Help required to remove virus: JS:Redirector-BOS [Trj]

Hello everyone,

I need some help to remove the following virus: JS:Redirector-BOS [Trj]

I have followed advice posted by ‘essexboy’ on this thread: http://forum.avast.com/index.php?topic=145399.0

And carried out the following:

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste log back here.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Please see attached logs.

Thank you.

Monitoring …

Hi, LewisHoltby

Before we begin, tell me have you set up these Policies?

LogonHoursAction, value is 2
DontDisplayLogonHoursWarnings, value is 1
LogonHoursAction, value is 2
DontDisplayLogonHoursWarnings, value is 1
DisableRegistryTools, value is 2
DisableChangePassword, value is 1
DisableTaskMgr, value is 1
DisableLockWorkstation, value is 1

And do you know this webpage?
http://www.viglen.co.uk

Hello magna86,

Regarding the ‘Policies’…sorry but I have no idea what this means. :frowning:

Regarding the webpage…I am using a Viglen PC.

Ok,

Start > Control Panel > Programs and Features;

Uninstall/Remove the following:
Vuze Remote Toolbar (Version: 6.8.9.0 - Vuze Remote)
note: do not remove Vuze, just its toolbar

FreemakeTB Toolbar (Version: 6.9.0.16 - FreemakeTB)
note: do not remove Freemake Video Converter, just its toolbar


Next . . .

The following FRST script (FixList) shall remove these policies, bad toolbars (if they are left) which came bundled with legitimate applications (Conduit conceals behind them), related services…and some malware extensions. The Zoek tool shall just attempt to fix some broken settings.

Thereafter, post me fresh FRST.txt logreport.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
C:\Program Files\Vuze_Remote
C:\Program Files\FreemakeTB
C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\keigpnkjljkelclbjbekcfnaomfodamj
C:\Program Files\Common Files\Motive
C:\Users\Charlie\AppData\Local\CRE\ojpijjmpahflnipadmlpgbjmagmjchkk.crx
C:\Users\Charlie\AppData\Local\Temp\*.exe
C:\Users\Charlie\AppData\Local\Temp\*.dll
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Chloe\...\Policies\system: [LogonHoursAction] 2
HKU\Chloe\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Chloe\...\Policies\system: [DisableRegistryTools] 2
HKU\Chloe\...\Policies\system: [DisableChangePassword] 1
HKU\Chloe\...\Policies\system: [DisableTaskMgr] 1
HKU\Chloe\...\Policies\system: [DisableLockWorkstation] 1
URLSearchHook: HKLM - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
URLSearchHook: HKLM - FreemakeTB Toolbar - {adca5064-9e30-43fe-9856-58b07a3149fe} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
URLSearchHook: HKCU - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
URLSearchHook: HKCU - FreemakeTB Toolbar - {adca5064-9e30-43fe-9856-58b07a3149fe} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
SearchScopes: HKCU - {09345F7B-2336-49FB-85FB-A0E51CE9AA34} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3214568
BHO: FreemakeTB Toolbar - {adca5064-9e30-43fe-9856-58b07a3149fe} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
Toolbar: HKLM - Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
Toolbar: HKLM - FreemakeTB Toolbar - {adca5064-9e30-43fe-9856-58b07a3149fe} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
Toolbar: HKCU - Vuze Remote Toolbar - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
Toolbar: HKCU - FreemakeTB Toolbar - {ADCA5064-9E30-43FE-9856-58B07A3149FE} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
CHR Extension: (如意淘:同款比价,价格曲线,降价提醒) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\keigpnkjljkelclbjbekcfnaomfodamj [2012-09-19]
CHR HKLM\...\Chrome\Extension: [edmgmpmklgfbohogafcfobonnkogchec] - C:\Program Files\Common Files\Motive\extensions\MotiveRequest.crx [2013-09-03]
CHR HKLM\...\Chrome\Extension: [ojpijjmpahflnipadmlpgbjmagmjchkk] - C:\Users\Charlie\AppData\Local\CRE\ojpijjmpahflnipadmlpgbjmagmjchkk.crx [2012-09-20]
CHR HKCU\...\Chrome\Extension: [ojpijjmpahflnipadmlpgbjmagmjchkk] - C:\Users\Charlie\AppData\Local\CRE\ojpijjmpahflnipadmlpgbjmagmjchkk.crx [2012-09-20]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
AlternateDataStreams: C:\ProgramData\TEMP:A9F04799
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Next . . .

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

ResetWMI;

- Click on the Run Script button.
Please wait until a logreport opens (this can be after reboot)

- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log”


Re-run FRST, just hit Scan button and post me fresh created FRST.txt logreport.

Actually, you better download ready FixList.txt for FRST from attachments …
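As an added example (not part of this thread, and not code from FRST or its author), a small Python triage script that parses FRST-style log lines like the ones quoted above and flags the lockdown policies magna86 asked about together with Conduit browser hooks. The sample lines are constructed from the thread's entries with shortened GUIDs; the final harmless Run entry is hypothetical and only shows that ordinary lines are not flagged.

```python
import re

# Constructed sample FRST.txt lines, modelled on the entries quoted in this thread
# (GUIDs shortened; the last "Run" entry is a hypothetical harmless line).
SAMPLE_FRST = r"""
HKCU\...\Policies\system: [DisableTaskMgr] 1
HKCU\...\Policies\system: [DisableRegistryTools] 2
HKU\Chloe\...\Policies\system: [LogonHoursAction] 2
URLSearchHook: HKLM - Vuze Remote Toolbar - {ba14329e} - C:\Program Files\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
BHO: FreemakeTB Toolbar - {adca5064} - C:\Program Files\FreemakeTB\prxtbFree.dll (Conduit Ltd.)
SearchScopes: HKCU - {09345F7B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}
HKCU\...\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
"""

# Policy values named in this thread; they lock a user out of Task Manager,
# the registry editor, password changes and workstation locking.
LOCKDOWN_POLICIES = {
    "DisableRegistryTools", "DisableTaskMgr", "DisableChangePassword",
    "DisableLockWorkstation", "LogonHoursAction", "DontDisplayLogonHoursWarnings",
}

# FRST prints a policy as "<hive>\...\Policies\system: [<Name>] <value>".
POLICY_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\.\\Policies\\system: "
    r"\[(?P<name>\w+)\] (?P<value>\d+)$", re.IGNORECASE)
# Browser hook entries FRST lists by type; Conduit signs its toolbar DLLs
# and its search scope points at search.conduit.com.
HOOK_RE = re.compile(r"^(?P<kind>URLSearchHook|BHO|Toolbar|SearchScopes): (?P<rest>.*)$")


def triage_frst(text):
    """Return lockdown policies and Conduit browser hooks found in FRST log text."""
    policies, hooks = [], []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m and m.group("name") in LOCKDOWN_POLICIES:
            policies.append((m.group("hive"), m.group("name"), int(m.group("value"))))
            continue
        m = HOOK_RE.match(line)
        if m and "conduit" in m.group("rest").lower():
            hooks.append(m.group("kind"))
    return {"policies": policies, "conduit_hooks": hooks}


if __name__ == "__main__":
    result = triage_frst(SAMPLE_FRST)
    for hive, name, value in result["policies"]:
        print(f"lockdown policy {name}={value} under {hive}")
    print("Conduit hook entries:", result["conduit_hooks"])
```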

Wow…I’m totally lost :-\

I’m not a computer expert…can we please do things one step at a time?

I really appreciate the help by the way.

It’s quite simple …

First uninstall these toolbars. Then …

  1. Download FixList.txt next to FRST tool. Run FRST and just hit the Fix button …
    FRST shall fix something and create FixLog.txt report next to FRST tool. Post that here.

  2. Download Zoek tool, run the tool and in the white window copy-paste the ResetWMI; word and hit the RunScript button.
    Zoek shall fix something and create the C:\zoek-results.log report. Post that here.

  3. Run FRST again, just hit Scan button and post here fresh created FRST.txt logreport.

Fixlog attached.

FRST Log Report attached.

Hi,

Hm…the fix for reset WMI did not go too well. We need to fix WMI again …

Download Repair WMI from the link below:

http://www.majorgeeks.com/mg/getmirror/tweaking_com_repair_wmi,1.html

-Run the downloaded Tweaking.com-RepairWMI.exe and wait a few moments.
-Click on Start and wait for the program to finish.
-Restart the computer.

=========================

Next …
Please re-run FRST, just hit Scan button and post me fresh FRST.txt logreport.

Hi magna86,

Please find FRST Log Report attached.

Thanks.

Good. WMI has been reset to default. :slight_smile: And posted FRST log looks good. Just to remove some leftovers …

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
C:\Users\Charlie\AppData\Local\Temp\i4jdel0.exe
S3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [x]
S3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [x]
CMD: type C:\Users\Charlie\Desktop\zoek-results.txt
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Tell me how’s your computer running now? Any malware warnings?

Please find Fix Log attached.

I haven’t seen any more malware warnings so far…only slight worry now is that Windows Action Centre says I need to turn on Avast Anti Virus…I click ‘turn on now’ then ‘yes’ but it doesn’t turn on and same warning is displayed in Windows Action Centre. When I check Avast (I think) it confirms everything is running okay.

That is important, that avast is active. It does not matter what it says in AC. :wink:
…and? You saw that this was not so hard, is it not? :wink:

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Hello magna86,

I haven’t got around to carrying out your final set of instructions and I’m due to go out shortly but thought I would let you know that the virus seems to be back…keep getting the Avast warning popping up again! :frowning:

Hi,

Hm…something is not logical in that…

Post me fresh FRST logs and post me the avast detections. ScreenShot of avast detection will do but I’ll need to see the full file path …

- Double-click on FRST/FRST64 to run it. Wait for FRST to update itself …
- Under Optional Scan ensure “Addition.txt” is ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- FRST should also make another log (Addition.txt). Please attach it to your reply.