drjTh malware in Windows 10 comes back after quarantine


#1 (Posts: 6, Windows 10)


    Hi,

    I'm using Malwarebytes on my Windows 10 version 22H2 (build 19045.3516), and after a scan it detected 2 malware items named "drjTh" in the location C:\Users\user\AppData\Roaming. The first file type is .bat and the second is .vbs.

    [screenshot: screenshot-2023-10-11-032612.jpg]

    After I select quarantine, they come back automatically after a while!

    Any idea what those files are?

    Thanks


#2 (Posts: 352, Windows 11 Home (x64) Version 23H2)

    @Saleh9416, I need to see the report that Malwarebytes sends you; could you run these programs for me and post the reports? If you still have Malwarebytes on the computer, delete/remove it and download it fresh using the instructions I posted!!

    Download these 2 programs and run them; when done, post the logs so we can see if that problem goes away, or whether I need to have you run a stronger program.
    Malwarebytes AdwCleaner >>> Download AdwCleaner
    Please download AdwCleaner and save it to your Desktop
    * Close all open programs and browsers
    * Right-click on the icon and select Run as administrator
    * Click Scan now
    * Allow the program to Quarantine what it finds except for Pre-installed applications if you would like to keep those or other entries you would like to keep
    * When completed click View Scan Log File
    * Copy and paste the contents in your reply
    * Click Skip Basic Repair if it appears then close the program

    ===========

    Full System Scan with Malwarebytes Antimalware >>> https://www.malwarebytes.com/mwb-download
    * If not existing, please download Malwarebytes' Anti-Malware to your desktop.
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    * If the program is already installed:
    * Run Malwarebytes Antimalware
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    * Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    *** Post that log back here or just tell me what it found.
    If it is too long then you will have to zip it or find a site to upload it to and let me know where!

    Post the logs so I can read them unless nothing is found! If they are too big then zip them up and give me a link!!

    Thanks !
    Chuck


#3 (Thread Starter, Posts: 6, Windows 10)

    Hi @flashh4, I followed your instructions and attached the logs.
    [attached files: AdwCleaner and Malwarebytes logs]


#4 (Posts: 352, Windows 11 Home (x64) Version 23H2)

    Howdy @Saleh9416, the Malwarebytes AdwCleaner log is clean, and the Malwarebytes.txt shows it found 1 bad guy and quarantined it, so you shouldn't ever have any problems with it. Not sure why you said it came back, unless you hit the Restore button! So you can completely remove it from the computer!

    Open Malwarebytes for Mac.
    Click the Detection History card.
    Click the Quarantined items tab.
    Click the check boxes next to each listed item you want to restore or delete.
    You can either Restore or Delete selected items:
    If you want to restore selected items back to their original locations, click Restore. In the popup that appears, click Restore and Allow if you want to exclude the item from future detections. Click Restore only if you don't want to add to the Allow List.
    If you want to permanently delete selected items from your Mac, click Delete.

    =====================

    If you still feel you are infected, you can run ESET and post its log!

    ESET Online Scanner
    --------------------

    Note: You can expect this process to take a couple of hours or more.

    Download ESET Free Online Scanner and save it to your Desktop >>> https://redirect.viglink.com/?format...line%20Scanner
    * Right click on esetonlinescanner_enu.exe and select Run as administrator
    * Click Computer Scan
    * Click Full scan
    * Select Enable ESET to detect and quarantine potentially unwanted applications
    * Click Start scan
    * Once completed click Save scan log and save it to your Desktop as ESETScan.txt
    * Click Continue then finally click Close
    * Copy and paste the ESETScan.txt file contents in your reply or just let us know everything is good !

    Then, if you feel you are clean, as I do, run this program to remove the programs we used to clean the machine and the logs they produced!!
    Please download KpRm by Kernel-panik and save to your Desktop. >>> Downloads - KpRm - ToolsLib

    * Click on KpRm.exe to run the tool.
    * Vista/Windows 7/8/10 users right-click and select Run As Administrator.

    * Put a check mark next to these items:
    - Delete tools
    - Delete now

    * Click the "Run" button.
    When the tool has finished, it will create and open a log report and delete itself.

    Thanks !


#5 (Thread Starter, Posts: 6, Windows 10)

    Hey @flashh4, ESET Online Scanner has done the job. The Trojans were finally deleted permanently.

    Thank you for guiding me through it.
    [attached files: ESET scan log]


#6 (Posts: 352, Windows 11 Home (x64) Version 23H2)

    @Saleh9416 ... glad to help! Now one more program to run, which will remove all logs and tools we used in the cleaning!

    This removes all programs we used !

    Please download KpRm by Kernel-panik and save to your Desktop. >>> Downloads - KpRm - ToolsLib

    * Click on KpRm.exe to run the tool.
    * Vista/Windows 7/8/10 users right-click and select Run As Administrator.

    * Put a check mark next to these items:
    - Delete tools
    - Delete now

    * Click the "Run" button.
    When the tool has finished, it will create and open a log report and delete itself.

    Happy Surfing !!


#7 (Thread Starter, Posts: 6, Windows 10)

    Will do. thanks again.


#8 (Thread Starter, Posts: 6, Windows 10)

    Hey @flashh4, I have been seeing this error every time I restart Windows!

    [screenshot: screenshot-2023-10-20-050356.jpg]

    It's the same file that was removed by ESET Online Scanner.


#9 (Posts: 352, Windows 11 Home (x64) Version 23H2)


#10 (Posts: 1,773, Windows 10 Pro (+ Windows 10 Home VMs for testing))

    flashh4 said:
    IMO that is a very misleading article and possibly unwise for the OP (or anyone else) to use.

    For example, under Step 1 it advises:
    On the right pane, double-click Default and change the Value Data to VBSfile and reboot to see if the error is gone.
    However, it actually shows a screenshot of the (correct) data value of VB Script Language.

    In Step 2 it advises:
    On the right pane, scroll down to Userinit and delete and registry keys after that. Some may see more, less, or different names than seen in the example screenshot.
    The advice makes no mention that the VMApplet entry's default data value relates to numerous performance-related settings for visual effects, allocation of task performance preference (including swapfile) and DEP (Data Execution Prevention). If you just delete the entry, as advised, you'll most likely get one or more errors, including that the swapfile couldn't be created. (I'm not sure you CAN even delete the entry... and I'm certainly not going to try to unless on a VM or test device I can recover easily.)

    It also doesn't mention that the WinStationsDisabled entry's data value should have a default value of 0 (unless you want to disable remote logons, in which case it's 1). IMO neither entry has anything to do with Windows Script Host errors on startup.

    As for deleting any other entries in the right-hand pane... well, IMO that's just plain reckless advice without first ascertaining what those entries are.

    IMO it would be far safer to:

    a) ask the OP to use the Registry Editor to provide a screenshot of the WinLogon entry wide enough to show both the right-hand pane entries and their data values, then compare with your own system, or

    b) get the OP to run Autoruns (using Run as administrator) and save the results as an .ARN file for you to look at on your own system, or

    c) more complex: get the OP to run Process Monitor in Boot Logging mode, filtered on both the cscript.exe and wscript.exe process names, to see what's calling the .vbs script (which is possibly being added by %SystemRoot%\System32\reg.exe, so the OP could filter on that process name as well to see how the call keeps getting re-added).
    [screenshot: procmon_filter_for_wsh_calls.png, Process Monitor filter on cscript.exe/wscript.exe]

    Hope this helps...
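The checks that post #10 suggests (compare the Winlogon values, look at what Autoruns would show, find what keeps calling the .vbs) can be done in one pass from an elevated PowerShell prompt. The script below is an added example and is not part of the thread or of any tool mentioned in it. It assumes that whatever re-creates or re-launches the "drjTh" scripts references them by path, and that the path and extensions from post #1 (a .bat and a .vbs under C:\Users\user\AppData\Roaming) are what to look for; the regex and the "clean default" strings in the comments are assumptions for a stock Windows 10 install. A startup Windows Script Host error like the one in post #8 usually means an autostart entry still points at a file that has since been deleted, which is exactly what this script lists.

```powershell
# Added example, not from the thread. Enumerates the autostart locations that can
# re-launch (or keep referencing) a .vbs/.bat dropped under AppData\Roaming and
# prints the Winlogon and VBSFile values post #10 says to compare against a clean
# system. Run from an elevated PowerShell prompt so HKLM, scheduled tasks and
# WMI subscriptions are readable. Assumption: the persisting entry names the
# script by path; adjust $pattern if your files live elsewhere.

$pattern = '(?i)AppData\\Roaming\\[^"''\s]*\.(vbs|bat)\b'   # assumed, based on post #1
$hits    = New-Object 'System.Collections.Generic.List[object]'

function Add-Hit([string]$Source, [string]$Name, [string]$Value) {
    # Record an entry only if its data references a matching script.
    if ($Value -and ($Value -match $pattern)) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Run/RunOnce keys and the Winlogon key (post #10, option a).
$regKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Hit $key $p.Name ([string]$p.Value) }  # skip provider metadata
    }
}
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Output "Winlogon Userinit: $($wl.Userinit)  (clean Windows 10 default: C:\Windows\system32\userinit.exe,)"
Write-Output "Winlogon Shell   : $($wl.Shell)  (clean Windows 10 default: explorer.exe)"

# 2. Scheduled tasks: an action (Execute + Arguments) that points at the script.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        Add-Hit "Task $($task.TaskPath)$($task.TaskName)" 'Action' "$($action.Execute) $($action.Arguments)"
    }
}

# 3. Startup folders (the per-user one itself lives under AppData\Roaming); resolve .lnk targets.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        Add-Hit 'Startup folder' $f.Name $f.FullName
        if ($f.Extension -ieq '.lnk') {
            $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName)
            Add-Hit 'Startup shortcut' $f.Name "$($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
}

# 4. WMI permanent event subscriptions, a classic "comes back after reboot" mechanism.
foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue) {
        Add-Hit "WMI $cls" $c.Name "$($c.CommandLineTemplate)$($c.ScriptText)"
    }
}

# 5. The .vbs file-type handler the article in post #10 discusses. On a stock system the
#    VBSFile default data is "VB Script Language" and the open command launches WScript.exe.
$vbs  = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\VBSFile' -ErrorAction SilentlyContinue
$open = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command' -ErrorAction SilentlyContinue
Write-Output "VBSFile default     : $($vbs.'(default)')"
Write-Output "VBSFile open command: $($open.'(default)')"

# Report: every entry that still references the dropped scripts.
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize -Wrap }
else { Write-Output "No autostart entry references a .vbs/.bat under AppData\Roaming." }
```

Whatever the table lists is the thing to remove (or to show in Autoruns), not just the file; quarantining the .vbs/.bat alone leaves the entry behind, which is what produces the startup error. If the table is empty but the files still return, the persistence is somewhere this script does not cover (a service, a browser extension, a third-party scheduler), and the Process Monitor boot log from option c is the next step.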


 
