Avast WEBforum
Non-English Zone => Deutsch => Topic started by: BastianS on March 23, 2013, 06:30:56 PM
-
Hello,
I am hoping to get help here regarding a recurring alert from my avast! virus scanner (freeware).
In order:
I copied pictures from an SD card to my PC (it had previously been in another laptop). Since then the message keeps appearing that avast! has blocked access to a website. There are two different URLs:
http://nnh42.name/a/
http://jsh37.net/a/
The infection details additionally show in each case:
Prozess: C:\Windows\System32\WScript.exe
Infektion: URL:Mal
In addition, under "hidden icons" in the taskbar, a great many Windows Update icons appear. If you hover the mouse over them, they simply disappear.
A full scan of my system found nothing, however.
While I was writing this, avast! also reported the following:
Infektion: JS:Iframe-AMQ [Trj]
Prozess: C:\Windows\System32\WScript.exe
URL: http://www.carbonsmart.co.uk/index.php?q
So it appears to be a Trojan.
Since avast! only seems to block the access but cannot fix the cause, I depend on help.
So what can I do now?
Thanks in advance
-
Please follow these instructions: http://forum.avast.com/index.php?topic=102616.0
Welcome to the forum,
Asyn
-
It unfortunately took a while, but I hope I can now upload all the required files.
Because the programs were prevented from starting in normal mode, I had to choose "Safe Mode" each time.
I hope someone can help me further now.
-
And here is the aswmbr as well
-
Because the programs were prevented from starting in normal mode, I had to choose "Safe Mode" each time.
Well done..!! :)
Please be patient, one of our experts will reply here.
Kind regards, Asyn
-
Hello, the infection was from the SD card. When running McShield, ensure the card is inserted
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.
O4 - HKU\S-1-5-21-1903657100-1192547202-2996381717-1000..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js ()
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\af87
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.25 08:02:50 | 000,046,000 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.25 08:02:50 | 000,046,000 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.06 18:27:36 | 000,000,032 | ---- | M] () -- C:\Windows\0
[2013.03.25 08:00:00 | 000,046,000 | ---- | C] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.25 08:00:00 | 000,046,000 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.06 18:26:45 | 000,000,032 | ---- | C] () -- C:\Windows\0
[2013.03.06 18:26:45 | 000,000,000 | ---- | C] () -- C:\Windows\System32\0
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download McShield (http://amf.mycity.rs/mcshield/downloads.html) to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Plug in the SD Card and McShield will start a scan
Then get the log which will be here :
Start > all programs > MCShield > logs > all scans
And post that
-
I have carried out the instructions as directed. Attached are the two files.
However, McShield does not provide an analysis for the SD card.
-
I have also made a screenshot of the countless Windows Update icons already mentioned.
As I said, when you hover the mouse over them they disappear immediately.
They also keep increasing over time.
-
This takes a few runs completely delete
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js ()
[2013.03.25 12:48:53 | 000,046,070 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js
[2013.03.25 12:48:53 | 000,046,070 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
This takes a few runs completely delete
What? Maybe it's easier for you to write in english? This sentence makes no sense.
-
OK my German is rubbish :o, basically it may take a few runs to kill this
-
Yes I think so... I hope you can help me. Or you at least have a proposal what else I can do.
Attached is the new otl.txt
-
I am going to try a double kill this time. OTL will not reboot, once it has run then immediately run Avenger
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js ()
[2013.03.25 19:37:06 | 000,046,115 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
[2013.03.25 19:37:06 | 000,046,115 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
[2013.03.25 13:11:04 | 000,000,000 | -HSD | M] -- C:\Users\Momo\AppData\Roaming\ae0d
:Files
C:\Program Files\b105
C:\af87
C:\Users\Momo\AppData\Roaming\ae0d
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
- Then click the Run Fix button at the top
THEN
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
(https://dl.dropbox.com/u/73555776/avenger.jpg)
Begin copying here:
Files to delete:
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
Folders to delete:
C:\Program Files\b105
C:\af87
C:\Users\Momo\AppData\Roaming\ae0d
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.
-
OK. Attached is the avenger.txt.
The system restarted only once.
It's also quite difficult to restart. I'm not sure if it's correct that it restarts in normal mode.
Because I have to start all these programs in "safe mode". It may not start in "normal" mode. Hope this is not a problem.
-
Could you now boot to normal mode please and run one further OTL scan
-
As I said before, the OTL program will not start in normal mode. So I can't run an OTL scan in normal mode.
-
So even after the removal OTL will not run in normal mode ?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Attached is the ComboFix.txt.
I also couldn't start the program in normal mode. So I had to start it (as every time) in safe mode.
And 'yes' to your question; even after the "removal" OTL will not run in normal mode. It starts for a very short time (approx. 1 sec) and then it closes. This was the same with ComboFix.
-
On completion of this run could you try normal mode again please
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
File::
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
Folder::
c:\users\Momo\AppData\Roaming\ae0d
C:\af87
c:\program files\b105
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
I tried normal mode.
Referring to the picture, I dragged CFScript into ComboFix.exe
For a short time I saw the red and the blue load bar. Then it closes and that's it.
What should I do now?
-
Could you retry the combofix CFScript please
-
I tried it again in normal mode with the same result as before.
So I restarted it the third time in safe mode.
The log you see attached.
What do you think; how close are we to it?
-
Still the two to remove from the startup folder
These are very stubborn and difficult to kill
Once combofix has run again could you check the two locations to ensure that they have gone
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
And again: wasn't able to start in normal mode... so I made the run in safe mode.
Attached is the ComboFixCFSript_1.txt
I've checked the locations with the result that both startup folders don't exist.
There is something new: After a restart it can be that I get an error message (4-5 times). I've attached a picture.
I'm not sure if it is important. Because clicking on it will close the window. It comes back 4-5 times, but after that it remains closed.
-
OK the malware is renaming itself at every boot
Once this OTL run has completed it will not reboot
Could you keep the system running and do a fresh OTL scan
If possible do not reboot again until I have done a further check
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:processes
killallprocesses
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
:Files
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
C:\af87
c:\users\Momo\AppData\Roaming\ae0d
c:\program files\b105
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
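As an added, defender-side example (not code from this thread, from OTL or from its author), here is a small Python parser for OTL "O4" autostart lines that flags entries executed by the Windows Script Host and compares two scans to spot the rename-at-boot behaviour described above. The sample scan lines are constructed from the paths quoted in this thread; the avastUI.exe entry is an assumed benign entry added for contrast.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample "O4" lines modelled on two consecutive OTL scans of the
# machine in this thread. Not a real log; the avast line is an assumed benign entry.
SCAN_1 = r"""
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
"""
SCAN_2 = r"""
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
"""

# Extensions handled by wscript.exe/cscript.exe, plus the hosts themselves.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# O4 line layout as OTL prints it:
#   O4 - <location>: [<value name>] <target path> (<publisher>)
O4_RE = re.compile(
    r"^O4 - (?P<location>[^:]+): "      # e.g. "HKCU..\Run" or "Startup"
    r"(?:\[(?P<value>[^\]]*)\] )?"       # registry value name, absent for Startup folders
    r"(?P<path>.+?) "                    # target path (may contain spaces)
    r"\((?P<publisher>[^)]*)\)$"         # publisher string, empty for unsigned scripts
)


@dataclass(frozen=True)
class Autostart:
    location: str
    value: str
    path: str
    publisher: str

    @property
    def directory(self) -> str:
        return ntpath.dirname(self.path).lower()

    @property
    def filename(self) -> str:
        return ntpath.basename(self.path).lower()

    @property
    def uses_script_host(self) -> bool:
        """True if the entry is a script file or explicitly invokes wscript/cscript."""
        ext = ntpath.splitext(self.filename)[1]
        return ext in SCRIPT_EXTENSIONS or any(h in self.path.lower() for h in SCRIPT_HOSTS)


def parse_otl_o4(log_text: str) -> list:
    """Extract every O4 autostart entry from an OTL log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["location"], m["value"] or "", m["path"], m["publisher"]))
    return entries


def flag_script_autostarts(entries: list) -> list:
    """Autostarts that would be executed by the Windows Script Host."""
    return [e for e in entries if e.uses_script_host]


def find_renamed_autostarts(old: list, new: list) -> list:
    """Entries whose location and directory persist across scans while the file name changed.

    Returns (previous_names, new_name, directory) tuples; a non-empty result is the
    pattern this thread describes, where the script is rewritten under a new name at boot.
    """
    def key(e: Autostart):
        return (e.location.lower(), e.directory)

    old_names = {}
    for e in old:
        old_names.setdefault(key(e), set()).add(e.filename)
    renamed = []
    for e in new:
        previous = old_names.get(key(e), set())
        if previous and e.filename not in previous:
            renamed.append((sorted(previous), e.filename, e.directory))
    return renamed


if __name__ == "__main__":
    first, second = parse_otl_o4(SCAN_1), parse_otl_o4(SCAN_2)
    for e in flag_script_autostarts(second):
        print(f"script-host autostart: {e.location} -> {e.path}")
    for prev, now, where in find_renamed_autostarts(first, second):
        print(f"renamed between scans in {where}: {prev} -> {now}")
```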
-
No, this is not possible.
Because OTL will not run in normal mode!
I can start it in safe mode, but I have no internet connection and can't upload the log.
What now?
-
OK this will need a little renaming work on your part
Reboot to safe mode
Ensure that the files/folders names are exactly as the ones below, renaming if necessary
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
C:\af87
c:\users\Momo\AppData\Roaming\ae0d
c:\program files\b105
Once that is done then run the OTL fix
On completion of the fix confirm that those files/folders are no longer showing
-
Stupid question:
What if the first two folders don't exist?
I mean the two "Startup" folders. So I can't say if there is an ec5.js file
-
OK leave those in there and lets see how it runs
Had the folders changed names ?
-
Ok. I will start the OTL.
No, the folders had the same name.
-
Although you said that it would not restart, it restarted after I ran the fix.
So I restarted again in safe mode to run the quick scan.
Attached you can see the logfile.
After this run, I can't see hidden folders any more. And it's not possible to show them.
And System Control is not startable. It's like OTL or all other programs. It starts for a very short time and then it will be closed.
-
OK I will now take a drastic step and remove the windows scripting file. That way the programme will not be able to run, we will replace the file on completion. You may get some errors about programmes not running properly at start (any that depend on wscript)
Please download OTM (http://oldtimer.geekstogo.com/OTM.exe)
- Save it to your desktop.
- Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
killallprocesses
:Files
C:\Users\Momo\AppData\Roaming\ae0d
C:\Program Files\b105
C:\af87
c:\windows\system32\wscript.exe
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js
- Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start
-
The result from the OTM run.
I had to restart to finish the removal.
But your description of where I can find the log file is incomplete.
Attached you see the file I think you want to have
-
@Asyn: Can you explain to me how this support here works?
We are doing one run after another here and are not making progress (or rather: only very slowly). It seems to be a persistent virus/Trojan (I don't know much about this).
I would be interested to know what happens once the thing is removed.
Will it be added to avast! at some point? Will it get a name? And how can I protect myself from the thing in the future?
-
Is it still present ? If so we are left with two alternatives either work outside of windows or replace them with dummy files
-
Yes it is :(
I'm not sure what you mean. Working outside of Windows is DOS? And dummy files means replace some?
Why is it so hard to find and destroy it?
-
NO problem I have now figured out the quick way to kill it with the assistance of another user
Go to C:\Windows\System32
Delete the following file to the recycle bin :
Wscript.exe
Reboot to safe mode and Run an OTL scan selecting all users
Once I have that log I will delete the files and as wscript is no longer available they will not regenerate
Then we will replace wscript
-
I've found the file in the System32 folder. But it's not possible to delete the file.
Clicking on delete, an error message will appear.
See attached image of the message.
Wtf is TrustedInstaller? - Sorry for my impatience. But what kind of trojan is that? Why can no antivirus software (I run different softwares) find it? Will it be implemented in the future in avast!?
OK. I can't delete the wscript. What shall I do?
-
As it stands at the moment the only AV to detect this is Avast and then purely because of the URL it is trying to go to. No other AV has as yet this facility
All of this can be done in safe mode
First we will change the permissions on Wscript to enable you to delete it
Download this zip file to your desktop https://dl.dropbox.com/u/73555776/TakeOwnership.zip
Extract InstalltakeOwnership.reg to the desktop
Double click and allow it to merge with the registry
Then right click the Wscript.exe file and select Take Ownership
Once it has done you should be able to delete it
Then :
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.28 16:59:59 | 000,000,000 | -HSD | C] -- C:\af87
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
:Files
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\ae0d
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I tried to do it as you said. But:
Right click on the wscript.exe file delivers no selectable "Take Ownership". This does not exist.
And so I still can't delete it.
I have extracted the installtakeownership.reg, double clicked on it and allowed it to merge with the registry. Nothing happened after that.
-
OK OT has now made a switch that will delete system files
Lets see if it is strong enough
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.28 16:59:59 | 000,000,000 | -HSD | C] -- C:\af87
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
:Files
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\ae0d
[override]
C:\Windows\System32\wscript.exe
[stopoverride]
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I'm sorry to say: no, it's not strong enough!
Attached you can see the file generated after reboot.
-
Could you right click that file (Wscript.exe) now and let me know if take ownership is present
-
No, it's not present.
-
And I've noticed that I can't take ownership of any *.exe file.
For "normal" files like *.jpg or *.txt I have the possibility to "Take Ownership".
-
OK time to do it manually
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK
(https://dl.dropbox.com/u/73555776/wscript%20ownership.JPG)
You should now be able to move the file to the recycle bin
Then re-run the OTL fix as previous, minus the override for wscript
:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.28 16:59:59 | 000,000,000 | -HSD | C] -- C:\af87
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
:Files
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\ae0d
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
-
Without clicking on Apply (from your last description) I was finally able to delete the wscript.exe.
I've run the fix, rebooted and could start OTL in "normal" mode.
Attached you can see the otl_4.txt
-
OK now to prove that it has worked
Restore wscript from the recycle bin and reboot
Then let me know how it behaves
-
After restore and reboot:
Waited for at least 10 minutes. No avast! alert. No Windows Update symbols. This is great.
But I can't enter System Control (I'm not sure of the English word: or is it Control Panel?). Then I get a hint (as before) that Windows Explorer doesn't work any more. I can choose between "restart explorer" or "look online for problems".
-
Might be worth running windows all in one repair, to check for damage .. Or you could try an SFC scan to check windows files
-
SFC scan found nothing. And Windows All in One Repair changed nothing. I have the same problem as before.
Do you mean this is still the trojan? If not, and we are sure that the infection is gone, I can reset the whole system to default. Meaning reinstall Windows etc.
-
What error do you get when you try to enter control panel ?
-
"Windows Explorer doesn't work".
I can choose between: "look online for help" and "restart program".
My taskbar freezes while the error message appears.
details:
Problemsignatur:
Problemereignisname: APPCRASH
Anwendungsname: Explorer.exe
Anwendungsversion: 6.1.7601.17567
Anwendungszeitstempel: 4d6727a7
Fehlermodulname: SHELL32.dll
Fehlermodulversion: 6.1.7601.17859
Fehlermodulzeitstempel: 4fd2d1d9
Ausnahmecode: c0000005
Ausnahmeoffset: 00108506
Betriebsystemversion: 6.1.7601.2.1.0.256.1
Gebietsschema-ID: 1031
Zusatzinformation 1: 0a9e
Zusatzinformation 2: 0a9e372d3b4ad19135b953a78882e789
Zusatzinformation 3: 0a9e
Zusatzinformation 4: 0a9e372d3b4ad19135b953a78882e789
-
Do you have any dump files at C:\windows\minidump ?
-
No. I'm sorry, but this folder doesn't exist.
-
Do you get the same problem in safe mode ?
Does it happen when you open a specific type of programme ?
-
Yes, also in safe mode.
Specific type of program? I'm not sure. Starting Devices and Printers works. Also starting Windows Explorer itself works.
I think I get this error only when trying to start the control panel.
-
OK that sounds like a corrupt element within control panel
Please try the following steps to locate that item:
1. Navigate to %windir%\System32
2. On the top right search for *.cpl
3. In the Results, sort by Type, and review all of the Control Panel Item Types. Double click on each of those items to open and verify which one is causing the Explorer crash.
4. If the CPL file that you locate is related to a 3rd party application, we may need to uninstall it . If it is a Windows CPL, please let me know for further steps.
-
There are 22 elements. Of these, the following cause the error message:
appwiz
desk
powercfg
Firewall
hdwwiz
wscui
infocardcpl
-
Download cpl.zip to your desktop
https://dl.dropbox.com/u/73555776/cpl.zip
Extract all files to C:\windows\system32
Allow the overwrite option
Reboot and try the control panel again
-
I've replaced the files and rebooted the system. But I can't start the control panel.
I searched for the *.cpl again and started the replaced files. The result was that I get an error.
Do you mean this is still the trojan, or have we destroyed these files looking for it?
Because I want to delete the whole system now and only want to save all my files, pictures etc.
-
The malware is now gone however, it is all about repairing damage now. Rather than reformat you can repair the installation without affecting any personal files
Full details are here, English only I am afraid http://www.sevenforums.com/tutorials/3413-repair-install.html
-
Will your help be implemented in avast?
Because I still have a stick and two SD cards with the malware on them, I think so.
And another person (a friend of mine) has used the same infected laptop before and now has the malware on his PC too.
Two others have also had SD cards in this laptop and they want to see the photos on them. But we don't know if the malware is there...
Do you understand what I mean?
If you want to know where it comes from - Guatemala (really!) :)
-
You could use McShield to scan the SD cards
Or to be totally sure they should be wiped..
Do you friends require assistance ?
-
At the beginning of our communication, you told me to scan the cards with McShield. But it found nothing. So I'm not sure if it will find something in the future.
avast! has also found nothing. So this malware seems to be unknown (also to other virus programs).
They have made a long trip in Guatemala and on the SD cards are all the pictures they took (also on sticks, not only SD cards). So we want to copy the photos first before we wipe the cards.
So, yes, I think they'll need help.
-
One way to do it is to disable autorun on their computer
Then extract the photos to the main computer
Then wipe the SD card
-
Ok, I'll try that this weekend on my computer. It would be great if it worked.
If not, I'll need your help again ;)
Can you tell me more about the malware, or can someone else from the forum do that?
And most important: will it be integrated in avast?
-
At the moment no AV detects this malware, Avast only finds it when it tries to connect to a bad site
Could you zip the folder C:\_OTL\moved files please
And upload to a file sharing site (or dropbox if you have it)
For me to collect, analyse and pass on to Avast
-
Zip this folder?
It is about 89KB, and why can't I attach this here? I've never worked with a file sharing site. Sorry.
-
...why can't I attach this here?
As a rule, please never post virus samples in the forum..!!! Thank you.
Have a nice weekend,
Asyn
-
OK no problem I will PM my e-mail address if you could send it to me there I will check it out
-
OK. Now you should have the files. I've sent you an e-mail.
At this moment, I have to say thank you for your help!
I have tried to insert the SD cards and McShield seems to recognize the malware. I have not copied the pictures yet, but I will do it this week.
Tomorrow I will meet the other persons to talk to them about which problems they have.
Perhaps you can help them too!?
-
Certainly if you wish... Unfortunately Avast deleted the files from the archive as infected ;D
-
Which files? Those I've sent to you, or isn't there any information?
I still have the SD cards with the malware :) And I think they are also on the stick.
And in my opinion also on the laptop of a friend of mine.
-
Yes the files you sent were deleted
I see you have dropbox, is it possible for you to put the files there temporarily for me to collect ? That way I can bypass Avast
-
It is interesting, why does your avast delete my files?
And mine does not?
-
No idea, which I would be interested to find out
-
Now you should see them via dropbox. Right?
-
Thanks I now have it so you can delete them
-
Delete them in dropbox AND computer?
-
Unless you wish to keep them ;D I would recommend deletion though
-
I have now opened the JS file and tried to decode it.. But I feel I will need to let someone else have a look at it
-
OK. If it will help to identify the malware better, you should do that. Or is that a problem?
-
Nope, I know some very clever people, I will pass it around to them
-
Hello,
I want to know if there is something new you can tell me about the situation.
Is avast now able to detect AND to delete the malware? Or is there a working way to do that?
This is our actual situation: A friend of mine has copied the pictures to her laptop. Of course ( :-( ) she now has the malware on it.
I've got two other devices (a stick and an SD card) with pictures from this trip and I want to have those. I do not dare to copy them to my PC, because the malware will be on them.
What do you advise me to do?
-
Aye, this malware changes every time it runs, thereby making it hard for an AV to detect
Run McShield as that has now the ability to disable the malware
Download McShield (http://amf.mycity.rs/mcshield/downloads.html) to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Plug in the drive(s)/Card and McShield will start a scan
Then get the log which will be here :
Start > all programs > MCShield > logs > all scans
And post that
Then run the OTL fix and follow with a fresh scan
-
OK, I've inserted an SD card with McShield running.
This is the Log file output:
>>> MCShield ::Anti-Malware Tool:: v 2.6.3.21 / DB: 2013.6.2.1 / Windows 7 <<<
03.06.2013 17:03:11 > Datenträger P: - Scan gestartet (keine Bezeichnung ~945 MB, FAT Datenträger )...
> P:\RECYCLER
> P:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
> P:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (MD5: 79b72bf0e8c72e0bb6c1bcf26cac43e3)
>>> P:\Recycler - Schadsoftware (Ordner) > Löschung fehlgeschlagen.
=> Schädliche Dateien : 0/1 gelöscht.
=> Schädliche Ordner : 0/2 gelöscht.
____________________________________________
::::: Scandauer: 2 41Sek :::::::::::::::::::
____________________________________________
So it was able to detect the malware but could not destroy it.
I did not understand which OTL fix I have to run.
Should I do a Quick Scan or what do you mean?
If you remember, I'm not versed in things like that, but last time you were so helpful to me.
So please, be patient with me.
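A quick way to read such a log without counting by hand is to parse its summary lines: the "=> ... 0/1 gelöscht" counters say how many items were found versus deleted, and a "Löschung fehlgeschlagen" line names what could not be removed, which is exactly the detected-but-not-deleted situation described above. The parser below is an added example, not part of McShield or anything posted in this thread. It takes the log posted above verbatim as sample input and adds a second, constructed log (labelled as such) for the case where deletion succeeds. The line formats it recognises are only the ones visible in the posted log, so any other McShield message is left unparsed.

```python
import re
from dataclasses import dataclass, field

# Sample input: the McShield log lines posted in this thread, kept verbatim (German output).
SAMPLE_LOG = r""">>> MCShield ::Anti-Malware Tool:: v 2.6.3.21 / DB: 2013.6.2.1 / Windows 7 <<<
03.06.2013 17:03:11 > Datenträger P: - Scan gestartet (keine Bezeichnung ~945 MB, FAT Datenträger )...
> P:\RECYCLER
> P:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665
> P:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (MD5: 79b72bf0e8c72e0bb6c1bcf26cac43e3)
>>> P:\Recycler - Schadsoftware (Ordner) > Löschung fehlgeschlagen.
=> Schädliche Dateien : 0/1 gelöscht.
=> Schädliche Ordner : 0/2 gelöscht.
____________________________________________
::::: Scandauer: 2 41Sek :::::::::::::::::::
____________________________________________
"""

# Constructed sample (not from the thread): the same scan after the card's write lock
# was released, so every item is reported as deleted and no failure line appears.
SAMPLE_LOG_CLEANED = r""">>> MCShield ::Anti-Malware Tool:: v 2.6.3.21 / DB: 2013.6.2.1 / Windows 7 <<<
03.06.2013 17:30:00 > Datenträger P: - Scan gestartet (keine Bezeichnung ~945 MB, FAT Datenträger )...
> P:\RECYCLER
> P:\RECYCLER\S-5-3-42-0000000000-0000000000-000000000-0000
> P:\RECYCLER\S-5-3-42-0000000000-0000000000-000000000-0000\jwgkvsq.vmx (MD5: 00000000000000000000000000000000)
=> Schädliche Dateien : 1/1 gelöscht.
=> Schädliche Ordner : 2/2 gelöscht.
"""

# Line shapes taken from the posted log. The header is matched before the failure
# line because both begin with ">>>".
HEADER_RE = re.compile(r"^>>> MCShield .*? v ([\d.]+) / DB: ([\d.]+)")
START_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) > Datenträger ([A-Z]:) - Scan gestartet")
FAIL_RE = re.compile(r"^>>> (.+?) - Schadsoftware \((Datei|Ordner)\) > Löschung fehlgeschlagen")
COUNT_RE = re.compile(r"^=> Schädliche (Dateien|Ordner) : (\d+)/(\d+) gelöscht")
ITEM_RE = re.compile(r"^> (\S.*?)(?: \(MD5: ([0-9a-fA-F]{32})\))?$")


@dataclass
class ScanReport:
    version: str = ""
    db: str = ""
    drive: str = ""
    items: list = field(default_factory=list)      # (path, md5 or None) for each flagged item
    failures: list = field(default_factory=list)   # (path, "Datei" | "Ordner") that could not be deleted
    counts: dict = field(default_factory=dict)     # "Dateien"/"Ordner" -> (deleted, found)


def parse_mcshield_log(text: str) -> ScanReport:
    """Parse one McShield scan log into a ScanReport; unknown lines are ignored."""
    rep = ScanReport()
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER_RE.match(line):
            rep.version, rep.db = m.group(1), m.group(2)
        elif m := START_RE.match(line):
            rep.drive = m.group(2)
        elif m := FAIL_RE.match(line):
            rep.failures.append((m.group(1), m.group(2)))
        elif m := COUNT_RE.match(line):
            rep.counts[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := ITEM_RE.match(line):
            rep.items.append((m.group(1), m.group(2)))
    return rep


def hashes(rep: ScanReport) -> list:
    """MD5 values McShield printed, useful for looking up or submitting the sample."""
    return [h for _, h in rep.items if h]


def verdict(rep: ScanReport) -> str:
    """Summarise the outcome from the counters: clean, removed, partially-removed or detected-not-removed."""
    found = sum(f for _, f in rep.counts.values())
    deleted = sum(d for d, _ in rep.counts.values())
    if found == 0:
        return "clean"
    if deleted == found and not rep.failures:
        return "removed"
    if deleted == 0:
        return "detected-not-removed"
    return "partially-removed"


if __name__ == "__main__":
    for text in (SAMPLE_LOG, SAMPLE_LOG_CLEANED):
        rep = parse_mcshield_log(text)
        print(rep.drive, verdict(rep), hashes(rep), rep.failures)
```

On the posted log this yields "detected-not-removed" with the one MD5 and the failed folder; a write-protected card (the cause found later in this thread) produces exactly that pattern, so the verdict is worth checking before assuming the card is clean.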
-
My apologies that last line should not have been there
McShield has now deleted the bad files and the SD card should now be safe
Did the malware get blocked from running on your computer
-
There is a warning from avast, that a file has been blocked. But the path to the file is McShield!
And McShield was NOT able to delete the files! It has only detected, where the malware is (two files).
-
Are you able to manually delete that folder from the card
-
Sorry, this time it was my fault. The SD card was locked...damn :)
So McShield was able to delete the files! - Thanks
What can we do about my friends? The malware is on their system. Perhaps the easiest way is if I give them the link to our thread, so they can write and talk here directly with you. Right?
-
What can we do about my friends? The malware is on their system. Perhaps the easiest way is if I give them the link to our thread, so they can write and talk here directly with you. Right?
That would surely be the best option. ;)
Here is the link to the thread: http://forum.avast.com/index.php?topic=119099.90
Regards, Asyn
-
I have an easier way of removal now after much experience :)