samah
Guest
Elmo wrote:
> samah wrote:
>> Pegasus [MVP] wrote:
>>>
>>> "samah" said this in news item
>>> news:u7ZLyWboKHA.1552@TK2MSFTNGP05.phx.gbl...
>>>> Pegasus [MVP] wrote:
>>>>>
>>>>> "samah" said this in news item
>>>>> news:#h8NPjUoKHA.5260@TK2MSFTNGP02.phx.gbl...
>>>>>> Pegasus [MVP] wrote:
>>>>>>> "samah" said this in news item
>>>>>>> news:unuO4CIoKHA.3664@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Pegasus [MVP] wrote:
>>>>>>>>>
>>>>>>>>> "samah" said this in news item
>>>>>>>>> news:ej7Qc6#nKHA.5344@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Pegasus [MVP] wrote:
>>>>>>>>>>>
>>>>>>>>>>> "samah" said this in news item
>>>>>>>>>>> news:umd$mO#nKHA.3948@TK2MSFTNGP06.phx.gbl...
>>>>>>>>>>>> Win XP SP3.
>>>>>>>>>>>>
>>>>>>>>>>>> After I eject a CD/DVD from my DVD drive or unmount a disk
>>>>>>>>>>>> image from the Daemon Tools virtual drive, I get an error
>>>>>>>>>>>> window with the title "wscript.exe - No Disk" and with the
>>>>>>>>>>>> message " There is no disk in the drive. Please insert a disk
>>>>>>>>>>>> into drive (drive letter):". There are three buttons that I
>>>>>>>>>>>> can click: Cancel, Try again, Continue. When I click any of
>>>>>>>>>>>> these options, the error window closes but pops up again
>>>>>>>>>>>> after an interval of approx. 1 minute. The only way I can
>>>>>>>>>>>> close this window permanently is by rebooting the system.
>>>>>>>>>>>>
>>>>>>>>>>>> Can anybody help me with this please.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance.
>>>>>>>>>>>>
>>>>>>>>>>>> -samah.
>>>>>>>>>>> It seems you're running some script, perhaps malicious. How
>>>>>>>>>>> exactly do you eject your compact disk?
>>>>>>>>>> With the 'Eject' button (it's a laptop).
>>>>>>>>> Ok. Now please do this:
>>>>>>>>> - Click Start/Run
>>>>>>>>> - Type the three letters cmd and press Enter
>>>>>>>>> - Type this command:
>>>>>>>>> tasklist | find /i "script"
>>>>>>>>> - Report what you see (if anything)
>>>>>>>> Here is what I got after I re-booted to clear the error window:
>>>>>>>>
>>>>>>>> image name: wscript.exe
>>>>>>>> PID: 2320
>>>>>>>> session name: console
>>>>>>>> session #: 0
>>>>>>>> mem usage: 5964k
>>>>>>>>
>>>>>>>> This is what I got when the error window is active:
>>>>>>>>
>>>>>>>> image name: wscript.exe
>>>>>>>> PID: 2672
>>>>>>>> session name: console
>>>>>>>> session #: 0
>>>>>>>> mem usage: 2976k
>>>>>>>>
>>>>>>>> Sorry for my late response. Thank you.
>>>>>>> Here is a method to find out what script is running:
>>>>>>> 1. Click Start/Run
>>>>>>> 2. Type this command:
>>>>>>> notepad c:\ScriptTest.bat
>>>>>>> 3. Allow the new file to be created.
>>>>>>> 4. Copy & paste the code below into the notepad session.
>>>>>>> Do NOT retype it!
>>>>>>> 5. Save and close the file.
>>>>>>> 6. Open Windows Explorer, locate c:\ScriptTest.bat, then
>>>>>>> double-click it.
>>>>>>>
>>>>>>> When wscript.exe is active then my program will report the script
>>>>>>> that it runs. What is it? Can you locate it on the hard disk and
>>>>>>> post its contents here?
>>>>>>>
>>>>>>> @echo off
>>>>>>> set Scr="%temp%\TempVBS.vbs"
>>>>>>> set VB=echo^>^>%Scr%
>>>>>>> cd 1>nul 2>%Scr%
>>>>>>> %VB% Set oWMIService = GetObject("winmgmts:\\.\root\CIMV2")
>>>>>>> %VB% Set cItems = oWMIService.ExecQuery( _
>>>>>>> %VB% "SELECT * FROM Win32_Process where Name = 'wscript.exe'")
>>>>>>> %VB% If cItems.Count = 0 Then
>>>>>>> %VB% msgbox "Executable ""wscript.exe"" not found."
>>>>>>> %VB% Else
>>>>>>> %VB% For Each oItem In cItems
>>>>>>> %VB% msgbox "The command line is " ^& oItem.CommandLine ^& cItems.count
>>>>>>> %VB% Next
>>>>>>> %VB% End If
>>>>>>> cscript //nologo %Scr%
>>>>>>> del %Scr%
>>>>>>>
>>>>>>>
>>>>>> This is what I got:
>>>>>> "The command line is c:\windows\system32\wscript.exe
>>>>>> c:\windows\system32\killvirus.vbs1"
>>>>>>
>>>>>> Thank you so much for your time. Waiting for your advice.
>>>>>>
>>>>> Fine. You now have two points of attack:
>>>>> - Your problem script is the file
>>>>> c:\windows\system32\killvirus.vbs1. What does it contain?
>>>>> - It gets invoked by wscript.exe. You can prevent this by running
>>>>> msconfig.exe, then looking for wscript.exe under the Startup tab and
>>>>> removing the tick mark.
>>>>>
>>>>>
>>>> Sorry. wscript.exe is not appearing in the Startup tab. I re-booted
>>>> in safe mode and tried again but still no luck.
>>>>
>>>> Thank you.
>>> What about my first question: What does the script file contain?
>> Sorry. I could not locate the file. I searched not only the
>> c:\windows\system32 folder but also the entire hard disk. Included the
>> system and hidden files in the search as well.
>>
>> Thank you.
>
> Run Regedit, press the Home key, press F3, type killvirus.vbs1 and see
> if there are any hits. If so, delete that entry and press F3 to
> continue the search.
>
Thank you. I will send the feedback to you later.
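
An added example, not part of the thread: a variant of the WMI query from the quoted batch file, written as a plain VBScript to run with cscript. It brackets each field (the quoted script concatenates the process count directly onto the command line, so a trailing digit in its output can be the count rather than part of the file name) and also reports the parent process that launched each wscript.exe. The file name ListScriptHosts.vbs and the helper names TextOrNA and DescribeParent are assumptions.

```vbscript
' Added example, not from the thread. Save as ListScriptHosts.vbs
' (hypothetical name) and run:  cscript //nologo ListScriptHosts.vbs
Option Explicit
Dim oWMI, cProcs, oProc

Set oWMI = GetObject("winmgmts:\\.\root\CIMV2")
Set cProcs = oWMI.ExecQuery( _
    "SELECT * FROM Win32_Process WHERE Name = 'wscript.exe'")

WScript.Echo "wscript.exe instances: " & cProcs.Count
For Each oProc In cProcs
    WScript.Echo "PID          : " & oProc.ProcessId
    ' Brackets make the exact end of the command line visible.
    WScript.Echo "Command line : [" & TextOrNA(oProc.CommandLine) & "]"
    WScript.Echo "Started      : " & TextOrNA(oProc.CreationDate)
    WScript.Echo "Parent PID   : " & oProc.ParentProcessId
    WScript.Echo "Parent       : " & _
        DescribeParent(oProc.ParentProcessId, oProc.CreationDate)
    WScript.Echo String(60, "-")
Next

' WMI returns Null for properties it cannot read; show a marker instead.
Function TextOrNA(vValue)
    If IsNull(vValue) Then
        TextOrNA = "(not available)"
    Else
        TextOrNA = CStr(vValue)
    End If
End Function

' Name and command line of the process that launched a child.
' A parent that started after its child means the PID was reused.
Function DescribeParent(nPid, vChildStarted)
    Dim cHits, oHit
    DescribeParent = "(no longer running)"
    Set cHits = oWMI.ExecQuery( _
        "SELECT * FROM Win32_Process WHERE ProcessId = " & nPid)
    For Each oHit In cHits
        If IsNull(oHit.CreationDate) Or IsNull(vChildStarted) Then
            DescribeParent = oHit.Name & " (start time unknown)"
        ElseIf oHit.CreationDate > vChildStarted Then
            DescribeParent = "(PID reused by " & oHit.Name & ")"
        Else
            DescribeParent = oHit.Name & " [" & _
                TextOrNA(oHit.CommandLine) & "]"
        End If
    Next
End Function
```

Run it while the error window is showing; when the parent is still running, its name and command line identify what is launching the script host, which helps when the msconfig Startup tab shows nothing.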