Re: How do I remove the pop up ad virus?

From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 01/23/04


Date: Fri, 23 Jan 2004 07:38:52 +0800

You can find more info about wscript.exe here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;232211

Wscript.exe is not loading itself, it is being called by something else, at
least that is how I read it.

-- 
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer
"Eric" <email@anon.com> wrote in message 
news:%23xYKSkP4DHA.3752@TK2MSFTNGP11.phx.gbl...
> As I mentioned, I already ran Spybot and AdAware.  I also already checked
> the registry keys.  I will try the other programs you recommend to see if
> they find anything new.  What exactly would I be looking for to remove in
> Msconfig?
>
> One other thing I didn't mention that I did already try was loading the
> Internet Options, selecting View Files and View Objects, and removing
> anything that looked like it didn't belong.
>
> I'm just trying to figure out how this wscript.exe program loads itself when
> I boot up.  It's not in any startup places I'm aware of (autoexec.bat,
> registry Run keys, win.ini, Programs - Startup folder) unless there's a
> place Windows executes things from on shutdown that could be adding it to
> the RunOnce key?  The only other way is if it attached itself to a valid
> program that runs on startup and somehow runs every time that runs?  I'll
> try removing everything from startup tonight and see if it's still there.
>
> "Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
> news:#EbhJMP4DHA.2348@TK2MSFTNGP10.phx.gbl...
>> Temp files and IE caches are two places to look.  Some of the following
>> advice is repetitious, but...
>>
>> Get yourself a copy of BHODemon, available at
>> http://www.definitivesolutions.com/bhodemon.htm .
>> It does not need installing - simply unzip and run the EXE programme. It is
>> very easy to use.  It will often find the following hijackware DLL files,
>> and give you the ability to disable them easily.
>> Many people like AdAware, available at www.lavasoft.de. Make sure you keep
>> the signature files up to date and remember, AdAware only removes the
>> current install; it can't do anything about software that reinstalls itself
>> (unless you want to get stuck in an endless loop of
>> hijack/cleanout/hijack/cleanout). Sometimes you will have to track down and
>> remove the software that keeps putting the hijackware back - hence this
>> advice section.  Warning: AdAware is now version 6.181. All previous
>> versions are NO LONGER SUPPORTED and will not be updated.
>> The more experienced user can try Spybot. Again, it is a free programme
>> which can be downloaded from: http://spybot.eon.net.au/.  Warning: it is NOT
>> a good programme for the inexperienced.  If you want to use this programme,
>> please get the advice of those more experienced before 'fixing' anything
>> that it finds.
>> Go to the link below to check your system for parasites (supplied by
>> Doxdesk.com):
>> http://www.mvps.org/inetexplorer/parasite.htm
>> Another excellent programme that allows you to examine your system and
>> *create a results log for experts to examine* is HijackThis, available from:
>> http://www.tomcoyote.org/hjt/
>> Download and run the latest version of "Cool Web Shredder"
>> http://www.merijn.org/files/CWShredder.exe
>> Here is advice specific to:
>> home page hijackings
>> http://www.mvps.org/inetexplorer/answers.htm#home_page
>> pop-up ads
>> http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
>> search engine hijackings
>> http://www.mvps.org/inetexplorer/answers4.htm#search_engine
>> IMPORTANT: The above programmes are excellent, and a lot of credit goes to
>> those who authored and update the programmes, but they can NOT detect
>> everything that is out there - as time goes on the programmes will become
>> more and more unwieldy if they try to maintain a standard of positive
>> identification for as much spyware as possible, and it will be harder and
>> harder for the programmes to catch everything that is out there. More and
>> more spyware uses RANDOM names as part of their programme making it
>> impossible for positive identification to occur, therefore....
>> It is VERY IMPORTANT that you learn how to examine your system for potential
>> problems as well as using a 'fixit' programme such as AdAware or Spybot.
>> Check your startup folder and MSCONFIG (startup tab).  You can also check
>> the following registry keys and edit as appropriate (if you have experience
>> with same).
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
>> The following link will lead you to some Microsoft KB articles about the
>> basics of the Registry and working with it:
>> http://www.mvps.org/inetexplorer/answers.htm#Registry
>> An experienced computer technician can use a programme such as AutoStart
>> Viewer for in-depth diagnosis:
>> http://www.diamondcs.com.au/index.php?page=asviewer
>> Empty your IE cache and your other temporary file folders, eg:
>> c:\windows\temp (if using Windows 98) or  C:\Documents and
>> Settings\<name>\Local Settings\Temp (the path to your temp folder will
>> change depending on your name) - sometimes programmes can be hidden in
>> there - watch out for mysterious *.exe files or *.dll files in those
>> folders.
>> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
>> Button}, View Objects, Downloaded Programme Files. Check for unusual objects
>> there.
>> Go to IE Tools, Internet Options, Accessibility.  Make sure there is no
>> style sheet chosen (under User Style Sheet - format documents using my style
>> sheet). If the option is turned on, turn it OFF.
>> It is possible to turn off third party extensions (Enable third-party
>> browser extensions (requires restart) at IE tools, internet options,
>> advanced) to disable *all* plug-ins but troubleshooting will be difficult
>> and it is only a BANDAID. Nothing gets fixed.  There is software that
>> depends on 'third party browser extensions' to work, including Acrobat,
>> Microsoft Money, and many other programmes.
>>
>> --
>> _______________________________________
>> Sandi - Microsoft MVP since 1999 (IE/OE)
>> http://www.mvps.org/inetexplorer
>>
>> "Eric" <email@anon.com> wrote in message
>> news:%23iVpHBP4DHA.2380@TK2MSFTNGP09.phx.gbl...
>> > I apparently have a virus on my home PC, and I can't figure out how it
>> > executes.  A program called wscript.exe runs when I boot up and I don't
>> > know where it's coming from.  If I don't kill it from the task manager, it
>> > runs unnoticed for a while in the background.  After a while, a pop up ad
>> > window randomly appears.  If I kill the process wscript.exe, I don't get
>> > the pop up windows.  How does this program start itself?  I checked
>> > everywhere I know of that runs things on startup and it still runs.  My
>> > operating system is Windows ME.  Here's what I've tried:
>> >
>> > 1) I checked the Start - Programs - Startup folder for anything I don't
>> > recognize and found nothing.
>> > 2) I checked the registry using Regedit.  I looked in all 4 Run keys and
>> > removed anything I didn't recognize, including:
>> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>> > \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
>> > 3) I ran programs to remove viruses and popups, including AdAware from
>> > www.lavasoft.com, AVG from www.grisoft.com, and Spybot from www.spybot.info.
>> > 4) I checked Msconfig, didn't see anything in there containing wscript.exe
>> > and didn't want to remove anything since I don't know what most of that is.
>> > 5) I checked a virus vendor website referred to by Jimmy S on
>> > microsoft.public.games.discussion.  One of his two links just seemed to
>> > recommend paying them for their software and sounded like they couldn't do
>> > anything for you unless you pay them.  The other link had references to
>> > check in the registry.  I checked all the registry entries, and they were
>> > exactly as the site said they should be.  The links were:
>> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_VEREN.A
>> > and
>> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_EXPOSED.A
>> > 6) I periodically run Regedit and select the Export option on the menu and
>> > choose to export all branches, so I ran Regedit and selected to Import a
>> > registry file that I believe was before the problem started.
>> > 7) I checked for win.ini in the c:\Windows\System and c:\Windows\System32
>> > path and looked for any references in it to load= or run= .  I also checked
>> > for anything in c:\autoexec.bat and c:\config.sys.  I didn't see anything
>> > there.
>> > 8) I tried reinstalling Windows ME over my current installation.
>> >
>> > The problem still exists.  wscript.exe loads every time I boot up and if I
>> > don't kill it, I get pop up windows.  Where else am I missing?  Where could
>> > wscript.exe be starting from?  I'm not sure what else to do to fix it short
>> > of searching my hard drive for anything I want to save and trying to back it
>> > all up, then reformatting and reinstalling Windows from scratch.  After
>> > exhausting all other known options, Jimmy referred me to this board.  Help
>> > please!
>> >
>> >
>> >
>> >
>>
>
>
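
Added example (not part of the original thread, and not written by either poster): a way to search a Regedit export, like the ones mentioned in step 6 above, for autostart entries that call wscript.exe or point at a script file. It goes beyond the keys named in the thread by checking every key under CurrentVersion whose name begins with "Run" (Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce); the sample export and its entry names are constructed for illustration.

```python
import re

# Constructed sample of a REGEDIT4 export (the text format Regedit writes on
# Windows 9x/ME). The entries below are invented for illustration only.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\WINDOWS\\TEMP\\upd.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadHelper"="wscript.exe //B C:\\WINDOWS\\helper.js"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Unrelated"="notes.vbs"
'''

# Any ...\CurrentVersion\Run* key, including subkeys such as RunOnceEx\0001.
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run[^\\]*(\\|$)', re.I)
# Script hosts by name, or script files that Windows hands to the script host
# through file association (so the entry never mentions wscript.exe itself).
SCRIPT_HINT = re.compile(r'\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|wsh)\b', re.I)
# "name"="string data" lines; backslashes and quotes inside are escaped.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r'\\(.)', r'\1', s)


def find_script_autoruns(reg_text):
    """Return (key, value name, command) for script-related autostart entries."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = VALUE_LINE.match(line)
        if key and m and AUTORUN_KEY.search(key):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if SCRIPT_HINT.search(data):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_script_autoruns(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```

An entry that names only a .vbs or .js file is reported as well, because the file association starts wscript.exe for it even though the entry never mentions wscript.exe.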