Unknown VBScript in my startup. Unable to delete them.

HackSpoon

Member
Hello! I was looking at my startup list, because I do it often to see what is getting started up. It's a good way to check if any malware is coming up. I found two VBScript files. One is called ANTIVI~1, and the other Item Spawner?

Well I tried to delete these, and it goes away, but it restores itself. I tried to rewrite the code in it but it just restores itself again to the code before.

I will upload the files and I would like someone to please look and tell me if these are malicious!

https://ufile.io/8u5mc

johnb35

Administrator
Staff member
I'm not downloading that file. Item spawner is a mod of some kind. Would need the full name of this antivi~1 entry. But if Cromewell says sketchy is an understatement, then I would have to agree with him.

Cromewell

Administrator
Staff member
I'm not downloading that file. Item spawner is a mod of some kind. Would need the full name of this antivi~1 entry. But if Cromewell says sketchy is an understatement, then I would have to agree with him.
It looked like that was its full name. As opposed to an 8.3 fallback name.

The script builds a massive string and then executes it. Like 1000s of characters long. The command was nonsensical to me, but they might be trying to make the weirdest sled I've ever seen. On the plus side, I'm not 100% confident the code actually works, so you've got that going for you :p

The command is something that starts with "sdjbfsjkgftektgejhrtgyhjerjkedhkyjned" and goes on for a country mile.

Darren

Moderator
Staff member
OP, gotta wonder about your browsing habits if you're getting goofy ass scripts in your startup like this. Wasn't your paypal remoted into not too long ago?

HackSpoon

Member
I'm not downloading that file. Item spawner is a mod of some kind. Would need the full name of this antivi~1 entry. But if Cromewell says sketchy is an understatement, then I would have to agree with him.
Well, come to find out, I was checking my task manager to see how my CPU is doing, because I added some new thermal paste not too long ago, and I came across this.
[attached screenshot: 5d6fa0272af0a83b30bb9fd1f9abca8c.png]

There is some weird ESET Main GUI thing that really gets me thinking... So I right clicked on it and I checked the file location.
[attached screenshot: bc552c675dd0b441297e3be0c18ab25b.png]

I see that the stuff before is now in my roaming folder and it seems to be replicating itself across my computer. I don't even recall the system thingy there at all. I will research about it.

After a little research, the ESET appears to be some kind of anti-virus that I have never installed myself. I only have Spybot Search and Destroy, Malwarebytes, and Bitdefender. But I was trying to delete those files again and then it tells me Windows Script something was open and that I can't delete it. So I check task manager and I see that two of the Windows-based scripts are open. It gets me thinking, because of the VBS scripts, that it could be related to that.
[attached screenshot: 61a5ab2ad0f37ec37be9c3f425c090d5.png]

Well, based on what I found, I will be doing a full factory reset of my computer again. This comes only about a month after someone stole about $100 through a RAT I had on my computer. I will be taking no chances this time.
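Cromewell describes a script that builds a huge string and then executes it, and HackSpoon later finds the same files copied into the Roaming folder and held open by Windows Script Host so they cannot be deleted. The static triage below is an added example, not code from anyone in this thread: it scores a VBScript file on exactly those traits (a dynamic `Execute`/`ExecuteGlobal`/`Eval` call, an unusually long string literal, many `Chr()` calls, and file-copy or Run-key persistence), so an admin can flag a startup entry for closer review without running it. The two embedded scripts are constructed samples; the "suspicious" one only imitates the shape Cromewell describes (the first characters of the blob are taken from his post) and carries no real payload. The thresholds and indicator names are assumptions chosen for illustration.

```python
"""Static triage of VBScript startup entries (added example, not from the thread)."""
import os
import re
from typing import Dict, List

# VBScript string literal; a doubled quote ("") is an escaped quote inside a literal.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Functions that turn a string into running code at runtime.
DYNAMIC_EXEC = re.compile(r'\b(Execute|ExecuteGlobal|Eval)\b', re.IGNORECASE)
# Character-code construction, a common way to hide strings from plain grep.
CHR_CALLS = re.compile(r'\bChr[BW]?\s*\(', re.IGNORECASE)
# Self-copy / autostart indicators (the thread saw copies land in Roaming).
PERSISTENCE = re.compile(
    r'(CopyFile|\\Startup\\|CurrentVersion\\Run|RegWrite|%APPDATA%|\\Roaming\\)',
    re.IGNORECASE)

# Assumed thresholds for illustration; tune them for your environment.
LONG_LITERAL_THRESHOLD = 256
MANY_CHR_THRESHOLD = 20


def analyze_vbs(source: str) -> Dict[str, object]:
    """Return indicator names, basic measurements and a verdict for one script."""
    literals = STRING_LITERAL.findall(source)
    longest = max((len(s) for s in literals), default=0)
    indicators: List[str] = []
    if DYNAMIC_EXEC.search(source):
        indicators.append("dynamic-execution")
    if longest >= LONG_LITERAL_THRESHOLD:
        indicators.append("long-string-literal")
    if len(CHR_CALLS.findall(source)) >= MANY_CHR_THRESHOLD:
        indicators.append("chr-encoded-content")
    if PERSISTENCE.search(source):
        indicators.append("self-persistence")
    # Dynamic execution on its own is occasionally legitimate; combined with
    # obfuscation or self-persistence it is the pattern described in the thread.
    if "dynamic-execution" in indicators and len(indicators) >= 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "likely-benign"
    return {
        "indicators": indicators,
        "longest_literal": longest,
        "concat_ops": source.count("&"),
        "verdict": verdict,
    }


def scan_directory(path: str) -> Dict[str, Dict[str, object]]:
    """Triage every .vbs/.vbe/.wsf file under a folder (e.g. a Startup folder)."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.lower().endswith((".vbs", ".vbe", ".wsf")):
                full = os.path.join(root, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    results[full] = analyze_vbs(fh.read())
    return results


# Constructed benign sample: a plain launcher script.
BENIGN_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "notepad.exe"\n'
)

# Constructed suspicious sample imitating the thread's description: copy itself
# into the Startup folder, build one huge string, hand it to Execute.
SUSPICIOUS_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'fso.CopyFile WScript.ScriptFullName, '
    'CreateObject("WScript.Shell").SpecialFolders("Startup") & "\\ANTIVI~1.vbs"\n'
    'blob = "' + ("sdjbfsjkgftektgejhrtgyhjerjkedhkyjned" * 12) + '"\n'
    'Execute blob\n'
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_VBS), ("suspicious", SUSPICIOUS_VBS)):
        print(label, analyze_vbs(src))
```

Pointing `scan_directory()` at the per-user and all-users Startup folders (and at `%APPDATA%\Roaming`, where HackSpoon found the copies) gives a quick first pass; a "suspicious" hit is a reason to pull the file for offline analysis, not proof of infection, and a clean result does not clear a file that uses tricks this scanner does not look for.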