http://etpsoprc.ru/a/ URL: Mal

Hello. I had this virus on my laptop which put all the files in the external drives to “hidden” status, plus it created HEAPS of “tmp” files in the same external drives.

I decided to format and reinstall windows7, and everything went fine until I (stupidly) connected my kindle (ebook reader), which I had not formatted since using it on the old installation.

Immediately I got this message that avast blocked a “threat”. It also tells me I don’t need to do anything.

Object: F:\autorun.inf
Infection: INF:AutoRun-EJ[Trj]
Process: C:\Windows\System32\Wscript.exe

This message also pops up every second anytime I connect some external drives (but not all). It does for example with the kindle itself, plus every time I copy a folder into the drive it immediately becomes hidden and the system creates a shortcut to it (not hidden).

It also does so with an SD card. I formatted it, but nothing changes. As soon as the formatting is done, the popups start again, and immediately there appears in the drive a folder named “2e2e” with two files inside, “g3f7a3” and “i3333”. The computer tells me they are “Jscript script files”.

There appears also an “autorun” file, in the root directory of the drive, which disappears and reappears every few seconds.

Since that moment, even with no devices connected, every now and then (20’ or less) I get this popup that avast blocked a website or a file

Object: http: // etpsoprc.ru/a
Infection: URL:Mal
Process: C:\Windows\System32\Wscript.exe

I also get this icon in the notification area of my taskbar, like windows is downloading some updates, but when I hover the mouse over that icon, it disappears.

I tried deleting this “Wscript” file but it tells me I “need permission from TrustedInstaller”.

I googled a bit, downloaded McShield but it won’t install.

Any help?

TY :)

Hi,

http://forum.avast.com/index.php?topic=53253.0

Attach OTL, MBAM, aswMBR. I know your infection. It can be tricky to remove w/o MCShield. Try redownloading it?

http://www.mcshield.net/download.html

Edit: I forgot. Break that etpsoprc.ru/a link.

I cannot install Malwarebytes either :o

You may have an infection that is blocking…
Then move to the next tool… If you have problems running any of the tools, try running from safe mode.

Monitoring.

OTL won’t run either

???

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

There you go.

G’night, see you tomorrow, ty

Hi,

Some Warnings:

:P2P Warning!:

!!IMPORTANT!!

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people’s passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Warnings
USAToday
Info World

Files Found:

-UTorrent

Your infection: (Hijacked Process)

2014-03-07 20:28 - 2013-10-12 02:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2014-03-07 20:28 - 2013-10-12 02:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe

Hello, thanks for your answer.

I don’t think p2ps are the issue here, because I used them for a long time before getting these warnings from avast. It’s something else I think.

Any solution?

ty :)

@1v4n0
UTorrent isn’t your problem nor M$’s wscript legit process. You just wait for argus’ response.

What I meant by that was, possibly you’re leading to more infections. Not your current one.

[Edit]: 1 out of many cases that were infected by P2P.

http://forum.avast.com/index.php?topic=145700.msg1057552#msg1057552

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-1736404222-114842431-3765707497-1001\...\Run: [387] - C:\Users\1V4N0\AppData\Roaming\2e6e\387.js [46924 2014-03-21] ()
2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\Users\1V4N0\AppData\Roaming\2e6e
2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\2fd
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


Please download MCShield from one of the following links:

MCShield -Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … per installation click on Run! button.
[*]Wait a few seconds for MCShield to finish the initial HDD scan…
[*]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post a log report that MCShield has created.

Under the Logs tab (in Control Center), for the AllScans.txt log section click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post AllScans.txt here

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
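
Added example, not part of any post in this thread and not Farbar's code: a small Python triage pass over FRST log lines in the format quoted in the fixlist above. It flags Run-key entries that start a Windows Script Host file from a user-writable folder, and hidden+system directories outside C:\Windows. The rule names, the folder list and the reading of S/H/D in the attribute column as system/hidden/directory are assumptions; the sample lines are copied from this thread.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Windows Script Host (wscript.exe / cscript.exe) will execute.
WSH_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Folders a standard user can write to (assumed list, extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# "<hive>\...\Run: [name] - target [size date] (company)"
RUN_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<target>.+?)"
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \(.*\))?$")
# "created - modified - size attrs (company) path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"(?P<attrs>[_A-Z]{5}) \((?P<company>.*?)\) (?P<path>.+)$")

def triage(lines):
    """Return (rule, path) pairs for log lines worth a closer look."""
    findings = []
    for line in lines:
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            target = m["target"]
            ext = PureWindowsPath(target).suffix.lower()
            if ext in WSH_EXTS and any(p in target.lower() for p in USER_WRITABLE):
                findings.append(("run-key-script", target))
            continue
        m = FILE_RE.match(line)
        if m:
            # Assumption: S = system, H = hidden, D = directory.
            is_hidden_system_dir = {"S", "H", "D"} <= set(m["attrs"])
            if is_hidden_system_dir and not m["path"].lower().startswith("c:\\windows\\"):
                findings.append(("hidden-system-dir", m["path"]))
    return findings

# Sample input: lines quoted in this thread.
SAMPLE = [
    r"HKLM-x32\...\Run: [] - [X]",
    r"HKU\S-1-5-21-1736404222-114842431-3765707497-1001\...\Run: [387] - C:\Users\1V4N0\AppData\Roaming\2e6e\387.js [46924 2014-03-21] ()",
    r"2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\Users\1V4N0\AppData\Roaming\2e6e",
    r"2014-03-19 13:37 - 2014-03-19 13:37 - 00000000 __SHD () C:\2fd",
    r"2014-03-07 20:28 - 2013-10-12 02:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe",
]

if __name__ == "__main__":
    for rule, path in triage(SAMPLE):
        print(f"{rule}: {path}")
```

The legitimate wscript.exe binary is not flagged; what stands out is the autostart entry that hands it a script from the user profile.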

Ok so I saved the txt file to my “desktop” folder. I ran FRST from the same folder and clicked “fix”. It created this file. It took a few seconds. It didn’t prompt a restart or anything.

:)

EDIT see my next post.

And MCShield log ?

McShield won’t install…

EDIT Now it did. I inserted the SD card which gave me some troubles and McS told me everything was OK.
I connected the kindle, which might have been at the start of it all, and McS created this log. Looks like everything is ok. Is it?

The folders are back to “visible”, too.

Same thing with my mp3 player.

Do I have to keep McS installed? And why didn’t it work before?

RI-EDIT the f*ck everything is ok. After a few seconds the situation in the mp3 player was back to how it was before (hidden folder and shortcuts, all pointing to “C/windows/system32”). McS scanned the drive once again, gave the same exact results, and now it won’t stay on more than a few seconds.

RE-RI-EDIT

From “safe mode” everything was ok, I managed to install & run “Malwarebytes”, no signs of infection whatsoever from MB, McS, or avast. Scanned the whole system. Now back in normal mode though, nothing has changed and the virus is still there.

UP. Anyone here?

Sorry, you must’ve been overlooked. When I get home I’ll get someone to help you.

sorry if I bother. I thought upping this once again made sense…

… no one?