Author Topic: Unable to remove malware (Read 12084 times)

Jaydonn · « **on:** March 29, 2013, 05:25:10 PM »

I'm having the same problem as this person http://forum.avast.com/index.php?topic=118769.0
I'll just be copying parts of the post.

Please help me to fix this...

I inserted an usb drive into my laptop and scanned it while opening the drive many files are not visible, and folders were displayed as shortcuts.
after that i could see that below 2 urls are invoked at regular intervals and blocked by avast
hxtp://nnh42.name/a/
hxtp://jsh37.net/a/

Also i could see a lot of windows update icon in system tray. I can't install Malwarebyte and OTL is closing as soon as opened.

I downloaded OTM as was suggested in the forum link of the person who had the same problem but then the steps to remove gets specific for that person's system. Can I get some help please?

mikaelrask · « **Reply #1 on:** March 29, 2013, 05:55:04 PM »

hey and welcome to the forum.

you could try in safemode to gt the otl up and running.

http://forum.avast.com/index.php?topic=53253.0

Jaydonn · « **Reply #2 on:** March 29, 2013, 06:16:01 PM »

Thanks for the welcome.

Yeah I did the safe mode thing as I saw in the post of the person who had the same problem. I guess I should have posted the logs, or would I have to rerun it first? Well here's what I have from the OTL I did earlier today.

Edit: Forgot to attach the aswMBR. It's there now.

essexboy · « **Reply #3 on:** March 29, 2013, 07:34:24 PM »

OK this is that darned JS malware.. It is hard to kill

Run this from safe mode

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva365.sys -- (XDva365)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
O2 - BHO: (Codecv Class) - {B7E80F30-8568-4929-AE5B-4B454B40117A} - C:\ProgramData\Codecv\bhoclass.dll ()
O4 - HKCU..\Run: [155] C:\Users\Javane\AppData\Roaming\034\155.js ()
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js ()
[2013/03/28 03:37:03 | 000,000,000 | -HSD | C] -- C:\Users\Javane\AppData\Roaming\034
[2013/03/28 03:37:02 | 000,000,000 | -HSD | C] -- C:\02b
[2013/03/29 08:40:49 | 000,000,000 | ---- | M] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js
[2013/03/29 08:00:05 | 000,000,000 | ---- | C] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js
[2013/03/28 03:37:03 | 000,000,000 | -HSD | M] -- C:\Users\Javane\AppData\Roaming\034
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:AA9519A6

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Jaydonn · « **Reply #4 on:** March 29, 2013, 08:36:43 PM »

I couldn't run OTL on reboot. Had to run in safe mode to do the quick scan.

essexboy · « **Reply #5 on:** March 29, 2013, 09:11:32 PM »

OK the startup js file is still there lets try a different approach

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code: [Select]

Begin copying here: 
Files to replace with dummy:
C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4516.js

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a freshOTL log .

Jaydonn · « **Reply #6 on:** March 29, 2013, 09:56:52 PM »

This thing is persistent. When I tried to use avenger avast gave me the malicious url blocked prompt again and I wasn't able to use avenger. I had to use it in safemode.

When the machine rebooted the logs basically said it couldn't find the file and I was still unable to run OTL so had to use in safe mode to get the fresh log as well.

Edit: I'm wondering if the failure to remove it could be occurring because I follow what you suggest in "safe mode with networking" since I have to copy your instructions. Does it make a difference if I use regular safe mode or safe mode with networking?

essexboy · « **Reply #7 on:** March 29, 2013, 10:24:47 PM »

No it is the nature of this beast

Do not reboot at all during this process
Could you go to C:\Windows\system32\wscript.exe
Delete that file to the recycle bin but do not empty the bin as we will need to restore that file later

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:processes
killallprocesses 

:OTL
O4 - HKCU..\Run: [155] C:\Users\Javane\AppData\Roaming\034\155.js ()
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4616.js ()
[2013/03/29 15:32:11 | 000,000,000 | -HSD | C] -- C:\Users\Javane\AppData\Roaming\034
[2013/03/29 15:32:07 | 000,000,000 | -HSD | C] -- C:\02b

:Files
C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4616.js 
C:\Users\Javane\AppData\Roaming\034
C:\02b

:Commands

Then click the Run Fix button at the top
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Jaydonn · « **Reply #8 on:** March 29, 2013, 11:27:05 PM »

Took a while because I had to figure out how to get permission to delete the file. After running the script you gave me in OTL the computer also rebooted despite you saying I shouldn't reboot but I had no control over that. I started it up in safe mode just to be sure I could run OTL without having to reboot again.

essexboy · « **Reply #9 on:** March 29, 2013, 11:34:54 PM »

OK same again this should not reboot, if it does then go straight to safe mode

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:OTL
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4716.js ()
[2013/03/29 17:22:54 | 000,048,965 | ---- | C] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4716.js
[2012/08/28 01:10:10 | 000,000,165 | ---- | M] ()(C:\Windows\System32\?c?^??) -- C:\Windows\System32\?c?^??
[2012/08/28 01:10:09 | 000,000,165 | ---- | C] ()(C:\Windows\System32\?c?^??) -- C:\Windows\System32\?c?^??

Then click the Run Fix button at the top
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Jaydonn · « **Reply #10 on:** March 29, 2013, 11:51:12 PM »

I was in safe mode already after the unintended reboot just to ensure that OTL would work. Here's the log.

essexboy · « **Reply #11 on:** March 29, 2013, 11:56:10 PM »

OK final run (Fingers crossed) this time allow to boot to normal mode then let me know if OTL will run

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:OTL
[2013/03/08 23:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2013/03/08 23:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Jaydonn · « **Reply #12 on:** March 30, 2013, 01:33:24 AM »

Progress! Avast hasn't given me the malicious url notifs and OTL runs fine in normal mode. There are also no longer multiple update icons in the system tray. The scan did take a lot longer than usual though.

Now what do I do with the file I deleted earlier? And do I just download McShield to fix my flash drive?

essexboy · « **Reply #13 on:** March 30, 2013, 01:03:25 PM »

I will give McShield instructions in a mo

But first some numpty (me) emptied the temp files.

So.... Download this file and place in your C:\Windows\system32 folder https://dl.dropbox.com/u/73555776/wscript.exe

At least I now know how to kill this beastie and next time I will be able to do it a lot faster

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

Then let me know how the computer is behaving now

Jaydonn · « **Reply #14 on:** March 30, 2013, 05:40:07 PM »

So far so good I think. Thanks so much for the help! Here's the log.

Author Topic: Unable to remove malware (Read 12084 times)

Jaydonn

Unable to remove malware

mikaelrask

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware

essexboy

Re: Unable to remove malware

Jaydonn

Re: Unable to remove malware