Re: How do I remove the pop up ad virus?
From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 01/23/04
- Next message: LuckyStrike: "Trojan/Virus detected in Outlook2002 pst folder"
- Previous message: |{evin: "Re: How do I remove the pop up ad virus?"
- In reply to: Eric: "Re: How do I remove the pop up ad virus?"
- Next in thread: Sandi - Microsoft MVP: "Re: How do I remove the pop up ad virus?"
Date: Fri, 23 Jan 2004 07:38:52 +0800
You can find more info about wscript.exe here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;232211
Wscript.exe is not loading itself, it is being called by something else, at
least that is how I read it.
--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer

"Eric" <email@anon.com> wrote in message
news:%23xYKSkP4DHA.3752@TK2MSFTNGP11.phx.gbl...
> As I mentioned, I already ran Spybot and AdAware. I also already checked
> the registry keys. I will try the other programs you recommend to see if
> they find anything new. What exactly would I be looking for to remove in
> Msconfig?
>
> One other thing I didn't mention that I did already try was loading the
> Internet Options, selecting View Files and View Objects, and removing
> anything that looked like it didn't belong.
>
> I'm just trying to figure out how this wscript.exe program loads itself
> when I boot up. It's not in any startup places I'm aware of (autoexec.bat,
> registry Run keys, win.ini, Programs - Startup folder) unless there's a
> place Windows executes things from on shutdown that could be adding it to
> the RunOnce key? The only other way is if it attached itself to a valid
> program that runs on startup and somehow runs every time that runs? I'll
> try removing everything from startup tonight and see if it's still there.
>
> "Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
> news:#EbhJMP4DHA.2348@TK2MSFTNGP10.phx.gbl...
>> Temp files and IE caches are two places to look. Some of the following
>> advice is repetitious, but...
>>
>> Get yourself a copy of BHODemon, available at
>> http://www.definitivesolutions.com/bhodemon.htm .
>> It does not need installing - simply unzip and run the EXE programme. It
>> is very easy to use. It will often find the following hijackware DLL
>> files, and give you the ability to disable them easily.
>>
>> Many people like AdAware, available at www.lavasoft.de. Make sure you
>> keep the signature files up to date and remember, AdAware only removes
>> the current install; it can't do anything about software that reinstalls
>> itself (unless you want to get stuck in an endless loop of
>> hijack/cleanout/hijack/cleanout). Sometimes you will have to track down
>> and remove the software that keeps putting the hijackware back - hence
>> this advice section. Warning: AdAware is now version 6.181. All previous
>> versions are NO LONGER SUPPORTED and will not be updated.
>>
>> The more experienced user can try Spybot. Again, it is a free programme
>> which can be downloaded from: http://spybot.eon.net.au/. Warning: it is
>> NOT a good programme for the inexperienced. If you want to use this
>> programme, please get the advice of those more experienced before
>> 'fixing' anything that it finds.
>>
>> Go to the link below to check your system for parasites (supplied by
>> Doxdesk.com):
>> http://www.mvps.org/inetexplorer/parasite.htm
>>
>> Another excellent programme that allows you to examine your system and
>> *create a results log for experts to examine* is HijackThis, available
>> from:
>> http://www.tomcoyote.org/hjt/
>>
>> Download and run the latest version of "Cool Web Shredder"
>> http://www.merijn.org/files/CWShredder.exe
>>
>> Here is advice specific to:
>> home page hijackings
>> http://www.mvps.org/inetexplorer/answers.htm#home_page
>> pop-up ads
>> http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
>> search engine hijackings
>> http://www.mvps.org/inetexplorer/answers4.htm#search_engine
>>
>> IMPORTANT: The above programmes are excellent, and a lot of credit goes
>> to those who authored and update the programmes, but they can NOT detect
>> everything that is out there - as time goes on the programmes will become
>> more and more unwieldy if they try to maintain a standard of positive
>> identification for as much spyware as possible, and it will be harder and
>> harder for the programmes to catch everything that is out there. More and
>> more spyware uses RANDOM names as part of their programme making it
>> impossible for positive identification to occur, therefore....
>>
>> It is VERY IMPORTANT that you learn how to examine your system for
>> potential problems as well as using 'fixit' programmes such as AdAware or
>> Spybot.
>>
>> Check your startup folder and MSCONFIG (startup tab). You can also check
>> the following registry keys and edit as appropriate (if you have
>> experience with same).
>>
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
>>
>> The following link will lead you to some Microsoft KB articles about the
>> basics of the Registry and working with it:
>> http://www.mvps.org/inetexplorer/answers.htm#Registry
>>
>> An experienced computer technician can use programmes such as AutoStart
>> Viewer for in-depth diagnosis:
>> http://www.diamondcs.com.au/index.php?page=asviewer
>>
>> Empty your IE cache and your other temporary file folders, eg:
>> c:\windows\temp (if using Windows 98) or C:\Documents and
>> Settings\<name>\Local Settings\Temp (the path to your temp folder will
>> change depending on your name) - sometimes programmes can be hidden in
>> there - watch out for mysterious *.exe files or *.dll files in those
>> folders.
>>
>> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>> Button}, View Objects, Downloaded Programme Files. Check for unusual
>> objects there.
>>
>> Go to IE Tools, Internet Options, Accessibility. Make sure there is no
>> style sheet chosen (under User Style Sheet - format documents using my
>> style sheet). If the option is turned on, turn it OFF.
>>
>> It is possible to turn off third party extensions (Enable third-party
>> browser extensions (requires restart) at IE tools, internet options,
>> advanced) to disable *all* plug-ins but troubleshooting will be difficult
>> and it is only a BANDAID. Nothing gets fixed. There is software that
>> depends on 'third party browser extensions' to work, including Acrobat,
>> Microsoft Money, and many other programmes.
>>
>> --
>> _______________________________________
>> Sandi - Microsoft MVP since 1999 (IE/OE)
>> http://www.mvps.org/inetexplorer
>>
>> "Eric" <email@anon.com> wrote in message
>> news:%23iVpHBP4DHA.2380@TK2MSFTNGP09.phx.gbl...
>> > I apparently have a virus on my home PC, and I can't figure out how it
>> > executes. A program called wscript.exe runs when I boot up and I don't
>> > know where it's coming from. If I don't kill it from the task manager,
>> > it runs unnoticed for a while in the background. After a while, a pop
>> > up ad window randomly appears. If I kill the process wscript.exe, I
>> > don't get the pop up windows. How does this program start itself? I
>> > checked everywhere I know of that runs things on startup and it still
>> > runs. My operating system is Windows ME. Here's what I've tried:
>> >
>> > 1) I checked the Start - Programs - Startup folder for anything I don't
>> > recognize and found nothing.
>> > 2) I checked the registry using Regedit. I looked in all 4 Run keys
>> > and removed anything I didn't recognize, including:
>> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > 3) I ran programs to remove viruses and popups, including AdAware from
>> > www.lavasoft.com, AVG from www.grisoft.com, and Spybot from
>> > www.spybot.info.
>> > 4) I checked Msconfig, didn't see anything in there containing
>> > wscript.exe and didn't want to remove anything since I don't know what
>> > most of that is.
>> > 5) I checked a virus vendor website referred to by Jimmy S on
>> > microsoft.public.games.discussion. One of his two links just seemed to
>> > recommend paying them for their software and sounded like they couldn't
>> > do anything for you unless you pay them. The other link had references
>> > to check in the registry. I checked all the registry entries, and they
>> > were exactly as the site said they should be. The links were:
>> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_VEREN.A
>> > and
>> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_EXPOSED.A
>> > 6) I periodically run Regedit and select the Export option on the menu
>> > and choose to export all branches, so I ran Regedit and selected to
>> > Import a registry file that I believe was before the problem started.
>> > 7) I checked for win.ini in the c:\Windows\System and
>> > c:\Windows\System32 path and looked for any references in it to load=
>> > or run= . I also checked for anything in c:\autoexec.bat and
>> > c:\config.sys. I didn't see anything there.
>> > 8) I tried reinstalling Windows ME over my current installation.
>> >
>> > The problem still exists. wscript.exe loads every time I boot up and
>> > if I don't kill it, I get pop up windows. Where else am I missing?
>> > Where could wscript.exe be starting from? I'm not sure what else to do
>> > to fix it short of searching my hard drive for anything I want to save
>> > and trying to back it all up, then reformatting and reinstalling
>> > Windows from scratch. After exhausting all other known options, Jimmy
>> > referred me to this board. Help please!
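
The point above, that wscript.exe is a host launched by something else, can be checked against a Regedit export like the one Eric describes. The following is an added example, not part of the original posts: it scans every key in a REGEDIT4 text export (not only the Run keys listed in the thread) for string values that invoke a script host or a script file. The sample export, its entries and the function names are constructed for illustration.

```python
import re

# Constructed sample in the REGEDIT4 text format that Regedit's Export
# writes on Windows 9x/ME; the entries are invented for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="wscript.exe \"C:\\WINDOWS\\TEMP\\upd.vbs\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
"Setup"="C:\\WINDOWS\\TEMP\\a1b2.js"

[HKEY_CURRENT_USER\Software\Example\Settings]
@="notepad.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# Script hosts by name, plus script file types that wscript.exe runs.
SCRIPT_RE = re.compile(r'\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|wsh)\b', re.I)
# The autostart keys named in the thread.
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices)$', re.I)

def unescape(s):
    # Export files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def find_script_launchers(export_text):
    """Return (key, value_name, command, is_autostart_key) per matching string value."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # header, blank lines, hex:/dword: values
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        command = unescape(m.group(2))
        if SCRIPT_RE.search(command):
            hits.append((key, name, command, bool(AUTOSTART_RE.search(key))))
    return hits

if __name__ == "__main__":
    for hit in find_script_launchers(SAMPLE_EXPORT):
        print(hit)
```

A hit names the script that wscript.exe is asked to run, which is the file to examine; an entry flagged outside the autostart keys shows where else a launcher can be registered.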