Unknown process calling Windows 11 wscript.exe

orestgogosha · Feb 20, 2024

Some process calls wscript.exe (Windows Script Host) every 2 minutes. I disabled Script host but still have a dialog pop up every 2 minutes saying it is disabled. How can I find what this process is so I can delete it?

neemobeer · Feb 20, 2024

Well I would want to understand if it's a legitimate process or not, there is a possibility it is. Regardless of that fact, procmon should be able to help you determine the calling process

Flashorn · Feb 20, 2024

orestgogosha said:
Some process calls wscript.exe (Windows Script Host) every 2 minutes. I disabled Script host but still have a dialog pop up every 2 minutes saying it is disabled. How can I find what this process is so I can delete it?

HI!
wscript is part of Windows but, it can also be part of a replicating trojan so, run scans
with either of these online scanners or both and if you don't have Malwarebytes, you
can download their free scanner. If you can, manually create a new Restore Point before
running these scans.Hopefully, someone from this forum will assist:

Free Virus Scan | Online Virus Scan from ESET

Scan your computer for malware for free with the ESET Online Scanner. Checks for any type of virus and helps you remove it. Download for free today.

www.eset.com

Online Virus Scanner | Free Virus Scan | F‑Secure

F‑Secure Online Scanner finds and removes viruses, malware and spyware on your Windows PC. Run a virus scan for free!

www.f-secure.com

Free Antivirus 2023 | Download Free Antivirus & Virus Scan | 100% Free & Easy Install

Download free antivirus: easy install for all devices. Remove unwanted malware like viruses, ransomware, spyware & more.

www.malwarebytes.com

Try3 · Feb 20, 2024

orestgogosha said:
Some process calls wscript.exe (Windows Script Host) every 2 minutes. I disabled Script host but still have a dialog pop up every 2 minutes saying it is disabled

Please post a screenshot of that dialog - preferably one from before you disabled WSH since it is likely to contain more useful info.

my ditty - identify a dialog caller using WinSpy - my post #8 - TenForums

Best of luck,
Denis

orestgogosha · Feb 22, 2024

I downloaded WinSpy++ and followed your instructions. The process tab does not show the command line and I couldn't find any way to do it.

orestgogosha · Feb 22, 2024

I have downloaded ProcessMonitor and run it but have no idea what to look for in the output.

Try3 · Feb 22, 2024

orestgogosha said:
I downloaded WinSpy++

I know nothing about WinSpy++
WinSpy, however, successfully identified the vbs command line for me as shown in my example.

You haven't posted a diagram yet.

Denis

orestgogosha · Feb 22, 2024

I have scanned my computer with 3 anti-virus tools (TotalAV, Avast, and Malwarebytes) with negative results.

Try3 · Feb 22, 2024

It's no use investigated the msg that WScript has been disabled. You'll need to re-enable it so that you can investigate the source of the popup you first reported.
You haven't posted a diagram yet.

Denis

neemobeer · Feb 22, 2024

orestgogosha said:
I have downloaded ProcessMonitor and run it but have no idea what to look for in the output.

You can add a filter for 'Command Line' that includes wscript and add the column for Parent PID. The parent PID will be your calling process.

orestgogosha · Feb 22, 2024

app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.

Flashorn · Feb 23, 2024

orestgogosha said:
View attachment 88019 View attachment 88020
app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.

The extension .js is a java file which, if you were building a web page would be used to this effect.
This is from a web designer:

So basically the app.js is where the logic of the app is written,
index.html is the content page.

app.js is taking the inputs from index.html, and processing the information in app.js, and providing an output to show in the index.html.
if you check the index.html you can see there's a script:
<script src="/app.js"></script>

Have you surfed to a web site that you don't normally would?
This might be from an infected site or could just be benign, I don't
know. Did you verify the logs of the scans you took?

neemobeer · Feb 23, 2024

.js files can also be node js and is more likely. Seeing the contents of the file would indicate if it's strictly javascript or nodejs

orestgogosha · Feb 23, 2024

I have a home web site that I created so I am somewhat familiar with Javascript. There is no file called app.js anywhere on my computer or my website. I review quarantined items before deleting them. I don't recall if app.js was among them. The good part of this is that I am learning to use WinSpy and ProcMon.
As a matter of interest, the frequency of the dialog popping up has decreased to about once every 10 minutes. I don't know if this is good news or bad news.

andrew129260 · Feb 28, 2024

Use autoruns with the virus total scan option, that should help determine whats there and if anything is suspicious.

Autoruns for Windows - Sysinternals

See what programs are configured to startup automatically when your system boots and you login.

learn.microsoft.com

You can also use process explorer to find more info on the process and whats being called:

Process Explorer - Sysinternals

Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more.

learn.microsoft.com

orestgogosha said:
View attachment 88019 View attachment 88020
app.js could be anything. It's not on my PC (the problem child) nor on my laptop. I assume it was malware that was deleted during the numerous scans I performed.

You were previously infected? That's good to know. What was the threats removed? And using what removed them?

Change the Default Value of the VBS File:
- 1. Press Win + R to open the Run command.
  2. Type regedit and hit OK to open the Registry Editor.
  3. Navigate to Computer > HKEY_CLASSES_ROOT > .vbs.
  4. Double-click the (Default) value and set it to VBSfile.
  5. Restart your PC
    
    OR
    
    Use this REG fix.
    Code:
    Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.vbs] @="VBSFile" [HKEY_CLASSES_ROOT\VBSFile\Shell] @="Open" [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\UserChoice]
    Copy the above lines to Notepad, and save it with .reg extension. Double-click the file to apply the settings.
Fix Corrupted System Files:
- Use the SFC (System File Checker) and DISM (Deployment Image Servicing and Management)tools:
  - Open Command Prompt as an administrator.
  - Run:
    sfc /scannow
    to scan and repair system files.
  - Then run:
    DISM /Online /Cleanup-Image /RestoreHealth

orestgogosha · Feb 28, 2024

Thank you. I've done these things and the problem with the dialog has stopped. Please consider this closed.

orestgogosha · Mar 5, 2024

Well it's back as the standard windows dialog asking you to select run the nonexistent app.js file. I cannot capture it this time because taking any a action with the mouse makes it disappear. Pain in the butt.

tecknot · Mar 5, 2024

orestgogosha said:
Well it's back as the standard windows dialog asking you to select run the nonexistent app.js file. I cannot capture it this time because taking any a action with the mouse makes it disappear. Pain in the butt.

Hi orestgogosha,

Can you do Alt+PrintScreen combo on the keyboard to capture it?

Kind regards,

tecknot