1

I don't remember entering any "funny" website and this virus warning seems to pop-up at random once every day, anyone know what it is? How can I fix it?

Object: http://mst.my03.com:8080/k.zip | [Embedded:MSEnc...

Infection: VBS:Downloader-ABT [Trj]

Process: C:\Windows\System32\wbem\scrcons.exe

5
  • 2
    I suggest you try scanning with another AV tool, e.g. MalwareBytes (malwarebytes.com). Also, see superuser.com/questions/100360/…
    – James P
    Commented Aug 30, 2016 at 9:09
  • @James Thanks, I will install malwarebytes trial, hope there won't be any conflicts with (the stupid) avast.
    – Cristy
    Commented Aug 30, 2016 at 9:19
  • 1
    You don't have to go to "funny" websites to download malware; most malware is sent through ads
    – Ramhound
    Commented Aug 30, 2016 at 11:16
  • I have run MBAM and disabled WSH and today that warning popped up again... Not sure what else I can do.
    – Cristy
    Commented Aug 31, 2016 at 14:01
  • @Cristy: Try using a couple of bootable anti-virus ISOs (see the link to the SuperUser question in my previous comment) in case you have a rootkit deeply embedded in your system and your symptoms are just the tip of the iceberg.
    – James P
    Commented Sep 1, 2016 at 8:28

1 Answer

2

Looks like a malicious VBScript is hooked somehow to your WMI event system - that is what scrcons.exe is responsible for - see here.

Using a free version of MBAM is a good idea, I would start with that.

You can always check a URL with VirusTotal.

For the mentioned url mst.my03.com you get:

Dr.Web                  known infection source
Websense ThreatSeeker   dynamic dns

So it looks likely it is not a false alarm, it is a vbscript downloader.

One thing you can also do before you get rid of the rogue script completely is to temporarily disable WSH.

18
  • Thanks, I disabled WSH. Is there any drawback if I keep WSH disabled?
    – Cristy
    Commented Aug 30, 2016 at 11:41
  • No older scripting languages like VBScript or JScript will work; BAT or PowerShell should be OK. It may be a problem when you install something that uses VBScript during install.
    Commented Aug 30, 2016 at 11:48
  • I have run MBAM and disabled WSH and today that warning popped up again... Not sure what else I can do.
    – Cristy
    Commented Aug 31, 2016 at 14:01
  • 1
    You may try to post your C:\Windows\System32\wbem\scrcons.exe on VirusTotal.com. There is a huge number of VBS:Downloader variants on Avast, from AAA to AHK. You can also eventually block the one website superuser.com/questions/270524/…
    Commented Sep 1, 2016 at 14:03
  • 1
    I think this is related: la.trendmicro.com/media/misc/… but I didn't understand how to fix the issue.
    – Cristy
    Commented Sep 2, 2016 at 9:28
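
One way to inspect the WMI event subscriptions the answer above points to, as an added example that is not part of the original answer or comments. It assumes an elevated PowerShell 3.0 or later prompt; `root\subscription` and the class names are standard WMI, and `$suspectHost` is the host from the warning in the question.

```powershell
# Added example: list permanent WMI event subscriptions whose action is a
# script (hosted by scrcons.exe) or a command line, with the trigger of each.
$ns          = 'root\subscription'
$suspectHost = 'mst.my03.com'   # host taken from the AV warning in the question

# Index filters (the trigger queries) by name.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# Index the two consumer types that can run code, keyed by class and name.
$consumers = @{}
foreach ($class in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
    Get-CimInstance -Namespace $ns -ClassName $class |
        ForEach-Object { $consumers["$class/$($_.Name)"] = $_ }
}

# A consumer only fires when a binding ties it to a filter, so walk the bindings.
$report = foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $class = $b.Consumer.CimSystemProperties.ClassName
    $c     = $consumers["$class/$($b.Consumer.Name)"]
    if (-not $c) { continue }   # other consumer types (event log, SMTP, ...) are skipped

    # Whichever of these the consumer defines is what gets executed.
    $action = ($c.ScriptText, $c.ScriptFileName, $c.CommandLineTemplate |
               Where-Object { $_ }) -join ' | '

    [pscustomobject]@{
        Consumer            = $b.Consumer.Name
        Type                = $class
        Filter              = $b.Filter.Name
        Trigger             = $filters[$b.Filter.Name].Query
        Action              = $action
        MentionsSuspectHost = $action -like "*$suspectHost*"
    }
}
$report | Sort-Object MentionsSuspectHost -Descending | Format-List

# After reviewing the output, an unwanted subscription is removed by deleting
# its binding, consumer and filter. '<consumer name>' is a placeholder:
# Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#     Where-Object { $_.Consumer.Name -eq '<consumer name>' } | Remove-CimInstance
# Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
#     Where-Object { $_.Name -eq '<consumer name>' } | Remove-CimInstance
```

Save the `Format-List` output before removing anything, since the script text and trigger query are the evidence of what was installed.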
