Posted February 1, 201015 yr Elmo wrote: > samah wrote: >> Pegasus [MVP] wrote: >>> >>> "samah" said this in news item >>> news:u7ZLyWboKHA.1552@TK2MSFTNGP05.phx.gbl... >>>> Pegasus [MVP] wrote: >>>>> >>>>> "samah" said this in news item >>>>> news:#h8NPjUoKHA.5260@TK2MSFTNGP02.phx.gbl... >>>>>> Pegasus [MVP] wrote: >>>>>>> "samah" said this in news item >>>>>>> news:unuO4CIoKHA.3664@TK2MSFTNGP04.phx.gbl... >>>>>>>> Pegasus [MVP] wrote: >>>>>>>>> >>>>>>>>> "samah" said this in news item >>>>>>>>> news:ej7Qc6#nKHA.5344@TK2MSFTNGP04.phx.gbl... >>>>>>>>>> Pegasus [MVP] wrote: >>>>>>>>>>> >>>>>>>>>>> "samah" said this in news item >>>>>>>>>>> news:umd$mO#nKHA.3948@TK2MSFTNGP06.phx.gbl... >>>>>>>>>>>> Win XP SP3. >>>>>>>>>>>> >>>>>>>>>>>> After I eject a CD/DVD from my DVD drive or unmount an disk >>>>>>>>>>>> image from the Daemon Tools virtual drive, I get an error >>>>>>>>>>>> window with the title "wscript.exe - No Disk" and with the >>>>>>>>>>>> message " There is no disk in the drive. Please insert a disk >>>>>>>>>>>> into drive (drive letter):". There are three buttons that I >>>>>>>>>>>> can click: Cancel, Try again, Continue. When I click any of >>>>>>>>>>>> these options, the error window closes but pops up again >>>>>>>>>>>> after an interval of approx. i minute. The only way I can >>>>>>>>>>>> close this window permanently is by rebooting the system. >>>>>>>>>>>> >>>>>>>>>>>> Can anybody help me with this please. >>>>>>>>>>>> >>>>>>>>>>>> Thanks in advance. >>>>>>>>>>>> >>>>>>>>>>>> -samah. >>>>>>>>>>> It seems you're running some script, perhaps malicious. How >>>>>>>>>>> exactly do you eject your compact disk? >>>>>>>>>> With the 'Eject' button (it's a laptop). >>>>>>>>> Ok. Now please do this: >>>>>>>>> - Click Start/Run >>>>>>>>> - Type the three letters cmd and press Enter >>>>>>>>> - Type this command: >>>>>>>>> tasklist | find /i "script" >>>>>>>>> - Report what you see (if anything) >>>>>>>> Here is what I got after I re-booted to clear the error window: >>>>>>>> >>>>>>>> image name: wscript.exe >>>>>>>> PID: 2320 >>>>>>>> session name: console >>>>>>>> session #: 0 >>>>>>>> mem usage: 5964k >>>>>>>> >>>>>>>> This is what I got when the error window is active: >>>>>>>> >>>>>>>> image name: wscript.exe >>>>>>>> PID: 2672 >>>>>>>> session name: console >>>>>>>> session #: 0 >>>>>>>> mem usage: 2976k >>>>>>>> >>>>>>>> Sorry for my late response. Thank you. >>>>>>> Here is a method to find out what script is running: >>>>>>> 1. Click Start/Run >>>>>>> 2. Type this command: >>>>>>> notepad c:\ScriptTest.bat >>>>>>> 3. Allow the new file to be created. >>>>>>> 4. Copy & paste the code below into the notepad session. >>>>>>> Do NOT retype it! >>>>>>> 5. Save and close the file. >>>>>>> 6. Open Windows Explorer, locate c:\ScriptTest.bat, then >>>>>>> double-click it. >>>>>>> >>>>>>> When wscript.exe is active then my program will report the script >>>>>>> that it runs. What is it? Can you locate it on the hard disk and >>>>>>> post its contents here? >>>>>>> >>>>>>> @echo off >>>>>>> set Scr="%temp%\TempVBS.vbs" >>>>>>> set VB=echo^>^>%Scr% >>>>>>> cd 1>nul 2>%Scr% >>>>>>> %VB% Set oWMIService = GetObject("winmgmts:\\.\root\CIMV2") >>>>>>> %VB% Set cItems = oWMIService.ExecQuery( _ >>>>>>> %VB% "SELECT * FROM Win32_Process where Name = 'wscript.exe'") >>>>>>> %VB% If cItems.Count = 0 Then >>>>>>> %VB% msgbox "Executable ""wscript.exe"" not found." >>>>>>> %VB% Else >>>>>>> %VB% For Each oItem In cItems >>>>>>> %VB% msgbox "The command line is " ^& oItem.CommandLine ^& >>>>>>> cItems.count >>>>>>> %VB% Next >>>>>>> %VB% End If >>>>>>> cscript //nologo %Scr% >>>>>>> del %Scr% >>>>>>> >>>>>>> >>>>>> This is what I got: >>>>>> "The command line is c:\windows\system32\wscript.exe >>>>>> c:\windows\system32\killvirus.vbs1" >>>>>> >>>>>> Thank you so much for your time. Waiting for your advice. >>>>>> >>>>> Fine. You now know have two points of attack: >>>>> - Your problem script is the file >>>>> c:\windows\system32\killvirus.vbs1. What does it contain. >>>>> - It gets invoked by wscript.exe. You can prevent this by running >>>>> msconfig.exe, then looking for wscript.exe under the Startup tab and >>>>> removing the tick mark. >>>>> >>>>> >>>> Sorry. wscript.exe is not appearing in the Startup tab. I re-booted >>>> in safe mode and tried again but still no luck. >>>> >>>> Thank you. >>> What about my first question: What does the script file contain? >> Sorry. I could not locate the file. I searched not only the >> c:\windows\system32 folder but also the entire hard disk. Included the >> system and hidden files in the search as well. >> >> Thank you. > > Run Regedit, press the Home key, press F3, type killvirus.vbs1 and see > if there are any hits. If so, delete that entry and press F3 to > continue the search. > Thank you. I will send the feed back to you later.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.