
Windows Script Host Error

OrbitaLinx

So I deleted what looks like malware, a .js called EduPanda.js, and now wscript won't stop trying to run it and I am getting a Windows Script Host error.

 

Can not find script file
“C:\Users\username\AppData\Local\EduTechDynamics\EduPanda.js”

 

This is popping up every few seconds. How do I make Windows Script Host stop looking for non-existent scripts? All the guides I can find want to tell me how to remove malware or to simply reinstall it, but none tell me how to stop wscript from trying to find a script. I already looked around in the registry and deleted all entries pertaining to it and checked my VBS entry and my Windows logon entries. I read the Microsoft documentation for wscript and no help there… I could run wscript in batch mode but I don't want to completely disable the wscript dialog altogether…

 

Thx.


Well, in any case I just recreated the directory and put a blank EduPanda.js in it… Wish I could figure out what's trying to use it because I forget what created it in the first place.


Try searching with Autoruns. Usually it's in Logon and Task Scheduler.

Download https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


Windows may not be able to find the file because the malware may be using an ADS, aka an Alternate Data Stream. To fix it you gotta download https://download.sysinternals.com/files/Streams.zip from Microsoft, then extract it and open cmd as admin. After that, run cmd as admin and then run the command

 

Don't modify any of the commands (not even the username part, it will do it automatically) at all and run it as it is!!!

cd C:\Users\%USERNAME%\Downloads\Streams

Then run the command. You might see a popup for agreeing to the license; just hit agree and continue.

.\streams64.exe -s C:\Users\%USERNAME%\AppData\Local\EDuTechDynamics\EduPanda.js

If a file is found you should get an output (read carefully), then run:

.\streams64.exe -d C:\Users\%USERNAME%\AppData\Local\EDuTechDynamics\EduPanda.js

 

After that reboot your machine and hopefully the malware is gone.


I did this and it didn't find an ADS, but thank you for giving me the commands to run.


I was able to find a .url for the Edu Panda in the Windows startup this way, but wscript still wants the directory and file name to exist... Wscript just seems like a good way to give people malware and annoy people into keeping it in its current state. Microsoft needs to fix this and allow users to tell Wscript to just ignore or stop certain requests. Like you have to have the file you don't want there to even run any Wscript commands for it, and Wscript does not even have any options to ignore shit or stop looking for shit... At least not that I know of or can find any documentation on.

 

On another note, while I was using Autoruns I was able to find and clean up some other misc small things that were mildly amiss with my system. In any case, thanks.

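An added example, not from any poster in this thread: a read-only PowerShell sweep of the autostart locations the replies point to (Logon registry entries, the Startup folders where the .url turned up, and Task Scheduler) for anything that still references the missing script. `$Needle` is taken from the error dialog in the first post; the registry keys, folders and cmdlets are standard Windows, and nothing is deleted or changed.

```powershell
# Added example: read-only search of common autostart locations for a script name.
$Needle  = 'EduPanda'                      # name taken from the error dialog in the first post
$pattern = [regex]::Escape($Needle)
$hits    = @()

# 1. Run/RunOnce registry values (per-user, machine-wide, 32-bit view)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $value = [string]$k.GetValue($name)
        if ("$name $value" -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'Registry'; Location = $key; Entry = $name; Command = $value }
        }
    }
}

# 2. Startup folders: resolve .lnk/.url shortcuts to what they actually launch
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
        $cmd = ''
        if ($file.Extension -in '.lnk', '.url') {
            $sc  = $shell.CreateShortcut($file.FullName)
            $cmd = "$($sc.TargetPath) $($sc.Arguments)"   # .url shortcuts have no Arguments
        }
        if ("$($file.Name) $cmd" -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'StartupFolder'; Location = $dir; Entry = $file.Name; Command = $cmd }
        }
    }
}

# 3. Scheduled tasks whose action runs the script or passes it as an argument
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"  # blank for non-exec (COM handler) actions
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath; Entry = $task.TaskName; Command = $cmd }
        }
    }
}

$hits | Format-List
```

Run it from an elevated PowerShell prompt so machine-wide scheduled tasks are visible. Each hit is an entry that still launches the script, which is the thing to remove rather than the script file alone.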
