C:\Windows\astig.vbs Help

thank you for the link but the one you gave me is for virus-remover.vbs

That's what i think cause it's not working i click the batch i created and when i restart there it is again

Can Not Find Script File "C:\Windows\astig.vbs".

Thank you very much for the answer

But i already delete astig.vbs i use Autoruns.exe
Then the guy i ask to tell me to delete all .vbs

Cause he say every OS has no .vbs runing in start up so i tried it and it work

Hey but Ambucias,

Can you please help me delete another .vbs it's called katrinascandal.vbs

i think it's in c\windows\adobecs4.vbs i think that is the location
i tried to delete it like astig.vbs but it did not work this time
it comes back every time and my regedit and task manager is lock because of it

Please help

And Thank you

Hi,
There very few reported cases about this scandal worm which is not yet documented.
Gervarod will be taking over from here.
Good luck

I forgot.
adobecs4.vbs comes from Photoshop CS4

hello please remove these files by ticking them and click on the remove button.

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [uTorrent] "F:\Programs\uTorrent.exe" /HIDE

O4 - HKCU\..\Run: [PowerSuite] "C:\Program Files (x86)\Uniblue\PowerSuite\launcher.exe" delay 20000 -m

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O8 - Extra context menu item: Download all by FlashGet3 - C:\Users\Se7en Ultimate\AppData\Roaming\FlashGetBHO\GetAllUrl.htm

O8 - Extra context menu item: Download by FlashGet3 - C:\Users\Se7en Ultimate\AppData\Roaming\FlashGetBHO\GetUrl.htm

O8 - Extra context menu item: &Download by Orbit - res://F:\Programs\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://F:\Programs\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Programs\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://F:\Programs\Orbitdownloader\orbitmxt.dll/202

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)


O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: Remote Connections Service (FlexService) - BitMicro Software Corporation - C:\Program Files (x86)\RapidBIT\cisvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
https://www.google.com/?gws_rd=ssl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.google.com/?gws_rd=ssl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

but one thing is are you using Avast or any other Anti Virus protection like bit defender or that?

Yes i'm using Avast Antivirus

Well here it is. . .

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4974

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/21/2010 11:14:14 AM
mbam-log-2010-10-21 (11-14-14).txt

Scan type: Full scan (C:\|F:\|I:\|)
Objects scanned: 241799
Time elapsed: 40 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Se7en Ultimate\AppData\Local\Mozilla\Firefox\Profiles\d8ds703d.default\Cache\DA761E44d01 (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
C:\Windows\System32\secushr.dat (Malware.Trace) -> Quarantined and deleted successfully.


Thank you

OK but how is it has the infection gone away yet?

so have you checked any of the cords or that have you got power to it at all?

yup, whenever i turn off my pc and i open it again it takes me
5mins to 10mins or 1hour to 5hour it depends on purely luck you see i don't know the cause of it. . . .

Until my simpletect 96300-40001-001 (250G) drive suddenly stop working it. . . . .
at first it says "you need to format to be able to use" then "usb not recognize"
so i search for help using google and walaaa i saw fixya.com then many there says
remove the hard drive form the case or Hard Drive Enclosure then put it in my pc

At first i don't know what to do cause i'm not very good at technical fixing but my bro keeps on nagging me to fix it so i tried i opened the Simple tech then open my pc then i saw there a Hard Drive just like the one form the Simple tech so i have a good idea why not put it in my pc like they say so i search again on how to do it then there i saw again a possible way it's a IDE CABLE And now i know all about it like Master and Slave and Pins but it didn't work cause the IDE CABLE on my pc only has one connector it doesn't have any Jumper To be put in my to be
Slave Drive(AKA_Simpletech HD)



So in short my pc not having a IDE CABLE that has Slave Connector means only 1 thing my pc is a old model Well not so old i like fossil like pc but plain old pc i think

But any way if we may,can we go back to fixing my 2nd Problem it is my immortal enemy (AKA_katrinascandal.vbs)

And this tread is going to be an all type problem solving tread,WHY? cause at first

It's only astig.vbs,then katrina,then my o_d pc

So i think we may as well concentrate on defeating this immortal enemy of mine shall we?

Cheers,Hackimist

Hello,
Try the solution posted in your previous thread regarding removing the katrinascandal.vbs
Even though you delete it manually, it will return back. Follow the steps given in that thread to remove it.
For "astig.vbs"
After removing the katrinascandal.vbs, click on Start --> In search box, type msconfig and press Enter. "System Configuration Utility" will be opened --> Click on "Startup" tab.
This time look for the suspicious file and remove from the startup.
Note: If you have followed the steps to remove the kartinascandal.vbs, you can notice that a fake
file with name abodecs4.vbs is cretead. So to remove "astig.vbs" from startup look for suspicious file.
Good Luck.