VB Script.

Thread: VB Script.

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747

    VB Script.

    I recently ran into a problem on my computer. Every time I start up my Win98 box I get a window that says VB script. The message that comes with it is in a foreign language so I have no idea what it says.

    The first option is to press OK, then the next option is yes or no. If you press no your computer shuts down; if you press yes it does nothing. I put McAfee on there and now when I press no McAfee gives me a warning about a malicious script and allows me to stop it from shutting down my computer.

    I'm not at the computer right now that has this problem, but if I press details on McAfee it says something about it being a shell.

    Any help would be appreciated.

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    If you could post the message perhaps we could translate it?

    Check win.ini and your start folder for any odd looking programs that run at startup.

  3. #3
    hey, looks like you just might be infected with some sort of script virii...
    simple solution is to look for all VB scripts and remove/delete them - that is of course if you don't need them... If you are not on a big network, and no one else is using your machine - then it's a safe bet you don't need any VisualBasic scripts...

    I'd suggest deleting the .vbs

    .vbs ? is that right-?
    When you connect to your ISP, you are potentially opening your computer to the world. There are 'naughty people' out there who enjoy breaking into other people's computers. Give some thought to the security of your computer...
    http://www.AntiOnline.com/sig.php?imageid=360

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I was looking through win.ini startup folder and under a folder called Postscript I see names like Times New Roman, etc., which are just some font types. However, the farther I scroll down I see names like @///]]\\345838dkdka. There are about another 12 of those in the win.ini folder. I tried unchecking them but the vbscript still popped up.

    When I get to that computer later today I'll post the details that McAfee brought up.

  5. #5
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Have you gotten any mail and visited a URL in the e-mail or downloaded any attachments there? If so then that sounds like the classic macro worm. Though your AV is preventing the script from running... that won't totally get rid of the problem until you completely remove it and fix any problems it may have unleashed.

    I remember hearing here that on an XP box the desktop.ini can be used to shut down a comp as soon as you log in. There are also many other ways of shutting down a Windows comp.

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I think I got this off of mIRC. I was trying to learn mIRC and somehow I got this little script.

    Here's the detail that McAfee gave me though

    This script is attempting to call the run method which runs an application

    Interface name: IWshShell
    Interface documentation: Shell Object Interface
    Method Name: Run
    Method Documentation: (nothing on this line)

    That's what McAfee says about it. It's the newest version of McAfee and I did a full system scan but it didn't pick up anything.

    It also gives me a website www.cacing-crew.du.ru. Go there at your own risk.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    The page is down for whatever that is worth. Definitely a Trojan of some sort I am thinking..it was probably trying to collect data and send it to someone with an address at this site.

    Da.ru is some type of dynamic domain name hosting service from what I can tell. Used for address masking (ie no whois info).

    Cacing crew web site is mostly in Russian, I’m no help there (anyone know a Russian?) but all of their pages are down…it's some sort of hacking group I’d guess, they seem to be political, anti-war and anti-American from the posts I have seen by them…a lot of it is in Russian so I am not 100% sure on that.

    So this is some sort of script virus or what not..perhaps even something like a BO trumpet..these guys seem to be into IRC.

  8. #8
    Banned
    Join Date
    Jul 2001
    Posts
    264
    First off to the moron who posted "find and delete all VBScript" you need to go shoot yourself in the face. Windows has tons of VBscripts that are supposed to be there and if you delete them, **** will not work. If you really want to stop the virus threat do this:

    c:\winnt\system32\wscript.exe change the permissions to "special access read only"
    c:\winnt\system32\cscript.exe change the permissions to "special access read only"

    or c:\windows\system32 for windows 9x users.

    What this does is disable the windows scripting engine from being run by scripts. Then if you run into an application that NEEDS access to it, you can modify the permissions accordingly.

  9. #9
    Member
    Join Date
    Mar 2003
    Posts
    46
    I recommend that you find the file. Look in regedit in the local_machine folder, then software, then Microsoft, then windows, current version, run, and check the keys in there.
    Post here any suspicious key for more help

    xDrack
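
The checks suggested in posts #2 and #9 (the win.ini startup lines and the HKEY_LOCAL_MACHINE Run key), written out as an added example that is not part of any post in this thread. It assumes the Run key has been exported from regedit as a REGEDIT4 text file; the sample win.ini and export below, including the entry names and file paths, are constructed for illustration.

```python
import re

# Windows Script Host binaries and the script extensions they execute.
SCRIPT_HINTS = re.compile(r"\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)

# Constructed sample inputs (not taken from the affected machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\TEMP\startup.vbs
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="wscript.exe \"C:\\WINDOWS\\SYSTEM\\update.vbs\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup]
"BootDir"="C:\\"
"""

def win_ini_autoruns(text):
    """Return (key, command) pairs from non-empty load=/run= lines in [windows]."""
    found, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append((key.lower(), value))
    return found

def reg_run_entries(text):
    """Return (value name, command) pairs under Run, RunOnce and RunServices keys."""
    found, in_run = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_run = bool(re.search(r"\\CurrentVersion\\Run(Once|Services)?\]$", line, re.I))
        elif in_run:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo the export's \" and \\ escaping
                found.append(tuple(s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups()))
    return found

def suspicious(entries):
    """Keep entries whose command starts a script host or names a script file."""
    return [(name, cmd) for name, cmd in entries if SCRIPT_HINTS.search(cmd)]

if __name__ == "__main__":
    for name, cmd in suspicious(win_ini_autoruns(SAMPLE_WIN_INI) + reg_run_entries(SAMPLE_REG)):
        print(name, "->", cmd)
```

A flagged entry is a lead to inspect, not proof of infection: legitimate administrative scripts start the same way.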

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by Quad
    First off to the moron who posted "find and delete all VBScript" you need to go shoot yourself in the face. Windows has tons of VBscripts that are supposed to be there and if you delete them, **** will not work. If you really want to stop the virus threat do this:

    c:\winnt\system32\wscript.exe change the permissions to "special access read only"
    c:\winnt\system32\cscript.exe change the permissions to "special access read only"

    or c:\windows\system32 for windows 9x users.

    What this does is disable the windows scripting engine from being run by scripts. Then if you run into an application that NEEDS access to it, you can modify the permissions accordingly.
    Two points on this.
    Your advice would not work for a 9x box
    I have used vbscript to automate some administrative tasks..besides the scripts I have written and some siteserver stuff I have never seen a .vbs file that I couldn't get rid of.
