Unknown VBScript in my startup. Unable to delete them.

Discussion in 'Computer Security' started by HackSpoon, Jul 13, 2017.

  1. HackSpoon

    HackSpoon Member

    Messages:
    142
    Hello! I was looking at my startup list, which I do often to see what is getting started up. It's a good way to check whether any malware is coming up. I found two VBScript files. One is called ANTIVI~1, and the other Item Spawner?

    Well, I tried to delete these, and it goes away, but it restores itself. I tried to rewrite the code in it, but it just restores itself again to the code it had before.

    I will upload the files, and I would like someone to please look and tell me if these are malicious!

    https://ufile.io/8u5mc
     
  2. Cromewell

    Cromewell Administrator Staff Member

    Messages:
    15,060
    Did you even look at the contents? Sketchy is an understatement.
     
  3. johnb35

    johnb35 Administrator Staff Member

    Messages:
    39,317
    I'm not downloading that file. Item Spawner is a mod of some kind. Would need the full name of this antivi~1 entry. But if Cromewell says sketchy is an understatement, then I would have to agree with him.
     
  4. Darren

    Darren Moderator Staff Member

    Messages:
    10,193
    Try deleting them in Safe Mode?
     
  5. Cromewell

    Cromewell Administrator Staff Member

    Messages:
    15,060
    It looked like that was its full name, as opposed to an 8.3 fallback name.

    The script builds a massive string and then executes it. Like 1000s of characters long. The command was nonsensical to me, but they might be trying to make the weirdest sled I've ever seen. On the plus side, I'm not 100% confident the code actually works, so you've got that going for you :p

    The command is something that starts with "sdjbfsjkgftektgejhrtgyhjerjkedhkyjned" and goes on for a country mile.
     
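An added example for the "builds a massive string and then executes it" pattern Cromewell describes. It is not code from the thread or from the OP's script: it is a small static unwinder that follows VBScript assignments, evaluates literals, Chr()/ChrW() codes, StrReverse() and earlier variables, and shows what would reach Execute/ExecuteGlobal, without ever running the script. $SampleVbs is a constructed stand-in; the real file from the thread is not shown here.

```powershell
# Added example, not code from the thread or from the OP's script. It statically
# unwinds a VBScript that assembles a string from literals, Chr()/ChrW() codes,
# StrReverse() and earlier variables, then hands it to Execute/ExecuteGlobal.
# $SampleVbs is a constructed stand-in for such a script.

$SampleVbs = @'
Dim a, b, c
a = "cmd" & Chr(46) & "exe"
b = " /c echo " & ChrW(&H68) & Chr(105)
' the next line reverses a reversed literal, a common cheap trick
c = a & b & StrReverse("!dlrow ")
Execute c
'@

function Resolve-VbsExpression {
    # Evaluate one right-hand-side expression without running any of it.
    param([string]$Expr, [hashtable]$Vars)
    $sb = New-Object System.Text.StringBuilder
    # Tokens handled: "literal" (with "" escape), Chr(n)/ChrW(n) with decimal or &H hex,
    # StrReverse(<expr>) (greedy: assumes it is the last call on the line), identifiers
    # resolved from $Vars, and the & operator. Anything else is echoed as <token> so the
    # analyst can see exactly what was not decoded.
    $pattern = '(?i)"((?:[^"]|"")*)"|ChrW?\s*\(\s*(&H[0-9A-F]+|\d+)\s*\)|StrReverse\s*\((.*)\)|([A-Za-z_]\w*)|(&)|(\S)'
    foreach ($m in [regex]::Matches($Expr, $pattern)) {
        if ($m.Groups[1].Success) {
            [void]$sb.Append(($m.Groups[1].Value -replace '""', '"'))
        } elseif ($m.Groups[2].Success) {
            $v = $m.Groups[2].Value
            $code = if ($v -like '&H*') { [Convert]::ToInt32($v.Substring(2), 16) } else { [int]$v }
            [void]$sb.Append([char]$code)
        } elseif ($m.Groups[3].Success) {
            $inner = (Resolve-VbsExpression -Expr $m.Groups[3].Value -Vars $Vars).ToCharArray()
            [array]::Reverse($inner)
            [void]$sb.Append((-join $inner))
        } elseif ($m.Groups[4].Success) {
            $name = $m.Groups[4].Value
            if ($Vars.ContainsKey($name)) { [void]$sb.Append($Vars[$name]) } else { [void]$sb.Append("<$name>") }
        } elseif ($m.Groups[5].Success) {
            # '&' is concatenation; nothing to emit
        } else {
            [void]$sb.Append("<$($m.Value)>")
        }
    }
    return $sb.ToString()
}

function Expand-VbsScript {
    # Walk the script line by line, tracking assignments, and collect what reaches Execute.
    # Dim/Set/Option lines and ' comments are skipped; object creation (Set) is not modelled.
    param([string]$Source)
    $vars = @{}
    $executed = @()
    foreach ($raw in ($Source -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith("'") -or $line -match '^(Dim|Set|Option)\b') { continue }
        if ($line -match '^(?<name>[A-Za-z_]\w*)\s*=\s*(?<rhs>.+)$') {
            $vars[$Matches.name] = Resolve-VbsExpression -Expr $Matches.rhs -Vars $vars
        } elseif ($line -match '^(Execute|ExecuteGlobal|Eval)\s+(?<rhs>.+)$') {
            $executed += Resolve-VbsExpression -Expr $Matches.rhs -Vars $vars
        }
    }
    [pscustomobject]@{ Variables = $vars; Executed = $executed }
}

$result = Expand-VbsScript -Source $SampleVbs
$result.Executed | ForEach-Object { "Execute -> $_" }
```

Paste the contents of a suspect .vbs into $SampleVbs (or read it with Get-Content -Raw) on a machine that does not matter, and read the Execute lines; for the constructed sample the decoded command is a plain cmd.exe /c echo line. Anything the unwinder did not understand shows up in angle brackets, which is usually where the real payload stage (a Replace(), a Split(), a downloaded second stage) is hiding.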
  6. Darren

    Darren Moderator Staff Member

    Messages:
    10,193
    OP, gotta wonder about your browsing habits if you're getting goofy ass scripts in your startup like this. Wasn't your PayPal remoted into not too long ago?
     
  7. beers

    beers Moderator Staff Member

    Messages:
    7,196
    Needs more thermal paste.
     
  8. HackSpoon

    HackSpoon Member

    Messages:
    142
    Well, come to find out, I was checking my Task Manager to see how my CPU is doing, because I added some new thermal paste not too long ago, and I came across this.

    There is some weird ESET Main GUI thing that really gets me thinking... So I right-clicked on it and checked the file location.

    I see that the stuff from before is now in my Roaming folder, and it seems to be replicating itself across my computer. I don't even recall the system thingy there at all. I will research it.

    After a little research, ESET appears to be some kind of antivirus that I never ever installed myself? I only have Spybot Search & Destroy, Malwarebytes, and Bitdefender. But I was trying to delete those files again, and then it told me that Windows Script something was open and that I can't delete it. So I checked Task Manager and I see that two of the Windows-based scripts are open. It gets me thinking, because of the VBS scripts, it could be related to that.
    Well, given what I found, I will be doing a full factory reset of my computer again. This comes only about a month after someone stole about $100 via a RAT I had on my computer. I will be taking no chances this time.
     
  9. johnb35

    johnb35 Administrator Staff Member

    Messages:
    39,317
    Have you tried uninstalling ESET antivirus in Programs and Features in Control Panel?
     
  10. Darren

    Darren Moderator Staff Member

    Messages:
    10,193
    I'd run AdwCleaner if I were you.
     
  11. Cromewell

    Cromewell Administrator Staff Member

    Messages:
    15,060
    You might want to change your browsing/downloading habits.
    Probably. End the wscript processes and see if you can delete the files.
     
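An added example that pulls the advice in this thread (check the startup list, find the "Windows Based Script Host" processes in Task Manager, end the wscript processes, then delete the files and the copies under Roaming) into one PowerShell triage script. It is not code from the thread or from any of the posters. The extension set (.vbs/.vbe/.js/.jse/.wsf), the Run/RunOnce keys and Startup folders it checks, and the Roaming/Local/Temp/ProgramData search roots are assumptions about where such scripts usually live; the function and variable names are mine.

```powershell
# Added example, not code from the thread. Report mode lists script autostarts
# (Run keys and Startup folders) and running wscript/cscript hosts with the script
# each one is executing; -Remove stops the hosts FIRST, then deletes keys, files and
# hash-identical copies, so nothing can re-create them mid-cleanup. Run elevated.
# Extensions and search roots below are assumptions, not facts from the thread.

$ScriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf'

function Get-ScriptStartupEntries {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath, PSProvider and friends
            if ($p.Value -match '\.(vbs|vbe|js|jse|wsf)\b|[wc]script') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in ($ScriptExt + '.lnk') } |
            ForEach-Object { [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName } }
    }
}

function Get-ScriptHostProcesses {
    # Win32_Process exposes CommandLine, which Get-Process does not; that is how a
    # 'Microsoft Windows Based Script Host' row in Task Manager is tied back to a file.
    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

function Get-ScriptPathFromCommand {
    # Pull the script path out of a command such as:  wscript.exe "C:\...\Roaming\ANTIVI~1.vbs"
    param([string]$Command)
    if ($Command -match '([A-Za-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf)\b)') { return $Matches[1] }
    return $null
}

function Find-ScriptCopies {
    # Copies dropped elsewhere (the OP found some under Roaming) share a hash with the originals.
    param([string[]]$KnownPath)
    $known = @($KnownPath | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
               ForEach-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash })
    if ($known.Count -eq 0) { return }
    foreach ($root in $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) {
        if (-not $root) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $ScriptExt } |
            Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -in $known } |
            Select-Object -ExpandProperty FullName
    }
}

function Invoke-ScriptPersistenceTriage {
    param([switch]$Remove)
    $hosts   = @(Get-ScriptHostProcesses)
    $entries = @(Get-ScriptStartupEntries)
    $paths   = @($entries | ForEach-Object {
        if ($_.Source -like 'HK*') { Get-ScriptPathFromCommand $_.Command } else { $_.Command }
    })
    $copies  = @(Find-ScriptCopies -KnownPath $paths | Where-Object { $_ -notin $paths })

    "== script hosts ==";      $hosts   | Format-Table -AutoSize | Out-String
    "== autostart entries =="; $entries | Format-Table -AutoSize | Out-String
    "== identical copies ==";  $copies

    if (-not $Remove) { return }
    # Order matters: a running wscript.exe holds its file open and can restore deleted
    # files or keys, which is exactly the 'it restores itself' behaviour in the thread.
    foreach ($h in $hosts) { Stop-Process -Id $h.ProcessId -Force -ErrorAction SilentlyContinue }
    foreach ($e in $entries | Where-Object { $_.Source -like 'HK*' }) {
        Remove-ItemProperty -Path $e.Source -Name $e.Name -ErrorAction SilentlyContinue
    }
    foreach ($f in ($paths + $copies) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        "removed $f"
    }
}

Invoke-ScriptPersistenceTriage            # report only
# Invoke-ScriptPersistenceTriage -Remove  # stop hosts, then delete entries and files
```

Run it in report mode first and keep the output: the CommandLine column tells you which file each script host is actually running, and the ParentProcessId tells you what launched it, which matters if the parent is something other than explorer.exe or the Task Scheduler. This only covers the Run keys and Startup folders; a script that keeps coming back after -Remove is being relaunched from somewhere this does not check (a scheduled task, a WMI subscription, a service), and at that point the full reset the OP settled on is the sane answer.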