Author Topic: http://etpsoprc.ru/a/ URL: Mal  (Read 11118 times)


1v4n0

  • Guest
http://etpsoprc.ru/a/ URL: Mal
« on: March 21, 2014, 10:19:50 AM »
Hello. I had this virus on my laptop which put all the files in the external drives to "hidden" status, plus it created HEAPS of "tmp" files in the same external drives.

I decided to format and reinstall windows7, and everything went fine until I (stupidly) connected my kindle (ebook reader), which I had not formatted since using it on the old installation.

Immediately I got this message that avast blocked a "threat". It also tells me I don't need to do anything.

Object: F:\autorun.inf
Infection: INF:AutoRun-EJ[Trj]
Process: C:\Windows\System32\Wscript.exe


This message also pops up every second anytime I connect some external drives (but not all). It does for example with the kindle itself, plus every time I copy a folder into the drive it immediately becomes hidden and the system creates a shortcut to it (not hidden).

It also does so with an SD card. I formatted it, but nothing changes. As soon as the formatting is done, the popups start again, and immediately there appears in the drive a folder named "2e2e" with two files inside, "g3f7a3" and "i3333". The computer tells me they are "Jscript script files".

There appears also an "autorun" file, in the root directory of the drive, which disappears and reappears every few seconds.

Since that moment, even with no devices connected, every now and then (20' or less) I get this popup that avast blocked a website or  a file

Object: http: // etpsoprc.ru/a
Infection: URL:Mal
Process: C:\Windows\System32\Wscript.exe


I also get this icon in the notification area of my taskbar, like windows is downloading some updates, but when I hover the mouse over that icon, it disappears.

I tried deleting this "Wscript" file but it tells me I "need permission from TrustedInstaller".


I googled a bit, downloaded McShield but it won't install.

Any help?

TY :)
« Last Edit: March 21, 2014, 10:24:41 AM by 1v4n0 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #1 on: March 21, 2014, 10:23:19 AM »
Hi,

http://forum.avast.com/index.php?topic=53253.0

Attach OTL, MBAM, aswMBR. I know your infection. It can be tricky to remove w/o MCShield. Try redownloading it?

http://www.mcshield.net/download.html

Edit: I forgot. Break that etpsoprc.ru/a link.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

1v4n0

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #2 on: March 21, 2014, 10:32:53 AM »
I cannot install Malwarebytes either :o

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #3 on: March 21, 2014, 11:17:45 AM »
I cannot install Malwarebytes either :o
you may have an infection that is blocking....
then move to next tool.....if you have problems running any of the tools, try run from safe mode


argus

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #4 on: March 21, 2014, 11:29:37 AM »
Monitoring.





1v4n0

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #5 on: March 21, 2014, 11:55:10 PM »

argus

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #6 on: March 21, 2014, 11:57:26 PM »

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

1v4n0

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #7 on: March 22, 2014, 12:02:16 AM »
There you go.

G'night, see you tomorrow, ty


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #8 on: March 22, 2014, 01:15:52 AM »
Hi,

Some Warnings:

:P2P Warning!:

!!IMPORTANT!!

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Warnings
USAToday
Info World

Files Found:

-UTorrent

Your infection: (Hijacked Process)

2014-03-07 20:28 - 2013-10-12 02:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2014-03-07 20:28 - 2013-10-12 02:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe

« Last Edit: March 22, 2014, 01:17:32 AM by Michael (alan1998) »

1v4n0

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #9 on: March 22, 2014, 09:20:39 AM »
Hello, thanks for your answer.

I don't think p2ps are the issue here, because I used them for a long time before getting these warnings from avast. It's something else I think.

Any solution?

ty :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #10 on: March 22, 2014, 09:31:30 AM »
@1v4n0
UTorrent isn't your problem nor M$'s wscript legit process. You just wait for argus' response.


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #11 on: March 22, 2014, 10:09:04 AM »
Hi,

Some Warnings:

:P2P Warning!:

!!IMPORTANT!!

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Warnings
USAToday
Info World

Files Found:

-UTorrent


What I meant by that was, possibly you're leading to more infections. Not your current one.

[Edit]: 1 out of many cases that were infected by P2P.

http://forum.avast.com/index.php?topic=145700.msg1057552#msg1057552
« Last Edit: March 22, 2014, 10:12:20 AM by Michael (alan1998) »

argus

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #12 on: March 22, 2014, 11:05:15 AM »

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-1736404222-114842431-3765707497-1001\...\Run: [387] - C:\Users\1V4N0\AppData\Roaming\2e6e\387.js [46924 2014-03-21] ()
2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\Users\1V4N0\AppData\Roaming\2e6e
2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\2fd
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version, please download and run the updated version.




*******************







Please download MCShield from one of the following links:

MCShield -Official download link
  • Double click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... per installation click on Run! button.
  • Wait a few seconds to MCShield finish initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post a logreport that MCShield has created.
Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScans.txt report shall be located on your Desktop.

=> Post here AllScans.txt


Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
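
The fixlist in the post above targets a Run-key entry that starts a .js file from AppData, plus two directories carrying the hidden and system attributes. As an added example (not part of any post in this thread and not FRST's own code), the Python below flags those same patterns in FRST-style log lines. The line layout is assumed from the excerpts quoted in this thread, the flag names are made up for illustration, and the last sample line is constructed.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# Layout assumed from the fixlist in this thread:
#   <hive>\...\Run: [<name>] - <target> [<size> <date>] (<company>)
RUN_RE = re.compile(
    r"^HK\S+?\\\.\.\.\\Run: \[[^\]]*\] - (?P<path>.+?)"
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \([^)]*\))?$"
)
#   <created> - <modified> - <size> <attributes> (<company>) <path>
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ (?P<attrs>[_A-Z]+) \([^)]*\) (?P<path>.+)$"
)

def triage(lines):
    """Return (flag, path) pairs for entries an analyst should review."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := RUN_RE.match(line):
            path = m["path"].strip('"')
            if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS:
                findings.append(("run-key-starts-script", path))
            if any(part in path.lower() for part in USER_WRITABLE):
                findings.append(("run-key-in-user-writable-dir", path))
        elif m := FILE_RE.match(line):
            # Attribute letters read here as S=system, H=hidden, D=directory.
            if {"S", "H", "D"} <= set(m["attrs"]):
                findings.append(("hidden-system-directory", m["path"]))
    return findings

SAMPLE = [  # first four lines are from the fixlist above; the last is constructed
    r"HKLM-x32\...\Run: [] - [X]",
    r"HKU\S-1-5-21-1736404222-114842431-3765707497-1001\...\Run: [387] - "
    r"C:\Users\1V4N0\AppData\Roaming\2e6e\387.js [46924 2014-03-21] ()",
    r"2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\Users\1V4N0\AppData\Roaming\2e6e",
    r"2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\2fd",
    r"HKLM\...\Run: [ExampleUpdater] - C:\Program Files\Example\updater.exe [123456 2014-01-01] (Example Corp)",
]

if __name__ == "__main__":
    for flag, path in triage(SAMPLE):
        print(f"{flag:30} {path}")
```

Hidden, system-flagged directories also exist legitimately on Windows, so that flag marks an entry for review rather than for removal.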

1v4n0

  • Guest
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #13 on: March 22, 2014, 08:07:33 PM »
Ok so I saved the txt file to my "desktop" folder. I ran  FRST from the same folder and clicked "fix". It created this file. It took a few seconds. It didn't prompt a restart or anything.

:)

i

EDIT see my next post.
« Last Edit: March 23, 2014, 12:03:59 PM by 1v4n0 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: http://etpsoprc.ru/a/ URL: Mal
« Reply #14 on: March 22, 2014, 08:17:24 PM »
And MCShield log  ?