New problems - wscript.exe error

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by viajera, Jul 12, 2008.

  1. viajera

    viajera Private E-2

    Well chaslang I made it almost a month with no problems after all your help!!! Unfortunately I've hit a bump in the road. It all started after I updated Windows to SP3. Things just haven't been the same...

    I started getting wscript.exe warnings (they come in twos) from Online Armor every time I used Outlook Express. The warning tells me that the file says its name is windows32 wscript.exe but that it contains the same data as windows32 wscript.exe. I keep blocking them and they keep coming back. I ran Spyware Doctor and Malwarebytes but they didn't show anything.

    Thursday night I went onto Myspace (against my better judgement, but we're trying to find an old friend) and as soon as I opened a page I thought might be hers, my browser started trying to open "about:" and then dozens of sessions opened with connection failures. I had to hard reboot to get out.

    I ran Spyware Doctor again and it found backdoor.vb.ays and Trojan-PWS.Bancos. Stupidly I hit "more info" and SD attempted to launch explorer but I had turned off the modem. It started launching millions of browsers again and I wasn't able to get out without hard reboot again. Spyware Doctor reported that those infections were quarantined but I didn't feel confident since the process didn't end normally.

    I went through all the Malware Removal FAQ steps. At some point during this process I started to receive warnings that a process wanted to redirect certain websites, saying if I typed "www.blahblah" (one of these was something like www.sex-101) it would redirect to a URL which was located in LOCALHOST. I blocked all this action but I'm quite alarmed at this point.

    I appreciate your advice! Logs attached.
     


  2. viajera

    viajera Private E-2

    Remaining logs

    Last two attached.
     


  3. viajera

    viajera Private E-2

    Clarification on wscript.exe error

    My note was vague.
    The warning states that it's identifying itself as
    c:\WINDOWS\system32\wscript.exe but that it contains the same data as
    c:\WINDOWS\system32\wscript.exe
    That is confusing to me...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I moved your new messages into a new thread. New problems or new PC should always be a new thread.

    wscript.exe is not malware. It is part of Windows. See: http://www.liutilities.com/products/wintaskspro/processlibrary/wscript/

    When you install new software, you need to again allow things to have access thru firewalls. Even if you updated a program like Firefox, the new firefox.exe would still require approval since it is not the same file.

    You should not be blocking loopback of malware URLs to localhost. This is what programs like Spybot and many others add to your hosts file to protect you.

    Your logs are clean.
     
    Last edited: Jul 12, 2008
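
Added example (not part of the original thread and not chaslang's code): a small Python audit of a hosts file that separates the protective loopback entries described above from entries that point a name at some other address, which are the ones worth a closer look. The sample file, its host names and the function name `classify_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the poster's logs).
SAMPLE_HOSTS = """\
# constructed sample for illustration
127.0.0.1       localhost
127.0.0.1       www.blocked-example.test   # added by an immunizer
0.0.0.0         ads.blocked-example.test tracker.blocked-example.test
::1             localhost
203.0.113.7     www.bank-example.test      # points a real name elsewhere
not-an-ip       broken.line.test
"""

def classify_hosts(text):
    """Sort hosts entries into sinkholed names, redirects and malformed lines."""
    report = {"sinkholed": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        if len(fields) < 2:                      # address with no host name
            report["malformed"].append((lineno, raw.strip()))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                # 127.0.0.1, ::1 or 0.0.0.0: the name resolves to nothing
                # useful, which is how blocklist tools neutralize it.
                if name != "localhost":          # the stock entry is not a block
                    report["sinkholed"].append(name)
            else:
                # A name mapped to any other address overrides DNS for it.
                report["redirected"].append((name, str(addr)))
    return report

if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print("blocked via loopback:", result["sinkholed"])
    print("review these redirects:", result["redirected"])
    print("unparsable lines:", result["malformed"])
```

On Windows XP the file to pass in is `C:\WINDOWS\system32\drivers\etc\hosts`; a long `sinkholed` list with an empty `redirected` list matches the benign case described in the post above.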
  5. viajera

    viajera Private E-2

    Okay, thank you again and sorry for the posting faux pas. I was on the fence about whether I should start a new thread or not, but now I know. Since I was getting red alerts advising me to block the wscript.exe, I googled it but what I learned was confusing. I'll go back and figure out what I have blocked that causes it to ask me every time. Also, thanks for the info on looping. I will sleep better :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    It is not a matter of what you have blocked. It is normally a matter of answering your firewall properly. With firewalls you can tell them to do something one time only or you can tell them to do something and always take the same action automatically without asking you again. So to stop it from asking you the same question over and over, tell it what action you want it to take and look for a check box or option that says something like "Always take the same action".
     
