ClamWin Free Antivirus
Support and Discussion Forums
Windows Script Host
olylance


Joined: 11 Dec 2008
Posts: 0
Location: Olympia WA
I have had several viruses show up in the last few months: Hacktools, Trojans, Worms, and suchlike, all of which I have moved to quarantine. Just today there was a new one in Windows Script Host (WSH). I went back and reviewed all my previous problems and I saw a recurring "theme". Not all, but most, have to do with scripting. I have 9 in quarantine. Here they are as they appear in my CW report:



Scan Started Sun Feb 01 21:33:57 2009

-------------------------------------------------------------------------------



C:\AAWork\WinSetup\I386\WSCRIPT.EX_: moved/scheduled to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.WSCRIPT.EX_'

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.$OEM$.exe not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.AutoIt3Wrapper.exe not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.Process.exe not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.Process.exe.000 not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.SciTE.exe not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.SciteConfig.exe not moved/copied since already in quarantine

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.WSCRIPT.EX_ not moved/copied since already in quarantine

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb: Permission denied

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb: Permission denied

C:\pagefile.sys: Permission denied

C:\WINDOWS\$NtUninstallKB951978$\wscript.exe: moved/scheduled to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.wscript.exe'

C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied

C:\WINDOWS\system32\config\default: Permission denied

C:\WINDOWS\system32\config\SAM: Permission denied

C:\WINDOWS\system32\config\SECURITY: Permission denied

C:\WINDOWS\system32\config\software: Permission denied

C:\WINDOWS\system32\config\system: Permission denied



C:\AAWork\WinSetup\I386\WSCRIPT.EX_: Trojan.Autorun-292 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.$OEM$.exe: Hacktool.Blackout-2 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.AutoIt3Wrapper.exe: Worm.Autorun-1793 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.Process.exe: Trojan.Killproc-1 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.Process.exe.000: Trojan.Killproc-1 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.SciTE.exe: Worm.Autorun-1793 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.SciteConfig.exe: Worm.Autorun-1793 FOUND

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.WSCRIPT.EX_: Trojan.Autorun-292 FOUND

C:\WINDOWS\$NtUninstallKB951978$\wscript.exe: Trojan.Autorun-292 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 503346

Engine version: 0.94.1

Scanned directories: 8003

Scanned files: 63691

Infected files: 9



Not copied: 7

Data scanned: 14655.89 MB

Time: 25238.046 sec (420 m 38 s)

--------------------------------------

Completed

--------------------------------------

Also somewhere in all of this my VBScript has been disabled.
My questions are: Should I disable Windows Script Host completely and use another scripting engine such as "PerlScript"? Should I try to "fix" WSH? Or should I just ignore all of this and move on to other, "more funner" things?


Yours in CW....olylance
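An added example, not part of olylance's post or of ClamWin itself: one way to read a report like the one above is to separate detections inside the quarantine folder (files rescanned where they already sit) from detections elsewhere on disk. The sample lines are constructed in the report's format, and the quarantine path marker is an assumption taken from the paths shown in the report.

```python
import re
from collections import defaultdict

# Constructed sample in the same line format as the ClamWin report above.
SAMPLE_REPORT = r"""
C:\AAWork\WinSetup\I386\WSCRIPT.EX_: moved/scheduled to 'C:\Documents and Settings\All Users\.clamwin\quarantine\infected.WSCRIPT.EX_'
C:\pagefile.sys: Permission denied
C:\AAWork\WinSetup\I386\WSCRIPT.EX_: Trojan.Autorun-292 FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.SciTE.exe: Worm.Autorun-1793 FOUND
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.WSCRIPT.EX_: Trojan.Autorun-292 FOUND
C:\WINDOWS\$NtUninstallKB951978$\wscript.exe: Trojan.Autorun-292 FOUND
Infected files: 4
"""

# "<path>: <signature> FOUND"; the path itself contains ':' and spaces.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumption: quarantine folder as it appears in the report's paths.
QUARANTINE_MARK = "\\.clamwin\\quarantine\\"

def parse_detections(report):
    """Return a (path, signature) pair for every 'FOUND' line."""
    hits = []
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"]))
    return hits

def triage(report):
    """Split detections into (outside quarantine, inside quarantine) by signature."""
    new, requarantined = defaultdict(list), defaultdict(list)
    for path, sig in parse_detections(report):
        bucket = requarantined if QUARANTINE_MARK in path.lower() else new
        bucket[sig].append(path)
    return dict(new), dict(requarantined)

def reported_infected(report):
    """Read the 'Infected files' total from the scan summary, if present."""
    m = re.search(r"^Infected files: (\d+)$", report, re.M)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    new, old = triage(SAMPLE_REPORT)
    print("Summary says infected:", reported_infected(SAMPLE_REPORT))
    for sig, paths in new.items():
        print("outside quarantine:", sig, paths)
    print("already in quarantine:", sum(len(p) for p in old.values()))
```
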
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Scripting is used on a lot of web sites, so I would not disable it except as a last resort. I suggest that you run a real-time antivirus alongside ClamWin. Get one of the AVs that now have malicious script protection. I believe the free version of Avast is one of them. There may also be some specialty security products (free or commercial) that deal extensively with scripting protection/registry protection/etc. Check out your Hosts file also to see if something has been placed there that shouldn't be.

Regards,
Scripting
olylance


Joined: 11 Dec 2008
Posts: 0
Location: Olympia WA
Thank you G. Bob. I'll try what you suggest. Why can't life be simple?