Wie geht es weiter: Meldung Zugriff auf Webseite blockiert

[BastianS]

Although you said, that it will not restart, it restarted after i run the fix.
So i restarted again in safe mode to run the quick scan.
Attached you can see the logfile.

After this run, i can't see hidden folders any more. And it's not possible to show them.
And System Control is not startable. Its like OTL or all ohter programs. It starts for a very short time and then it will be closed.

[essexboy]

OK I will now take a drastic step and remove the windows scripting file.  That way the programme will not be able to run, we will replace the file on completion.  You may get some errors about programmes not running properly at start (any that depend on wscript)

Please download OTM 

• Save it to your desktop.
  
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
   
  

Code: [Select]


:Processes
killallprocesses
 
:Files
C:\Users\Momo\AppData\Roaming\ae0d
C:\Program Files\b105
C:\af87
c:\windows\system32\wscript.exe
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js



• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
   
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start

[BastianS]

The result from OTM run.
I had to restart to finish the remove.
But your description, where i can find the log-file is incomplete.
Attached you see the file, i think you want to have

[BastianS]

@Asyn: Kannst du mir erklären, wie dieser Support hier funktioniert?
Wir fahren hier einen run nach dem anderen und kommen nicht (bzw. besser: nur sehr langsam) voran. Es scheint ein hartnäckiger Virus/ Trojaner zu sein (kenn mich nicht so gut aus).
Mich würde interessieren, was passiert, wenn das Ding entfernt ist.
Wird das irgendwann in avast! eingepflegt? Bekommt es einen Namen? Und wie kann ich mich in Zukunft vor dem Ding schützen?

[essexboy]

Is it still present ?  If so we are left with two alternatives either work outside of windows or replace them with dummy files

[BastianS]

Yes it is 
I'm not sure what you mean. Working outside od windows is DOS? And dummy files means replace some?

Why its so hard to find and distroy it?

[essexboy]

NO problem I have now figured out the quick way to kill it with the assistance of another user

Go to C:\Windows\System32
Delete the following file to the recycle bin :

Wscript.exe

Reboot to safe mode and Run an OTL scan selecting all users
Once I have that log I will delete the files and as wscript is no longer available they will not regenerate
Then we will replace wscript

[BastianS]

I've found the file in System32 folder. But it's not possible to delte the file.
Clicking on the delete, an error message will appear.
See attached image from message.

Wtf is TrustedInstaller? - Sorry for my impatience. But what kind of trojan is that? Why no antivirus-software (i run different softwares) can find it? Will it implemented in the feature in avast!?

OK. I can't delete the wscript. What shall i do?

[essexboy]

As it stands at the moment the only AV to detect this is Avast and then purely because of the URL it is trying to go to. No other AV has as yet this facility 

All of this can be done in safe mode

First we will change the permissions on Wscript to enable you to delete it

Download this zip file to your desktop https://dl.dropbox.com/u/73555776/TakeOwnership.zip
Extract InstalltakeOwnership.reg to the desktop
Double click and allow it to merge with the registry
Then right click the Wscript.exe file and select Take Ownership
Once it has done you should be able to delete it

Then :

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.28 16:59:59 | 000,000,000 | -HSD | C] -- C:\af87

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-

:Files
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\ae0d

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[BastianS]

I tried to make it as you said. But:
Right click on wscript.exe file delivers no selectable "Take Ownership". This does not exist.
And so i still can't delete it.

I have extracted the installtakeownership.reg; double clicked on it and allowed to merge with the registry. Nothing happend after that.

[essexboy]

OK OT has now made a switch that will delete system files

Lets see if it is strong enough

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js ()
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.28 17:00:00 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.28 16:59:59 | 000,000,000 | -HSD | C] -- C:\af87

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-

:Files
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\Momo\AppData\Roaming\ae0d
[override]
C:\Windows\System32\wscript.exe
[stopoverride]

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[BastianS]

I'm sorry to say: no, it's not strong enough!
Attached you can see the file, generated after reboot.

[essexboy]

Could you right click that file (Wscript.exe)  now and let me know if take ownership is present

[BastianS]

No, its not present.

[BastianS]

And i've noticed, that i can't take ownership from any *.exe file.
For "normal" files like *.jpg or *.txt i have the possibility to "Take Ownership".