Author Topic: wscript.exe infected?  (Read 17377 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #30 on: January 19, 2015, 08:42:26 PM »
No... do you think it is gone? do you know what was the culprit?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #31 on: January 19, 2015, 09:01:24 PM »
It appears to have been downloaded from your chrome synch and I missed it the second time it did that

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #32 on: January 19, 2015, 09:02:44 PM »
Ok thank you. I will be more vigilant about installing chrome extensions going forward.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #33 on: January 19, 2015, 09:14:18 PM »
Run delfix again to remove the tools :)

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #34 on: January 19, 2015, 11:01:03 PM »
Unfortunately,after a few hours the alert has returned.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #35 on: January 19, 2015, 11:17:21 PM »
Do you have an external drive or a USB that you are plugging in ?

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #36 on: January 20, 2015, 12:12:08 AM »
There are external drives permanently connected to the computer, but none were added between the time I ran the last scan and/or fix and the time the alert re-appeared.

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #37 on: January 20, 2015, 12:24:04 PM »
I think the problem might have been that I didn't completely remove chrome from each user profile.  I uninstalled chrome again, then manually deleted each C:\Users\[USERNAME]\AppData\Local\Google\Chrome\User Data folder.

Then I re-installed chrome from scratch.  Took me a while to manually add back each of the family member's bookmarks, but so far no more alerts.

Let me know if there is any other scan you would like to see to confirm my pc is now clean.

Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #38 on: January 20, 2015, 04:28:49 PM »
You can run a fresh FRST if you wish :)

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #39 on: January 20, 2015, 05:21:02 PM »
Latest FRST logs attached.

Thanks again!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #40 on: January 20, 2015, 06:47:21 PM »
User cory is the one that is being reinfected

I will remove the mountpoints (they will be recreated when needed) just in case

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1000\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1003\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1004\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1005\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {6dd5e860-2b15-11e4-bc42-534e57000000} - I:\Splash.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {e7b0e1ba-5734-11e4-b3f4-534e57000000} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL L:\start.exe
HKU\S-1-5-21-2661723367-4171544803-1169632980-1006\...\MountPoints2: {eb350a3b-7d4e-11e4-b234-534e57000000} - L:\Splash.exe
Startup: C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsshell.vbs ()
2015-01-19 16:08 - 2015-01-19 16:08 - 00000000 __SHD () C:\Users\Maya\AppData\Local\EmieUserList
2015-01-19 16:08 - 2015-01-19 16:08 - 00000000 __SHD () C:\Users\Maya\AppData\Local\EmieSiteList
2015-01-19 14:17 - 2015-01-20 09:43 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieUserList
2015-01-19 14:17 - 2015-01-20 09:43 - 00000000 __SHD () C:\Users\Deborah\AppData\Local\EmieSiteList
2015-01-15 19:42 - 2015-01-15 19:42 - 00003891 _____ () C:\ads_err.adt
2015-01-15 19:42 - 2015-01-15 19:42 - 00003072 _____ () C:\ads_err.adi
2015-01-15 19:42 - 2015-01-15 19:42 - 00002048 _____ () C:\ads_err.adm
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #41 on: January 20, 2015, 08:24:14 PM »
Ran FRST again.  Log is attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #42 on: January 20, 2015, 08:34:57 PM »
How is it now ?

REDACTED

  • Guest
Re: wscript.exe infected?
« Reply #43 on: January 20, 2015, 08:59:56 PM »
No more alerts, but they stopped for almost a day earlier.  I can't say for sure that the problem is gone, but there is no indication of any problem at the moment!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: wscript.exe infected?
« Reply #44 on: January 20, 2015, 09:22:37 PM »
OK lets wait for a day then