I don't remember entering any "funny" website and this virus warning seems to pop up at random once every day, anyone know what it is? How can I fix it?

Object: http://mst.my03.com:8080/k.zip | [Embedded:MSEnc...

Infection: VBS:Downloader-ABT [Trj]

Process: C:\Windows\System32\wbem\scrcons.exe

Cristy
    I suggest you try scanning with another AV tool, e.g. MalwareBytes (https://www.malwarebytes.com). Also, see http://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit – James P Aug 30 '16 at 09:09
  • @James Thanks, I will install malwarebytes trial, hope there won't be any conflicts with (the stupid) avast. – Cristy Aug 30 '16 at 09:19
  • You don't have to go to "funny" websites to download malware, most malware is sent through ads – Ramhound Aug 30 '16 at 11:16
  • I have run MBAM and disabled WSH and today that warning popped up again... Not sure what else can I do. – Cristy Aug 31 '16 at 14:01
  • @Cristy: Try using a couple of bootable anti-virus ISO's (see the link to the SuperUser question in my previous comment) in case you have a rootkit deeply embedded in your system and your symptoms are just the tip of the iceberg. – James P Sep 01 '16 at 08:28

1 Answer

Looks like a malicious VBScript is hooked somehow to your WMI event system - that is what scrcons.exe is responsible for - see here.

Using a free version of MBAM is a good idea, I would start with that.

You can always check a URL with VirusTotal.

For the mentioned URL mst.my03.com you get:

Dr.Web                  known infection source
Websense ThreatSeeker   dynamic dns

So it looks likely that it is not a false alarm; it is a VBScript downloader.

One thing you can also do before you get rid of the rogue script completely is to temporarily disable WSH.

Vojtěch Dohnal
  • Thanks, I disabled WSH. Is there any drawback if I keep WSH disabled? – Cristy Aug 30 '16 at 11:41
  • No, older scripting languages like VBScript and JScript will not work; BAT or PowerShell should be OK. It may be a problem when you install something that uses VBScripts during install. – Vojtěch Dohnal Aug 30 '16 at 11:48
  • I have run MBAM and disabled WSH and today that warning popped up again... Not sure what else can I do. – Cristy Aug 31 '16 at 14:01
  • Perhaps disabling did not work, you can verify by running a vbs file, containing *MsgBox "ok"*. Or the virus is only detected as vbscript but it is not a script at all. – Vojtěch Dohnal Aug 31 '16 at 18:24
  • It's disabled, if I type `cscript.exe` I get this: `CScript Error: Windows Script Host access is disabled on this machine. Contact your administrator for details.` – Cristy Sep 01 '16 at 12:23
  • So it is some executable that is hooked to WMI event, MBAM did not show anything? – Vojtěch Dohnal Sep 01 '16 at 12:48
  • It did show and fix a few threats, but they seemed unrelated with this issue. – Cristy Sep 01 '16 at 13:41
  • You may try to post your C:\Windows\System32\wbem\scrcons.exe on VirusTotal.com. There is a huge number of VBS:Downloader variants on Avast from AAA to AHK. You can also eventually block the one website http://superuser.com/questions/270524/blocking-web-sites-with-windows-firewall – Vojtěch Dohnal Sep 01 '16 at 14:03
  • Oddly, I can not select that `.exe` file to be uploaded on VirusTotal – Cristy Sep 01 '16 at 14:29
  • I think this is related: http://la.trendmicro.com/media/misc/understanding-wmi-malware-research-paper-en.pdf but I didn't understand how to fix the issue. – Cristy Sep 02 '16 at 09:28
  • `can not select that .exe` it is not in `C:\Windows\System32\wbem\scrcons.exe` or what? I do not have it on Windows 7 Enterprise x64 at all. What is your Windows version? You may try to uninstall KB2506143 – Vojtěch Dohnal Sep 02 '16 at 09:56
  • I have the file, I can see it in File Explorer, but when I get the Upload file prompt and go to `System32\wbem` the scrcons.exe file does not appear in that menu. I have `Windows 10 Pro`. And from the guide on trendmicro I was not able to do anything as no Consumers appear in WMI. – Cristy Sep 02 '16 at 12:10
  • You can drag and drop the file there... – Vojtěch Dohnal Sep 02 '16 at 12:54
  • `Warning! You submitted an empty file (0 bytes size), please make sure no software on your computer is preventing the upload (e.g. antivirus quarantine).` Message still appears if I disable the anti-virus – Cristy Sep 02 '16 at 13:37
  • Also unable to copy the file to another destination on your disk with Avast disabled? That would be something very weird. More complex analysis of your system in terms of malware would be required. – Vojtěch Dohnal Sep 03 '16 at 11:02
  • Is it inside https://www.avast.com/faq.php?article=AVKB21 ? – Vojtěch Dohnal Sep 03 '16 at 11:04
  • No, it's not inside the virus chest. And I can copy it to another location and the file has 49KB. – Cristy Sep 03 '16 at 11:37
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/44873/discussion-between-vojtch-dohnal-and-cristy). – Vojtěch Dohnal Sep 03 '16 at 16:21
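The answer and the comment thread above both point at the same place: scrcons.exe is the host for WMI ActiveScriptEventConsumer objects, so a script that keeps firing "once every day" would be registered as a permanent WMI event subscription (a filter, a consumer and a binding tying them together in the root\subscription namespace), and the Trend Micro paper Cristy links describes exactly that mechanism. The following PowerShell is an added example, not code from the original post or from either participant; it lists every filter, consumer and binding so you can read the registered script text yourself, and then reads the registry value that the WSH-disable step in the answer sets, so the check does not depend on running a .vbs file. It assumes an elevated PowerShell 5.1 or later session on Windows; Get-CimInstance, the root\subscription namespace and the Windows Script Host Settings key are standard.

```powershell
# Added example: enumerate permanent WMI event subscriptions and check the WSH policy.
# Run from an elevated PowerShell session; the root\subscription namespace is
# where persistent filters, consumers and bindings live.

$ns = 'root\subscription'

Write-Host "== __EventFilter: what triggers each subscription =="
# The WQL query shows the trigger (e.g. a timer or a process-start event).
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query, QueryLanguage |
    Format-List

Write-Host "== ActiveScriptEventConsumer: scripts hosted by scrcons.exe =="
# ScriptText is the embedded script; ScriptFileName points at a script on disk.
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText |
    Format-List

Write-Host "== CommandLineEventConsumer: arbitrary command lines =="
# Worth listing as well, since a non-script payload would be registered here.
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate, ExecutablePath |
    Format-List

Write-Host "== __FilterToConsumerBinding: filter -> consumer links =="
# A consumer only runs when a binding connects it to a filter, so this is the
# object that actually makes a subscription active.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer |
    Format-List

Write-Host "== Windows Script Host policy =="
# Enabled = 0 under either key disables cscript.exe/wscript.exe for that scope,
# which produces the "Windows Script Host access is disabled" error quoted above.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows Script Host\Settings"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) {
        Write-Host "$hive : Enabled not set (WSH allowed by default)"
    } else {
        Write-Host "$hive : Enabled = $enabled"
    }
}
```

If the listing shows a filter, consumer or binding you do not recognise, the objects can be removed by piping each one to Remove-CimInstance (binding first, then consumer, then filter); the Sysinternals Autoruns "WMI" tab shows the same bindings graphically. Note that the comment thread reports that disabling WSH did not stop the warning and that no consumers were visible to Cristy, which is consistent with the page's later suggestion that the payload may not be a script at all; the CommandLineEventConsumer listing above is there for that case.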