Author Topic: Malicious software or Trojan

okym

  • Guest
Re: Malicious software or Trojan
« Reply #30 on: March 23, 2013, 02:10:42 PM »
Have to start work in 4 hours so off to bed.
Will check for your reply later.
Regards,
Kym

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious software or Trojan
« Reply #31 on: March 23, 2013, 02:27:56 PM »
Could you re-run Combofix now please, allowing it to update if requested

okym

  • Guest
Re: Malicious software or Trojan
« Reply #32 on: March 28, 2013, 01:26:04 PM »
Sorry this is taking so long, work is extremely busy and I am doing 14-16 hour days, so not getting a lot of time to myself.
I re-ran Combofix as requested, log attached.
Control panel has reappeared in start box, malicious URL pop-ups have stopped again.
MalwareBytes has updated and is accessible.
Will see what happens when I close the PC and log on again.
Regards,
Kym

okym

  • Guest
Re: Malicious software or Trojan
« Reply #33 on: March 28, 2013, 01:42:34 PM »
Rebooted PC, control panel again disabled as is MalwareBytes, malicious URL pop-ups back again.

Offline essexboy

Re: Malicious software or Trojan
« Reply #34 on: March 28, 2013, 03:36:08 PM »
OK the file is changing every reboot

So could you run a fresh OTL scan and attach here.  In the meantime do not reboot until I have created and you have run the new fix 

okym

  • Guest
Re: Malicious software or Trojan
« Reply #35 on: March 28, 2013, 09:35:37 PM »
OK, so run a new OTL scan, retrieve the log and leave the PC running until I run the new fix.
Will run when I get home tonight.
This post from the work pc.
Kym

Offline essexboy

Re: Malicious software or Trojan
« Reply #36 on: March 28, 2013, 09:48:18 PM »
Aye and if that fix fails I will remove the windows scripting host for the duration as it needs that to run

okym

  • Guest
Re: Malicious software or Trojan
« Reply #37 on: April 02, 2013, 12:26:21 PM »
Ended up having to work all through Easter, so have only just had time to run OTL.
Log is attached.
PC will remain on until I hear back from you.
Regards,
Kym

Offline essexboy

Re: Malicious software or Trojan
« Reply #38 on: April 02, 2013, 04:39:49 PM »
OK let's do it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607

:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-

:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js
[override]
C:\Windows\System32\wscript.exe
[stopoverride]

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

okym

  • Guest
Re: Malicious software or Trojan
« Reply #39 on: April 03, 2013, 07:20:12 AM »
Not having much luck with the fix.
Pasted the fix into OTL clicked "run fix" and left it to run.
Six hours later, nothing has happened. PC appears to be locked up and cannot close OTL to try and run fix again.
PC is still on,will not reboot until I hear back.
Kym

Offline essexboy

Re: Malicious software or Trojan
« Reply #40 on: April 03, 2013, 03:44:33 PM »
OK I now have a quick way of killing this blighter, as you are the fourth or fifth  you get the benefits  ;D
Reboot the computer


Open windows explorer and go to C:\Windows\System32
Locate wscript.exe
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK



Now delete wscript.exe to the recycle bin

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607

:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-

:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
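
Added example, not part of the post above and not OTL's own code: a small Python triage of the log lines quoted in the fix script, flagging autostart entries that Windows Script Host would execute and hidden+system folders with short hex names. The function name `triage`, the regular expressions (inferred only from the line shapes shown in this thread), the hex-name heuristic and the last two sample lines are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions handled by Windows Script Host (wscript.exe / cscript.exe).
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Line shapes as they appear in the fix script quoted in the thread.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \(.*\)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<path>.+?) \(.*\)$")
DIR_ENTRY = re.compile(r"^\[[^|]+\|[^|]+\| (?P<attrs>\S+) \| \w\] -- (?P<path>.+)$")
# Assumption: short hex-only folder names, as seen in this thread, deserve review.
HEX_NAME = re.compile(r"[0-9a-f]{3,8}", re.IGNORECASE)

def triage(lines):
    """Return (kind, path) pairs for entries worth a closer look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            path = PureWindowsPath(m.group("path"))
            # A script file in an autostart location runs via WSH at every logon.
            if path.suffix.lower() in WSH_EXTENSIONS:
                kind = "run-key" if "name" in m.groupdict() else "startup-folder"
                findings.append((kind, str(path)))
            continue
        m = DIR_ENTRY.match(line)
        if m and {"H", "S"} <= set(m.group("attrs")):
            if HEX_NAME.fullmatch(PureWindowsPath(m.group("path")).name):
                findings.append(("hidden-system-dir", m.group("path")))
    return findings

# First seven lines are from the thread; the last two are constructed benign entries.
SAMPLE_LOG = r"""
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
[2013/03/01 10:00:00 | 000,000,000 | ---D | C] -- C:\Program Files\Example
""".splitlines()

if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind:18} {path}")
```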

okym

  • Guest
Re: Malicious software or Trojan
« Reply #41 on: April 04, 2013, 12:59:22 PM »
Took most of the day to get in to delete WScript but got there in the end.
Ran fix.
Ran quick scan, log attached.
Still no access to control panel, but malicious pop-ups appear to have stopped. MalwareBytes is accessible at the moment.
Will log off and check for your reply in the morning.
Kym
« Last Edit: April 04, 2013, 01:03:34 PM by okym »

Offline essexboy

Re: Malicious software or Trojan
« Reply #42 on: April 04, 2013, 03:43:43 PM »
You can now restore wscript from the recycle bin

Run MBAM and see if that restores the control panel

If not could you let me know what error you get

okym

  • Guest
Re: Malicious software or Trojan
« Reply #43 on: April 11, 2013, 10:34:01 PM »
Hi essexboy, I am back again - got to love short notice business trips.
I have restored wscript and run Malwarebytes, only a quick scan though.
Still no control panel and no error from the Malwarebytes log.
Should I run a full scan instead?
Regards,
Kym

Offline essexboy

Re: Malicious software or Trojan
« Reply #44 on: April 11, 2013, 10:38:58 PM »
No, run Combofix again, but allow it to update if it asks