When you log in to your account, you may see a Windows Script Host error similar to the following:
Windows Script Host
Script: C:\Users\{username}\AppData\Local\Updates\Run.vbs
Line: 31
Char: 1
Error: The system cannot find the file specified.
Code: 80070002
Source: (null)
Additionally, on some systems, you may see a WindowsService.exe popup window that appears briefly at logon.
Cause
The Run.vbs script and WindowsService.exe (VT analysis) are components of a crypto-miner that has infected your computer. The miner disables Microsoft Defender Antivirus and Firewall. It also deletes the Microsoft Defender executables/platform folder completely. The Run.vbs script and WindowsService.exe run as scheduled tasks with the highest privileges.
Resolution
**First, download Malwarebytes Antimalware and run a thorough scan. Eliminate every item it finds.**
Malwarebytes will remove most of the crypto-malware files, but its scheduled task and the Run.vbs script file may remain. There are many ways to find and delete the offending scheduled task. One of the easiest is to use Autoruns.
(Autoruns is an advanced startup management tool from Microsoft, which is covered in detail in the article Clean Boot Windows Using the Autoruns Utility.)
- Download Autoruns and run it as administrator. Wait for the entries to populate.
- Use the “Quick Filter” box at the top to find the offending entry quickly. For example, type the script file name (e.g., run.vbs) in the Quick Filter box.
Note: If the item is not listed in the Scheduled Tasks tab, select the “Everything” tab.
- The Run.vbs entry is usually triggered by a rogue task named “\Window Update”.
(Click on the offending entry and look at the details section at the bottom. It shows the full command-line or the arguments used by that entry.)
- Right-click on the task and choose Delete.
- Next, look for a task named “Windows Service Task” pointing to the executable “WindowsService.exe” and delete that task as well.
- Delete the corresponding files, Run.vbs and WindowsService.exe manually. The files will be located in the following folder:
C:\Users\%username%\AppData\Local\Updates\
- Exit Autoruns.
Using Command-line
To accomplish the above from the command line, open an admin Command Prompt and run:
del "%LocalAppData%\Updates\Run.vbs" /a
schtasks /delete /tn "\Window Update" /f
Also, run:
schtasks /delete /tn "\Windows Service Task" /f
rd /s /q "%LocalAppData%\Updates"
Important
- Clear the Microsoft Defender Antivirus exclusions. The Run.vbs malware may have added entries to the exclusions.
- Delete all Microsoft Defender policies added by the malware. To clear the policies, see instructions in the article Microsoft Defender “Managed by your administrator”.
- For a thorough inspection, run the Farbar Scanner tool and inspect FRST.txt and Addition.txt logs.
- If Microsoft Defender Antivirus files are deleted and you’re unable to launch Microsoft Defender Antivirus service and Windows Security, do an in-place upgrade (repair installation) by downloading the Media Creation Tool or ISO.
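
To confirm the cleanup worked, the following read-only PowerShell check (an added example, not part of the original article) lists any remaining scheduled tasks, leftover files in any user profile's Updates folder, and Defender exclusions to review. It assumes profiles live under C:\Users and that the built-in ScheduledTasks and Defender cmdlets are available; the variable names are illustrative.

```powershell
# Added example: read-only post-cleanup check. Run from an elevated PowerShell.
# Task names, file names and the Updates folder are the ones named in the article.
$taskNames = '\Window Update', '\Windows Service Task'
$fileNames = 'Run.vbs', 'WindowsService.exe'
$pattern   = 'AppData\\Local\\Updates\\|Run\.vbs|WindowsService\.exe'

# 1. Scheduled tasks matched by name, or by an action that references the files.
$tasks = @(Get-ScheduledTask | Where-Object {
    $full = $_.TaskPath + $_.TaskName
    $cmd  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    ($taskNames -contains $full) -or ($cmd -match $pattern)
})

# 2. Leftover files in every profile, not only the one %LocalAppData% resolves to
#    in the elevated session. Assumption: profiles live under C:\Users.
$files = @(Get-ChildItem -LiteralPath 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($name in $fileNames) {
            $path = Join-Path $_.FullName "AppData\Local\Updates\$name"
            if (Test-Path -LiteralPath $path) { $path }
        }
    })

# 3. Defender exclusions. Get-MpPreference fails if Defender has been removed.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
$exclusions = if ($pref) {
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
        Where-Object { $_ }
}

# Report. Nothing is deleted or changed by this script.
"Suspicious scheduled tasks: $($tasks.Count)"
$tasks | ForEach-Object { "  $($_.TaskPath)$($_.TaskName)" }
"Leftover files: $($files.Count)"
$files | ForEach-Object { "  $_" }
if (-not $pref) {
    'Defender preferences could not be read (Defender may be missing or disabled).'
} else {
    "Defender exclusions to review: $(@($exclusions).Count)"
    $exclusions | ForEach-Object { "  $_" }
}
```

Both counts should be zero after a successful cleanup; any listed exclusion you did not add yourself is a candidate for removal.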