Advice Request Wscript trying to run

  • Thread starter ForgottenSeer 69673
  • Start date

Please provide comments and solutions that are helpful to the author of this topic.

danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
And I am sure you have scanned with many different scanners (especially K as CS recommended) by now, so I won't even ask about that. The thing is, you have multiple layers of amazing protection and are extremely aware when it comes to security, so the odds of this being malware is probably very small.

Maybe you can try to run FRST and have one of the malware removal experts on MT take a look just for the heck of it. I can look at the FRST results as well, but we certainly would want another opinion since I am not familiar with FRST at all.
 
  • Like
Reactions: harlan4096, blackice and Protomartyr
F

ForgottenSeer 69673

Thread author
danb said:
And I am sure you have scanned with many different scanners (especially K as CS recommended) by now, so I won't even ask about that. The thing is, you have multiple layers of amazing protection and are extremely aware when it comes to security, so the odds of this being malware is probably very small.

Maybe you can try to run FRST and have one of the malware removal experts on MT take a look just for the heck of it. I can look at the FRST results as well, but we certainly would want another opinion since I am not familiar with FRST at all.
Click to expand...

Yes Dan I do have good protection but I was not in shadow mode when this occurred. I still can go back to an image before all this but at this point , I am waiting. I have a strict policy about allowing scripts to run, even if they may be an update, which I have never seen before. I am not your average target. What is your email again? I will explain more in private

Meg thanks for your ideas but all are from sys32.
 
  • Like
Reactions: Nevi, AtlBo, Gandalf_The_Grey and 1 other person
F

ForgottenSeer 69673

Thread author
Today, while in shadow mode, I tried to install Eset IS. The installer failed with the splash screen it fail because I might have malware. There was a button to try a special scanner. I clicked on that and another splash screen came up saying malware was found and removed. I still have no idea what is going on. Eset never mentioned anymore, but once I reboot, it will be back. And so far I am not getting any more script blocks.
 
  • Like
Reactions: Nevi, AtlBo, oldschool and 3 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
ticklemefeet said:
Today, while in shadow mode, I tried to install Eset IS. The installer failed with the splash screen it fail because I might have malware. There was a button to try a special scanner. I clicked on that and another splash screen came up saying malware was found and removed. I still have no idea what is going on. Eset never mentioned anymore, but once I reboot, it will be back. And so far I am not getting any more script blocks.
Click to expand...
That ESET scanner should've shown the name and location of the detected malware. Didn't it? Did you put your whole PC (all drives) in shadow mode or just a particular drive? If the whole PC then the malware should still be there after exiting shadow mode. In that case you may try installing ESET again but this time on your main system or just scan with ESET Online scanner to find out the culprit.
 
  • Like
Reactions: Nevi, simmerskool, Protomartyr and 3 others
danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Interesting, it might be malware after all. Now that we know that ESET is aware of the potential malware, maybe try my original suggestion again, that way VS can see the block before it is blocked by AG, and is able to provide further file insight.

malwaretips.com

Advice Request - Wscript trying to run

About a week ago i started getting blocks from Appguard for wscript. I have not installed any new software. I have only got a few insider updates. Any ideas? it appears to be trying to run svhost.exe
malwaretips.com malwaretips.com

BTW, I have not tested VS in shadow mode yet, I am working on some other stuff. But I have a hunch that it probably does not work all that well in shadow mode, simply because it had an issue writing to one of the databases. Just something to keep in mind.

BTW, is there a chance that this block is a component of Shadow Defender?
 
  • Like
Reactions: Nevi, simmerskool, Protomartyr and 2 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
When I really want to know what is happening on my system I install this NVT tool
www.novirusthanks.org

Monitor Process Execution with Process Logger | Appsvoid

NoVirusThanks Process Logger is a service-only software application that monitors for processes executed in the system and saves events to a custom log file or Windows Event Viewer.
www.novirusthanks.org
This logging service is incorporated into Exe Radar Pro (the new version)
 
  • Like
  • +Reputation
Reactions: Protomartyr, Nevi, simmerskool and 4 others
F

ForgottenSeer 69673

Thread author
shmu26 said:
When I really want to know what is happening on my system I install this NVT tool
www.novirusthanks.org

Monitor Process Execution with Process Logger | Appsvoid

NoVirusThanks Process Logger is a service-only software application that monitors for processes executed in the system and saves events to a custom log file or Windows Event Viewer.
www.novirusthanks.org
This logging service is incorporated into Exe Radar Pro (the new version)
Click to expand...

I will give it a try, thanks
Just tried this and service won't start for some reason. And so no logs are formed. ok figured it out. had to be moved to c root. working now
 
Last edited by a moderator:
  • Like
Reactions: Protomartyr, Nevi, AtlBo and 2 others
F

ForgottenSeer 69673

Thread author
OK got it.

07/04/2020 16:25:24
Process: [9052] C:\Windows\System32\wscript.exe
Username/Domain: SYSTEM/NT AUTHORITY
CommandLine: C:\WINDOWS\System32\Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"
MD5 Hash: 89940519ABD4D94A574539E92F786095
It is an Intel thing Afterall
 
  • Like
Reactions: Protomartyr, Nevi, Gandalf_The_Grey and 7 others
F

ForgottenSeer 69673

Thread author
danb said:
So who all owes me a beer? ;). Just playing, I am just happy that the issue is resolved.

That info should be in VS's DeveloperLog.log too, but it is probably easier to read in the Process Logger Service.
Click to expand...

Dan I do owe a beer. Thanks. I still wonder what Eset found. Their online scanner finds nothing but their IS found malware, maybe. From what I posted, it would not even install in shadow mode, saying I had malware. It is a scratching head moment
 
  • Like
Reactions: Protomartyr, Nevi, Gandalf_The_Grey and 1 other person

Similar threads

Cleo
    • Like
Advice Request pfSense, OPNsense, Neutrino
Replies
1
Views
122
ChromeOS & Linux
Bot
Bot
pvsurfer
    • Like
Advice Request Goodbye Kaspersky, Hello ESET
Replies
4
Views
1,031
ESET
ChristianP
C
simmerskool
Advice Request Best Linux distro to run in VMware 16.2.5
Replies
5
Views
192
ChromeOS & Linux
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top