Author Topic: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE  (Read 12272 times)


vibes

  • Guest
Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« on: April 09, 2013, 06:38:24 PM »
Hello!

I'm having the same problem as this person http://forum.avast.com/index.php?topic=119713.0
I'll just be copying parts of the post:

"I inserted a USB drive into my laptop and scanned it. While opening the drive, many files are not visible, and folders were displayed as shortcuts.
After that I could see that the below 2 URLs are invoked at regular intervals and blocked by Avast:
http://nnh42.name/a/
http://jsh37.net/a/
Also the Windows Update icon in the tray keeps multiplying.
How to get rid of this problem? Help!"

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #1 on: April 09, 2013, 07:21:13 PM »
Hi there, after a few goes at this it is now relatively easy to remove.

Download OTL  to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post  both logs

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #2 on: April 09, 2013, 11:13:19 PM »
Hello,

I did the OTL scan. The Logs are attached.

Offline essexboy

Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #3 on: April 09, 2013, 11:33:55 PM »
First we will need to disable C:\windows\system32\wscript.exe

Using Windows Explorer go to C:\windows\system32
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK
Then delete Wscript.exe to the recycle bin



THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
SRV - [2013/04/05 00:52:28 | 000,109,064 | ---- | M] (Wajam) [Auto | Running] -- C:\Program Files\Wajam\Updater\WajamUpdater.exe -- (WajamUpdater)
IE - HKLM\..\SearchScopes\{3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z7xdm354YYin&ptnrS=Z7xdm354YYin&si=124514_race_gcIND&ptb=12FE1BD2-7E27-45E5-A034-9DD81847D53C&psa=&ind=2012061804&st=sb&n=77eda06c&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2790392
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\InprocServer32 File not found
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=108921&tt=290312_bexdll&babsrc=SP_ss&mntrId=9822e933000000000000000000000000
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z7xdm354YYin&ptnrS=Z7xdm354YYin&si=124514_race_gcIND&ptb=12FE1BD2-7E27-45E5-A034-9DD81847D53C&psa=&ind=2012061804&st=sb&n=77eda06c&searchfor={searchTerms}
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2790392
IE - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6R8CWeu0gh&i=26
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}: C:\Program Files\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [2013/04/05 00:52:28 | 000,037,909 | ---- | M] ()
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Wajam) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files\Wajam\IE\priam_bho.dll (Wajam)
O3 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
O4 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000..\Run: [98c69] C:\Users\vaibhav\AppData\Roaming\8ed0\98c69.js ()
O4 - HKU\S-1-5-21-2338478908-853316361-2382320542-1000..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - Startup: C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4c4c.js ()
O33 - MountPoints2\{23500543-458f-11df-93a3-001dd9f8f5c0}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{23500543-458f-11df-93a3-001dd9f8f5c0}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{29e3727f-1658-11e1-a3c3-a8787e70be29}\Shell - "" = AutoRun
O33 - MountPoints2\{29e3727f-1658-11e1-a3c3-a8787e70be29}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{34b5682e-7f18-11e0-a922-c8de0e3bfeb7}\Shell - "" = AutoRun
O33 - MountPoints2\{34b5682e-7f18-11e0-a922-c8de0e3bfeb7}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\AutoRun\command - "" = H:\NIKOLIC\\baswala.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\explore\command - "" = H:\NIKOLIC\\\baswala.exe
O33 - MountPoints2\{34c7c229-ab65-11df-92cc-001dd9f8f5c0}\Shell\open\command - "" = H:\NIKOLIC\\\baswala.exe
O33 - MountPoints2\{36c98d01-6bf3-11e0-b332-fb77929a60e2}\Shell - "" = AutoRun
O33 - MountPoints2\{36c98d01-6bf3-11e0-b332-fb77929a60e2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{60983e63-8364-11e0-b9f2-8a9d666004aa}\Shell - "" = AutoRun
O33 - MountPoints2\{60983e63-8364-11e0-b9f2-8a9d666004aa}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{66a83c17-0765-11e1-89e3-ae78ec07dce2}\Shell - "" = AutoRun
O33 - MountPoints2\{66a83c17-0765-11e1-89e3-ae78ec07dce2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{66a83c27-0765-11e1-89e3-ae78ec07dce2}\Shell - "" = AutoRun
O33 - MountPoints2\{66a83c27-0765-11e1-89e3-ae78ec07dce2}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\DUSKO\\\svjetlana.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\explore\command - "" = H:\DUSKO\\\\svjetlana.exe
O33 - MountPoints2\{73862434-b5d4-11df-9c05-001b38a2f4e8}\Shell\open\command - "" = H:\DUSKO\\\\svjetlana.exe
O33 - MountPoints2\{8c1d25a2-2c45-11df-8771-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{8c1d25a2-2c45-11df-8771-001b38a2f4e8}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\AutoRun\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\explore\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{8d2418e8-a0d8-11e2-b97c-806e6f6e6963}\Shell\open\command - "" = G:\8e8\g9fc49.js
O33 - MountPoints2\{9bc3808e-1a91-11e1-9674-e7d93968262f}\Shell - "" = AutoRun
O33 - MountPoints2\{9bc3808e-1a91-11e1-9674-e7d93968262f}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{a7ddbf82-7ebd-11e0-914b-989e7a7bf4da}\Shell - "" = AutoRun
O33 - MountPoints2\{a7ddbf82-7ebd-11e0-914b-989e7a7bf4da}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{a7ddbfa3-7ebd-11e0-914b-989e7a7bf4da}\Shell - "" = AutoRun
O33 - MountPoints2\{a7ddbfa3-7ebd-11e0-914b-989e7a7bf4da}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{b514b11b-7f8a-11e0-9eaa-a68f40ebc0f8}\Shell - "" = AutoRun
O33 - MountPoints2\{b514b11b-7f8a-11e0-9eaa-a68f40ebc0f8}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{bf049174-4e2d-11df-b3d7-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{bf049174-4e2d-11df-b3d7-001b38a2f4e8}\Shell\oPEN\coMmaNd - "" = H:\cache\tmp983.exe
O33 - MountPoints2\{cd9847d4-6e51-11e0-9872-eabe28869fe6}\Shell - "" = AutoRun
O33 - MountPoints2\{cd9847d4-6e51-11e0-9872-eabe28869fe6}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{d05ab49b-4f79-11df-b917-001b38a2f4e8}\Shell\Auto\command - "" = I:\msbackup.exe
O33 - MountPoints2\{d05ab49b-4f79-11df-b917-001b38a2f4e8}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\msbackup.exe
O33 - MountPoints2\{d67d1264-68ec-11e0-8fb8-8b1bded65ded}\Shell - "" = AutoRun
O33 - MountPoints2\{d67d1264-68ec-11e0-8fb8-8b1bded65ded}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{d67d1268-68ec-11e0-8fb8-8b1bded65ded}\Shell - "" = AutoRun
O33 - MountPoints2\{d67d1268-68ec-11e0-8fb8-8b1bded65ded}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{e6aacaaf-6a40-11e0-ae98-a178bd7d08ed}\Shell - "" = AutoRun
O33 - MountPoints2\{e6aacaaf-6a40-11e0-ae98-a178bd7d08ed}\Shell\AutoRun\command - "" = H:\AutoRun.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\AutoRun\command - "" = H:\b.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\explore\Command - "" = H:\b.exe
O33 - MountPoints2\{f99e3b75-6bcc-11df-b166-001b38a2f4e8}\Shell\open\Command - "" = H:\b.exe
[2013/04/09 23:30:55 | 000,000,000 | ---D | C] -- C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
[2013/04/09 23:30:44 | 000,000,000 | ---D | C] -- C:\Users\vaibhav\AppData\Local\Wajam
[2013/04/09 23:30:23 | 000,000,000 | ---D | C] -- C:\Program Files\Wajam
[2013/04/09 11:21:52 | 000,000,000 | -HSD | C] -- C:\Users\vaibhav\AppData\Roaming\8ed0
[2013/04/10 01:00:05 | 000,045,644 | ---- | C] () -- C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c4c4c.js

:Files
C:\Users\vaibhav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Program Files\Web Assistant

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
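The O33 (MountPoints2), O4 (Run key) and Startup-folder lines in the fix above are the three places this USB-borne .js infection parks its launchers. The following is an added example, not part of essexboy's fix or the OTL tool, showing how to list those same three spots with built-in PowerShell so a helper can triage a machine before writing a fix. It is read-only and changes nothing; the registry paths and script-extension list are assumptions based on the log entries quoted above, and the output is meant for a human to review.

```powershell
# Added example (not from the thread): read-only triage of the persistence
# spots that appear in the OTL log above. Run from an elevated PowerShell.
# Nothing is deleted; the result is a table for a human to review.

$findings = @()

# 1. MountPoints2: per-drive AutoRun/open/explore commands that Explorer
#    cached from autorun.inf files on removable media (the O33 lines above).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    Get-ChildItem $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ieq 'command' } |
        ForEach-Object {
            # The launch command lives in the key's (default) value.
            $cmd = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                $findings += [pscustomobject]@{
                    Source = 'MountPoints2'
                    Key    = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Value  = $cmd
                }
            }
        }
}

# 2. Run keys: script-engine launchers (.js/.vbs/.wsf) are unusual here
#    (the O4 "98c69.js" entry above is the pattern to look for).
$scriptExt = '\.(js|jse|vbs|vbe|wsf)\b'
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    $props = Get-ItemProperty $run
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        if ($p.Value -match $scriptExt -or $p.Value -match 'wscript|cscript') {
            $findings += [pscustomobject]@{ Source = "Run ($hive)"; Key = $p.Name; Value = $p.Value }
        }
    }
}

# 3. Startup folders: any script file here deserves a look (the c4c4c.js case).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($d in $startupDirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match $scriptExt } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Source = 'Startup folder'; Key = $_.FullName; Value = "$($_.Length) bytes" }
        }
}

$findings | Format-Table -AutoSize -Wrap
```

Every MountPoints2 command pointing at a removable drive letter is worth noting even when the drive is no longer present, because Explorer keeps the cached entry until the key is removed, which is why the OTL fix lists so many of them.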

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #4 on: April 10, 2013, 08:10:49 AM »
I am unable to delete the wscript.exe

"DESTINATION FOLDER ACCESS DENIED" error!

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #5 on: April 10, 2013, 08:26:42 AM »
Hey, essexboy will help you when he comes back online today.

Have you run his fix in the post above?
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #6 on: April 10, 2013, 11:01:53 AM »
I tried to delete wscript.exe as suggested but could not do it...

I get "DESTINATION FOLDER ACCESS DENIED" error!

any other method to delete the app?

Offline essexboy

Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #7 on: April 10, 2013, 02:45:04 PM »
Was that on the entire system32 folder or just wscript ?

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #8 on: April 10, 2013, 02:47:02 PM »
The wscript.exe file.

Offline essexboy

Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #9 on: April 10, 2013, 02:51:51 PM »
Download this small zip file to your desktop
https://dl.dropbox.com/u/73555776/TakeOwnership.zip
Extract the takeownership.reg file
Double click and allow to merge with the registry
Then go to Wscript and right click
Select take ownership

Let me know if that works 

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #10 on: April 10, 2013, 03:07:35 PM »
The takeownership.reg got added to the registry. But when I right-click on wscript.exe there is no Take Ownership option.
Most of the files in the system32 folder show this option when right-clicked, but not this one. One more file, wscui.cpl, doesn't show the Take Ownership option either.

Offline essexboy

Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #11 on: April 10, 2013, 04:57:34 PM »
Did you get any errors when you tried to take ownership via the original method ?

OK what I will do then is use a specialist tool to delete wscript and then once done I will give you a new copy of the file

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
 
Code:
Begin copying here:
Files to delete:
C:\windows\system32\wscript.exe


Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and  press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

THEN

Run the OTL script as previously posted
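The "take ownership, then remove" step for C:\windows\system32\wscript.exe that the replies above walk through in Explorer can also be done from an elevated PowerShell with the built-in takeown and icacls tools, which is often what works when the Properties dialog gives a "DESTINATION FOLDER ACCESS DENIED" error. The script below is an added example, not part of essexboy's instructions or of OTL or The Avenger; the target path comes from the thread, while the quarantine folder C:\Quarantine is an assumed location. It moves the file aside rather than deleting it so it can be put back once the .js droppers are gone, which matches the later step of restoring a clean wscript.exe.

```powershell
# Added example (not from the thread): take ownership of a protected system
# file and move it to a quarantine folder, from an elevated PowerShell.
# The path is the one in the thread; the quarantine folder is an assumption.
$target     = 'C:\Windows\System32\wscript.exe'
$quarantine = 'C:\Quarantine'

if (-not (Test-Path $target)) { throw "$target not found" }

# Record the owner before any change (normally NT SERVICE\TrustedInstaller).
Write-Host "Owner before: $((Get-Acl $target).Owner)"

# Step 1: take ownership for the current (administrator) account.
takeown.exe /F $target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Step 2: grant that account full control so the move is permitted.
icacls.exe $target /grant "$($env:USERNAME):F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

Write-Host "Owner after:  $((Get-Acl $target).Owner)"

# Step 3: move, not delete, so the file can be restored later.
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$dest = Join-Path $quarantine 'wscript.exe.bak'
Move-Item -Path $target -Destination $dest -Force
Write-Host "Moved $target to $dest"
```

Run it from a 64-bit, elevated PowerShell on a 64-bit system, otherwise file-system redirection points the path at SysWOW64 and the wrong copy is touched. With the script host moved aside, a .js launcher in the Run key or Startup folder fails to execute until the clean file is put back.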

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #12 on: April 10, 2013, 08:13:40 PM »
Thank you.

Finally removed the wscript.exe through The Avenger.

Ran the OTL too.

Good, the windows update icon in the tray has stopped multiplying!

Both avenger.txt & OTL.txt are attached.

Offline essexboy

Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #13 on: April 10, 2013, 08:32:24 PM »
OK final stretch, run the OTL fix first and after the reboot then download the wscript.exe file

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O3 - HKLM\..\Toolbar: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C17590D2-ECB4-4B15-8820-F58798DCC118} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2013/04/09 11:21:52 | 000,000,000 | -HSD | C] -- C:\8f9ea

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download wscript.exe from here and place it in your C:\windows\system32 folder

https://dl.dropbox.com/u/73555776/wscript.exe

Reboot again and let me know how the computer is behaving

vibes

  • Guest
Re: Suggestions to get rid of http://jsh37.net/a/ ......MALWARE
« Reply #14 on: April 11, 2013, 05:30:27 AM »
I have done the "Run Fix" & "Quick Scan".
Here are the logs.