script file location

jack78 · May 10, 2024

hi guys
this keeps popping up randomly after i removed a firemail virus or malware.would i need to search out the registry to clear this? or just use a regcleaner or any other advice

FreeBooter · May 10, 2024

Look at startup programs using Autoruns.

x BlueRobot · May 10, 2024

By Firemail virus, do you mean this?

Remove Helpmanager@firemail.cc Ransomware (Virus Removal Guide)

This guide teaches you how to remove Helpmanager@firemail.cc ransomware for free by following easy step-by-step instructions.

malwaretips.com

I would look at posting at a forum which provides malware removal support to ensure that it has been removed completely. However, if you did want to check what was trying to run that script, then Process Monitor from Sysinternals would be a better option than Autoruns.

FreeBooter · May 10, 2024

Autoruns will show you startup locations for processes that are not running like the one you have nothing running except for error message display by dialog box.

x BlueRobot · May 10, 2024

Autoruns is just going to provide a list of programs without actually indicating which specific program is attempting to access that file path.

With Process Monitor or even Sysmon for that matter, the user can filter the trace to that particular path and see what process is trying to access it. It's likely just going to be VBScriptHost.exe or whichever name it has.

Anyhow, if the user has been infected by malware at some point, it would be prudent for the user to seek assistance from someone who is well versed with examining FRST logs and the alike.

FreeBooter · May 10, 2024

OP deleted 3.vbs script, so Process Explorer will not show where this startup program launching, all it will do shows process displaying the error message which is File Explorer anyhow i agree OP should get Windows checked out.

x BlueRobot · May 10, 2024

I'm not talking about Process Explorer, I'm referring to Process Monitor which is a separate program and it will show which process is trying to access that path. I've used it for this exact purpose.

You're also making the assumption that the process is starting using the Run subkey. In either case, as we've both agreed, it would be best if they sought assistance in ensuring that its completely removed.

FreeBooter · May 10, 2024

x BlueRobot said:
I'm not talking about Process Explorer, I'm referring to Process Monitor which is a separate program and it will show which process is trying to access that path. I've used it for this exact purpose.

You're also making the assumption that the process is starting using the Run subkey. In either case, as we've both agreed, it would be best if they sought assistance in ensuring that its completely removed.

My bad i'm making no assumptions i'm just letting OP know there is Autoruns which can help look for startup programs and services and tasks the Process Monitor is a difficult utility to understand.

Let us take a look at some of the functionalities provided by Process Monitor that can help in our quest of hunting malware.

jack78 · May 13, 2024

FreeBooter said:
My bad i'm making no assumptions i'm just letting OP know there is Autoruns which can help look for startup programs and services and tasks the Process Monitor is a difficult utility to understand.

Let us take a look at some of the functionalities provided by Process Monitor that can help in our quest of hunting malware.

Hi Freebooter
I ran the autorun64, under scheduled tasks i found the files(8 of them) i removed and rebooted and everything is running fantastic. ill be working with autoruns more in the future to learn more