• Wscript.exe (Windows Script Host) being flagged by PC Matic in Windows 11


    • This topic has 11 replies, 8 voices, and was last updated 7 months ago.
    #2707556

    I’m working on a friend’s wife’s computer. They had a malware incursion on September 10th. Then had some unauthorized activity on a business banking site and a robinhood.com account. I asked the wife if she recalled anything odd while she was surfing websites or if she opened an attachment in an email. She did not recall anything that could help me (but I suppose I could check her browser history now that I think of it).

    I ran a couple of software tools to clean it up. I used PC Matic deep scan (they have a subscription) and a deep scan from Malwarebytes. Malwarebytes found a Trojan. I quarantined and deleted the hits. I am planning to run a few more antivirus programs to see if something shows up.

    For the last few weeks, PC Matic has been blocking wscript.exe as it tries to run a couple of nonexistent script files (essentials.vbs and vbs.vbs). Every 15 minutes on the dot a PC Matic alert pops up with the same warning that wscript.exe was blocked trying to run a .vbs script file. I tried to find the files in the location that PC Matic indicated in the block notice, but the folders and files do not exist (and I am viewing hidden files). I’m assuming that it is possibly some residual from the Trojan still trying to grab information.

    I can’t figure out what is “calling” wscript.exe to run. I’ve looked at Task Scheduler and can’t determine which of the 182 items might be calling it. Windows Script Host is not listed as a “service” in Services. Event Viewer shows numerous warnings that PC Matic executed an “incorrect function” (exactly every 15 minutes), but did not say which function.

    Interestingly, the computer will no longer go to sleep nor will the screen go to sleep after the 1 hour it is set for. This leads me to believe that there is something running or called every 15 minutes that is keeping it awake. I ran powercfg /requests at the Command Prompt, but nothing came up. I looked in Task Manager-Startup apps, but nothing looks odd.

    I have not checked the Registry for an entry that could be left over from the malware incursion.

    The folks I am working with are very paranoid about being hacked (understandable) but also are not technically inclined. As long as the PC Matic alert is popping up, they are reluctant to believe that the system is most likely clean.

    I could really use some help. I suppose I could refresh the Windows 11 installation, but I dread that because the wife is running Quickbooks and they have had enormous problems in the past with installation and operation of this software. Plus, of course, all the other apps that are running. I actually set this computer up a few years ago when they purchased it, but things have morphed since then.

    Thanks in advance for your interest and help.

    Eric

    • #2707577

      IT Guyk,

      I’d personally just disable WSH. I run all my machines w/o it without issues.
      YMMV!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

    • #2707583

      I can’t figure out what is “calling” wscript.exe to run

      Download and run the free portable Procexp64 and Procmon.

    • #2707630

      There is probably a scheduled task that the malware created.

      Download NirSoft TaskSchedulerView (x64 zip at the bottom of the page). Extract the files and run TaskSchedulerView.exe.
      Sort by “next run” to see what is due in 15 minutes.
      Right click on the offending item and “Disable” it. (You may want to put it back to test.)

      cheers, Paul

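An added example, not from Paul's post: the same hunt done from an elevated PowerShell prompt, listing every scheduled task whose action runs wscript.exe/cscript.exe or names a .vbs/.js/.wsf script, with its repetition interval and next run time so a 15-minute repeat stands out. The `$scriptPattern` regex is my own choice of what to look for.

```powershell
# Added example (not from the thread). Run as administrator.
# Match actions that launch the script hosts or hand them a script file.
$scriptPattern = '(?i)(wscript|cscript)\.exe|\.(vbs|vbe|js|jse|wsf)\b'

$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "Exec" actions carry an executable and arguments
        if (-not $action.Execute) { continue }
        $cmdLine = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmdLine -match $scriptPattern) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                Author      = $task.Author
                CommandLine = $cmdLine
                # ISO 8601 duration, e.g. PT15M for "every 15 minutes"
                Repeat      = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                NextRun     = $info.NextRunTime
                LastRun     = $info.LastRunTime
            }
        }
    }
}

# Soonest-due first; a legitimate Microsoft task will normally live under
# \Microsoft\ and have a recognisable author, an orphaned one often will not.
$hits | Sort-Object NextRun | Format-List

# To disable a suspect task (reversible with Enable-ScheduledTask):
#   Disable-ScheduledTask -TaskPath $hit.TaskPath -TaskName $hit.TaskName
```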
    • #2707716

      You may be able to get some more information by using Windows Security Auditing to log process creation events. There is a Microsoft blog article at https://devblogs.microsoft.com/commandline/how-to-determine-what-just-ran-on-windows-console/ that discusses how to do this.

      Be aware that enabling this logging can generate a lot of events in the Windows Security event log so you only want to enable it for a short time to gather information and then turn it off.

      An example of a log record for a successful process creation event is below. The account information is redacted.

      [Image: EventlogRecord]
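An added example, not from this post: once process-creation auditing is on, this pulls the Security log's 4688 events for wscript.exe/cscript.exe and shows the parent process, command line and account that launched each one. The two-hour window and the auditpol/registry commands in the comments are my assumptions about how you would set it up; the field names are the standard 4688 ones.

```powershell
# Added example (not from the thread). Run as administrator.
# Turn on process-creation auditing (success and failure) and command-line
# capture first, and turn both off again when done; the log fills quickly:
#   auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
#   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-2) }

# SilentlyContinue: Get-WinEvent errors when no event matches the filter
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Each 4688 event stores its fields as named <Data> elements in the XML
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.NewProcessName -match '\\(wscript|cscript)\.exe$') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Parent      = $data.ParentProcessName   # what spawned the script host
            Process     = $data.NewProcessName
            CommandLine = $data.CommandLine         # the .vbs it was told to run
        }
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A steady 15-minute cadence in the Time column with the same Parent (svchost.exe with the Schedule service, explorer.exe, another script host, etc.) points you at the launcher rather than at wscript.exe itself.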

    • #2707746

      Thanks everyone. Great responses! I probably will do as suggested by @RetiredGeek, but before I do, I want to see if I can figure out the culprit!

      • #2707749

        Should you decide to audit Windows process creation events you may want to enable logging for both success and failure since we don’t have any insight into PC Matic’s interception and allowing/blocking of process creation.

    • #2707843

      I want to see if I can figure out the culprit!

      Sorry but IMO this is a classic case of PC Matic identifying the vehicle rather than the person sat steering said vehicle from the driving seat.

      The Windows Script Host is just that… a host. To all effects it’s just an engine, still used by multiple Windows troubleshooters, for example part of the network troubleshooter and multiple printing troubleshooters… and even the Windows activation tool (slmgr.vbs). Whilst they could probably be called by cscript.exe, in practice they use the Windows Script Host (wscript.exe), not the commandline cscript.exe… so disabling WSH will effectively break these useful tools. (See line 57 of the gatherNetworkInfo.vbs file or line 598 of slmgr.vbs as 2 examples.)

      First I would check wscript.exe with something like VirusTotal in the unlikely case that it’s been replaced by an evil twin, despite all the code signing safeguards against this ever being allowed to happen.

      Next, I agree with @Alex5723… the tool you need is TechNet/Sysinternals’ Process Monitor (ProcMon). It’s what the tool was designed for… to look ‘under the bonnet/hood’ to identify the driver, not the vehicle, i.e. what is triggering/spawning the wscript.exe engine process.

      However, there’s a caveat. ProcMon creates an overwhelming amount of information… it captures hundreds of events every second. As such, ProcMon has quite a learning curve to using it quickly and productively.

      IMO the key is ‘filtering’, preferably BEFORE events are captured, not afterwards.

      So, here’s how I would do it:

      1. Download and unblock Process Monitor somewhere, like C:\Temp or C:\Support… your choice. (I use it very frequently to ‘look at stuff’ so, for me, it lives in my C:\Support folder.)

      2. Allow me to suggest a tip… create a shortcut to the executable file you’ve just downloaded then change the shortcut’s Properties (by right-clicking on the shortcut).
      [Image: procmon_shortcut_properties]
      This will make it much easier to use by running it not only with elevated privileges (a) but also, crucially, with its ‘event capture’ turned OFF (b).

      3. Double-click on your new shortcut and accept the UAC prompt. Note that the first time you use ProcMon you will be asked to accept its EULA. Just click OK… ProcMon will add your assent to the Windows registry and you won’t be asked again.

      4. If you’ve followed step 2 then running ProcMon from its shortcut will open a Windows console that is NOT currently ‘capturing’ events. (If you didn’t follow step 2 then you need to stop ‘capturing events’ before your device’s virtual memory (i.e. swapfile aka paging file) is overwhelmed.)

      Now is the time to familiarise yourself with ProcMon's toolbar and keyboard shortcuts. Identify Start/Stop Capture (CTRL+E) as a bare minimum.

      5. In the toolbar, select Filter > Filter… (or CTRL+L) then INCLUDE (a) and ADD (b) and APPLY (c) the following filter:

      [Image: procmon_wscript]

      6. Now, reduce the pressure on your swapfile by choosing Filter > Drop Filtered Events… so ProcMon captures any instance of wscript.exe and nothing else.

      (Note: ProcMon remembers this setting so turn it back off when you’ve finished with it… otherwise you’ll wonder why any subsequent captures show no results!)

      7. Use the START/STOP icon (or CTRL+E) to start capturing events.

      8. Minimize the ProcMon window and go about your business.

      When wscript.exe is triggered then ProcMon should have captured what prompted it.

      9. When you see ProcMon has captured the triggering of wscript.exe then turn off ‘capturing’ (CTRL+E).

      If you have trouble deciphering ProcMon's output then choose File > Save and save the capture to a PML file, nothing else. Zip up the PML file and attach it to a post for others to look at.

      Hope this helps…


      • #2708328

        Thanks @Rick_Corbett. I appreciate the in-depth instructions. I agree that it’s probably just a false positive by PC Matic. But something is starting WSH and calling a .vbs file. I’ll definitely use ProcMon to figure it out.

        • #2708410

          Scheduling VBS files is typical malware behaviour. Find and fix is required.

          Try TaskSchedulerView first, it’s much easier than Procmon and will probably give you the answer.

          cheers, Paul

    • #2708430

      and will probably give you the answer.

      I have ScriptDefender installed (http://www.analogx.com/contents/download/System/sdefend/Freeware.htm); when any .VBS, .VBE, .JS, .JSE, .HTA, .WSF, .WSH, .SHS, .SHB, .PIF, .SCR, .BAT or .CMD is attempted, it triggers a warning and indicates the source file.

      It might not be possible to readily discover the location, esp. if it’s a temp file/location, as the window is quite small; TaskMan/Process Explorer or similar should find it easily.

      [Image: VBSTest]

    • #2711229

      I agree that it’s probably just a false positive by PC Matic. But something is starting WSH and calling a .vbs file.

      Scheduling VBS files is typical malware behaviour. Find and fix is required. Try TaskSchedulerView first, it’s much easier than Procmon and will probably give you the answer.

      Whilst I agree with Paul T, I would suggest using Sysinternals/TechNet’s small, free, portable Autoruns (using ‘Run as administrator’) to give you a more comprehensive oversight than using TaskSchedulerView which, as its name implies, only includes scheduled tasks.

      Hope this helps…
