Malicious software or Trojan

[okym]

Have to start work in 4 hours so off to bed.
Will check for your reply later.
Regards,
Kym

[essexboy]

Could you re-run Combofix now please, allowing it to update if requested

[okym]

Sorry this is taking so long,work is extremely busy and I am doing 14-16 hour days,so not getting a lot of time to myself.
I re ran combo fix as requested,log attached.
Control panel has reappeared in start box,malicious url pop ups have stopped again.
MalwareBytes has updated and is accessable.
Will see what happens when I close the pc and log on again.
Regard's,
Kym

[okym]

Rebooted pc,control panel again disabled as is MalwareBytes,malicious url popups back again.

[essexboy]

OK the file is changing every reboot

So could you run a fresh OTL scan and attach here.  In the meantime do not reboot until I have created and you have run the new fix 

[okym]

OK,so run a new OTL scan,retreive the log and leave the pc running until I run the new fix.
Will run when I get home tonight.
This post from the work pc.
Kym

[essexboy]

Aye and if that fix fails I will remove the windows scripting host for the duration as it needs that to run

[okym]

Ended up having to work all through easter ,so have only just had time to run OTL.
Log is attached.
PC will remain on until I hear back from you.
Regard's,
Kym

[essexboy]

OK lets do it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607

:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-

:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js
[override]
C:\Windows\System32\wscript.exe
[stopoverride]

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[okym]

Not having much luck with the fix.
Pasted the fix into OTL clicked "run fix" and left it to run.
Six hours later,nothing has happened.PC appears to be locked up and can not close OTL to try and run fix again.
PC is still on,will not reboot until I hear back.
Kym

[essexboy]

OK I now have a quick way of killing this blighter, as you are the fourth or fifth  you get the benefits 
Reboot the computer


Open windows explorer and go to C:\Windows\System32
Locate wscript.exe
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK



Now delete wscript.exe to the recycle bin

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607

:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-

:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[okym]

Took most of the day to get in to delete WScript but got there in the end.
Ran fix.
Ran quick scan,log attached.
Still no access to control panel,but malicious pop up's appear to have stopped.MalwareBytes is accessable at the moment.
Will log off and check for your reply in the morning.
Kym

[essexboy]

You can now restore wscript form the recycle bin

Run MBAM and see if that restores the control panel

If not could you let me know what error you get

[okym]

Hi essexboy,I am back again - got to love short notice business trips.
I have restored wscript and run Malwarebytes,only a quick scan though.
Still no control panel and no error from the Malwarebytes log.
Should I run a full scan instead ?
Regard's,
Kym

[essexboy]

No run Combofix again, but allow it to update if it asks