[quote]Delivering physics in games is no easy task. It’s an extremely compute-intensive environment based on a unique set of physics algorithms that require tremendous amounts of simultaneous mathematical and logical calculations.[/quote]
yep, this wscript.exe, i notice it a day before i post this topic.
if i remember correctly, i start getting this wscript when i plug & open a USB drive from my friend. i block this wscript.exe from running, but then i can’t open the drive. then i open it via start (right click)/explore .
i don’t get the wscript.exe warning for a while until 2 days ago i’m trying to open my C: drive.
oh, where am i, oh yeah the trojan ;D
yes the “recycle.vbs” seems similar. but i still can open task manager, and nothing show up when i open start/run (it shows only the last thing i open, like regedit or mspaint, no fishy thing).
edit:
this is the steps to clean it from tiffany’s site (the failed steps):
1) Start Run command, type “regedit” go the registry > Current_User\ Software\ Microsoft\ Window\ CurrentVersion\ Policies\ System. This is to Enable the Task Manager. Change from ‘1’ to ‘0’.
2) In the Task Manager- Stop the processes named “wscript”
3) Go to C:/Windows/System 32 => Delete file name called “recycle.vbs” (Have to show all hidden files in folder options)
4) Start Run command and go to the registry, go to Edit and Find “recycle” and delete > “Ageia”
5) In the registry, go to Edit and Find “attack” and delete > “http://10.14.133.44” on start page and “::ATTACK::” on windows title.
6) In the registry, go to Edit and Find for “Rahadian” and delete > “Rahadian Restore”
and this is what i do:
1) skipped (i can still open task manager)
2) done
3) can’t find recycle.vbs on system32 folder ???
4) done
5) done (i delete the “powerful curse seal”)
6) skipped
well, the cursed seal has been broken 88) , now my IE seems normal. it shows “about:blank-microsoft internet explorer”.
i deleted wscript.exe but then i get this error message (attached) when i’m trying to open C: or any other drive. why do i need wscript.exe to open things? ??? and why can’t i find this recycle.vbs ???
btw, i’ve finished full scanning with SAS & MBAM, found nothing :o
is it normal to have that error message after removing wscript.exe? perhaps i should get it back? 88)
edit#2:
i copied wscript.exe from my other comp. the cursed seal is coming back >:( , i block every wscript related D+ pop up, but i don’t know why it still manage to change my IE title.
and attachment #2, i got that D+ alert, but can’t find it on regedit ???
When you looked for recycle.vbs did you enable look for hidden files and folders?
Windows XP Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
1) Close all programs so that you are at your desktop.
2) Double-click on the My Computer icon.
3) Select the Tools menu and click Folder Options.
4) After the new window appears select the View tab.
5) Put a checkmark in the checkbox labeled Display the contents of system folders.
6) Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7) Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8) Remove the checkmark from the checkbox labeled Hide protected operating system files.
9) Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.
oops, i’ve done those things except unticking the “hide protected system file” (:TNG)
OK. i found the recycle.vbs. delete it. i once again delete the “powerful curse seal” reg entry & restart.
after rebooting, i tried open IE, the cursed seal is gone.
but then i tried double click my C: drive, and got the same “wscript trying to modify recycle.vbs” D+ alert.
i block it, but the cursed seal is back >:(
i’m sure i’ve deleted that recycle.vbs. i can’t find it anymore on system32. but why D+ still alert me of that thing.
oh, norton security scan catch 23 nasties (trojan.zlob…something). but i need to purchase the full product if i want to remove them >:(
does anyone know good scanner for this nasty except SAS & MBAM (those 2 failed), norton (need to buy the full version) & CureIt (freeze my PC)? 88)
i’m downloading avast & bitdefender right now. ;D
but i don’t like installing things. is there any portable scanner like DrWebCureIt? but nevermind, i’ll try these two first
The trojan placed an autorun.inf on your hard drive.
If you double click your c drive, it gets executed (uncritical, wscript.exe is a known ms application)
The IE titlebar is changed (uncritical)
The trojan tries to place itself in your windows system folder (critical)
Defense+ reports, that wscript tries to modify a file in your system directory (here it would be very nice, if D+ would give the possibility to see the command line arguments of wscript, to see which script tries to do so…)
This time you cancel it (good)
So, be sure to kill all running processes of wscript.exe
delete the autorun.inf file(s) on your hard drive(s)
delete the autorun entry which executes wscript.exe
try to find the .vbs files causing the problems and remove them
I would suggest you post your HijackThis log on a good specialist help forum and let them guide you as just trying different scanners could take forever.
update! :-La
after knowing my system is attacked by fellow ninja naruto.
i reboot in safe mode
i use “search”,and look for “naruto” & delete all of it.
i use regseeker to find “naruto” reg.entry & delete them.
once again, i remove the “powerful seal” entry via regedit HKCU\Software\Microsoft\Internet Explorer\Main, Window Title = Cursed Seal is The Powerful
reboot in normal mode. and i think my PC’s fine now :BNC
i am soooo KEWL! (:KWL)
wow heey, i was just pushing my luck playing with reg.entry & deleting stuff, but it seems my way of gut+luck+del is similar to your suggestion ;D
hmm, i was suspicious about my friend’s flashdisk. i knew there’s a big chance that flashdisk has malware in it. but since i need to open it (and i think i have D+), i still open it (i was thinking, should any executable wants to run, i’ll block it). and i remember D+ alert me about the same wscript.exe (and i blocked it). but why this naruto can still enter my system ??? pretty sneaky huh? ???
anyway, i’ve finished installing bitdefender. i’m updating it right now. i’ll post my result later.
thx James :-TU & thx to all.
oh did i mention I AM SO KEWL already?
i am so KEWL! (:KWL)
Trojan.Zlob is a Trojan that allows the remote attacker to perform various malicious actions on the compromised computer. There are many variations of it.
Suggest you do that Norton scan again to see if you got all of it.
Maybe you should consider to add “c:\autorun.inf” to “My Protected Files” (would have prevented wscript.exe to write to c:\autorun.inf according to the access to your system directory) or to disable the autorun feature for hard drives.
Probably you allowed wscript sometimes later, when you double clicked your hard drive icon.
i deleted all autorun.inf i found yesterday 88)
oh, and i’ve disabled autorun function from Disk & removable drive long time ago using “tweakUI”.
errr, i remove norton & delete the installer as soon as i notice it won’t clean anything (:TNG)
i’m redownloading right now. could take a while.
btw, finished scanning with bitdefender, found nothing
i’ll post my result with norton after i finish scanning. thx a lot guys
Then I don’t understand, why the script got executed, when you inserted the flash drive or double clicked your hard drive. This is typically autorun behaviour!