day.

I don't know exactly which flash drive was used last on the computer, as it is shared with my kids and might have been from one of my daughter's friends.

I'm at work now, but will run MCShield scans on all the flash drives I have used when I get home.

The most critical thing for me, once the malware has been removed, is to get Chrome installed again.  Please let me know when I can. Thanks!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #13 on: January 15, 2015, 04:38:11 PM »
Yes, you can re-install Chrome now.  Also keep MCShield, as it will automatically monitor any USB inserted into the system and then clean it if it finds anything.


REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #14 on: January 16, 2015, 01:08:56 AM »
I installed MCShield and stuck in every USB drive I had available.  They all appear clean.  The one that I am suspicious of, my daughter left at school, so I can't test it yet.

Is my computer now clear of malware?  Like I said, the "threat has been detected" warning from Avast hasn't popped up since I ran the FRST script.

Please let me know if you think there is anything else I should run or other software I should install to prevent further infections.

Thanks!