Author Topic: wscript.exe alert  (Read 860 times)
rawrzar
« on: July 01, 2009, 01:26:24 PM »

Hello,

I just got an alert from Defense+ that wscript.exe is trying to modify a protected registry key. I googled it and it says that it is a Microsoft application and should not be disabled, so I allowed it. However, more requests keep popping up. It is trying to modify different things in:
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
such as CA, TrustedPeople, Disallowed.
I found out that wscript.exe can also be used by a virus.  Is this the case?

Edit:
After blocking the request a few more times, it is now trying to connect to the Internet.
Also, cscript.exe is trying to create a new file or directory.
« Last Edit: July 01, 2009, 01:39:07 PM by rawrzar »
kail
« Reply #1 on: July 01, 2009, 01:56:30 PM »

Hi rawrzar, welcome to the forums. Sorry it's under such circumstances.

I'm no expert on this, you'll need to wait for those, but I do know that wscript.exe can indeed be abused, rather easily in fact. It's the basic scripting language for Windows.

Do you have something like Process Explorer? If not, grab it. Process Explorer will probably tell you what the script file is that is being run on wscript.exe and the command-line start-up of the process. Find the file & block it in CIS.

You should probably also use something like HijackThis to see what is trying to start on startup. And there is an autothingy HijackThis log file analysis here.

Also, check your AV & update the virus definitions & run a full scan.

There are also many other apps you can run... more of that later perhaps.

PS If you find wscript.exe running using Process Explorer, note the script filename & kill the process.

edit
« Last Edit: July 01, 2009, 02:03:59 PM by kail »

Vista Business x32+SP2 with CIS 3.12 & Firefox 3.5 & Becky! 2.52
__
A positive and polite attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
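
The check suggested in the reply above (find the script file a wscript.exe or cscript.exe process was started with, and what launched it) can also be scripted. The following PowerShell is an added example, not part of the original thread or any poster's code; it assumes PowerShell 4.0 or later, and the property names in the output object are chosen here for illustration.

```powershell
# Added example (not from the thread): show what each Windows Script Host
# process is running and which process started it.
# Assumes PowerShell 4.0+; run elevated to see other users' command lines.
$scriptExt = 'vbs|vbe|js|jse|wsf|wsh'
$pattern   = '(?i)"([^"]+\.(?:{0}))"|(\S+\.(?:{0}))(?=\s|$)' -f $scriptExt

$wsh = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'"
if (-not $wsh) { Write-Output 'No wscript.exe or cscript.exe process is running.' }

foreach ($p in $wsh) {
    # The parent may already have exited, in which case no name is available.
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # First quoted or unquoted token ending in a script extension.
    # An unquoted path containing spaces is captured only from its last space on.
    $scriptPath = $null
    if ($p.CommandLine -match $pattern) {
        $scriptPath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    }

    # Hash and signature status help decide whether the file belongs to a
    # known vendor tool or needs a closer look.
    $hash = $null
    $sig  = $null
    if ($scriptPath -and (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $scriptPath).Status
    }

    [pscustomobject]@{
        HostExe     = $p.Name
        ProcessId   = $p.ProcessId
        CommandLine = $p.CommandLine
        ScriptFile  = $scriptPath
        SHA256      = $hash
        Signature   = $sig
        ParentPid   = $p.ParentProcessId
        ParentName  = $parent.Name
        ParentPath  = $parent.ExecutablePath
    }
}
```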
rawrzar
« Reply #2 on: July 01, 2009, 03:49:42 PM »

Hello kail,

Thank you for your help.  Using Process Explorer, I found that HP Health Check was responsible for the script.  After searching around, I found that many people have come across this, and I didn't realize that the Health Check was running automatically. Thanks again.
kail
« Reply #3 on: July 01, 2009, 04:16:03 PM »

No problem, good tool Process Explorer. You should also check out AutoRuns, it's by the same guys.