Auto.vbs With Generic.scriptworm.5fbd90c
Hi,
I have contracted this Generic.ScriptWorm.5FBD90C through a pen drive in an internet cafe, and now it has also gone to my SD card. Since I use Deepfreeze on my hard disk my system is safe, but apparently there is a hidden auto.vbs which stops me from using the shortcuts to these drives. When I scan with Bitdefender it finds it and deletes it, but it is resurrected in no time.
In short,
- Generic.ScriptWorm.5FBD90C infected (or possibly created an) auto.vbs file in the root.
- BD finds it and reports deleting it.
- The file auto.vbs is resurrected.
What to do?
Thanks for your help
icouldiwill
Comments
Hello,
Sorry for the late reply.
Try this:
- look in Task Manager for processes called wsscript.exe. If you find any, kill all instances (vbs files are run by Windows through wsscript.exe)
- look in the Startup list (Start -> Run -> msconfig -> <Enter> -> Startup) for any entries related to vbs files. If you find auto.vbs related entries, remove them from list. If you find other vbs files, please post their names and locations.
- after this, run a deep system scan with BitDefender and clean all infected files.
Post back the result.
Cris.
Below you can find my email exchanges with Support for the same issue. I cannot believe that Support treats this as a false issue although so many sites and users point to this as being a real threat since Dec 2007. Also see the attached screenshot and match it to your own problems to see if they look the same.
I am sure moderators will delete this post but I will post again and again and again and again.... till either fixed or money back for all 11 licenses I purchased and are useless.
This answer is not acceptable. Stopping BD from identifying the issue leaves me in the position of having a Trojan on my computer which is no longer identified as a threat.
Your own Forum shows a link identifying this issue posted last night, possibly after my email was sent to you: http://forum.bitdefender.com/index.php?sho...amp;#entry45000 so how can you tell me this is a false issue??
For the same Trojan, Kaspersky and McAfee have long forum threads, but you say it is a false alarm?
Please tell me how you can arrange a remote desktop connection, so you can connect to my desktop and watch as I delete the 2 files and they instantly recreate themselves. Also, because of these Trojans, we lose customer data from our accounting files, as this Trojan seems to favor deleting data with specific extensions.
See this thread for similar problems fixed by competitor software.
http://forum.f-secure.com/topic.asp?TOPIC_ID=4082
http://www.emsisoft.es/es/malware/?Trojan.VBS.Agent.aj
http://translate.google.com/translate?u=ht...zh-CN&tl=en
http://research.sunbelt-software.com/threa...hreatid=4009590
The worst info I found is this: http://www.viruslist.com/en/viruses/encycl...?virusid=257115 showing that the virus/worm has been detected since December 2007, and you STILL have no solution against it?????
Please do the same:
If BD cannot fix this, I will ask for a full refund of our 11 licenses and move to another provider. This is the last email I will send on this issue. Please get it fixed.
As you can see from the attached screenshot, your own product recognizes and names the file as Trojan, otherwise I would have had no clue WHERE to search for its description.
Yours,
my name
Confidentiality Note: This message is intended only for the use of the named recipients and may contain confidential and/or privileged information. If you are not the intended recipient, please contact the sender and delete this message. Any unauthorized use of the information contained in this message is prohibited.
-----Original Message-----
From: BitDefender Support Team [mailto:support@bitdefender.com]
Sent: Saturday, November 22, 2008 12:21 PM
To: my email
Subject: Re: [Ticket ID:200811211009866] [Ticket ID:200811211007274] infected
---- BEFORE YOU START ----
Please don't change the subject of the email in order to better keep track of the message history. Thank you!
----------------------------
Dear customer,
In order to be able to fix this issue please send us the suspect/infected files as described below. Please note that these files will be used for malware analysis only and will be treated accordingly.
But, as far as we can tell, it seems to be only a false positive. We will add this program to our database and BitDefender will stop identifying the issue.
1. Disable BitDefender's real-time protection and any other security software you might use;
2. Display hidden objects in Windows (how-to information is written below);
3. Locate the suspect/infected files:
   The autorun.inf
4. Compress them using a common archiver of your choice (e.g.: WinZip, WinRAR, WinAce etc.);
5. Protect the archive with the password "infected";
6. Attach the archive to a reply to this message and make sure to enclose the password in the message body;
7. Send us the email;
8. Enable the BitDefender protection.
~
[how to DISABLE THE REAL-TIME PROTECTION on BitDefender 2009] In order to disable the real-time protection please open BitDefender, "switch to Advanced View", go to "Antivirus" > "Shield" and click on "Real-time protection is enabled", select the time interval that suits your troubleshooting needs and click "OK"; the message will change to "Real-time protection is disabled".
-----
[how to DISABLE THE REAL-TIME PROTECTION on BitDefender 2008] In order to disable the Real-time protection please open BitDefender, select "Settings", go to "Antivirus" > "Shield" and click on "Real-time protection is enabled", select the time interval that suits your troubleshooting needs and click "OK"; the message will change to "Real-time protection is disabled".
-----
[how to DISABLE THE REAL-TIME PROTECTION on BitDefender v10] In order to disable the real-time protection please open BitDefender, go to "Antivirus" > "Shield" and click on "Real-time protection is enabled"; this message will change to "Real-time protection is disabled".
-----
[how to DISPLAY HIDDEN OBJECTS]
- go to your "Control Panel" and open "Folder Options";
- then go to the "View" tab and perform the changes listed below:
* check "Display contents of system folders"
* check "Show hidden files and folders"
* uncheck "Hide file extensions for known file types"
* uncheck "Hide protected operating system files"
- click "Apply" and then "OK" to exit.
NOTE: On Microsoft Windows Vista you will apply the same steps except for selecting "Display contents of system folders".
For more information you can read the following article:
http://kb.bitdefender.com/KB354-en--Reveal...em-folders.html
------
As soon as the analysis ends we will make sure to send you all needed pieces of information.
Best regards,
Alexandru Craescu
BitDefender Technical Support Engineer
-------------------------------------
-------------------------------------
---------------------- Original Message ---------------------
my email wrote:
> Hello Support,
>
> The problem is that after the deep scan BD deletes the virus, or
> whatever the autorun.inf file is, but it re-creates itself
> in the next second. See screenshot for details.
>
> The "system is protected" notification pops up so often that people cannot
> work on the computer anymore. This is a computer used in a public
> accounting office, and a floppy disk infected with malware could have been inserted into it.
>
> Please advise.
>
> =========================
>
> -----Original Message-----
> From: BitDefender Support Team [mailto:support@bitdefender.com]
> Sent: Friday, November 21, 2008 4:49 PM
> To: my email
> Subject: Re: [Ticket ID:200811211007274] infected
>
> ---- BEFORE YOU START ----
> Please don't change the subject of the email in order to better keep
> track of the message history. Thank you!
> ----------------------------
>
> Dear my name,
>
> In order to be able to assist you please run a Deep System Scan task
> with BitDefender and send us the resulting scan report.
>
> Before running the scan please make sure that you have the latest
> virus definitions downloaded via the Update module: open BitDefender
> and choose the "Update Now" quick task.
>
> After the update process completes successfully you can proceed to
> running the scan task: select the "Deep System Scan" quick task.
>
> When the scan ends, click the "Show log" button at the bottom of the
> scan window; a browser window will open displaying the scan report.
> Save this file on a location of your choice and then send it to us
> attached to your email.
>
>
> Note! If you already ran a scan task you can send us your latest
> report by following these steps:
>
> Open BitDefender, access the Advanced Administration panel by clicking
> on "Settings" (in the lower right side of the window); select the "Antivirus"
> module from the left and then go to the "Scan" tab; right click on the
> scan task and choose "View Scan Logs" from the dropdown menu; double
> click the latest scan log (or select the log and choose "Show log"); a
> browser window will open displaying the scan report. Save this file on
> a location of your choice and then send it to us attached to your email.
>
>
> We are looking forward to hearing from you.
> Best regards,
>
> Cosmin Trifon
> BitDefender Technical Support Engineer
> -------------------------------------
> -------------------------------------
>
>
> ---------------------- Original Message ---------------------
>
> my email wrote:
>
> > Chat Summary:
> >
> >
> >
> > End Chat Summary
> > ---------------------------------------------------------------
> >
> >
> > my name: autorun.inf cannot delete
> >
> > Welcome Valentin Vesa! Please hold while we contact a representative.
> > If a representative does not respond in a few seconds, then he/she
> > is not available at this time.
> > You are now speaking with JACK of TECHNICAL SUPPORT.
> > Jack: Welcome to BitDefender LiveAssistance!, Valentin Vesa! Thank
> > you for your interest in our security solution BitDefender.
> > Jack: Hello, my name.
> > my name: Hello Jack
> > Jack: Please describe the situation you ran into, with more details.
> > my name: I have a problem, my BitDefender Internet Security 8
> > keeps notifying me of a trojan affecting my system, but never deletes
> > it; instead, after manual deletion, the trojan reappears. I
> > also have a screenshot of the process. What should I do?
> > Jack: In order to advise on disinfection, we need you to please send
> > us the scan report. To this end I will send you an email with the
> > instructions as soon as this chat session is finished. Please read
> > the email, follow the instructions and reply to the email with the
> > scan report attached.
> > my name: ok
> > my name: good
> > my name: I will do so
> > my name: can I add the screenshot there?
> > Jack: Yes, please do.
> > my name: ok
> > Jack: Shall I send the email to ads@adspedia.ro?
> > my name
> > Jack: The email will be sent shortly.
> > Jack: Is there anything else I may help you with?
>
> > Jack: Ok, have a great evening!
> > Jack: Thank you for choosing BitDefender LiveAssistance! Valentin
> > Vesa. Do not hesitate to contact us if you need further assistance.
> > Goodbye.
> >
> >
>
> I am sure moderators will delete this post but I will post again and again and again and again.... till either fixed or money back for all 11 licenses I purchased and are useless.
I've seen this remark all over the forum lately.
May I ask: When exactly did the Moderators of this forum delete posts/topics without a good reason (spam/insults/whatever)? Just give me ONE single example of a deleted post.
tinuzzo, as I see you are from Romania, you can simply check out the Romanian section of this forum. You'll find there a topic in which all Moderators of this forum (and not only) are called different names multiple times, and even those posts STILL REMAIN! So please, to all users thinking that anyone is censoring this forum, STOP IT!
If you have anything to say, or anything to report, feel free to post a complete description of an abuse (because deleting posts without a reason would be an abuse).
Sorry for this off-topic comment, but I just couldn't help it.
> This answer is not acceptable. Stopping BD from identifying the issue leaves me in the position of having a Trojan in my computer which is no longer identified as threat.
May I ask...did you send the file for analysis, as requested? If you did, did you receive a reply for it?
If you didn't, what gives you the right to judge?
This infection is indeed real. However, there might be cases when detection is wrong, and the person who answered you just assumed it's a false positive. He DIDN'T give any assurances that it's a FP, and he only said that if it is, it will be taken out of detection. Was it removed from detection? I doubt it...
==========================================================
So just to be clear:
- when an infected application is running and BitDefender detects it, it can easily kill the process and remove the file. As simple as that.
- vbs files are NOT applications, but they are scripts.
- Scripts don't run on their own (like applications), but they need an interpreter. In case of vbs files, this interpreter is wsscript.exe (belonging to MS Windows, so it's a completely legit file).
- While wsscript.exe is "running" (interpreting) a script, it doesn't keep that file locked, and doesn't keep a reference to it. It opens the script, reads it, closes it, and then it executes the commands (from memory).
- BitDefender can detect vbs files as infected files, and can delete them. But if they are already "running" (in a wsscript.exe instance), this CANNOT be detected. So BitDefender can only delete the source of the script, but it can't stop it if it's already running.
- if the script contains methods of re-generating its source (in case of corruption), then even if BitDefender deletes the source, wsscript will automatically regenerate it (and BitDefender will catch it again).
So, basically, the method of disinfection is, as I said above:
- use TaskManager to kill all instances of wsscript.exe
- remove all vbs files from startup
- make a deep scan of the whole system and remove detected files
Like it or not there are some threats that should be cleaned manually, because making an automated procedure for it might have unwanted and dangerous results. So please take a moment to think about what you need to do, and do it. If you have questions, this forum can give you answers.
Cris.
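The three manual steps above (kill the script-host processes, remove .vbs startup entries, deep-scan) are easier to verify with a read-only triage pass first. The following PowerShell is an added example, not from the thread or from BitDefender: it lists running Windows Script Host interpreters (wscript.exe and cscript.exe, the "wsscript.exe" of the posts) with the script each was launched with, autostart entries that reference a .vbs file, and autorun.inf / .vbs files in the root of removable drives, which the thread names as the infection path. It assumes Windows PowerShell 5.1 or later and only reports; it deletes and kills nothing.

```powershell
# Added example (not from the forum thread): read-only triage for a VBS
# worm that re-creates its source from a running wscript.exe instance.
# Assumption: Windows PowerShell 5.1+; run elevated to see all processes.

$scriptHosts = 'wscript.exe', 'cscript.exe'   # Windows Script Host interpreters

# 1. Running script hosts and the script file each one was started with.
#    The command line is what matters: the .vbs on disk may already be gone.
Write-Host "== Running script hosts =="
Get-CimInstance Win32_Process |
    Where-Object { $scriptHosts -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{ PID = $_.ProcessId; CommandLine = $_.CommandLine }
    } | Format-Table -AutoSize

# 2. Autostart locations (Run/RunOnce keys, Startup folders) that reference .vbs.
Write-Host "== Autostart entries referencing .vbs =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($p.Value)" -match '\.vbs') {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.vbs$' } |
        ForEach-Object { $_.FullName }
}

# 3. Removable drives (DriveType 2): hidden autorun.inf / *.vbs in the root.
#    -Force is required because the worm sets the hidden/system attributes.
Write-Host "== Removable drive roots =="
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    Get-ChildItem -Path ($_.DeviceID + '\') -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Extension -ieq '.vbs' } |
        ForEach-Object { "{0}  attributes: {1}" -f $_.FullName, $_.Attributes }
}
```

Run it once before cleanup to see which script host to stop and which entry restarts it, and once after to confirm that no script host is left running and the drive roots stay clean.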