
Cleaning Up After VBS Script Virus



Hello, all!

I was recently handed a computer to take a look at because the user suspected viruses were on it.

I ran Malwarebytes, and nothing. I accidentally discovered something, though... Lately I've been using an SD card with a write protection switch to transfer files to potentially-infected computers. When I would plug it in, a window would pop up and say something like "wscript.exe is unable to write to drive E:" or something along those lines.

I looked up wscript.exe, and it turns out that it is some program built into Windows that allows VBS scripts to run.

After a while of searching, I finally found the VBS script in startup items in msconfig (I overlooked it for quite some time, because the name started out with something about Microsoft...). Once I discovered that, I made quick work of removing the virus.

So, now it's not running at startup or trying to install to removable media. Unfortunately, however, the damage has already been done.

Symptoms: Shift key stuck in "down" state on startup. "C" key does not work. "=" key does not work. "~" key does not work. There may be others that I am not aware of at this point. Some of these keys (like the tilde key) I'm not certain whether it is a software issue or hardware issue (key not working), as pressing it feels strange (feels like it doesn't go all the way down).

I am not familiar with VBS, so I'm not 100% certain of what's going on behind the scenes. The beginning of it is just a bunch of random letters, but here's the ending of it (which leads me to believe that it may have remapped some keys) (sorry for the language, just pasting it exactly as it appears in the VBS script):

ali = censored(ali)
EXECUTE (ali)

function censored(info)
    censored=sec(info)
end function

Function sec(ByVal swe)
    Const KFDLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    swe = Replace(swe, vbCrLf, "")
    swe = Replace(swe, vbTab, "")
    swe = Replace(swe, " ", "")
    dataLength = Len(swe)
    If dataLength Mod 4 <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit Function
    End If
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
        numDataBytes = 3
        nGroup = 0
        For CharCounter = 0 To 3
            thisChar = Mid(swe, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(1, KFDLS, thisChar, vbBinaryCompare) - 1
            End If
            If thisData = -1 Then
                Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                Exit Function
            End If
            nGroup = 64 * nGroup + thisData
        Next
        nGroup = Hex(nGroup)
        nGroup = String(6 - Len(nGroup), "0") & nGroup
        pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
               Chr(CByte("&H" & Mid(nGroup, 5, 2)))
        sOut = sOut & Left(pOut, numDataBytes)
    Next
    sec = sOut
End Function

I attached the file (changed extension to .txt to prevent accidental execution) in case anyone would like to view it in its entirety.

As for fixes: I would try restoring to a previous restore point, but unfortunately it looks like restore points have been disabled. If it were my computer, I'd just blow everything away and reinstall, but due to time constraints and not wanting to miss any of the user's essential files (that, and the fact that the internet is so friggen' slow here in Palau that it'd take forever to re-download all of their programs), I'd prefer to fix it manually, if possible.

Thanks!

ElectroPulse

100529415_help.txt

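The tail of the posted script is a Base64 decoder whose output is handed to EXECUTE, so the "random letters" at the top are the real payload. The following is an added example (not from the post or from Malwarebytes) that re-implements that decoder in Python with the same rules, so an analyst can read what EXECUTE would have run without running the script; the sample script and its MsgBox payload are constructed, and the assumption that the longest quoted Base64 literal is the payload is the example's own.

```python
import re

# Alphabet used by the script's KFDLS constant (standard Base64), assumed here.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
EXECUTE_RE = re.compile(r"\bexecute\b", re.IGNORECASE)
# A long run of Base64 characters inside double quotes (the "random letters").
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=\s]{16,})"')


def vbs_base64_decode(data: str) -> bytes:
    """Mirror of the posted sec() function: strip CRLF, tab and space, require
    a length that is a multiple of 4, reject characters outside the alphabet,
    and let each '=' drop one output byte from its 4-character group."""
    data = data.replace("\r\n", "").replace("\t", "").replace(" ", "")
    if len(data) % 4 != 0:
        raise ValueError("Bad Base64 string.")
    out = bytearray()
    for start in range(0, len(data), 4):
        num_bytes, group = 3, 0
        for ch in data[start:start + 4]:
            if ch == "=":
                num_bytes -= 1
                value = 0
            else:
                value = ALPHABET.find(ch)  # case-sensitive, like vbBinaryCompare
                if value == -1:
                    raise ValueError("Bad character in Base64 string.")
            group = 64 * group + value
        out += group.to_bytes(3, "big")[:num_bytes]  # same as the Hex/Mid split
    return bytes(out)


def recover_payload(script_text: str) -> dict:
    """Static triage: report whether the script feeds a string to Execute and
    decode its longest Base64 literal (assumed to be the hidden payload) so
    the real code can be read without ever running the script."""
    uses_execute = bool(EXECUTE_RE.search(script_text))
    literals = LITERAL_RE.findall(script_text)
    if not literals:
        return {"uses_execute": uses_execute, "payload": None}
    try:
        payload = vbs_base64_decode(max(literals, key=len)).decode("latin-1")
    except ValueError as err:
        payload = f"<decode failed: {err}>"
    return {"uses_execute": uses_execute, "payload": payload}


# Constructed stand-in for the post's script: a harmless MsgBox, Base64-encoded.
SAMPLE_SCRIPT = 'ali = "TXNnQm94ICJoZWxsbyI="\nali = censored(ali)\nEXECUTE (ali)\n'
```

Run recover_payload() over the attached .txt to see the decoded code; a decoded payload that writes to removable drives or touches startup/registry keys confirms what the symptoms suggest.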

Strange... It dropped all the formatting for my OP. I'll try posting this without the code and see if that works...


Hello and welcome.

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin....

2 weeks later...

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
