Windows Script Host error...malware related?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Flathorlin, Jun 30, 2008.

  1. Flathorlin

    Flathorlin Private E-2

My sister's laptop recently started having a message pop up called "Windows Script Host" and it says: Can not find script file "C:\Documents and Settings\Marbie\Local Settings\Temp\.tt2.tmp.vbs"
    And when she clicks the "OK" button, the computer goes to a greyish black screen that has some weird script line and tells her to restart her computer. Then it automatically restarts without her doing anything. Once it restarts it goes to a blue screen that has an error message with some script lines and it restarts again. And again..and keeps doing that, each time with a new script line thing. Is this malware or is it something else? I ran a couple anti-virus scans on it and got rid of a lot of viruses and infected objects..and also came across something called "NotHarmful.Sysinternals Bluescreen Screen Saver" after running the Super Antispyware scan..which might have something to do with it. I've also attached a screenshot of the Windows Script Host error along with the logs...

    Hope y'all can help me out!
    Thanks!
    -John
     


  2. Flathorlin

    Flathorlin Private E-2

    Here's the ComboFix.txt and the MGlogs.zip.
     


  3. abri

    abri MajorGeek

    Hi Flathorlin,
    Welcome to the Malware Forum!


    I'm looking at your logs and will post you a set of instructions. This takes some time, so thanks for being patient. For my information, how were you able to run the scans if it is in this loop that it keeps rebooting itself in connection with the error message? Did you just leave the error there? Can you use the computer if you don't click on okay in that message? Is it still there?

    abri?
     
  4. Flathorlin

    Flathorlin Private E-2

    Well, when it got stuck in the loop, I held down the startup/on button and after a couple seconds the computer turned off. Then I turned it back on, and was able to run the scans. The error message seems to popup after you quit doing any active things on the computer (like browsing the web or running scans) and you just leave the computer on. Then it pops up randomly.

    And also if I don't click "OK" in the error message, I can continue my work on the computer...but once I do click "OK" it starts that loop.

    Nope, I shut down the computer after running all those scans and getting the logs so the error isn't there right now.
     
  5. Flathorlin

    Flathorlin Private E-2

    Quick update: I've left her computer on for about 3 hours now..and nothing has happened, so maybe I somehow got rid of whatever was causing the error yesterday when I ran all those scans.

    Hope that sorta helps
    -John
     
  6. abri

    abri MajorGeek

    Hi Flathorlin,


    1) Here's some information about what you've got:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_INETINFO.A&VSect=T

    You can look for the file they mention by going to Start / Run and typing in regedit and clicking on okay. Then follow the pathway for this file:

    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
    {7B87A1E1-481A-47A5-B58F-BB1430DCC930}


    I don't know if you'll find it or not. If you do, just tell me and I'll have you delete it using Combofix.

    2) Do you know what the following file is from 11th of May? (Do not click on it or try to open it if you don't know what it is. You can right-click on it to look at the properties for more information.)

    C:\GBOOK.ENV


    3) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm or C:\sqmdata10.sqm


    4) Next go to add/remove programs and uninstall the below:

    - Viewpoint Media Player
    - J2SE Runtime Environment 5.0 Update 6
    - Java(TM) 6 Update 3
    - Java(TM) 6 Update 5



    5) Reboot after uninstalling the above.

    6) Install the current version of Sun Java from: Sun Java Runtime Environment


    7) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    8) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    After you click fix, just close hijackthis.

    9) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    mmfucil
    lxdcjswa
    sisbkipf
    sqlwlaph
    msacbzj
    sirenacq
    ipnajhlp
    sirenacq
    sqlwlaph
    
    FILE::
    C:\WINDOWS\system32\mmfucil.dat
    C:\WINDOWS\system32\lxdcjswa.dat
    C:\WINDOWS\system32\sisbkipf.dat
    C:\win32.bak
    C:\WINDOWS\system32\sqlwlaph.dat
    C:\WINDOWS\system32\msacbzj.dat
    C:\WINDOWS\system32\sirenacq.dat
    C:\WINDOWS\system32\ipnajhlp.dat
    C:\WINDOWS\system32\sirenacq.dIl
    C:\WINDOWS\system32\sqlwlaph.dat
    C:\WINDOWS\system32\1.tmp
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sirenacq]
    [-HKEY_CLASSES_ROOT\CLSID\{B5D54C32-4CAC-797F-4F4B-F0F7D14B5A3B}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    10) Now run CCleaner at the default setting with the Windows tab as the top one.

    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
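One way a defender could re-check the registry locations and files that the instructions above touch, after the cleanup, as an added example that is not part of the thread (PowerShell, assuming an elevated prompt; it only reports and deletes nothing; the CLSIDs, the "sirenacq" overlay name, the policy value names and the sqm file pattern are the ones named in the thread):

```powershell
# Added example (not from the thread): read-only audit of the indicators that the
# ComboFix script and abri's steps above refer to. Run from an elevated PowerShell.
$Findings = New-Object System.Collections.Generic.List[string]

# 1) CLSIDs named in the thread (Trend Micro reference and the ComboFix REGISTRY:: section)
$Clsids = @(
    'HKLM:\Software\Classes\CLSID\{7B87A1E1-481A-47A5-B58F-BB1430DCC930}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{B5D54C32-4CAC-797F-4F4B-F0F7D14B5A3B}'
)
foreach ($Key in $Clsids) {
    if (Test-Path -LiteralPath $Key) { $Findings.Add("CLSID present: $Key") }
}

# 2) Shell icon overlay handlers: the script removed one named "sirenacq". Anything here
#    that is not a product you recognise (e.g. a sync or VCS client) deserves a look.
$OverlayRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
if (Test-Path -LiteralPath $OverlayRoot) {
    Get-ChildItem -LiteralPath $OverlayRoot | ForEach-Object {
        $Handler = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $Findings.Add("Overlay handler: $($_.PSChildName) -> $Handler")
    }
}

# 3) Script-policy values the ComboFix script deleted (the "=-" lines). Outside Group
#    Policy these are rarely set; a "Hide*" value hides logon/startup scripts from the user.
$PolicyNames = 'HideLegacyLogonScripts','HideLogoffScripts','RunLogonScriptSync',
               'RunStartupScriptSync','HideStartupScripts'
foreach ($Hive in 'HKCU','HKLM') {
    $PolicyKey = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path -LiteralPath $PolicyKey)) { continue }
    $Props = Get-ItemProperty -LiteralPath $PolicyKey
    foreach ($Name in $PolicyNames) {
        if ($null -ne $Props.$Name) { $Findings.Add("$Hive policy $Name = $($Props.$Name)") }
    }
}

# 4) Leftover Customer Experience Improvement Program files from step 3 (C:\sqm*.sqm)
Get-ChildItem -Path 'C:\' -Filter 'sqm*.sqm' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("SQM file: $($_.FullName)") }

if ($Findings.Count -eq 0) { 'No indicators from the thread found.' } else { $Findings }
```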
     
  7. Flathorlin

    Flathorlin Private E-2

    Mmk, I can't find the HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
    {7B87A1E1-481A-47A5-B58F-BB1430DCC930}. My sister isn't sure what the "C:\GBOOK.ENV" is..it is most likely from a program called "Grade Book" written by her professor that lets her see her grades. There is a program icon on her desktop called GBOOK.EXE which is the program...so it probably is related to that. I've deleted all of the files beginning with: "sqmnoopt" and "sqmdata" which I'm assuming you wanted me to do..correct? Not just deleting sqmnoopt12.sqm and sqmdata10.sqm..right? I've gotta go right now, but when I get back, I'll finish the rest of the steps and reply with the log.

    Thank you for your help!
    -John
     
  8. Flathorlin

    Flathorlin Private E-2

    Mmk, I ran the scans and stuff..here's the logs.
    Thank you soo much for all the help!!!!!!
     


  9. abri

    abri MajorGeek

    Hi Flathorlin,

    Please go to add/remove programs and uninstall Zone Alarm. When AVG went to the security suite (AVG 8.0), they included a firewall as part of it.

    Did you want to keep the Windows Messenger? If not, please do step 7 in my last post. This messenger is used by very few people and is a vulnerability for your computer.

    I don't see any other malware. Please go ahead with the final cleanup instructions:
    abri
     
  10. Flathorlin

    Flathorlin Private E-2

    Awesome, will do. Thank you so very much!!!
     
  11. Flathorlin

    Flathorlin Private E-2

    Well, it all seems to be running fine. Thanks!!!!!!!!
     
  12. abri

    abri MajorGeek

    You're welcome!
    I'm glad to hear it!
    Best of luck to you and
    enjoy your computer!
     
